
第2.1.7章 WEB系统最佳实践Spring文件配置之spring-shiro.xml

2016-10-24 19:31 771 查看
spring-shiro.xml 的权限控制涉及 ehcache 缓存的整合、用户凭证的生成、会话验证、权限过滤、验证码过滤等配置。

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
" default-lazy-init="false">
<description>Shiro安全配置</description>

<!-- Cache manager handed to the Shiro security manager. It wraps the
     "springCacheManager" bean, which is defined outside this file. -->
<bean id="cacheManager"
      class="com.dzmsoft.framework.base.common.cache.SpringCacheManagerWrapper">
    <property name="cacheManager" ref="springCacheManager"/>
</bean>

<!-- Credentials matcher (project class).
     The constructor receives, in order, the cache manager, a cache name and the
     integer 5; presumably the cache that counts failed logins and the number of
     attempts allowed before lockout. Confirm against
     RetryLimitHashedCredentialsMatcher.
     hashAlgorithmName and hashIterations are resolved from external properties that
     are not part of this file. Review their values: a single pass of a fast digest
     such as MD5 or SHA-1 gives little protection to a leaked credential store, so
     prefer a strong algorithm and a high iteration count. A per-user salt, if any,
     has to be supplied by the realm; nothing in this bean configures one. -->
<bean id="credentialsMatcher"
      class="com.dzmsoft.framework.base.web.shiro.RetryLimitHashedCredentialsMatcher">
    <constructor-arg ref="cacheManager"/>
    <constructor-arg type="java.lang.String" value="passwordRetryEhcache"/>
    <constructor-arg type="java.lang.Integer" value="5"/>
    <property name="hashAlgorithmName" value="${hashAlgorithmName}"/>
    <!-- stored hashes are compared in hexadecimal form -->
    <property name="storedCredentialsHexEncoded" value="true"/>
    <property name="hashIterations" value="${hashIterations}"/>
</bean>

<!-- Realm implementation (project class UserRealm), with authentication and
     authorization caching switched on.
     NOTE(review): with authenticationCachingEnabled=true the looked-up account data,
     including the stored credential hash, is kept in "authenticationCache". Check
     that the application evicts the entry when a password is changed or an account
     is disabled; otherwise the old state keeps being honoured until the cache entry
     expires. The same applies to "authorizationCache" when roles or permissions
     change. -->
<bean id="userRealm" class="com.dzmsoft.ucs.base.shiro.UserRealm">
    <property name="credentialsMatcher" ref="credentialsMatcher"/>
    <property name="cachingEnabled" value="true"/>

    <property name="authenticationCachingEnabled" value="true"/>
    <property name="authenticationCacheName" value="authenticationCache"/>

    <property name="authorizationCachingEnabled" value="true"/>
    <property name="authorizationCacheName" value="authorizationCache"/>
</bean>

<!-- Session ID generator: Shiro's UUID-based implementation. -->
<bean id="sessionIdGenerator"
      class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>

<!-- Session cookie template: cookie name "sid", hidden from page scripts (httpOnly).
     NOTE(review): the "secure" property is not set, so the browser also sends this
     cookie over plain HTTP. Enable it when the site is served over HTTPS. -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <constructor-arg value="sid"/>
    <property name="httpOnly" value="true"/>
    <!-- maxAge=-1: the cookie is discarded when the browser is closed -->
    <property name="maxAge" value="-1"/>
</bean>

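<!-- rememberMe cookie template: cookie name "rememberMe", hidden from page scripts
     (httpOnly), kept by the browser for 30 days.
     NOTE(review): the "secure" property is not set; for a cookie that lives this
     long, enable it when the site is served over HTTPS so that it is never sent
     over plain HTTP. -->
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <constructor-arg value="rememberMe"/>
    <property name="httpOnly" value="true"/>
    <!-- 2592000 seconds = 30 days -->
    <property name="maxAge" value="2592000"/>
</bean>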

<!-- rememberMe manager.
     cipherKey is the key that encrypts the rememberMe cookie (AES by default; valid
     AES key sizes are 128, 192 and 256 bits). The cookie carries serialized identity
     data that Shiro decrypts and deserializes whenever a request presents it, so the
     key has to be secret and different for every project.
     NOTE(review): the key below is a literal stored with the configuration and
     published on this page. Do not reuse it: generate a random key for each
     deployment and load it from configuration kept outside source control. -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
    <property name="cipherKey"
              value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/>
    <property name="cookie" ref="rememberMeCookie"/>
</bean>

<!-- Session DAO: sessions are kept in the cache named "shiro-activeSessionCache"
     and receive their IDs from the sessionIdGenerator bean. -->
<bean id="sessionDAO"
      class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
    <property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
    <property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>

<!-- Session validation scheduler (project class built on Quartz 2, going by its name).
     The interval is presumably in milliseconds, i.e. 30 minutes; confirm against
     Quartz2SessionValidationScheduler. -->
<bean id="sessionValidationScheduler"
      class="com.dzmsoft.framework.base.web.shiro.Quartz2SessionValidationScheduler">
    <property name="sessionValidationInterval" value="1800000"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>

<!-- Session manager: Shiro-managed web sessions identified by the "sid" cookie. -->
<bean id="sessionManager"
      class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <!-- idle timeout in milliseconds: 1800000 ms = 30 minutes -->
    <property name="globalSessionTimeout" value="1800000"/>
    <!-- expired or stopped sessions are removed from the session DAO -->
    <property name="deleteInvalidSessions" value="true"/>

    <property name="sessionValidationSchedulerEnabled" value="true"/>
    <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>

    <property name="sessionDAO" ref="sessionDAO"/>

    <property name="sessionIdCookieEnabled" value="true"/>
    <property name="sessionIdCookie" ref="sessionIdCookie"/>
</bean>

<!-- Security manager: ties together the realm, the session manager and the cache
     manager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="userRealm"/>
    <property name="sessionManager" ref="sessionManager"/>
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Disabled: the rememberMeManager bean of this file is not attached here.
         NOTE(review): leaving the property unset does not by itself switch rememberMe
         off. Check which rememberMe manager, and which key, the Shiro version in use
         installs by default. -->
    <!-- <property name="rememberMeManager" ref="rememberMeManager"/> -->
    <!-- Author's note: when sessionMode is set to native, Shiro keeps the user's basic
         authentication information in the cache whose default name is
         shiro-activeSessionCache. -->
    <!--<property name="sessionMode" value="native" />-->
</bean>

<!-- Equivalent to calling SecurityUtils.setSecurityManager(securityManager): the
     manager is registered as the static, VM-wide instance.
     NOTE(review): in a web application the Shiro filter already binds the security
     manager to each request, so this static registration is normally unnecessary.
     Confirm that code running outside request threads really needs it. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod"
              value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments" ref="securityManager"/>
</bean>

<!-- Form-based authentication filter (project class AuthcFilter).
     The properties name the request parameters read from the login form and the
     request attribute under which a login failure is reported. -->
<bean id="authcFilter" class="com.dzmsoft.framework.base.web.shiro.AuthcFilter">
    <!-- login form fields -->
    <property name="usernameParam" value="username"/>
    <property name="passwordParam" value="password"/>
    <property name="rememberMeParam" value="rememberMe"/>
    <!-- request attribute that carries the failure information -->
    <property name="failureKeyAttribute" value="shiroLoginFailure"/>
</bean>

<!-- Captcha filter (project class); it is referenced as "captchaFilter" in the filter
     chain of the shiroFilter bean. -->
<bean id="myCaptchaFilter"
      class="com.dzmsoft.framework.base.web.filter.FormAuthenticationCaptchaFilter"/>
<!-- Shiro web filter. loginUrl is where unauthenticated requests are sent,
     successUrl is the default target after a successful login. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl" value="/index" />
<!-- Named filters that the chain definitions below can refer to. -->
<property name="filters">
<util:map>
<entry key="authc" value-ref="authcFilter"/>
<entry key="captchaFilter" value-ref="myCaptchaFilter"/>
</util:map>
</property>
<!-- One "URL pattern = filter chain" rule per line. Shiro applies the first pattern
     that matches, so the order of the lines matters and the catch-all
     "/** = authc" has to stay last.
     NOTE(review): "anon" means Shiro performs no authentication for that path.
     Besides static resources this covers /ueditor/**, /upload/**, /rest/** and
     /hessian/**. /hessian/** presumably exposes Hessian remoting services, which
     read serialized objects from the request body, and /upload/** presumably
     handles or serves uploaded files. Confirm that each of these paths
     authenticates its callers by other means or is restricted at the network
     level; otherwise narrow the patterns or replace "anon" with "authc". -->
<property name="filterChainDefinitions">
<value>
/resources/** = anon
/ueditor/** = anon
/upload/** = anon
/login = captchaFilter,authc
/rest/**=anon
/hessian/**=anon
/logout = logout
/** = authc
</value>
</property>
</bean>

<!-- Makes sure the lifecycle callbacks of beans that implement Shiro's internal
     lifecycle interfaces are executed. -->
<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

</beans>
标签:  shiro