<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
default-lazy-init="true" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<description>Shiro Configuration</description>
<!-- Shiro Filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- 安全管理器 -->
<property name="securityManager" ref="securityManager" />
<!-- 登陆的Url,暂时没用 -->
<property name="loginUrl" value="" />
<!-- 登录成功的Url,未用 -->
<property name="successUrl" value="/web/index.html" />
<!-- 为通过验证的URL -->
<property name="unauthorizedUrl" value="/index.html" />
<property name="filters">
<map>
<entry key="authc" value-ref="formAuthenticationFilter" />
</map>
</property>
<property name="filterChainDefinitions">
<ref bean="shiroFilterChainDefinitions" />
</property>
</bean>
<!-- Shiro权限过滤过滤器定义 -->
<bean name="shiroFilterChainDefinitions" class="java.lang.String">
<constructor-arg>
<value>
<!-- anon表示不校验 -->
/bower_components/** = anon
/info/home/Vh1/**=anon
/=anon
<!-- 剩余请求均经过authc -->
/** = authc
</value>
</constructor-arg>
</bean>
<!-- Form认证过滤器 -->
<bean id="formAuthenticationFilter"
class="com.xxxx.xxxx.system.security.FormAuthenticationFilter" />
<!-- 定义Shiro安全管理配置 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- 单realm应用。如果有多个realm,使用‘realms’属性代替 -->
<!-- 管理认证和授权 -->
<property name="realm" ref="systemAuthorizingRealm" />
<!-- 仅shiro适用 -->
<property name="cacheManager" ref="shiroCacheManager" />
<!-- 分布式或单机session缓存 -->
<property name="sessionManager" ref="sessionManager" />
<!-- 自动登录使用,暂时没有使用 -->
<property name="rememberMeManager" ref="rememberMeManager" />
</bean>
<bean id="systemAuthorizingRealm"
class="com.emcc.xxxx.system.security.shiro.SystemAuthorizingRealm" />
<!-- 自定义会话管理配置 -->
<bean id="sessionManager"
class="com.emcc.xxxx.system.security.shiro.session.SessionManager">
<!-- Redis/本地保存 -->
<property name="sessionDAO" ref="sessionDAO" />
<!-- 会话超时时间,配置在system.properties 单位:毫秒 -->
<property name="globalSessionTimeout" value="${session.sessionTimeout}" />
<!-- 定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话 -->
<property name="sessionValidationInterval" value="${session.sessionTimeoutClean}" />
<property name="sessionValidationSchedulerEnabled" value="false" />
<!-- 配置cookie中sessionid的key -->
<property name="sessionIdCookie" ref="sessionIdCookie" />
<property name="sessionIdCookieEnabled" value="true" />
</bean>
<!-- 指定本系统SESSIONID, 默认为: JSESSIONID 问题: 与SERVLET容器名冲突, 如JETTY, TOMCAT 等默认JSESSIONID,
当跳出SHIRO SERVLET时如ERROR-PAGE容器会为JSESSIONID重新分配值导致登录会话丢失! -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg name="name" value="web.session.id" />
</bean>
<!-- 自定义Session存储容器,集群环境使用 <bean id="sessionDAO" class="com.emcc.xxxx.system.security.shiro.session.JedisSessionDAO">
<property name="sessionIdGenerator" ref="idGen" /> <property name="sessionKeyPrefix"
value="${redis.keyPrefix}_session_" /> </bean> -->
<!-- 自定义Session存储容器,开发环境使用 -->
<bean id="sessionDAO"
class="com.emcc.xxxx.system.security.shiro.session.CacheSessionDAO">
<property name="sessionIdGenerator" ref="idGen" />
<property name="activeSessionsCacheName" value="activeSessionsCache" />
<property name="cacheManager" ref="shiroCacheManager" />
</bean>
<!-- rememberMe管理器 -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位) -->
<property name="cipherKey"
value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}" />
<property name="cookie" ref="rememberMeCookie" />
</bean>
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe" />
<property name="httpOnly" value="true" />
<property name="maxAge" value="2592000" /><!-- 30天 -->
</bean>
<!-- 定义授权缓存管理器 <bean id="shiroCacheManager" class="com.emcc.xxxx.system.security.shiro.cache.SessionCacheManager"
/> -->
<!-- 定义授权缓存管理器 -->
<bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="cacheManager" />
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- securityManager -->
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager" />
<property name="arguments" ref="securityManager" />
</bean>
<!-- AOP式方法级权限检查 -->
<!-- AOP式方法级权限检查 这两个类主要用于注解 -->
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
</beans>
