
shiro 认证 配置单个realm和多个realm时的写法

2017-08-30 21:50 411 查看
认证:

配置单个realm时,不涉及modularRealmAuthenticator, 因此,也就不涉及认证策略

注意:applicationContext.xml配置中的MyRealm和SecondRealm是我定义的两个Realm


配置单个realm时.

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- ===== Shiro core components (not Spring specific) ===== -->

    <!-- Single-realm setup: the one realm is injected through the 'realm' property,
         so no authenticator bean and no authentication strategy are declared.
         With several realms the 'realms' property is used instead. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionMode" value="native"/>
        <property name="realm" ref="realm"/>
    </bean>

    <!-- EhCache-backed cache manager, configured from ehcache.xml on the classpath. -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>

    <!-- Credential check for MyRealm: MD5, 1024 iterations.
         NOTE(review): MD5, even iterated, is a fast hash and is not adequate for storing
         passwords. Whether a per-user salt is applied depends on MyRealm, which is not
         shown here. New deployments should use a slow, salted password hash; switching
         the algorithm means re-hashing the stored credentials. -->
    <bean id="realm" class="com.qx.realm.MyRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- ===== Shiro / Spring integration ===== -->

    <!-- Calls init() and destroy() on Spring-managed Shiro objects, so the individual
         bean definitions need no init-method / destroy-method attributes. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Shiro annotation support for Spring beans; must run after lifecycleBeanPostProcessor. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Associates Spring Remoting invocations with a Subject so security checks apply to them. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/success.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <property name="filterChainDefinitions">
            <!-- anon: open to everyone; authc: login required; roles[x]: the named role is required.
                 Shiro applies the first pattern that matches, so the catch-all rule stays last.
                 The rule lines are text content and are kept flush left, unchanged. -->
            <value>
/login.jsp = anon
/user/login.action = anon
/success.jsp = authc
/index.jsp = anon
/logout=logout

/list.jsp=roles[user]
/admin.jsp=roles[admin]
# everything else requires authentication:
/** = authc
</value>
        </property>
    </bean>

</beans>


配置多个realm时:--配置多个realm时,就涉及到modularRealmAuthenticator, 因此,也就涉及到配置何种认证策略

applicationContext.xml写法1:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- ===== Shiro core components (not Spring specific) ===== -->

    <!-- Multi-realm setup: the realms are listed on securityManager through 'realms'
         and a ModularRealmAuthenticator is plugged in through 'authenticator'.
         NOTE(review): 'authenticator' is declared before 'realms'. Shiro appears to pass
         the realm list on to the current authenticator at the moment 'realms' is set, so
         this order should be kept; verify against the Shiro version in use. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionMode" value="native"/>
        <property name="authenticator" ref="modularRealmAuthenticator"/>
        <property name="realms">
            <!-- The realms configured here are ultimately handed to
                 org.apache.shiro.authc.pam.ModularRealmAuthenticator (multi-realm case). -->
            <list>
                <ref bean="realm"/>
                <ref bean="secondRealm"/>
            </list>
        </property>
    </bean>

    <!-- Decides how a login is judged when several realms exist. The bean carries an id
         because securityManager refers to it from its 'authenticator' property. -->
    <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
        <property name="authenticationStrategy">
            <!-- AllSuccessfulStrategy: every configured realm has to accept the submitted
                 credentials, so both realms must hold a matching account. -->
            <bean class="org.apache.shiro.authc.pam.AllSuccessfulStrategy"/>
        </property>
    </bean>

    <!-- EhCache-backed cache manager, configured from ehcache.xml on the classpath. -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>

    <!-- Credential check for MyRealm: MD5, 1024 iterations.
         NOTE(review): MD5 is a fast hash and is not adequate for storing passwords, even
         iterated; salting depends on MyRealm, which is not shown here. -->
    <bean id="realm" class="com.qx.realm.MyRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- Credential check for SecondRealm: SHA1, 1024 iterations.
         NOTE(review): the same caveat applies to SHA1; prefer a slow, salted password
         hash for new deployments. -->
    <bean id="secondRealm" class="com.qx.realm.SecondRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="SHA1"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- ===== Shiro / Spring integration ===== -->

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Shiro annotation support for Spring beans; must run after lifecycleBeanPostProcessor. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Associates Spring Remoting invocations with a Subject so security checks apply to them. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/success.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <property name="filterChainDefinitions">
            <!-- anon: open to everyone; authc: login required; roles[x]: the named role is required.
                 Shiro applies the first pattern that matches, so the catch-all rule stays last.
                 The rule lines are text content and are kept flush left, unchanged. -->
            <value>
/login.jsp = anon
/user/login.action = anon
/success.jsp = authc
/index.jsp = anon
/logout=logout

/list.jsp=roles[user]
/admin.jsp=roles[admin]
# everything else requires authentication:
/** = authc
</value>
        </property>
    </bean>

</beans>


applicationContext.xml写法2:---严重不推荐,会出现各种问题,提示realm没有配置(此写法只把realms配置在modularRealmAuthenticator上,securityManager本身没有realm,进行roles[...]等授权检查时就会报错)

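<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- ===== Shiro core components (not Spring specific) ===== -->

    <!-- In this variant securityManager receives only the authenticator; no realm is set
         on securityManager itself.
         NOTE(review): the page reports "realm not configured" errors with this layout.
         Presumably authorization checks such as roles[user] are resolved through
         securityManager, which has no realms here; confirm before using this variant. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionMode" value="native"/>
        <property name="authenticator" ref="modularRealmAuthenticator"/>
    </bean>

    <!-- Decides how a login is judged when several realms exist. The bean carries an id
         because securityManager refers to it from its 'authenticator' property. -->
    <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
        <property name="authenticationStrategy">
            <!-- AtLeastOneSuccessfulStrategy: a login succeeds as soon as any one realm
                 accepts the credentials, so the overall strength is that of the weakest realm. -->
            <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"/>
        </property>

        <!-- These realms could be configured on securityManager instead. -->
        <property name="realms">
            <list>
                <ref bean="realm"/>
                <ref bean="secondRealm"/>
            </list>
        </property>
    </bean>

    <!-- EhCache-backed cache manager, configured from ehcache.xml on the classpath. -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>

    <!-- Credential check for MyRealm: MD5, 1024 iterations.
         NOTE(review): MD5 is a fast hash and is not adequate for storing passwords, even
         iterated; salting depends on MyRealm, which is not shown here. -->
    <bean id="realm" class="com.qx.realm.MyRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- Credential check for SecondRealm: SHA1, 1024 iterations.
         NOTE(review): the same caveat applies to SHA1; prefer a slow, salted password
         hash for new deployments. -->
    <bean id="secondRealm" class="com.qx.realm.SecondRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="SHA1"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- ===== Shiro / Spring integration ===== -->

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Shiro annotation support for Spring beans; must run after lifecycleBeanPostProcessor. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Associates Spring Remoting invocations with a Subject so security checks apply to them. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- The id of this bean must equal the filter-name of the shiroFilter declared in
         web.xml; otherwise an error is raised. -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/success.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <property name="filterChainDefinitions">
            <!-- anon: open to everyone; authc: login required; roles[x]: the named role is required.
                 Shiro applies the first pattern that matches, so the catch-all rule stays last.
                 The rule lines are text content and are kept flush left, unchanged. -->
            <value>
/login.jsp = anon
/user/login.action = anon
/success.jsp = authc
/index.jsp = anon
/logout=logout

/list.jsp=roles[user]
/admin.jsp=roles[admin]
# everything else requires authentication:
/** = authc
</value>
        </property>
    </bean>
</beans>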

applicationContext.xml写法3:

---需要在shiroFilter中注入filterChainDefinitionMap,因此,需要自己定义一个RolesMapFactory:访问哪个url需要什么权限在RolesMapFactory中定义,放在一个LinkedHashMap中(保持规则的先后顺序),并定义一个方法(本例中为initRoleMap)返回该map.


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

    <!-- ===== Shiro core components (not Spring specific) ===== -->

    <!-- Multi-realm setup: the single 'realm' property is not used; the realms are listed
         on securityManager through 'realms' and a ModularRealmAuthenticator is plugged in
         through 'authenticator'.
         NOTE(review): 'authenticator' is declared before 'realms'. Shiro appears to pass
         the realm list on to the current authenticator at the moment 'realms' is set, so
         this order should be kept; verify against the Shiro version in use. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionMode" value="native"/>
        <property name="authenticator" ref="modularRealmAuthenticator"/>
        <property name="realms">
            <list>
                <ref bean="realm"/>
                <ref bean="secondRealm"/>
            </list>
        </property>
    </bean>

    <!-- Decides how a login is judged when several realms exist. The realm list is not
         repeated here because it is already configured on securityManager. -->
    <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
        <property name="authenticationStrategy">
            <!-- AtLeastOneSuccessfulStrategy: a login succeeds as soon as any one realm
                 accepts the credentials, so the overall strength is that of the weakest realm. -->
            <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"/>
        </property>
    </bean>

    <!-- EhCache-backed cache manager. 'cacheManagerConfigFile' selects a specific Ehcache
         configuration; without it a default configuration is used. An existing
         net.sf.ehcache.CacheManager instance could be injected through a 'cacheManager'
         property instead. -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>

    <!-- Credential check for MyRealm: MD5, 1024 iterations.
         NOTE(review): MD5 is a fast hash and is not adequate for storing passwords, even
         iterated; salting depends on MyRealm, which is not shown here. -->
    <bean id="realm" class="com.qx.realm.MyRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- Credential check for SecondRealm: SHA1, 1024 iterations.
         NOTE(review): the same caveat applies to SHA1; prefer a slow, salted password
         hash for new deployments. -->
    <bean id="secondRealm" class="com.qx.realm.SecondRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="SHA1"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <!-- ===== Shiro / Spring integration ===== -->

    <!-- Calls init() and destroy() on Spring-managed Shiro objects, so the individual
         bean definitions need no init-method / destroy-method attributes. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Shiro annotation support for Spring beans; must run after lifecycleBeanPostProcessor. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Associates Spring Remoting invocations with a Subject so security checks apply to them. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/success.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <!-- The URL rules are injected as a map built by the factory bean below, replacing
             an inline 'filterChainDefinitions' value. Rule order still decides which filter
             applies (first match wins), so the factory has to return an insertion-ordered
             map with the catch-all rule last. -->
        <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"/>
    </bean>

    <!-- filterChainDefinitionMap is whatever rolesMapFactory.initRoleMap() returns. -->
    <bean id="rolesMapFactory" class="com.qx.shiro.controller.RolesMapFactory"/>
    <bean id="filterChainDefinitionMap" factory-bean="rolesMapFactory" factory-method="initRoleMap"/>

</beans>


所需要的RolesMapFactory:

package com.qx.shiro.controller;

import java.util.HashMap;
import java.util.LinkedHashMap;

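public class RolesMapFactory {

    /**
     * Builds the URL-pattern to Shiro-filter rules that are injected into shiroFilter as
     * its filterChainDefinitionMap. The rules are hard-coded here; in a real project they
     * would be loaded from a database.
     *
     * The rules are stored in a LinkedHashMap so that they keep their insertion order:
     * the specific patterns come first and the catch-all "authc" rule is added last.
     *
     * @return the ordered rule map (a LinkedHashMap, exposed through the declared HashMap type)
     */
    public HashMap<String, String> initRoleMap() {
        LinkedHashMap<String, String> chains = new LinkedHashMap<>();

        // Pages reachable without logging in.
        chains.put("/login.jsp", "anon");
        chains.put("/user/login.action", "anon");
        chains.put("/success.jsp", "authc");
        // The key must be exactly "/index.jsp"; a key containing a space never matches
        // the request path, and the page would fall through to the catch-all rule.
        chains.put("/index.jsp", "anon");
        chains.put("/logout", "logout");

        // Role-protected pages.
        chains.put("/list.jsp", "roles[user]");
        chains.put("/admin.jsp", "roles[admin]");

        // Everything else requires authentication; keep this entry last.
        chains.put("/**", "authc");
        return chains;
    }
}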


无论是上述哪种配置,web.xml中都需要配置shiroFilter,且要注意filter-name必须和spring中对应的org.apache.shiro.spring.web.ShiroFilterFactoryBean的id一致

web.xml:中这样配置shiroFilter:

<!-- DelegatingFilterProxy hands each request to the Spring bean whose id equals
     filter-name, so "shiroFilter" here must match the id of the ShiroFilterFactoryBean. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- Forward the servlet container's init/destroy lifecycle calls to the target bean. -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Every request goes through the Shiro filter; which URLs are open is decided by the
     filter chain rules, not by this mapping. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>