The configuration of Apache Shiro is divided into four main parts:
- definition and configuration of objects and their properties
- filter configuration for URLs
- static user configuration
- static role configuration
In practice a Shiro configuration usually contains only the first two parts, because users and roles are dynamic data that is normally maintained in a backend store (a database or directory) rather than in the configuration file.
Most Apache Shiro components are POJOs, so they can be configured with any POJO-compatible mechanism: Java code, Spring XML, YAML, JSON, INI files, and so on. The following example uses Spring XML; some of the configuration parameters are explained briefly.
Configuration of the Shiro objects:
This part defines and wires the Shiro components (SecurityManager, Realm, SessionManager, CacheManager and so on). The main components were introduced in the previous article and are not described again one by one here. Note that the ShiroFilterFactoryBean used in the next section only accepts a SecurityManager that implements WebSecurityManager, so in a web application the class must be org.apache.shiro.web.mgt.DefaultWebSecurityManager; the plain org.apache.shiro.mgt.DefaultSecurityManager of the original example fails at startup with "The security manager does not implement the WebSecurityManager interface."

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <!-- 'native' makes Shiro manage sessions itself instead of using the servlet container's sessions -->
        <property name="sessionMode" value="native"/>
        <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
        <property name="realm" ref="myRealm"/>
        <property name="sessionManager" ref="sessionManager"/>
    </bean>
Configuration of the Shiro filter:
Shiro performs security management for web applications mainly through URL filtering; this configuration specifies the concrete authorization rules. The bean id (here shiroFilter) must match the filter-name of the Spring DelegatingFilterProxy declared in web.xml, otherwise the filter is never invoked and none of the rules below is enforced.

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <!-- where unauthenticated requests to protected URLs are redirected -->
        <property name="loginUrl" value="/login.jsp"/>
        <!-- where to go after a successful login when no original request is remembered -->
        <property name="successUrl" value="/home.jsp"/>
        <!-- where authenticated but unauthorized requests (roles/perms failure) are sent -->
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
        <property name="filterChainDefinitions">
            <value>
                # some example chain definitions:
                /admin/** = authc, roles[admin]
                /docs/** = authc, perms[document:read]
                /** = authc
                # more URL-to-FilterChain definitions here
            </value>
        </property>
    </bean>
URL filter configuration description:
Shiro implements URL-based authorization through these filter chain definitions. Each definition has the format:
URL_Ant_path_expression = path_specific_filter_chain
Each line states that a request whose path matches the URL expression is passed through the filters of the corresponding chain before it reaches the application. For example (an INI [urls] section; the filterChainDefinitions value in the Spring configuration above uses exactly the same syntax):
[urls]
/index.html = anon
/user/create = anon
/user/** = authc
/admin/** = authc, roles[administrator]
/rest/** = authc, rest
/remoting/rpc/** = authc, perms["remote:invoke"]
URL expression description:
1. Paths are relative to the application's context path (HttpServletRequest.getContextPath()); the context path itself is not part of the expression.
2. Expressions are Ant-style patterns: ? matches one character, * matches any characters within a single path segment, and ** matches any number of path segments (sub-directories).
3. When Shiro resolves a request, the first expression that matches wins and no further lookup is performed. The order of the lines therefore matters, especially with wildcards: put specific paths before general ones and a catch-all such as /** = authc last. A broad anon rule placed above a more restrictive rule silently disables that rule.
Filter chain definition description:
1. A URL expression can be configured with several filters, separated by commas.
2. When several filters are configured, the request is allowed through only if every filter in the chain passes; the first filter that rejects the request ends processing (for example by redirecting to loginUrl or unauthorizedUrl).
3. Some filters accept parameters in square brackets, e.g. roles[admin] or perms["user:read"]. With several values, roles[admin, editor] requires all listed roles and perms[...] requires all listed permissions.
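As an added example (not part of the original article and not Apache Shiro's own code), the following Python script re-implements the two resolution rules just described, Ant-style path matching and first-match-wins, and uses them to lint a [urls] section for rules that an earlier line shadows. The sample configurations, the function names (parse_urls, resolve, lint) and the matcher are this example's own assumptions; Shiro performs the real resolution in Java inside PathMatchingFilterChainResolver.

```python
"""Offline checker for Shiro filter-chain definitions ([urls] / filterChainDefinitions).

Added example, not Apache Shiro's code. It re-implements Ant-style matching and
first-match-wins resolution so a configuration can be audited for shadowed rules.
Assumed Ant semantics: ? = one character, * = any characters within one path
segment, ** = any number of path segments.
"""
import re
from typing import List, Optional, Tuple

Filter = Tuple[str, List[str]]            # (filter name, bracket arguments)
Rule = Tuple[str, re.Pattern, List[Filter]]

# Constructed sample: a "temporary" catch-all anon rule was added in the middle.
# Resolution stops at the first match, so every later rule is dead and
# /admin/** is reachable without authentication.
BAD_CONFIG = """
[urls]
/index.html = anon
/** = anon
/user/** = authc
/admin/** = authc, roles[administrator]
"""

# Constructed sample in the correct order: specific paths first, catch-all last.
GOOD_CONFIG = """
[urls]
/index.html = anon
/user/create = anon
/user/** = authc
/admin/** = authc, roles[administrator]
/rest/** = authc, rest
/remoting/rpc/** = authc, perms["remote:invoke"]
/** = authc
"""


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style pattern into an anchored regular expression."""
    out, i, n = "", 0, len(pattern)
    while i < n:
        if pattern.startswith("/**", i) and i + 3 == n:   # trailing "/**": zero or more segments
            out += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**/", i):                 # "**/": zero or more leading segments
            out += "(?:.*/)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def _split_top_level(text: str) -> List[str]:
    """Split on commas that are not inside [...] so roles[a, b] stays one token."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_filter(token: str) -> Filter:
    """'roles[administrator]' -> ('roles', ['administrator']); 'authc' -> ('authc', [])."""
    m = re.fullmatch(r"(\w+)(?:\[(.*)\])?", token.strip())
    if not m:
        raise ValueError(f"bad filter token: {token!r}")
    name, config = m.group(1), m.group(2)
    args = [v.strip().strip("\"'") for v in config.split(",")] if config else []
    return name, args


def parse_urls(ini_text: str) -> List[Rule]:
    """Parse 'path = filter, filter[arg]' lines of a [urls] section, keeping file order."""
    rules: List[Rule] = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        path, _, chain = line.partition("=")
        path = path.strip()
        rules.append((path, ant_to_regex(path), [parse_filter(t) for t in _split_top_level(chain)]))
    return rules


def resolve(rules: List[Rule], request_path: str) -> Optional[List[Filter]]:
    """First matching rule wins, as in Shiro; None means no chain applies."""
    for _, regex, chain in rules:
        if regex.match(request_path):
            return chain
    return None


def _representative_path(pattern: str) -> str:
    """A concrete path the pattern is meant to match, used as the shadowing probe."""
    return pattern.replace("**", "x").replace("*", "x").replace("?", "x")


def lint(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed pattern, shadowing pattern) pairs for rules whose representative
    request is captured by an earlier rule. Heuristic: one probe path per rule."""
    findings = []
    for idx, (pattern, _, _) in enumerate(rules):
        probe = _representative_path(pattern)
        for earlier, regex, _ in rules[:idx]:
            if regex.match(probe):
                findings.append((pattern, earlier))
                break
    return findings


if __name__ == "__main__":
    for label, text in (("BAD", BAD_CONFIG), ("GOOD", GOOD_CONFIG)):
        parsed = parse_urls(text)
        print(label, "/admin/users ->", resolve(parsed, "/admin/users"))
        for shadowed, by in lint(parsed):
            print(f"  unreachable: {shadowed!r} is shadowed by {by!r}")
```

Running the script on BAD_CONFIG shows /admin/users resolving to the anon chain and reports /user/** and /admin/** as unreachable; GOOD_CONFIG resolves the same request to authc followed by roles[administrator] and reports nothing. The probe-based check is deliberately conservative: it flags a rule only when the one path it constructs is already taken by an earlier line, so a clean report does not prove the absence of partial overlaps.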
Shiro built-in filters

Filter name | Class
--- | ---
anon | org.apache.shiro.web.filter.authc.AnonymousFilter
authc | org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port | org.apache.shiro.web.filter.authz.PortFilter
rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl | org.apache.shiro.web.filter.authz.SslFilter
user | org.apache.shiro.web.filter.authc.UserFilter
Apache Shiro User's Manual (v) Shiro configuration instructions