Shiro集成Spring

1、加入Spring和Shiro的jar包。

2、配置Spring和SpringMVC

3、配置Spring环境：在web.mxl文件中加入监听

        <context-param><param-name>contextConfigLocation</param-name><param-value>classpath:applicationContext.xml</param-value></context-param><!-- Bootstraps the root web application context before servlet initialization --><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>

4、在根目录下，新建Spring配置文件applicationContext.xml

5、在web.xml中配置拦截器

<!-- The front controller of this Spring Web application, responsible for handling all application requests --><servlet><servlet-name>spring</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><load-on-startup>1</load-on-startup></servlet><!-- Map all requests to the DispatcherServlet for handling --><servlet-mapping><servlet-name>spring</servlet-name><url-pattern>/</url-pattern></servlet-mapping>

6、在WEB-INF下新建Spring配置文件：spring-servlet.xml

7、配置SpringMVC的基本配置

<context:component-scan base-package="com.yintong.shiro"></context:component-scan><bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"><property name="prefix" value="/"></property><property name="suffix" value=".jsp"></property></bean><mvc:annotation-driven></mvc:annotation-driven><mvc:default-servlet-handler/>

8、与Shiro整合，第一步：在web.xml中配置ShiroFilter

        1. 配置  Shiro 的 shiroFilter.  2. DelegatingFilterProxy 实际上是 Filter 的一个代理对象. 默认情况下, Spring 会到 IOC 容器中查找和 <filter-name> 对应的 filter bean. 也可以通过 targetBeanName 的初始化参数来配置 filter bean 的 id. -->    <filter>        <filter-name>shiroFilter</filter-name>        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>        <init-param>            <param-name>targetFilterLifecycle</param-name>            <param-value>true</param-value>        </init-param>    </filter>    <filter-mapping>        <filter-name>shiroFilter</filter-name>        <url-pattern>/*</url-pattern>    </filter-mapping>

