<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0"> <!-- Spring -->
<!-- 配置Spring配置文件路径 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:applicationContext.xml
classpath*:applicationContext-shiro.xml
<!-- classpath*:spring-jms.xml -->
</param-value>
</context-param>
<!-- 配置Spring上下文监听器 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- <listener> -->
<!-- <listener-class>org.activemq.web.SpringBrokerContextListener</listener-class> -->
<!-- </listener> -->
<!-- Spring --> <!-- 配置Spring字符编码过滤器 -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> <!-- shiro 安全过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> <!-- 配置log4j配置文件路径 -->
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>classpath:log4j.properties</param-value>
</context-param>
<!-- 60s 检测日志配置 文件变化 -->
<context-param>
<param-name>log4jRefreshInterval</param-name>
<param-value>60000</param-value>
</context-param> <!-- 配置Log4j监听器 -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener> <!-- Spring MVC 核心控制器 DispatcherServlet 配置 -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<!-- 拦截所有/rest/* 的请求,交给DispatcherServlet处理,性能最好 -->
<url-pattern>/rest/*</url-pattern>
</servlet-mapping> <!-- 首页 -->
<welcome-file-list>
<welcome-file>rest/index</welcome-file>
</welcome-file-list> <!-- 错误页 -->
<error-page>
<error-code>404</error-code>
<location>/rest/page/404</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/rest/page/500</location>
</error-page>
<error-page>
<exception-type>org.apache.shiro.authz.AuthorizationException</exception-type>
<location>/rest/page/401</location>
</error-page> </web-app>
web.xml 用到了shiro的过滤器和配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> <description>apache shiro配置</description> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/rest/page/index"/>
<property name="successUrl" value="/rest/index"/>
<property name="unauthorizedUrl" value="/rest/page/401"/>
<property name="filterChainDefinitions">
<value>
<!-- 静态资源允许访问 -->
/app/** = anon
<!-- 登录页(静态)允许访问 -->
/rest/users/index = anon
<!-- 登录页(动态)允许访问 -->
/rest/users/login = anon
<!-- app登录页面 -->
/rest/users/apploginindex = anon
<!-- app登录页面 -->
rest/users/login2 = anon
<!-- 其他资源需要认证 -->
/** = authc
</value>
</property>
</bean> <!-- 缓存管理器 使用Ehcache实现 -->
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>
</bean> <!-- 会话DAO -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.MemorySessionDAO"/> <!-- 会话管理器 -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionDAO" ref="sessionDAO"/>
</bean> <!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realms">
<list>
<ref bean="securityRealm"/> ------------------这里的验证来自于下面
</list>
</property>
<!-- cacheManager,集合spring缓存工厂 -->
<!-- <property name="cacheManager" ref="shiroEhcacheManager" /> -->
<!-- <property name="sessionManager" ref="sessionManager" /> -->
</bean> <!-- Shiro生命周期处理器 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> </beans>
applicationContext-shiro.xml 配置了shiro的静态登录页面,允许登录页面(这里有两个登录,一个是app登录,一个是pc登录),允许运行的路径等。
package com.timestech.wsgk.web.security; import java.util.List; import javax.annotation.Resource; import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component; import com.timestech.wsgk.web.model.SysRole;
import com.timestech.wsgk.web.model.SysUser;
import com.timestech.wsgk.web.service.SysRoleService;
import com.timestech.wsgk.web.service.SysUserService; @Component(value = "securityRealm")
public class SecurityRealm extends AuthorizingRealm { @Resource
private SysUserService sysUserService;
@Resource
private SysRoleService sysRoleService; /**
* 登录验证
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String account = String.valueOf(token.getPrincipal());
String password = new String((char[]) token.getCredentials());
// 通过数据库进行验证 final SysUser authentication = sysUserService.authentication(account,password);
if (authentication == null) {
throw new AuthenticationException("用户名或密码错误.");
}
final List<SysRole> sysRoles = sysRoleService.selectRoleByUserId(authentication.getId()); --------service从数据库中查询验证
if(sysRoles.size() == )
throw new AuthenticationException("权限信息不完整,请联系管理员!");
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(account, password, getName());
return authenticationInfo;
} @Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
return null;
} }