springboot shiro 整合

本文还是转载自

http://blog.csdn.net/u014695188/article/details/52356158

实际上在Spring boot里用Spring Security最合适，毕竟是自家东西，

最重要的一点是Spring Security里自带有csrf filter，防止csrf攻击，shiro里就没有。
但是Spring Security有点太复杂，custmize起来比较费力，不如shiro来的简单。

如果想要在Spring boot里使用shiro，需要进行以下配置，首先pom.xml里要添加shiro的依赖

<dependency>           <groupId>org.apache.shiro</groupId>              <artifactId>shiro-spring</artifactId>              <version>1.2.5</version>          </dependency>          <dependency>              <groupId>org.apache.shiro</groupId>              <artifactId>shiro-ehcache</artifactId>              <version>1.2.5</version>          </dependency>          <dependency>              <groupId>com.github.theborakompanioni</groupId>              <artifactId>thymeleaf-extras-shiro</artifactId>           <version>1.2.1</version>  </dependency>  

shiro官方只提供了jsp的标签，没有提供thymeleaf的，而thymeleaf在spring boot里应用已经很广泛了，这里依赖了一个第三方包。
然后就是shiro的配置文件，这里我们使用java－based 配置

@Configuration  public class ShiroConfiguration {            @Bean(name = "lifecycleBeanPostProcessor")      public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {          return new LifecycleBeanPostProcessor();      }            @Bean(name = "hashedCredentialsMatcher")      public HashedCredentialsMatcher hashedCredentialsMatcher() {          HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();          credentialsMatcher.setHashAlgorithmName("MD5");          credentialsMatcher.setHashIterations(2);          credentialsMatcher.setStoredCredentialsHexEncoded(true);          return credentialsMatcher;      }            @Bean(name = "shiroRealm")      @DependsOn("lifecycleBeanPostProcessor")      public ShiroRealm shiroRealm() {          ShiroRealm realm = new ShiroRealm();           realm.setCredentialsMatcher(hashedCredentialsMatcher());          return realm;      }            @Bean(name = "ehCacheManager")      @DependsOn("lifecycleBeanPostProcessor")      public EhCacheManager ehCacheManager(){          EhCacheManager ehCacheManager = new EhCacheManager();          return ehCacheManager;      }            @Bean(name = "securityManager")      public SecurityManager securityManager(){          DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();          securityManager.setRealm(shiroRealm());          securityManager.setCacheManager(ehCacheManager());          return securityManager;      }        @Bean(name = "shiroFilter")      public ShiroFilterFactoryBean shiroFilterFactoryBean(){          ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();          shiroFilterFactoryBean.setSecurityManager(securityManager());                    Map<String, Filter> filters = new LinkedHashMap<String, Filter>();          LogoutFilter logoutFilter = new LogoutFilter();          logoutFilter.setRedirectUrl("/login");          filters.put("logout", logoutFilter);          shiroFilterFactoryBean.setFilters(filters);                    Map<String, String> filterChainDefinitionManager = new LinkedHashMap<String, String>();          filterChainDefinitionManager.put("/logout", "logout");          filterChainDefinitionManager.put("/user/**", "authc,roles[user]");          filterChainDefinitionManager.put("/shop/**", "authc,roles[shop]");          filterChainDefinitionManager.put("/admin/**","authc,roles[admin]");          filterChainDefinitionManager.put("/**", "anon");          shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager);                    shiroFilterFactoryBean.setLoginUrl("/login");          shiroFilterFactoryBean.setSuccessUrl("/");          shiroFilterFactoryBean.setUnauthorizedUrl("/403");                    return shiroFilterFactoryBean;      }        @Bean      @ConditionalOnMissingBean      public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {          DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();          daap.setProxyTargetClass(true);          return daap;      }            @Bean      public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {          AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();          aasa.setSecurityManager(securityManager());          return aasa;      }            @Bean(name = "shiroDialect")      public ShiroDialect shiroDialect(){          return new ShiroDialect();      }  }  

1.LifecycleBeanPostProcessor，这是个DestructionAwareBeanPostProcessor的子类，负责org.apache.shiro.util.Initializable类型bean的生命周期的，初始化和销毁。主要是AuthorizingRealm类的子类，以及EhCacheManager类。

2.HashedCredentialsMatcher，这个类是为了对密码进行编码的，防止密码在数据库里明码保存，当然在登陆认证的生活，这个类也负责对form里输入的密码进行编码。

3.ShiroRealm，这是个自定义的认证类，继承自AuthorizingRealm，负责用户的认证和权限的处理，可以参考JdbcRealm的实现。
4.EhCacheManager，缓存管理，用户登陆成功后，把用户信息和权限信息缓存起来，然后每次用户请求时，放入用户的session中，如果不设置这个bean，每个请求都会查询一次数据库。
5.SecurityManager，权限管理，这个类组合了登陆，登出，权限，session的处理，是个比较重要的类。
6.ShiroFilterFactoryBean，是个factorybean，为了生成ShiroFilter。它主要保持了三项数据，securityManager，filters，filterChainDefinitionManager。
7.DefaultAdvisorAutoProxyCreator，Spring的一个bean，由Advisor决定对哪些类的方法进行AOP代理。
 8.AuthorizationAttributeSourceAdvisor，shiro里实现的Advisor类，内部使用AopAllianceAnnotationsAuthorizingMethodInterceptor来拦截用以下注解的方法。老实说，这里注入securityManager，我不知道有啥用，从source上看不出它在什么地方会被调用。

    private static final Class<? extends Annotation>[] AUTHZ_ANNOTATION_CLASSES =
            new Class[] {
                    RequiresPermissions.class, RequiresRoles.class,
                    RequiresUser.class, RequiresGuest.class, RequiresAuthentication.class
            };

9.ShiroDialect，为了在thymeleaf里使用shiro的标签的bean