
SpringMVC + Mybatis + Shiro 权限整合

热度:150   发布时间:2016-05-02 03:23:52.0
SpringMVC + Mybatis + Shiro 权限整合
详细见参考文章:
基于Spring + Spring MVC + Mybatis 高性能web构建 http://blog.csdn.net/zoutongyuan/article/details/41379851
SpringMVC整合Shiro http://blog.csdn.net/jadyer/article/details/12208847


一些配置参考:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
						http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
	default-lazy-init="true">

	<description>Shiro Configuration</description>

	<!-- Shiro's main business-tier object for web-enabled applications -->
	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<property name="realm" ref="shiroDbRealm" />
		<property name="cacheManager" ref="cacheManager" />
	</bean>

	<!-- Project-specific Realm.
	     NOTE(review): no credentialsMatcher property is set on this bean. Unless the realm
	     class installs one itself, Shiro's default matcher compares the submitted password
	     with the stored value as is. TODO confirm how stored passwords are protected. -->
	<bean id="shiroDbRealm" class="cn.ssms.realm.ShiroDbRealm">
		<property name="cacheManager" ref="cacheManager" />
	</bean>

	<!-- Shiro Filter.
	     loginUrl: where unauthenticated requests are redirected.
	     successUrl: default landing page after a successful login.
	     unauthorizedUrl: used by Shiro's authorization filters (roles/perms); none of the
	     chains below use such a filter, so it only takes effect if one is added. -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<property name="securityManager" ref="securityManager" />
		<property name="loginUrl" value="/tologin.html" />
		<property name="successUrl" value="/view/index.html" />
		<property name="unauthorizedUrl" value="/error/noperms.jsp" />
		<!-- Chains are evaluated in declaration order and the first matching pattern wins,
		     so the anon entries must stay above the catch-all. The closing "/** = authc"
		     makes authentication the default for every path not listed explicitly.
		     NOTE(review): /logout.html is anon, so ending the session is left to the
		     handler behind that URL (not shown here); confirm it calls Subject.logout(). -->
		<property name="filterChainDefinitions">
			<value>
				/index.html = authc
				/login.html = anon
				/tologin.html = anon
				/logout.html = anon
				/** = authc
			</value>
		</property>
	</bean>

	<!-- Cache for user authorization info.
	     NOTE(review): cached roles/permissions stay in effect until the entry is evicted or
	     cleared, so a role change presumably needs the realm's cache to be cleared. -->
	<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />

	<!-- Ensures that beans implementing Shiro's internal lifecycle methods get them invoked -->
	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

	<!-- AOP-style method-level permission checks -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
		depends-on="lifecycleBeanPostProcessor">
		<property name="proxyTargetClass" value="true" />
	</bean>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
		<property name="securityManager" ref="securityManager" />
	</bean>
</beans>

Realm类:
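package cn.ssms.realm;

import java.util.HashSet;
import java.util.Set;

import javax.annotation.PostConstruct;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

import cn.ssms.model.User;
import cn.ssms.service.UserService;
import cn.ssms.util.CipherUtil;
import cn.ssms.util.EncryptUtils;

/**
 * Shiro realm that authenticates against accounts loaded through {@link UserService}
 * and supplies the roles and permissions used for authorization checks.
 */
public class ShiroDbRealm extends AuthorizingRealm {

	private static final Logger logger = LoggerFactory.getLogger(ShiroDbRealm.class);

	// Only referenced by the commented-out initCredentialsMatcher() at the end of the class.
	private static final String ALGORITHM = "MD5";

	@Autowired
	private UserService userService;

	public ShiroDbRealm() {
		super();
	}

	/**
	 * Authentication callback, invoked by Shiro during login.
	 *
	 * @param authcToken the submitted token; cast to {@link UsernamePasswordToken}
	 * @return the stored account data that Shiro's credentials matcher compares with the token
	 * @throws AuthenticationException if no account exists for the submitted login name
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken authcToken) throws AuthenticationException {
		UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
		String loginName = token.getUsername();

		// Debug-level logger instead of System.out. The loaded User is deliberately not
		// logged: it carries the stored password (see getPassword() below), which would
		// presumably end up in the output through toString().
		logger.debug("Looking up account for login name [{}]", loginName);

		User user = userService.findUserByLoginName(loginName);
		if (user == null) {
			// Same generic exception as before, so the failure does not tell the caller
			// more than "authentication failed".
			throw new AuthenticationException();
		}

		// The password itself is checked by the realm's credentials matcher after this
		// method returns. No matcher is installed in this class (initCredentialsMatcher()
		// below is commented out), so whatever matcher the realm has by default applies.
		return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
	}

	/**
	 * Authorization callback, invoked when an authorization check is made and the cache
	 * holds no authorization info for the principal.
	 *
	 * @param principals the principals of the subject being authorized (currently unused)
	 * @return the roles and string permissions granted
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// NOTE(review): placeholder authorization. The roles and permissions below are
		// hard-coded and "principals" is never read, so EVERY authenticated user is
		// granted the "admin" role. Replace this with a lookup keyed on the principal
		// before relying on role or permission checks anywhere in the application.
		Set<String> roleNames = new HashSet<String>();
		Set<String> permissions = new HashSet<String>();
		roleNames.add("admin");
		roleNames.add("zhangsan");
		permissions.add("user.do?myjsp");
		permissions.add("login.do?main");
		permissions.add("login.do?logout");

		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
		info.setStringPermissions(permissions);
		return info;
	}

	/**
	 * Clears the cached authorization info of a single user.
	 *
	 * @param principal the principal whose cached entry is dropped
	 */
	public void clearCachedAuthorizationInfo(String principal) {
		SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
		clearCachedAuthorizationInfo(principals);
	}

	/**
	 * Clears the cached authorization info of all users.
	 */
	public void clearAllCachedAuthorizationInfo() {
		Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
		if (cache != null) {
			// clear() empties the cache in one call; the previous loop removed entries
			// while iterating over keys(), which can fail on cache implementations whose
			// key set is a live view.
			cache.clear();
		}
	}

	// NOTE(review): kept disabled, as in the original. While it is disabled no hashed
	// credentials matcher is installed by this class. If it is enabled, the stored
	// passwords must already be in the matching hashed form, and an unsalted,
	// single-round MD5 digest is not adequate protection for stored passwords;
	// prefer a salted, iterated scheme.
//	@PostConstruct
//	public void initCredentialsMatcher() {
//		// MD5 hashing
//		HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
//		setCredentialsMatcher(matcher);
//	}
}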

UserService实现类
/**
 * {@link UserService} implementation that delegates every lookup to {@link UserMapper}.
 */
@Service("userService")
public class UserServiceImpl implements UserService {

	// Data-access mapper injected by Spring.
	@Autowired
	private UserMapper userMapper;

	/**
	 * Loads a user by primary key.
	 *
	 * @param id the primary key
	 * @return whatever the mapper returns for that key
	 */
	public User getUserById(int id) {
		final User match = userMapper.selectByPrimaryKey(id);
		return match;
	}

	/**
	 * Loads a user by login name.
	 *
	 * @param username the login name to look up
	 * @return whatever the mapper returns for that login name
	 */
	public User findUserByLoginName(String username) {
		System.out.println("findUserByLoginName call!");
		// NOTE(review): username comes from the login form. The mapper's SQL is not shown
		// here; confirm it binds the value as a parameter (#{...}) rather than splicing it
		// into the statement (${...}).
		final User match = userMapper.findUserByLoginName(username);
		return match;
	}
}