配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Apache Shiro wiring: realm, cookies, rememberMe, caches, sessions,
         security manager, password hashing, login retry limit and the web filter. -->

    <!-- Realm. The credentials matcher bean is passed as constructor argument 0 ("matcher"). -->
    <bean id="userRealm" class="ch.entity.user.UserRealm">
        <constructor-arg index="0" name="matcher" ref="credentialsMatcher"/>
        <!-- Turn caching on. -->
        <property name="cachingEnabled" value="true"/>
        <!-- Cache AuthenticationInfo as well (off by default). -->
        <!-- NOTE(review): confirm UserRealm evicts the cached AuthenticationInfo when a password
             changes or an account is disabled; otherwise the old credentials stay usable until
             the cache entry expires. -->
        <property name="authenticationCachingEnabled" value="true"/>
        <!-- Cache AuthorizationInfo. -->
        <property name="authorizationCachingEnabled" value="true"/>
        <!-- Name of the cache that holds AuthenticationInfo. -->
        <property name="authenticationCacheName" value="authenticationCache"/>
        <!-- Name of the cache that holds AuthorizationInfo. -->
        <property name="authorizationCacheName" value="authorizationCache"/>
    </bean>

    <!-- Cookies -->

    <!-- Session id generation strategy (UUID based). -->
    <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>

    <!-- rememberMe cookie: HttpOnly, lifetime 7 days expressed in seconds. -->
    <!-- NOTE(review): the "secure" property is not set on this cookie in this file. If the site is
         served over HTTPS only, set it to true so the cookie is never sent over plain HTTP. -->
    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="rememberMe"/>
        <property name="httpOnly" value="true"/>
        <property name="maxAge" value="#{7 * 24 * 60 * 60}"/>
    </bean>

    <!-- Session cookie settings. -->
    <!-- NOTE(review): same remark as for rememberMeCookie: "secure" is not set here. -->
    <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <!-- Cookie name. -->
        <constructor-arg value="sessionIdCookie"/>
        <property name="httpOnly" value="true"/>
        <!-- 30 minutes, in seconds. -->
        <property name="maxAge" value="1800"/>
    </bean>

    <!-- rememberMe manager. cipherKey is the key that encrypts the rememberMe cookie; the original
         author refers to {@code Base64Test.java} for how it was generated. -->
    <!-- NOTE(review): the key is a Base64 literal embedded in this file, and this file is published,
         so the value must be treated as compromised. Whoever knows the key can decrypt and forge
         rememberMe cookies, and Shiro deserializes the decrypted cookie payload on the server, so a
         known key is a critical exposure and not only an identity spoofing issue. Generate a random
         key per deployment, load it from secret configuration instead of source control, rotate it,
         and never reuse the value below. -->
    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
        <property name="cipherKey"
                  value="#{T(org.apache.shiro.codec.Base64).decode('5aaC5qKm5oqA5pyvAAAAAA==')}"/>
        <property name="cookie" ref="rememberMeCookie"/>
    </bean>

    <!-- Custom cache manager; plug in the Redis or the Ehcache cache manager as required. -->
    <!-- Cache for user authorization data, backed by spring-cache; see spring-shirocache.xml.
         The "cacheManager" bean referenced here is not defined in this file. -->
    <bean id="shiroSpringCacheManager" class="ch.cache.shirocache.ShiroSpringCacheManager">
        <property name="cacheManager" ref="cacheManager" />
    </bean>

    <!-- Session manager. -->
    <bean id="sessionManager" class="ch.cache.session.SessionManager">
        <!-- Global session timeout: half an hour. -->
        <property name="globalSessionTimeout" value="#{30 * 60 * 1000}"/>
        <!-- Presumably milliseconds, as in Shiro's own session managers (confirm against
             ch.cache.session.SessionManager). -->
        <property name="sessionValidationInterval" value="120000"/>
        <property name="sessionValidationSchedulerEnabled" value="true"/>
        <property name="sessionIdCookieEnabled" value="true"/>
        <property name="sessionIdCookie" ref="sessionIdCookie"/>
        <property name="sessionDAO" ref="sessionDAO"/>
        <!-- <property name="sessionIdCookie.name" value="TRM_JSESSIONID"/> -->
    </bean>

