Shiro 是一个被广泛使用的安全框架,可以通过 XML 配置与 Spring 无缝对接;用户的登录/退出/权限控制/Cookie 等管理系统的基础安全功能都可以交给 Shiro 来管理。
一般来说,在 Java Web 管理平台中,用户退出系统时需要清除会话中的用户数据并释放相关资源,以免垃圾数据堆积。Shiro 为此提供了 LogoutFilter 过滤器:它在 preHandle 方法中对当前 Subject 执行 logout(使会话失效、清除缓存的用户信息),然后重定向到配置的地址,直接复用它即可实现退出时清理缓存的功能。
页面代码:
<#-- Header login/logout control. Shiro's FreeMarker tags pick the branch from the current
     subject: guest (no known identity) gets the login link, user (authenticated or remembered)
     gets the logout link.
     NOTE(review): logout is a plain GET link to /b/logout; any third-party page can embed that
     URL and force a logout (logout CSRF). A POST form would be the safer shape. -->
<div style="float:right;cursor:pointer;" class="item">
  <@shiro.guest>
    <a href="${base}/u/zhuti/ztzx"><span style="font-weight:bold">登录</span> |</a>
  </@shiro.guest>
  <@shiro.user>
    <a href="${base}/b/logout">退出</a>
  </@shiro.user>
</div>
shiro配置文件:applicationContext-shiro.xml
先贴出整个配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Shiro wiring for this web application: an EhCache-backed cache manager, a CAS realm,
  native Shiro sessions stored in memcached, and the servlet filter chain.
  The jee/tx/context/aop namespaces are declared below, but no element from any of them
  appears in this file.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-4.0.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd">

  <!-- Shiro cache manager backed by EhCache; the cache layout is read from
       ehcache-shiro.xml on the classpath. -->
  <bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>
  </bean>

  <!-- Realm: a project-specific class (presumably built on org.apache.shiro.cas.CasRealm).
       Earlier alternatives kept for reference:
       <bean id="myRealm" class="cn.com.zhulong.app.security.shiro.MyRealm" />
       <bean id="casRealm" class="org.apache.shiro.cas.CasRealm">
  -->
  <bean id="casRealm" class="cn.com.zhulong.app.security.shiro.MyCasRealm"/>

  <!-- Central security manager: CAS realm, EhCache cache manager, the native session
       manager defined further down, and the CAS subject factory. -->
  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- <property name="sessionMode" value="native"/> -->
    <property name="realm">
      <ref bean="casRealm"/>
    </property>
    <property name="cacheManager">
      <ref bean="shiroCacheManager"/>
    </property>
    <property name="sessionManager">
      <ref bean="sessionManager"/>
    </property>
    <property name="subjectFactory">
      <ref bean="casSubjectFactory"/>
    </property>
  </bean>

  <!-- Needed for CAS "remember me" support; it is wired into securityManager.subjectFactory above. -->
  <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory"/>

  <!-- Single sign-on (CAS) filter. A project-specific class is used in place of the stock
       org.apache.shiro.cas.CasFilter. -->
  <bean id="casFilter" class="cn.com.zhulong.app.security.shiro.CasFilter">
    <!-- Page shown when CAS ticket validation fails. -->
    <property name="failureUrl" value="/error"/>
  </bean>

  <!-- Builds the Shiro servlet filter chain (the web.xml registration is not part of this file). -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Alternative implementation, currently unused:
         <bean id="shiroFilter" class="cn.com.zhulong.app.security.shiro.MyShiroFilterFactoryBean"> -->
    <property name="securityManager">
      <ref bean="securityManager"/>
    </property>
    <!-- Without SSO: where requests that fail authentication are redirected. -->
    <property name="loginUrl" value="/login"/>
    <!-- With SSO: the CAS server login URL; its "service" parameter is the URL CAS returns to.
         <property name="loginUrl" value="${cas.shiro.loginUrl}" /> -->
    <property name="successUrl" value="/"/>
    <property name="unauthorizedUrl" value="/unauthorized"/>

