Springboot integrates apache shiro and springbootshiro

Springboot integrates apache shiro and springbootshiro

In the past few days, shiro has been learned due to project needs, which leaves some records and hopes to help shiro beginners.

Springboot is a new project in the past two years. It is designed to reduce the need to introduce various jar packages and xml configuration files during spring MVC development, it makes full use of the Configuration Mode of JavaConfig and the concept of "better than configuration" to help developers configure most of the things they need. Many columns are provided in the springboot project on github,

 

Apache shiro is a lightweight authentication and authorization framework. Compared with spring security, apache shiro is easy to use and flexible. springboot itself provides security support. After all, it is its own business. Springboot is not integrated with shiro at the moment, so you have to configure it yourself.

 

I found some information on the Internet and configured shiro. There are many requirements on the web. xml, application. various configurations in xml, but springboot does not. springboot advocates no xml and is not familiar with the configuration using javaconfig. However, some people have configured shiro using javaconfig, refer to the configuration of shiro integrated by spring boot, a blog member of csdn, download the demo, and simulate the successful configuration. However, I am used to the xml configuration method and feel that the javaconfig method is not very intuitive, So I replaced it with xml. The main configuration process is as follows:

First is spring-shiro.xml

<? Xml version = "1.0" encoding = "UTF-8"?> <Beans xmlns = "http://www.springframework.org/schema/beans" xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance" xmlns: aop = "http://www.springframework.org/schema/aop" xmlns: tx = "http://www.springframework.org/schema/tx" xmlns: util = "http://www.springframework.org/schema/util" xmlns: context = "http://www.springframework.org/schema/context" xsi: schemaLocation = "http://www.springframework.org/schema/beans Http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd Text http://www.springframework.org/schema/context/spring-context.xsd "> <! -- ===================================================== ======================== Shiro Components ============================ =================================================== --> <! -- The cache manager is implemented using Ehcache --> <bean id = "cacheManager" class = "org. apache. shiro. cache. ehcache. ehCacheManager "> <property name =" cacheManagerConfigFile "value =" classpath: app/config/ehcache-shiro.xml "/> </bean> <! -- Virtual reality requires the self-written realm implementation class to act as a bridge between shiro and application security data --> <bean id = "MonitorRealm" class = "com. test. monitorRealm "> </bean> <! -- Security manager --> <bean id = "securityManager" class = "org. apache. shiro. web. mgt. defaultWebSecurityManager "> <property name =" realms "> <list> <ref bean =" MonitorRealm "/> </list> </property> <property name =" cacheManager "ref = "cacheManager"/> </bean> <! -- Shiro lifecycle Processor --> <! -- The official explanation for This post processor makes it easier to configure Shiro beans in Spring, since the user never has to worry about whether or not if they have to specify init-method and destroy-method bean attributes. the general idea is to make shiro bena injection more convenient --> <bean id = "lifecycleBeanPostProcessor" class = "org. apache. shiro. s Pring. LifecycleBeanPostProcessor "/> <! -- Shiro's Web Filter --> <bean id = "shiroFilter" class = "org. apache. shiro. spring. web. shiroFilterFactoryBean "> <property name =" securityManager "ref =" securityManager "/> <property name =" loginUrl "value ="/user-web/login "/> <property name = "unauthorizedUrl" value = "/unauthorized"/> <property name = "filters"> <util: map> <entry key = "authc"> <! -- Authentication interceptor, the default is FormAuthenticationFilter, but PassThruAuthenticationFilter is relatively powerful, For details, see https://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.html --> <bean class = "org. apache. shiro. web. filter. authc. passThruAuthenticationFilter "/> </entry> </util: map> </property> <! -- Shiro's powerful interceptor chain can match all URLs, and intercept according to the configuration --> <property name = "filterChainDefinitions"> <value> # Put the files that can be accessed without authentication in front/js/* = anon/css/* = anon /img/* = anon/images/* = anon/user-web/login = anon/logout = logout/user-web/* = authc/backend-web/* = authc </value> </property> </bean> <! -- Enable Shiro annotations (for example, @ RequiresRoles and @ RequiresPermissions). You need to use SpringAOP to scan classes that use Shiro annotations and perform security logic verification if necessary --> <! -- Here we need to configure the following two beans. Before that, we need to configure lifecycleBeanPostProcessor --> <bean class = "org. springframework. aop. framework. autoproxy. defaultAdvisorAutoProxyCreator "depends-on =" lifecycleBeanPostProcessor "> <! -- Add the following sentence to solve the problem of If the controller requires proxying (e.g. due to @ Transactional) and please use class-based proxying --> <! -- Referring to the http://www.cnblogs.com/digdeep/p/4624998.html, we will find that the above error is a conflict problem caused by different configuration methods of Spring AOP --> <property name = "proxyTargetClass" value = "true"/> </bean> <bean class = "org. apache. shiro. spring. security. interceptor. authorizationAttributeSourceAdvisor "> <property name =" securityManager "ref =" securityManager "/> </bean> <! -- Exception interception --> <bean class = "org. springframework. web. servlet. handler. simpleMappingExceptionResolver "> <property name =" exceptionMappings "> <props> <prop key =" org. apache. shiro. authz. unauthorizedException ">/unauthorized <! -- Unauthorized processing page --> </prop> <prop key = "org. apache. shiro. authz. UnauthenticatedException">/user-web/login <! -- Identity not verified --> </prop> </props> </property> </bean> </beans>

The following is the Ehcache. xml file.

Ehcache is a pure Java in-process cache framework. For more information, see here.

<ehcache updateCheck="false" name="shiroCache">    <defaultCache            maxElementsInMemory="10000"            eternal="false"            timeToIdleSeconds="120"            timeToLiveSeconds="120"            overflowToDisk="false"            diskPersistent="false"            diskExpiryThreadIntervalSeconds="120"            /></ehcache>

Spring boot loads xml configuration files

import org.springframework.boot.SpringApplication;import org.springframework.boot.autoconfigure.EnableAutoConfiguration;import org.springframework.boot.autoconfigure.SpringBootApplication;import org.springframework.context.annotation.ComponentScan;import org.springframework.context.annotation.Configuration;@Configuration@SpringBootApplication@ComponentScan@EnableAutoConfigurationpublic class Application {public static void main(String[] args) {SpringApplication.run(new String[] {"classpath*:app/config/spring-*.xml","classpath*:app/config/spring-session-redis.xml","classpath*:/user/captcha.xml"//....}, args);}}

In this way. Spingboot configures shiro in xml format, and then uses the annotation method on the controller method to implement permission control.

The MonitorRealm class is not provided here. The doGetAuthorizationInfo (authorization) and doGetAuthenticationInfo (authentication) methods must be implemented, and some changes must be made in loginController, if you need it, you can refer to this SpringMVC integrated Shiro blog.