<?xml version="1.0" encoding="utf-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <!-- Spring --> <!-- 配置Spring配置文件路径 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> classpath*:applicationContext.xml classpath*:applicationContext-shiro.xml <!-- classpath*:spring-jms.xml --> </param-value> </context-param> <!-- 配置Spring上下文监听器 --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- <listener> --> <!-- <listener-class>org.activemq.web.SpringBrokerContextListener</listener-class> --> <!-- </listener> --> <!-- Spring --> <!-- 配置Spring字符编码过滤器 --> <filter> <filter-name>encodingFilter</filter-name> <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>forceEncoding</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>encodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- shiro 安全过滤器 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <async-supported>true</async-supported> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 配置log4j配置文件路径 --> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.properties</param-value> </context-param> <!-- 60s 检测日志配置 文件变化 --> <context-param> <param-name>log4jRefreshInterval</param-name> <param-value>60000</param-value> </context-param> <!-- 配置Log4j监听器 --> <listener> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> </listener> <!-- Spring MVC 核心控制器 DispatcherServlet 配置 --> <servlet> <servlet-name>dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath*:spring-mvc.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>dispatcher</servlet-name> <!-- 拦截所有/rest/* 的请求,交给DispatcherServlet处理,性能最好 --> <url-pattern>/rest/*</url-pattern> </servlet-mapping> <!-- 首页 --> <welcome-file-list> <welcome-file>rest/index</welcome-file> </welcome-file-list> <!-- 错误页 --> <error-page> <error-code>404</error-code> <location>/rest/page/404</location> </error-page> <error-page> <error-code>500</error-code> <location>/rest/page/500</location> </error-page> <error-page> <exception-type>org.apache.shiro.authz.AuthorizationException</exception-type> <location>/rest/page/401</location> </error-page> </web-app>
web.xml 用到了shiro的过滤器和配置文件
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> <description>apache shiro配置</description> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/rest/page/index"/> <property name="successUrl" value="/rest/index"/> <property name="unauthorizedUrl" value="/rest/page/401"/> <property name="filterChainDefinitions"> <value> <!-- 静态资源允许访问 --> /app/** = anon <!-- 登录页(静态)允许访问 --> /rest/users/index = anon <!-- 登录页(动态)允许访问 --> /rest/users/login = anon <!-- app登录页面 --> /rest/users/apploginindex = anon <!-- app登录页面 --> rest/users/login2 = anon <!-- 其他资源需要认证 --> /** = authc </value> </property> </bean> <!-- 缓存管理器 使用Ehcache实现 --> <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/> </bean> <!-- 会话DAO --> <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.MemorySessionDAO"/> <!-- 会话管理器 --> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <property name="sessionDAO" ref="sessionDAO"/> </bean> <!-- 安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realms"> <list> <ref bean="securityRealm"/> ------------------这里的验证来自于下面 </list> </property> <!-- cacheManager,集合spring缓存工厂 --> <!-- <property name="cacheManager" ref="shiroEhcacheManager" /> --> <!-- <property name="sessionManager" ref="sessionManager" /> --> </bean> <!-- Shiro生命周期处理器 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> </beans>
applicationContext-shiro.xml 配置了shiro的静态登录页面,允许登录页面(这里有两个登录,一个是app登录,一个是pc登录),允许运行的路径等。
package com.timestech.wsgk.web.security; import java.util.List; import javax.annotation.Resource; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.stereotype.Component; import com.timestech.wsgk.web.model.SysRole; import com.timestech.wsgk.web.model.SysUser; import com.timestech.wsgk.web.service.SysRoleService; import com.timestech.wsgk.web.service.SysUserService; @Component(value = "securityRealm") public class SecurityRealm extends AuthorizingRealm { @Resource private SysUserService sysUserService; @Resource private SysRoleService sysRoleService; /** * 登录验证 */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String account = String.valueOf(token.getPrincipal()); String password = new String((char[]) token.getCredentials()); // 通过数据库进行验证 final SysUser authentication = sysUserService.authentication(account,password); if (authentication == null) { throw new AuthenticationException("用户名或密码错误."); } final List<SysRole> sysRoles = sysRoleService.selectRoleByUserId(authentication.getId()); --------service从数据库中查询验证 if(sysRoles.size() == 0) throw new AuthenticationException("权限信息不完整,请联系管理员!"); SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(account, password, getName()); return authenticationInfo; } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) { return null; } }