This article covers ways to integrate Shiro into Spring-based applications.
Shiro's JavaBeans compatibility makes it well suited to configuration via Spring XML or other Spring-based configuration mechanisms. A Shiro application needs an application-singleton SecurityManager instance. Note that this does not have to be a static singleton, but the application should use only a single instance, whether or not it is a static singleton.
1. Standalone application
Here is the simplest way to enable an application-singleton SecurityManager in a Spring application:

<!-- Define the Realm that connects to your back-end security data source
     (class="..." stands for your own Realm implementation): -->
<bean id="myRealm" class="...">
    ...
</bean>

<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
    <!-- Single-Realm application. If there are multiple Realms, use the "realms" property instead. -->
    <property name="realm" ref="myRealm"/>
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- For the simplest integration, so that all static SecurityUtils methods work in all cases,
     make the securityManager bean a static singleton. Do not do this in a web application;
     see the "Web application" section below. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
    <property name="arguments" ref="securityManager"/>
</bean>
2. Web application
Shiro has first-class support for Spring web applications. In a web application, every web request that Shiro should secure must pass through the Shiro filter. This filter is very powerful and allows ad hoc custom filter chains to be executed based on URL path expressions.
Prior to Shiro 1.0, Spring web applications had to use a hybrid approach: the Shiro filter and all of its configuration properties were defined in web.xml, while the SecurityManager was defined in Spring XML, which was a bit unfriendly.
Now, in Shiro 1.0 or above, all Shiro configurations are done in Spring XML, which provides a more robust Spring configuration mechanism.
Here is how to configure Shiro in a spring-based web application:
web.xml
In addition to the other Spring web.xml elements (ContextLoaderListener, Log4jConfigListener, etc.), define the following filter and filter mapping:

<!-- The filter-name matches the name of the "shiroFilter" bean in applicationContext.xml. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

...

<!-- Make sure every request you want Shiro to see is filtered; /* catches all requests.
     Typically this filter mapping is defined first (before all others), so that Shiro
     is in effect for the subsequent filters in the filter chain: -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
applicationContext.xml
In the applicationContext.xml file, define the web-enabled SecurityManager and the "shiroFilter" bean that is referenced from web.xml.

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Define the following properties according to your situation:
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/home.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/> -->
    <!-- The "filters" property is unnecessary for any javax.servlet.Filter bean
         that is already declared in this context. -->
    <!-- <property name="filters">
        <util:map>
            <entry key="anAlias" value-ref="someFilter"/>
        </util:map>
    </property> -->
    <property name="filterChainDefinitions">
        <value>
            # Define the URLs to be filtered:
            /admin/** = authc, roles[admin]
            /docs/** = authc, perms[document:read]
            /** = authc
        </value>
    </property>
</bean>

<!-- Any javax.servlet.Filter bean defined in the context is automatically picked up by the
     "shiroFilter" bean above and can be used in the "filterChainDefinitions" property.
     If needed, you can also add filters manually/explicitly to the shiroFilter's "filters" map.
     (class="..." stands for your own filter classes.) -->
<bean id="someFilter" class="..."/>
<bean id="anotherFilter" class="..."> ... </bean>
...

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Single-Realm application. If there are multiple Realms, use the "realms" property instead. -->
    <property name="realm" ref="myRealm"/>
    <!-- By default the servlet container's sessions are used.
         Uncomment this line to use Shiro's native sessions instead. -->
    <!-- <property name="sessionMode" value="native"/> -->
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- Connect to your back-end data source with a custom subclass of a Shiro Realm
     (class="..." stands for that subclass): -->
<bean id="myRealm" class="...">
    ...
</bean>
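Shiro evaluates the filterChainDefinitions entries in the order they are written and applies the first pattern that matches, so the position of the /** catch-all decides whether the role and permission checks are ever reached. The following added example (not part of the original article or of Shiro itself) resolves sample paths against the page's definitions and against a constructed misordering; the class name ChainOrderCheck, the helper resolve and the sample paths are assumptions, and it expects Shiro 1.x (shiro-core) on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

// Added example: shows which filter chain a request path resolves to.
public class ChainOrderCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns the filters of the first matching pattern (first match wins). */
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> entry : chains.entrySet()) {
            if (MATCHER.match(entry.getKey(), path)) {
                return entry.getValue();
            }
        }
        return "(no chain matched: Shiro applies no filters)";
    }

    public static void main(String[] args) {
        // Order used on the page: specific patterns first, catch-all last.
        Map<String, String> pageOrder = new LinkedHashMap<>();
        pageOrder.put("/admin/**", "authc, roles[admin]");
        pageOrder.put("/docs/**", "authc, perms[document:read]");
        pageOrder.put("/**", "authc");

        // Constructed misordering: the catch-all shadows every later entry,
        // so the roles[admin] and perms[...] checks are never applied.
        Map<String, String> catchAllFirst = new LinkedHashMap<>();
        catchAllFirst.put("/**", "authc");
        catchAllFirst.put("/admin/**", "authc, roles[admin]");
        catchAllFirst.put("/docs/**", "authc, perms[document:read]");

        // Constructed sample request paths.
        String[] paths = {"/admin/users", "/docs/report.pdf", "/home.jsp"};
        for (String path : paths) {
            System.out.printf("%-18s page order: %-30s catch-all first: %s%n",
                    path, resolve(pageOrder, path), resolve(catchAllFirst, path));
        }
    }
}
```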
Enabling Shiro annotations
In an application, you may want to use Shiro's annotations for security checks (for example, @RequiresRoles, @RequiresPermissions, etc.). This requires Shiro's Spring AOP integration, which scans for appropriately annotated classes and performs the security logic where necessary. To enable these annotations, add these two bean definitions to applicationContext.xml:

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>
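At runtime, @RequiresRoles and @RequiresPermissions call the current Subject's checkRole and checkPermission methods, which throw an AuthorizationException when the check fails. The following added example (not part of the original article) runs those same checks in a standalone program wired like the XML in section 1; the class name, the helper outcome and the in-memory accounts are constructed assumptions, and it expects shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

// Added example: the checks behind Shiro's authorization annotations.
public class AnnotationChecksDemo {

    /** Runs a check and reports the outcome instead of propagating the exception. */
    static String outcome(Runnable check) {
        try {
            check.run();
            return "allowed";
        } catch (AuthorizationException e) {
            return "denied (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory accounts; a real application uses its own Realm.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "alice-pw, admin");
        ini.setSectionProperty("users", "bob", "bob-pw, reader");
        ini.setSectionProperty("roles", "admin", "*");
        ini.setSectionProperty("roles", "reader", "document:read");

        // Programmatic equivalent of the standalone XML: one SecurityManager,
        // registered as the static singleton used by SecurityUtils.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
        Subject subject = SecurityUtils.getSubject();

        // What @RequiresRoles("admin") enforces for a caller who has not logged in.
        System.out.println("anonymous, role admin:    " + outcome(() -> subject.checkRole("admin")));

        subject.login(new UsernamePasswordToken("bob", "bob-pw"));
        // What @RequiresRoles("admin") enforces for bob, who only has the reader role.
        System.out.println("bob, role admin:          " + outcome(() -> subject.checkRole("admin")));
        // What @RequiresPermissions("document:read") enforces for bob.
        System.out.println("bob, perm document:read:  "
                + outcome(() -> subject.checkPermission("document:read")));
        subject.logout();
    }
}
```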