9、在application.xml文件中进行整合，配置Shiro。

    <!--      1. 配置 SecurityManager!    -->         <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">        <property name="cacheManager" ref="cacheManager"/>        <property name="authenticator" ref="authenticator"></property>                <property name="realms">        <list>    <ref bean="jdbcRealm"/>    <ref bean="secondRealm"/>    </list>        </property>                <property name="rememberMeManager.cookie.maxAge" value="10"></property>    </bean>    <!-- Let's use some enterprise caching support for better performance.  You can replace this with any enterprise         caching framework implementation that you like (Terracotta+Ehcache, Coherence, GigaSpaces, etc -->    <!--      2. 配置 CacheManager.     2.1 需要加入 ehcache 的 jar 包及配置文件.     -->         <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">        <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one.  If not, a new one             will be creaed with a default config:             <property name="cacheManager" ref="ehCacheManager"/> -->        <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but you want             a specific Ehcache configuration to be used, specify that here.  If you don't, a default             will be used.: -->        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>     </bean>        <bean id="authenticator"     class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">    <property name="authenticationStrategy">    <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>    </property>    </bean>    <!-- Used by the SecurityManager to access security data (users, roles, etc).         Many other realm implementations can be used too (PropertiesRealm,         LdapRealm, etc. -->    <!--     3. 配置 Realm     3.1 直接配置实现了 org.apache.shiro.realm.Realm 接口的 bean    -->         <bean id="jdbcRealm" class="com.atguigu.shiro.realms.ShiroRealm">    <property name="credentialsMatcher">    <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">    <property name="hashAlgorithmName" value="MD5"></property>    <property name="hashIterations" value="1024"></property>    </bean>    </property>    </bean>        <bean id="secondRealm" class="com.atguigu.shiro.realms.SecondRealm">    <property name="credentialsMatcher">    <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">    <property name="hashAlgorithmName" value="SHA1"></property>    <property name="hashIterations" value="1024"></property>    </bean>    </property>    </bean>    <!-- =========================================================         Shiro Spring-specific integration         ========================================================= -->    <!-- Post processor that automatically invokes init() and destroy() methods         for Spring-configured Shiro objects so you don't have to         1) specify an init-method and destroy-method attributes for every bean            definition and         2) even know which Shiro objects require these methods to be            called. -->    <!--      4. 配置 LifecycleBeanPostProcessor. 可以自定的来调用配置在 Spring IOC 容器中 shiro bean 的生命周期方法.     -->           <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>    <!-- Enable Shiro Annotations for Spring-configured beans.  Only run after         the lifecycleBeanProcessor has run: -->    <!--      5. 启用 IOC 容器中使用 shiro 的注解. 但必须在配置了 LifecycleBeanPostProcessor 之后才可以使用.     -->         <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"          depends-on="lifecycleBeanPostProcessor"/>    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">        <property name="securityManager" ref="securityManager"/>    </bean>    <!-- Define the Shiro Filter here (as a FactoryBean) instead of directly in web.xml -         web.xml uses the DelegatingFilterProxy to access this bean.  This allows us         to wire things with more control as well utilize nice Spring things such as         PropertiesPlaceholderConfigurer and abstract beans or anything else we might need: -->    <!--      6. 配置 ShiroFilter.     6.1 id 必须和 web.xml 文件中配置的 DelegatingFilterProxy 的 <filter-name> 一致.                      若不一致, 则会抛出: NoSuchBeanDefinitionException. 因为 Shiro 会来 IOC 容器中查找和 <filter-name> 名字对应的 filter bean.    -->         <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">        <property name="securityManager" ref="securityManager"/>        <property name="loginUrl" value="/login.jsp"/>        <property name="successUrl" value="/list.jsp"/>        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>                <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"></property>                <!--          配置哪些页面需要受保护.         以及访问这些页面需要的权限.         1). anon 可以被匿名访问        2). authc 必须认证(即登录)后才可能访问的页面.         3). logout 登出.        4). roles 角色过滤器        -->        <!--          <property name="filterChainDefinitions">            <value>                /login.jsp = anon                /shiro/login = anon                /shiro/logout = logout                                /user.jsp = roles[user]                /admin.jsp = roles[admin]                                # everything else requires authentication:                /** = authc            </value>        </property>        -->    </bean>        <!-- 配置一个 bean, 该 bean 实际上是一个 Map. 通过实例工厂方法的方式 -->    <bean id="filterChainDefinitionMap"     factory-bean="filterChainDefinitionMapBuilder" factory-method="buildFilterChainDefinitionMap"></bean>        <bean id="filterChainDefinitionMapBuilder"    class="com.atguigu.shiro.factory.FilterChainDefinitionMapBuilder"></bean>        <bean id="shiroService"    class="com.atguigu.shiro.services.ShiroService"></bean>

10、通过ShiroFilter拦截需要安全控制的URL,然后进行相应验证。类似宇Struts2/SpringMVC这种web框架的前端控制器，是安全控制的入口。

负责读取ini配置文件，然后判断URL是否可以登录/权限等工作。

工作流程：

11、在ShiroFilter配置中，为什么web.xml文件中的filter-name必须与SpringIOC容器中配置的ShiroFilter的Id相同。

<filter-name>描述的是一个代理对象，当系统启动之后，会去IOC容器中找实现了ShiroFilter接口的Bean。也可以通过targetBeanName的初始化参数寻找该类。

如下：DelegatingFilterProxy是Shiro的一个代理对象，默认Bean与<filter-name>相同。也可以通过通过参数targetBeanName的初始化来配置filter bean的id。

    <filter>        <filter-name>shiroFilter</filter-name>        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>        <init-param>            <param-name>targetFilterLifecycle</param-name>            <param-value>true</param-value>        </init-param>        <init-param>            <param-name>targetBeanName</param-name>            <param-value>shiroFilter</param-value>        </init-param>    </filter>