Shiro引入Spring

       添加jar包/maven配置

<!-- shiro支持 -->

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-core</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-web</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-spring</artifactId>

           <version>1.2.4</version>

       </dependency>

       <!-- 緩存 註解 -->

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-aspectj</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-ehcache</artifactId>

           <version>1.2.4</version>

        </dependency>

添加spring-shiro.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"

    xmlns:context="http://www.springframework.org/schema/context"

    xmlns:aop="http://www.springframework.org/schema/aop"

    xmlns:tx="http://www.springframework.org/schema/tx"

    xsi:schemaLocation="http://www.springframework.org/schema/beans

        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

        http://www.springframework.org/schema/context

        http://www.springframework.org/schema/context/spring-context-3.0.xsd

        http://www.springframework.org/schema/aop

        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

        http://www.springframework.org/schema/tx

        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

    <context:annotation-config />

    <!-- 自定義Realm -->

    <bean id="myRealm" class="shiro03.realm.MyRealm"/>

    <!-- 安全管理器 -->

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> 

      <property name="realm" ref="myRealm"/> 

    </bean>

    <!-- 配置任何角色 -->

    <bean id="anyofroles" class="shiro03.realm.AnyOfRolesAuthorizationFilter"/>

    <!-- Shiro過濾器 -->

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 

        <!-- Shiro的核心安全介面,這個屬性是必須的 --> 

        <property name="securityManager" ref="securityManager"/>

        <!-- 身份認證失敗，則跳轉到登錄頁面的配置 --> 

        <property name="loginUrl" value="/index.jsp"/>

        <!-- 許可權認證失敗，則跳轉到指定頁面 --> 

        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <!-- <property name="anyofroles" ref="anyofroles"/> -->

        <!-- Shiro連接約束配置,即過濾鏈的定義 --> 

        <property name="filterChainDefinitions"> 

            <value> 

                 /login=anon

              /admin*=authc

              /student=anyofroles["admin,teacher"]

              /teacher=roles[admin]

            </value> 

        </property>

    </bean>

    <!-- 保證實現了Shiro內部lifecycle函數的bean執行 --> 

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> 

    <!-- 開啟Shiro註解 -->

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> 

        <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> 

      <property name="securityManager" ref="securityManager"/> 

    </bean>

</beans>

自定義Realm類MyRealm.java

public class MyRealm extends AuthorizingRealm{

    @Resource

    private UserService userService;

    /**

     * 為當限前登錄的用戶授予角色和權

     */

    @Override

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

       String userName=(String)principals.getPrimaryPrincipal();

       SimpleAuthorizationInfo authorizationInfo=new SimpleAuthorizationInfo();

       authorizationInfo.setRoles(userService.getRoles(userName));

       authorizationInfo.setStringPermissions(userService.getPermissions(userName));

       return authorizationInfo;

    }

    /**

     * 驗證當前登錄的用戶

     */

    @Override

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

       String userName=(String)token.getPrincipal();

           User user=userService.getByUserName(userName);

           if(user!=null){

              AuthenticationInfo authcInfo=new SimpleAuthenticationInfo(user.getUserName(),user.getPassword(),"xx");

              return authcInfo;

           }else{

              return null;            

           }

    }

}

自定義角色過濾器AnyOfRolesAuthorizationFilter.java

       當一個角色有多個功能模塊頁面的許可權時，會出現許可權失效問題，無法配置，需要自己定義角色過濾器。

public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter{

    @Override

    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)

           throws IOException {

       Subject subject = getSubject(request, response);

        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {

            return true;

        }

        for (String roleName : rolesArray) {

            if (subject.hasRole(roleName)) {

                return true;

            }

        }

       return false;

    }

}