    <!-- Filter aliases usable in filterChainDefinitions, in addition to Shiro's
         built-in ones such as anon and authc. -->
    <property name="filters">
      <map>
        <entry key="casFilter">
          <ref bean="casFilter"/>
        </entry>
        <!-- Registered, but the active chain below never references it. -->
        <entry key="myperms">
          <bean class="cn.com.zhulong.common.web.shiro.MyPermissionsAuthorizationFilter"/>
        </entry>
        <entry key="touSuAuthc">
          <bean class="cn.com.zhulong.app.security.shiro.TouSuFormAuthenticationFilter"/>
        </entry>
        <!-- Logout filter. -->
        <entry key="logout">
          <ref bean="logoutFilter"/>
        </entry>
      </map>
    </property>

    <!-- Commented out for now: permission checks are skipped so that a plain login is enough
         to get in, which makes testing easier.
    <property name="filterChainDefinitions">
      <value>
        /logout=logoutFilter
        /enum_js=anon
        /admin/**=authc,myperms
        /admin/**=authc
        /admin/** = authc
        /jyzk/toZycdAdd** = authc
        /jyzk/zycdAdd** = authc
      </value>
    </property>
    -->

    <!-- URL-to-filter chain. Shiro applies the first pattern that matches the request path,
         so the more specific /u/zbxmts/** entry must stay above /u/**.
         NOTE(review): there is no trailing "/** = authc" catch-all, so any path not listed
         here is served without any of the filters above; confirm that is intended.
         NOTE(review): LogoutFilter does not check the HTTP method, so a cross-site GET to
         /b/logout can force a user out (logout CSRF). Shiro 1.4+ adds a postOnlyLogout
         property on LogoutFilter; check the Shiro version before enabling it. -->
    <property name="filterChainDefinitions">
      <value>
        /authentication* = casFilter
        /res/** = anon
        /enum_js = anon
        /b/logout = logout
        /admin/** = authc
        /u/zbxmts/** = touSuAuthc
        /u/** = authc
        /open/** = authc
        /jyzk/toZycdAdd** = authc
        /jyzk/zycdAdd** = authc
      </value>
    </property>
  </bean>

  <!-- Lets Spring drive init()/destroy() on Shiro beans that implement Initializable/Destroyable. -->
  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <!-- Session ID generator.
       NOTE(review): nothing in this file references this bean; whether the custom sessionDAO
       picks it up some other way is not visible here. -->
  <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>

  <!-- Logs the current Subject out and redirects to the local login page.
       NOTE(review): this ends the local Shiro session only. With CAS in play the server-side
       CAS session is untouched, so a later hit on /authentication* may sign the user straight
       back in; pointing redirectUrl at the CAS logout URL gives a real single sign-out. -->
  <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
    <property name="redirectUrl" value="/login"/>
  </bean>

  <!-- Binds the security manager to the static SecurityUtils so that code outside the
       filter chain can use SecurityUtils.getSubject(). -->
  <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments">
      <ref bean="securityManager"/>
    </property>
  </bean>

  <!-- Native Shiro sessions (independent of the container's HttpSession), persisted via sessionDAO. -->
  <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <!-- Idle timeout: 30 minutes, in milliseconds. -->
    <property name="globalSessionTimeout" value="1800000"/>
    <property name="deleteInvalidSessions" value="true"/>
    <property name="sessionValidationSchedulerEnabled" value="true"/>
    <property name="sessionValidationScheduler">
      <ref bean="sessionValidationScheduler"/>
    </property>
    <property name="sessionDAO">
      <ref bean="sessionDAO"/>
    </property>
    <!-- The session ID travels in a cookie. No sessionIdCookie bean is configured, so Shiro's
         defaults apply (HttpOnly is on by default, Secure is not).
         NOTE(review): set the Secure flag if the site is served over HTTPS; confirm the
         defaults against the Shiro version in use. -->
    <property name="sessionIdCookieEnabled" value="true"/>
    <!-- <property name="sessionIdCookie.path" value="/365-mfgg-adminweb/" /> -->
  </bean>

