Apache Shiro User's Manual (v) Shiro configuration instructions

The configuration of Apache Shiro is divided into four main parts:

• Definition and configuration of objects and properties
• Filter configuration for URLs
• Static User Configuration
• Static role Configuration

The Shiro configuration typically contains only the first two items because of dynamic data that the user and role typically operates from the background.

Most of the components of Apache Shiro are based on Pojo, so we can configure them with any configuration mechanism Pojo compatible, such as Java code, sping XML, YAML, JSON, INI files, and so on. The following is an example of how spring XML is configured, and some of these configuration parameters are briefly explained.

configuration of the Shiro object:
The main component is the implementation of the Shiro to define the configuration, the main components in the previous article has done a brief introduction, here is no longer one by one description.

<BeanID= "SecurityManager"class= "Org.apache.shiro.mgt.DefaultSecurityManager">        < Propertyname= "CacheManager"ref= "CacheManager"/>        < Propertyname= "SessionMode"value= "Native"/>        <!--Single Realm app. If you had multiple realms, use the ' Realms ' property instead.  -        < Propertyname= "Realm"ref= "Myrealm"/>        < Propertyname= "SessionManager"ref= "SessionManager"/> </Bean>

configuration of the Shiro filter
Shiro is primarily through URL filtering for security management, where the configuration is to specify a specific authorization rule definition.

<BeanID= "Shirofilter"class= "Org.apache.shiro.spring.web.ShiroFilterFactoryBean">    < Propertyname= "SecurityManager"ref= "SecurityManager"/>    < Propertyname= "Loginurl"value= "/login.jsp"/>    < Propertyname= "Successurl"value= "/home.jsp"/>    < Propertyname= "Unauthorizedurl"value= "/unauthorized.jsp"/> -< Propertyname= "Filterchaindefinitions">        <value># Some example chain definitions:/admin/** = authc, roles[admin]/docs/** = authc, Perms[document:read]/** = authc # more Url-to-filterchain definitions here</value>    </ Property></Bean>

URL Filter Configuration description:
Shiro can implement URL-based authorization validation through a configuration file. Filterchain Definition Format:
Url_ant_path_expression = Path_specific_filter_chain
Each URL is configured to indicate that the application request that matches the URL will be validated by the corresponding filter.
For example:
[URLs]
/index.html = Anon
/user/create = Anon
/user/** = authc
/admin/** = authc, Roles[administrator]
/rest/** = authc, rest
/remoting/rpc/** = authc, perms["Remote:invoke"]

URL Expression Description
1. URL directory is based on Httpservletrequest.getcontextpath () This directory setting
2, the URL can use wildcards, * * to represent any sub-directory
3. When Shiro validates the URL, the URL match succeeds and the matching lookup is no longer continued. So pay attention to the order of URLs in the configuration file, especially if you are using a wildcard character.

Filter Chain Definition Description
1. A URL can be configured with multiple filter, separated by commas
2. When multiple filters are set, all validation passes and is considered
3, some filters can specify parameters, such as Perms,roles

Shiro built -in Filterchain

Filter Name	Class
Anon	Org.apache.shiro.web.filter.authc.AnonymousFilter
Authc	Org.apache.shiro.web.filter.authc.FormAuthenticationFilter
Authcbasic	Org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
Perms	Org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
Port	Org.apache.shiro.web.filter.authz.PortFilter
Rest	Org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
Roles	Org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
Ssl	Org.apache.shiro.web.filter.authz.SslFilter
User	Org.apache.shiro.web.filter.authc.UserFilter

Apache Shiro User's Manual (v) Shiro configuration instructions