shiro+spring



第一步、导入maven依赖  

<!-- shiro -->
<!-- All four artifacts share one version property so they cannot drift apart.
     NOTE(review): ${org.apache.shiro.version} is defined elsewhere in the POM and is not
     shown here. Pin it to a currently maintained Shiro release and track upstream security
     advisories, since Shiro sits directly on the authentication path. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>${org.apache.shiro.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>${org.apache.shiro.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>${org.apache.shiro.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-ehcache</artifactId>
    <version>${org.apache.shiro.version}</version>
</dependency>

第二步、在项目中定义shiro的过滤器(shiro的实现主要是通过filter实现)

<!-- Shiro Security filter -->
<!-- DelegatingFilterProxy hands each request to the Spring bean whose id equals the
     filter-name ("shiroFilter"), so the two names must stay identical. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- true: the proxy also calls init()/destroy() on the target filter bean -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Mapped to /* so that every request URL reaches Shiro; which URLs are actually protected
     is decided by filterChainDefinitions on the shiroFilter bean, not here.
     NOTE(review): only REQUEST dispatches are mapped. Shiro's reference web.xml also lists
     FORWARD, INCLUDE and ERROR; confirm whether forwarded or error-page dispatches in this
     application need the filter as well. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

第三步、创建一个Realm

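/**
 * Shiro realm backed by {@code UserBiz}: authenticates a user number / password pair and
 * loads that user's roles and permission strings for authorization checks.
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    private UserBiz biz;

    /**
     * Authentication: resolves the submitted token to an account.
     *
     * <p>Returns {@code null} when the token is not a user-number/password pair or when
     * {@code biz.login} reports failure; Shiro treats a {@code null} result as "no such
     * account" and fails the login.
     *
     * @param authenticationToken token submitted to {@code Subject.login}
     * @return the account's principal and stored credentials, or {@code null} if the login
     *         data was rejected
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        Object principal = authenticationToken.getPrincipal();
        Object credentials = authenticationToken.getCredentials();
        // Reject tokens without a String principal or char[] credentials instead of failing
        // with a NullPointerException or ClassCastException inside the login path.
        if (!(principal instanceof String) || !(credentials instanceof char[])) {
            return null;
        }
        String userno = (String) principal;
        // NOTE(review): copying the password into an immutable String keeps it on the heap
        // until garbage collection; biz.login takes a String, so this cannot be avoided here.
        String password = new String((char[]) credentials);

        Result<RcUser> result = biz.login(userno, password);
        if (!result.isStatus()) {
            return null;
        }

        // NOTE(review): this runs before Shiro has compared the submitted credentials with
        // the ones returned below. If that comparison fails, the session still carries the
        // attribute, so no other code should treat it as proof of a completed login. Setting
        // it in the caller after Subject.login() returns would avoid that window.
        Session session = SecurityUtils.getSubject().getSession();
        session.setAttribute(Constants.Token.RONCOO, userno);

        RcUser user = result.getResultData();
        // NOTE(review): user.getPassword() is compared with the submitted password by the
        // realm's credentials matcher. No matcher is configured for this realm on the page,
        // which presumably means a plain equality check; confirm how passwords are stored.
        return new SimpleAuthenticationInfo(user.getUserNo(), user.getPassword(), getName());
    }

    /**
     * Authorization: loads the roles and permission strings of the given principal.
     *
     * <p>Fails closed: if the user, role or permission lookup reports failure, the returned
     * info simply lacks the corresponding entries, so permission checks are denied. When a
     * cache manager is configured on the security manager, Shiro caches the result per
     * principal, so role changes become visible only once the cached entry expires or is
     * cleared.
     *
     * @param principals identity of the authenticated subject; the primary principal is the
     *                   user number set in {@link #doGetAuthenticationInfo}
     * @return role values and permission strings, possibly empty
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        String userno = (String) principals.getPrimaryPrincipal();

        Result<RcUser> result = biz.queryByUserNo(userno);
        if (!result.isStatus()) {
            return authorizationInfo;
        }

        Result<List<RcRole>> resultRole = biz.queryRoles(result.getResultData().getId());
        if (!resultRole.isStatus()) {
            return authorizationInfo;
        }

        // Collect role values. They are not printed to stdout: authorization data belongs in
        // the application's logger at debug level, if it is traced at all.
        HashSet<String> roles = new HashSet<String>();
        for (RcRole rcRole : resultRole.getResultData()) {
            roles.add(rcRole.getRoleValue());
        }
        authorizationInfo.setRoles(roles);

        // Collect the permission strings granted through those roles.
        Result<List<RcPermission>> resultPermission = biz.queryPermissions(resultRole.getResultData());
        if (resultPermission.isStatus()) {
            HashSet<String> permissions = new HashSet<String>();
            for (RcPermission rcPermission : resultPermission.getResultData()) {
                permissions.add(rcPermission.getPermissionsValue());
            }
            authorizationInfo.setStringPermissions(permissions);
        }
        return authorizationInfo;
    }
}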

第四步、添加shiro配置

1、shiro缓存
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xml>
<ehcache updateCheck="false" name="shiroCache">
    <!-- http://ehcache.org/ehcache.xml -->
    <!-- Entries live at most 120 seconds. This cache is wired into the securityManager
         below, so it backs Shiro's cached authorization info: a role or permission revoked
         in the database can remain effective for up to that long unless the realm's cached
         entry is cleared when roles change. -->
    <defaultCache
            maxElementsInMemory="10000"
            eternal="false"
            timeToIdleSeconds="120"
            timeToLiveSeconds="120"
            overflowToDisk="false"
            diskPersistent="false"
            diskExpiryThreadIntervalSeconds="120"
            />
</ehcache>
2、在spring的core配置文件中配置shiro
<description>Shiro安全配置</description>
<!-- NOTE(review): no credentialsMatcher is set on the realm, so Shiro's default matcher
     applies, which presumably compares the submitted password with the stored value as is.
     Confirm how passwords are stored; a hashing matcher such as HashedCredentialsMatcher or
     PasswordMatcher is the usual choice. -->
<bean id="userRealm" class="com.roncoo.adminlte.controller.realm.UserRealm" />
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="userRealm" />
    <property name="cacheManager" ref="shiroEhcacheManager" />
</bean>
<!-- Shiro filter; the bean id must match the filter-name used in web.xml -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Shiro's core security interface; this property is required -->
    <property name="securityManager" ref="securityManager" />
    <!-- Where to redirect when authentication is required or has failed (the login page) -->
    <property name="loginUrl" value="/login" />
    <property name="successUrl" value="/certification" />
    <property name="unauthorizedUrl" value="/error" />
    <!-- Shiro URL constraints, i.e. the filter chain definitions.
         One definition per line; the first matching pattern wins, so order matters.
         NOTE(review): there is no catch-all entry. A URL that matches none of the patterns
         below passes through without any Shiro access check, so every new controller path
         is public by default. Ending the list with a catch-all such as "/** = authc", after
         the explicitly anonymous paths, makes the configuration deny by default.
         NOTE(review): authcBasic sends the credentials with every request; serve these
         paths over TLS only. -->
    <property name="filterChainDefinitions">
        <value>
            /login = authc
            /exit = anon
            /admin/security/list=authcBasic,perms[admin:read]
            /admin/security/save=authcBasic,perms[admin:insert]
            /admin/security/update=authcBasic,perms[admin:update]
            /admin/security/delete=authcBasic,perms[admin:delete]
        </value>
    </property>
</bean>
<!-- Cache for user authorization info, backed by EhCache -->
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache-shiro.xml" />
</bean>
<!-- Ensures beans that implement Shiro's lifecycle methods have them invoked -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- AOP-style, method-level permission checks (Shiro annotations such as
     @RequiresPermissions); these apply regardless of the URL chain above -->
<bean
    class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
    depends-on="lifecycleBeanPostProcessor">
    <property name="proxyTargetClass" value="true" />
</bean>
<bean
    class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>


第五步、shiro退出登录的实现

        第一种方式
/**
 * Logout operation: clears the application's own session marker, logs the Shiro subject
 * out, and redirects to the login page with a flash message.
 *
 * NOTE(review): the handler is mapped to GET, so a plain link or embedded resource on
 * another site can end a user's session. Prefer POST together with the application's CSRF
 * protection.
 *
 * @param redirectAttributes carries the flash message shown after the redirect
 * @param session            current HTTP session holding the login marker
 * @return redirect to /login, built by the redirect(...) helper defined elsewhere
 */
@RequestMapping(value = "/exit", method = RequestMethod.GET)
public String exit(RedirectAttributes redirectAttributes, HttpSession session) {
    // Drop the marker written during authentication before the subject is logged out.
    session.removeAttribute(Constants.Token.RONCOO);
    // Subject.logout() removes the subject's identity; presumably it also ends the
    // underlying session, confirm for the session manager in use.
    SecurityUtils.getSubject().logout();
    redirectAttributes.addFlashAttribute("msg", "您已经安全退出");
    return redirect("/login");
}
第二种方式:在shiroFilter的约束配置中配置
<!-- Shiro URL constraints, i.e. the filter chain definitions.
     "logout" is Shiro's built-in logout filter. This entry has to replace the
     "/exit = anon" line of the chain from step four, not be added next to it.
     NOTE(review): with this variant the controller method above is not reached, so the
     Constants.Token.RONCOO attribute is cleared only if logout ends the session; verify. -->
<property name="filterChainDefinitions">
    <value>
        /exit = logout
    </value>
</property>