菜園子

<filter>

<filter-name>shiroFilter</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

<init-param>

            <param-name>targetFilterLifecycle</param-name>

            <param-value>true</param-value>

     </init-param>

</filter>    

<filter-mapping>

<filter-name>shiroFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

public class ShiroDbRealm extends AuthorizingRealm {

    @Inject

    private UserService userService ;

    /**

 * 認證回調函數,登錄時調用.

 */

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) 
throws AuthenticationException {

UsernamePasswordToken token = (UsernamePasswordToken) authcToken;

User user= userService.getUserByUserId(token.getUsername());

if (user!= null) {  

    return new SimpleAuthenticationInfo(user.getUserId(), user.getUserId(), getName());

} else {

return null;

}

}

/**

 * 授權查詢回調函數, 進行鑒權但緩存中無用戶的授權信息時調用.

 */

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

String loginName = (String) principals.fromRealm(getName()).iterator().next();

User user= userService.getUserByUserId(loginName);

if (user != null) {

SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

info.addStringPermission("common-user");

return info;

} else {

return null;

}

}

}

<?xml version="1.0" encoding="UTF-8"?>

<beans >

<description>Shiro Configuration</description>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="shiroDbRealm" />

</bean>

<bean id="shiroDbRealm" class="com.company.service.common.shiro.ShiroDbRealm" />

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

        <property name="securityManager" ref="securityManager"/>

        <property name="loginUrl" value="/common/security/login" />

        <property name="successUrl" value="/common/security/welcome" />

        <property name="unauthorizedUrl" value="/common/security/unauthorized"/>

        <property name="filterChainDefinitions">

            <value>

                /resources/** = anon

                /manageUsers = perms[user:manage]

                /** = authc

            </value>

        </property>

    </bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

        <property name="securityManager" ref="securityManager"/>

    </bean>

</beans>

@Controller

@RequestMapping(value = "/common/security/*")

public class SecurityController {

    @Inject

    private UserService userService;

    @RequestMapping(value = "/login")

    public String login(String loginName, String password,
HttpServletResponse response, HttpServletRequest request) throws Exception {

        User user = userService.getUserByLogin(loginName);

            if (null != user) {

                setLogin(loginInfoVO.getUserId(), loginInfoVO.getUserId());

                return "redirect:/common/security/welcome";

            } else {

                return "redirect:/common/path?path=showLogin";

            }

    };

    public static final void setLogin(String userId, String password) {

        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {

            //collect user principals and credentials in a gui specific manner 

            //such as username/password html form, X509 certificate, OpenID, etc.

            //We'll use the username/password example here since it is the most common.

            //(do you know what movie this is from? ;)

            UsernamePasswordToken token = new UsernamePasswordToken(userId, password);

            //this is all you have to do to support 'remember me' (no config - built in!):

            token.setRememberMe(true);

            currentUser.login(token);

        }

    };

    @RequestMapping(value="/logout")

    @ResponseBody

    public void logout(HttpServletRequest request){

        Subject subject = SecurityUtils.getSubject();

        if (subject != null) {           

            subject.logout();

        }

        request.getSession().invalidate();

    };

}

    public static final void setCurrentUser(User user) {

        Subject currentUser = SecurityUtils.getSubject();

        if (null != currentUser) {

            Session session = currentUser.getSession();

            if (null != session) {

                session.setAttribute(Constants.CURRENT_USER, user);

            }

        }

    };

    public static final User getCurrentUser() {

        Subject currentUser = SecurityUtils.getSubject();

        if (null != currentUser) {

            Session session = currentUser.getSession();

            if (null != session) {

                User user = (User) session.getAttribute(Constants.CURRENT_USER);

                if(null != user){

                    return user;

                }

}

}

    };