  <!-- Periodically sweeps expired sessions out of the session store. -->
  <bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler">
    <!-- Every 30 minutes, in milliseconds. -->
    <property name="interval" value="1800000"/>
    <property name="sessionManager">
      <ref bean="sessionManager"/>
    </property>
  </bean>

  <!-- Session persistence: a project DAO delegating to a memcached-backed repository. -->
  <bean id="sessionDAO" class="cn.com.zhulong.common.web.shiro.dao.CustomShiroSessionDAO">
    <property name="shiroSessionRepository">
      <ref bean="memcachedShiroSessionRepository"/>
    </property>
  </bean>

  <bean id="memcachedShiroSessionRepository" class="cn.com.zhulong.common.web.shiro.dao.MemcachedShiroSessionRepository"/>

</beans>
首先,页面点击“退出”时会请求 /b/logout;shiroFilter 按 filterChainDefinitions 中第一条匹配的规则,为该路径找到过滤器别名 logout:
<!-- Active URL-to-filter chain. Shiro takes the first pattern that matches the request path,
     so the more specific /u/zbxmts/** entry has to stay above /u/**.
     NOTE(review): there is no catch-all entry; paths not listed here (for example /login,
     /error, /unauthorized) pass through with none of these filters applied. -->
<property name="filterChainDefinitions">
  <value>
    /authentication* = casFilter
    /res/** = anon
    /enum_js = anon
    /b/logout = logout
    /admin/** = authc
    /u/zbxmts/** = touSuAuthc
    /u/** = authc
    /open/** = authc
    /jyzk/toZycdAdd** = authc
    /jyzk/zycdAdd** = authc
  </value>
</property>
再根据logout找到对应退出过滤器:
<!-- Named filters available to filterChainDefinitions; the alias "logout" resolves to the
     logoutFilter bean, the other entries are the CAS filter and two project-specific filters. -->
<property name="filters">
  <map>
    <entry key="casFilter">
      <ref bean="casFilter"/>
    </entry>
    <entry key="myperms">
      <bean class="cn.com.zhulong.common.web.shiro.MyPermissionsAuthorizationFilter"/>
    </entry>
    <entry key="touSuAuthc">
      <bean class="cn.com.zhulong.app.security.shiro.TouSuFormAuthenticationFilter"/>
    </entry>
    <!-- Logout filter. -->
    <entry key="logout">
      <ref bean="logoutFilter"/>
    </entry>
  </map>
</property>
再根据 logoutFilter 这个 bean id 找到它的定义:
<!-- LogoutFilter: on a request to its mapped path it logs the current Subject out and then
     redirects to redirectUrl.
     NOTE(review): this ends the local Shiro session only. With CAS SSO the server-side CAS
     session is untouched, so a later hit on a CAS-protected path can sign the user back in;
     pointing redirectUrl at the CAS logout URL gives a real single sign-out.
     NOTE(review): any HTTP method triggers the filter, so a GET link is a logout-CSRF vector;
     Shiro 1.4+ adds a postOnlyLogout property if that should be locked down. -->
<bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
  <property name="redirectUrl">
    <value>/login</value>
  </property>
</bean>
此处 LogoutFilter 先对当前 Subject 执行退出(使 Shiro 会话失效并清除缓存的用户信息),然后重定向,redirectUrl 的 value 即重定向地址(这里是 /login)。需要注意两点:一是 LogoutFilter 只结束本应用的 Shiro 会话,如果启用了 CAS 单点登录,CAS 服务端的登录态不会随之注销,要实现真正的单点退出需把 redirectUrl 指向 CAS 的 logout 地址;二是 LogoutFilter 默认不限制 HTTP 方法,一个 GET 链接就能触发退出,存在被第三方页面强制退出(logout CSRF)的可能,Shiro 1.4 及以上版本可通过 postOnlyLogout 属性限制为仅 POST,并把页面上的退出链接改成 POST 表单。