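<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="
...op-4.1.xsd" default-lazy-init="true">
    <!-- Spring MVC context: controller scanning, view resolution, JSON conversion and
         multipart (upload) handling. The Shiro annotation wiring is pulled in at the end
         via spring-mvc-shiro.xml. -->
    <context:component-scan base-package="org.supda.system.controller" />

    <!-- View name resolution: a returned view name is wrapped with the prefix and suffix
         ("index" becomes /index.jsp) and rendered through JstlView. -->
    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <mvc:annotation-driven>
        <!-- JSON converter for @ResponseBody; java.util.Date values are written as
             "yyyy-MM-dd HH:mm:ss" through the project's HibernateAwareObjectMapper. -->
        <mvc:message-converters>
            <bean id="mappingJackson2HttpMessageConverter"
                class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
                <property name="objectMapper">
                    <bean class="org.supda.system.util.HibernateAwareObjectMapper">
                        <property name="dateFormat">
                            <bean class="java.text.SimpleDateFormat">
                                <constructor-arg type="java.lang.String" value="yyyy-MM-dd HH:mm:ss" />
                            </bean>
                        </property>
                    </bean>
                </property>
                <!-- NOTE(review): text/html is listed here, so a JSON body can be sent with an
                     HTML content type. A browser renders such a response as HTML, which turns any
                     user-controlled string echoed into the JSON into markup (reflected XSS).
                     Keep text/html only if a client really depends on it, and make sure those
                     responses never echo untrusted input; text/json is not a registered type. -->
                <property name="supportedMediaTypes">
                    <list>
                        <value>text/html;charset=UTF-8</value>
                        <value>text/json;charset=UTF-8</value>
                        <value>application/json;charset=UTF-8</value>
                    </list>
                </property>
            </bean>
        </mvc:message-converters>
    </mvc:annotation-driven>

    <!-- File upload support. Optional: if nothing uploads files, this bean and the
         commons-fileupload dependency can be removed. -->
    <bean id="multipartResolver"
        class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <!-- Encoding applied to form fields and file names -->
        <property name="defaultEncoding" value="utf-8" />
        <!-- Upper bound on the whole multipart request, in bytes: 10 MiB.
             The previous value 10485760000 (about 9.8 GiB) looks like a typo for 10485760 and
             would let a single request fill the upload temp directory; raise this deliberately
             if larger uploads are really required. -->
        <property name="maxUploadSize" value="10485760" />
        <!-- Size in bytes up to which an uploaded part is kept in memory before being
             spooled to disk -->
        <property name="maxInMemorySize" value="40960" />
    </bean>

    <import resource="spring-mvc-shiro.xml"/>
</beans>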
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://
... sd">
<!-- Shiro annotation support for the MVC context (presumably the spring-mvc-shiro.xml
     imported by the MVC config). It references securityManager and lifecycleBeanPostProcessor,
     which must be defined in the same application context (they live in the Shiro core config). -->
<!-- Maps an UnauthorizedException escaping a controller to the /denied.jsp view.
     NOTE(review): only UnauthorizedException is mapped. UnauthenticatedException, raised when an
     annotated method is reached by a subject that is not logged in, is not, so it falls through
     to default error handling; consider mapping it to the login page. -->
<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="exceptionMappings">
<props>
<prop key="org.apache.shiro.authz.UnauthorizedException">/denied.jsp</prop>
</props>
</property>
</bean>
<!-- Builds AOP proxies for every bean matched by an Advisor in this context (the advisor below).
     depends-on makes sure Shiro's LifecycleBeanPostProcessor is registered before proxies exist. -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<!-- Class-based (CGLIB) proxies, so controllers that implement no interface are intercepted too. -->
<aop:config proxy-target-class="true"></aop:config>
<!-- The advisor that makes Shiro's authorization annotations (@RequiresAuthentication,
     @RequiresRoles, @RequiresPermissions, ...) effective; checks are delegated to securityManager. -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="htt...d" default-lazy-init="true">
<!-- Shiro core wiring: credentials matching, realm, session management, caching and the
     servlet filter chain.
     NOTE(review): default-lazy-init="true" applies to every bean in this file. The anonymous
     MethodInvokingFactoryBean below is referenced by nothing, so under lazy initialisation it
     may never be instantiated and SecurityUtils.setSecurityManager never called. Confirm, or
     give that bean lazy-init="false". -->
<!-- Password check used by myRealm: the stored credential is the hex-encoded MD5 of
     password + salt, iterated twice, where salt = accountName + credentialsSalt (see MyRealm).
     The cacheManager constructor argument is presumably used for login retry counting
     (the class name suggests so; the class is project code).
     NOTE(review): MD5 with two iterations is a fast hash, so leaked hashes are cheap to
     brute-force. Changing hashAlgorithmName or hashIterations here alone would invalidate every
     stored hash, so moving to a slow KDF needs a re-hash-on-next-login migration. -->
<bean id="credentialsMatcher" class="org.supda.system.shiro.credentials.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager" />
<property name="hashAlgorithmName" value="md5" />
<property name="hashIterations" value="2" />
<property name="storedCredentialsHexEncoded" value="true" />
</bean>
<!-- Central SecurityManager: a single realm plus the session and cache managers defined below. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm" />
<property name="sessionManager" ref="sessionManager"/>
<property name="cacheManager" ref="cacheManager" />
</bean>
<!-- Publishes securityManager to the static SecurityUtils holder (see the lazy-init note above). -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
<!-- Custom realm: authenticates against the user table and loads roles and permissions.
     cachingEnabled=false means authorization data is reloaded from the database on every
     role/permission check; the commented properties show how to turn Shiro's caches on. -->
<bean id="myRealm" class="org.supda.system.shiro.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher" />
<property name="cachingEnabled" value="false" />
<!--<property name="authenticationCachingEnabled" value="true"/>-->
<!--<property name="authenticationCacheName" value="authenticationCache"/>-->
<!--<property name="authorizationCachingEnabled" value="true"/>-->
<!--<property name="authorizationCacheName" value="authorizationCache"/>-->
</bean>
<!-- Concurrent-login limiter (project filter): at most maxSession sessions per user; with
     kickoutAfter=false the earlier session is presumably the one kicked out (verify in the
     filter), and the kicked user is redirected to kickoutUrl. It is registered in shiroFilter
     under the key "kickout" but only acts on chains that list it, and the chain built by
     ChainDefinitionSectionMetaSource currently does not. -->
<bean id="kickoutSessionControlFilter" class="org.supda.system.shiro.filter.KickoutSessionControlFilter">
<property name="cacheManager" ref="cacheManager"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="kickoutAfter" value="false"/>
<property name="maxSession" value="1"/>
<property name="kickoutUrl" value="/login.shtml"/>
</bean>
<!-- Shiro filter factory; the id "shiroFilter" must match the filter name configured in web.xml.
     The chain map comes from chainDefinitionSectionMetaSource: the anon entries below, then one
     perms[...] entry per database resource, then "/** = authc" as the last entry. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login.shtml" />
<property name="successUrl" value="/index.shtml" />
<property name="unauthorizedUrl" value="/denied.jsp" />
<!-- Custom permission configuration (URL pattern to filter chain), built at startup -->
<property name="filterChainDefinitionMap" ref="chainDefinitionSectionMetaSource" />
<!-- Custom filters that chain definitions may reference by key -->
<property name="filters">
<util:map>
<entry key="sysUser" value-ref="sysUserFilter"/>
<entry key="kickout" value-ref="kickoutSessionControlFilter"/>
</util:map>
</property>
</bean>
<bean id="sysUserFilter" class="org.supda.system.shiro.filter.SysUserFilter"/>
<!-- Custom filterChainDefinitionMap. The text below lists URLs reachable without login; Shiro
     matches patterns in definition order, so these win over the database entries appended later.
     NOTE(review): /userList.shtml is anonymous here; confirm a user listing is meant to be public.
     Whitespace inside the value element is part of the data, keep one "pattern = filters" per line. -->
<bean id="chainDefinitionSectionMetaSource" class="org.supda.system.shiro.ChainDefinitionSectionMetaSource">
<property name="filterChainDefinitions">
<value>
/static/** = anon
/denied.jsp = anon
/home.shtml = anon
/userList.shtml = anon
/login.shtml = anon
/anon/** = anon
</value>
</property>
</bean>
<!-- Session ids are random UUIDs -->
<bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
<!-- Session DAO: sessions are stored in the "shiro-activeSessionCache" cache of cacheManager
     (that cache is expected to be declared in ehcache.xml). -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
<property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
<property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- Session validation scheduler -->
<!-- Sweeps all sessions for expired ones every 30 minutes (value in milliseconds) -->
<bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
<property name="sessionValidationInterval" value="1800000"/>
<property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- Session manager -->
<!-- Global idle timeout of 30 minutes (milliseconds); sessionValidationSchedulerEnabled turns the
     sweep above on, and invalid sessions are removed from the DAO rather than kept.
     NOTE(review): no sessionIdCookie is configured, so the cookie name and its secure/httpOnly
     flags come from Shiro's defaults; when the site is served over HTTPS, configure a SimpleCookie
     with secure="true" here. Also verify whether the Shiro version in use renews the session id
     at login (protection against session fixation); older versions do not. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="globalSessionTimeout" value="1800000"/>
<property name="deleteInvalidSessions" value="true"/>
<property name="sessionValidationSchedulerEnabled" value="true"/>
<property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
<property name="sessionDAO" ref="sessionDAO"/>
</bean>
<!-- Shiro cache manager: a project wrapper that adapts Spring's CacheManager to Shiro's -->
<bean id="cacheManager" class="org.supda.system.shiro.spring.SpringCacheManagerWrapper" >
<property name="cacheManager" ref="springCacheManager"/>
</bean>
<bean id="springCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager">
<property name="cacheManager" ref="ehcacheManager"/>
</bean>
<!-- Ehcache backing store, configured from ehcache.xml on the classpath -->
<bean id="ehcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
<property name="configLocation" value="classpath:ehcache.xml"/>
</bean>
<!-- Shiro lifecycle hooks for Spring-managed Shiro beans; the DefaultAdvisorAutoProxyCreator in
     the MVC Shiro config declares depends-on this bean. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
</beans>
public class MyRealm extends AuthorizingRealm {
@Inject
private UserService userService;
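/**
 * Loads the roles and string permissions of the subject being authorized.
 * <p>
 * The account name is taken from the principals Shiro passes in (the primary
 * principal set by doGetAuthenticationInfo is the account name) rather than from
 * SecurityUtils.getSubject(). For the current request's subject both are the same,
 * but the parameter is also correct for any other subject Shiro asks this realm
 * about, and it cannot throw when no subject is bound to the thread.
 *
 * @param principalCollection principals of the subject; may be null or empty
 * @return the subject's roles and permissions, or null when there is no usable principal
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    if (principalCollection == null) {
        return null;
    }
    Object primary = principalCollection.getPrimaryPrincipal();
    if (primary == null) {
        return null;
    }
    String loginName = primary.toString();
    if (StringUtils.isEmpty(loginName)) {
        return null;
    }

    // Role keys (TRole.roleKey) are used as Shiro role names, resource keys
    // (TResources.resKey) as Shiro string permissions; both are matched by the
    // perms[...] entries built in ChainDefinitionSectionMetaSource.
    Set<String> roleNames = new HashSet<String>();
    for (TRole role : userService.findRoles(loginName)) {
        roleNames.add(role.getRoleKey());
    }
    Set<String> permissions = new HashSet<String>();
    for (TResources res : userService.findResources(loginName)) {
        permissions.add(res.getResKey());
    }

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.addRoles(roleNames);
    info.addStringPermissions(permissions);
    return info;
}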
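/**
 * Looks up the account named by the token and hands its stored password hash and salt
 * to the configured CredentialsMatcher.
 * <p>
 * AuthenticatingRealm calls this method BEFORE the password is checked (the check happens
 * in assertCredentialsMatch), so nothing done here may treat the caller as logged in. The
 * session attributes other code reads ("userSession", "userSessionId") are therefore written
 * in assertCredentialsMatch below, only after the match has succeeded; writing them here
 * would populate the session of anyone who merely submits a valid account name.
 * <p>
 * Unknown and locked accounts raise different exception types; the login controller should
 * show the same message for both so that account names cannot be probed.
 *
 * @param token the submitted credentials; its principal is the account name
 * @return authentication info whose primary principal is the account name; the salt is
 *         accountName + credentialsSalt, matching the credentialsMatcher configuration
 * @throws UnknownAccountException if the token has no principal or no account matches
 * @throws LockedAccountException  if the account's locked flag is "2"
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    Object principal = token == null ? null : token.getPrincipal();
    String accountName = principal == null ? null : principal.toString();
    TUser user = findAccount(accountName);
    if ("2".equals(user.getLocked())) {
        throw new LockedAccountException();
    }
    return new SimpleAuthenticationInfo(
            accountName,
            user.getPassword(),
            ByteSource.Util.bytes(accountName + user.getCredentialsSalt()),
            getName());
}

/**
 * Runs the normal credentials check and, only if it passes, stores the user in the
 * session for the rest of the application.
 *
 * @throws AuthenticationException from the superclass when the credentials do not match;
 *         the session is left untouched in that case
 */
@Override
protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
        throws AuthenticationException {
    super.assertCredentialsMatch(token, info);
    // Reached only after the password matched.
    Object primary = info.getPrincipals().getPrimaryPrincipal();
    TUser user = findAccount(primary == null ? null : primary.toString());
    Session session = SecurityUtils.getSubject().getSession();
    session.setAttribute("userSession", user);
    session.setAttribute("userSessionId", user.getId());
}

/**
 * Returns the first account with the given name.
 *
 * @param accountName account name, may be null
 * @throws UnknownAccountException if the name is null or no account matches
 */
private TUser findAccount(String accountName) {
    if (accountName == null) {
        throw new UnknownAccountException();
    }
    List<TUser> users = userService.findByAccountName(accountName);
    if (users == null || users.isEmpty()) {
        throw new UnknownAccountException();
    }
    // NOTE(review): several rows for one account name silently resolve to the first one;
    // confirm the account name column is unique.
    return users.get(0);
}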
/**
* 产生责任链,确定每个url的访问权限
*
*/
public class ChainDefinitionSectionMetaSource implements FactoryBean<Ini.Section> {
@Resource
private ResourceService resourceService;
// 静态资源访问权限
private String filterChainDefinitions = null;
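/**
 * Builds the Shiro filter chain definitions (URL pattern to filter spec) used by shiroFilter.
 * <p>
 * Order is significant because Shiro applies the first matching pattern, so entries are
 * added in this sequence:
 * <ol>
 * <li>the static definitions from {@code filterChainDefinitions} (the anonymous URLs),</li>
 * <li>one {@code perms[resKey]} entry per resource that has both a URL and a key,</li>
 * <li>a trailing {@code /** = authc} catch-all, which must stay last.</li>
 * </ol>
 * The section is built when this factory bean is created; resources added to the database
 * afterwards are not picked up until the context is restarted (NOTE(review): confirm that
 * this is intended). The resulting map is security configuration and is deliberately not
 * printed to stdout.
 *
 * @return the populated default Ini section
 * @throws Exception if the static definitions cannot be parsed
 */
public Ini.Section getObject() throws Exception {
    Ini ini = new Ini();
    // Static entries first; an empty configuration simply yields no anonymous URLs.
    if (StringUtils.isNotEmpty(filterChainDefinitions)) {
        ini.load(filterChainDefinitions);
    }
    // addSection returns the existing default section or creates it, so it is never null.
    Ini.Section section = ini.addSection(Ini.DEFAULT_SECTION_NAME);

    // Each database resource guards its URL with the permission named by its key.
    List<TResources> resources = resourceService.listResources();
    if (resources != null) {
        for (TResources resource : resources) {
            // A resource without a URL or a key cannot be mapped; skip it.
            if (StringUtils.isNotEmpty(resource.getResUrl()) && StringUtils.isNotEmpty(resource.getResKey())) {
                // Roles are not checked here; use "roles[" + key + "]" if that is wanted.
                section.put(resource.getResUrl(), "perms[" + resource.getResKey() + "]");
            }
        }
    }

    // Catch-all: everything not matched above requires an authenticated subject. Must stay last.
    // To allow only one active login per user, use "authc,kickout,sysUser,user" instead; the
    // kickout and sysUser filters are registered on shiroFilter under those keys.
    section.put("/**", "authc");
    return section;
}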