    <!-- Session DAO: create, read, update and delete of sessions. -->
    <bean id="sessionDAO" class="ch.cache.session.CacheSessionDAO">
        <!-- Name of the session cache; the default is shiro-activeSessionCache. -->
        <property name="activeSessionsCacheName" value="activeSessionCache"/>
        <property name="cacheManager" ref="shiroSpringCacheManager"/>
    </bean>

    <!-- Security manager. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- Custom realm. -->
        <property name="realm" ref="userRealm"/>
        <!-- Hand the cache manager to the security manager. -->
        <property name="cacheManager" ref="shiroSpringCacheManager"/>
        <!-- Session management. -->
        <property name="sessionManager" ref="sessionManager"/>
        <!-- rememberMe management. -->
        <property name="rememberMeManager" ref="rememberMeManager"/>
    </bean>

    <!-- Calls the static method SecurityUtils.setSecurityManager with the securityManager bean. -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>
    </bean>

    <!-- Password hashing settings for Shiro. -->
    <!-- NOTE(review): one round of MD5 is far too fast for password storage; a leaked credential
         table can be brute-forced offline very cheaply. Whether a per-user salt is applied depends
         on ch.cache.PasswordHash, which is not shown. Plan a migration to a slow, salted password
         hash (for example bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor) and rehash on
         the next successful login; changing the two values below in place would invalidate every
         stored hash. -->
    <bean id="passwordHash" class="ch.cache.PasswordHash">
        <!-- One round of MD5; change here to strengthen the hash. -->
        <property name="algorithmName" value="md5"/>
        <property name="hashIterations" value="1"/>
    </bean>

    <!-- Locks the account for half an hour after 5 wrong passwords (per the original author; the
         limit itself lives in RetryLimitCredentialsMatcher, which is not shown). -->
    <bean id="credentialsMatcher" class="ch.cache.RetryLimitCredentialsMatcher">
        <constructor-arg ref="shiroSpringCacheManager"/>
        <!-- <property name="cacheManager" ref="shiroSpringCacheManager"/> -->
        <property name="retryLimitCacheName" value="halfHour"/>
        <property name="passwordHash" ref="passwordHash"/>
    </bean>

    <!-- Shiro filter. -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- Security manager. -->
        <property name="securityManager" ref="securityManager"/>
        <!-- Default login URL. -->
        <property name="loginUrl" value="/views/admin/centre/login.jsp"/>
        <!-- URL to go to after a successful login. -->
        <property name="successUrl" value="/views/admin/centre/main.jsp"/>
        <!-- URL to go to when permission is denied. -->
        <property name="unauthorizedUrl" value="/"/>
        <!-- NOTE(review): Shiro applies the first pattern that matches a request. "/** = anon" is
             listed first, so every URL is anonymous at the filter level, the second rule is
             redundant, and the "user" filter registered under "filters" is not referenced by any
             chain in this file. Access control then rests entirely on the annotation checks enabled
             at the end of this file. Confirm that is intended; otherwise list the public paths
             explicitly and finish with a catch-all rule that requires a login. -->
        <property name="filterChainDefinitions">
            <value>
                <!-- anon: no authentication required; authc: authentication required;
                     user: authenticated or remembered through RememberMe -->
                /** = anon
                /views/decorator/** = anon
            </value>
        </property>
        <property name="filters">
            <map>
                <entry key="user" value-ref="ajaxSessionFilter" />
            </map>
        </property>
    </bean>

    <!-- Handles session timeout for ajax requests. -->
    <bean id="ajaxSessionFilter" class="ch.cache.ShiroAjaxSessionFilter"/>

    <!-- Makes sure beans implementing Shiro's internal lifecycle functions get them executed. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Enables interception of Shiro authorization annotations on controllers. -->
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- AOP based permission checks at method level. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true"/>
    </bean>

</beans>