Shiro

本文是针对web应用web.xml:

<filter>  <filter-name>shiroFilter</filter-name>  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  <init-param>    <param-name>targetFilterLifecycle</param-name>    <param-value>true</param-value>  </init-param></filter>                          <filter-mapping><!-- Make sure any request you want accessible to Shiro is filtered. /* catches all --><!-- requests.  Usually this filter mapping is defined first (before all others) to --><!-- ensure that Shiro works in subsequent filters in the filter chain:             -->  <filter-name>shiroFilter</filter-name>  <url-pattern>/*</url-pattern>  <dispatcher>REQUEST</dispatcher>  <dispatcher>FORWARD</dispatcher>  <dispatcher>INCLUDE</dispatcher>  <dispatcher>ERROR</dispatcher></filter-mapping>

参数TargetFilterLifecycle：缺省值为false，即生命周期由Spring app context管理。设置为true时由servlet container管理。

配置applicationContext.xml：

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">    <property name="securityManager" ref="securityManager"/>                                                                                                                                                    <!-- 配置要跳转的URL -->    <property name="loginUrl" value="/login.jsp"/>    <property name="successUrl" value="/main.jsp"/>    <property name="unauthorizedUrl" value="/err404.jsp"/>                                                                                                                                                    <!-- 配置过滤策略 切记这是FIRST MATCH WINS -->    <property name="filterChainDefinitions">        <value>            /download/** = user            /images/** = anon            /admin/** = authc, roles[admin]            /docs/** = authc, perms[document:read]            /** = authc            /logout.html = logout        </value>    </property></bean>                                                                                                                                                <bean id="myRealm" class="king.common.security.MyRealm"></bean><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">    <property name="realm" ref="myRealm" /></bean><bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

另外，DefaultSecurityManager继承RealmSecurityManager。因此，当需要多个realm时可以使用"realms"property。ShiroFilterFactoryBean提供了Filters属性，关于Filters：This property is optional: this {@code FactoryBean} implementation will discover all beans in the web application context that implement the {@link Filter} interface and automatically add them to this filter map under their bean name.

如果需要的话可以配置一下，如：

<property name="filters">    <util:map>        <entry key="myAlias1" value-ref="myFilter1"/>    </util:map></property>

filterChainDefinitions这一property的set方法是这样定义的：

public void setFilterChainDefinitions(String definitions) {    Ini ini = new Ini();    ini.load(definitions);    //did they explicitly state a 'urls' section?  Not necessary, but just in case:    Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS);    if (CollectionUtils.isEmpty(section)) {        //no urls section.  Since this _is_ a urls chain definition property, just assume the        //default section contains only the definitions:        section = ini.getSection(Ini.DEFAULT_SECTION_NAME);    }    setFilterChainDefinitionMap(section);}

于是我们便可以使用filterChainDefinitionMap这一property。我们可以写一个继承FactoryBean<Section>的类动态构成一个filterChainDefinitionMap。(Ps:Section是实现Map<String,String>的Ini的静态内部类。)

另外，如果希望使用注解：

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>                                                                                                <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">    <property name="securityManager" ref="securityManager"/></bean>