Spring集成Apache Shiro安全框架

前段时间项目中用到Apache Shiro安全框架用于实现用户认证与授权。
参考资料:
http://www.ibm.com/developerworks/cn/web/wa-apacheshiro/
http://www.ibm.com/developerworks/cn/opensource/os-cn-shiro/
http://www.infoq.com/cn/articles/apache-shiro

配置信息

web.xml中通过spring的代理过滤器将过滤交给shiro。同时applicationContext.xml中需要一个叫shiroFilter的过滤器。
代码如下：

    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

applicationContext-shiro.xml用于shiro安全框架的配置。
代码如下：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd"
    default-lazy-init="true">

    <description>Shiro安全配置</description>

    <!-- Shiro's main business-tier object for web-enabled applications -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="shiroDbRealm" />
    </bean>

    <!-- 項目自定义的Realm, 所有accountService依赖的dao都需要用depends-on声明 -->
    <bean id="shiroDbRealm" class="xxx.xxx.xxx.service.account.ShiroDbRealm" depends-on="">
        <property name="accountService" ref="accountService"/>
    </bean>
    
    <!-- 自定义url过滤器 -->
    <bean id="URLFilter" class="xxx.xxx.xxx.web.filter.URLFilter">
        <constructor-arg>
        <value>sitemesh=false</value>
        </constructor-arg>
    </bean>
    
    <bean id="UserFormAuthenticationFilter" class="xxx.xxx.xxx.web.filter.UserFormAuthenticationFilter">

    </bean> 
    
    <!-- Shiro Filter /login = authc-->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean" depends-on="UserFormAuthenticationFilter">
         <property name="filters">
            <util:map>
                <entry key="UserFormAuthenticationFilter" value-ref="UserFormAuthenticationFilter"/>
                <entry key="urlFilter" value-ref="URLFilter"/>
            </util:map>
        </property> 
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login" />
        <property name="successUrl" value="/" />
        <property name="unauthorizedUrl" value="/PermissionController/403"/>
        <property name="filterChainDefinitions">
            <value>
                /login = UserFormAuthenticationFilter
                /logout = logout
                /static/** = anon
                /register/** = anon
                /views/**/*.jsp = user,urlFilter
                /** = user
            </value>
        </property>
    </bean>
    
    <!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
    
</beans>

代码实现部分

ShiroDbRealm继承AuthorizingRealm类实现用户认证和授权的方法。

public class ShiroDbRealm extends AuthorizingRealm
{
    private AccountService accountService;

    public ShiroDbRealm() {
        super();
        //setCredentialsMatcher(new AllowAllCredentialsMatcher());
        //设置认证token的实现类，该处使用UsernamepasswordTken,也可自定义token，如果自定义token则需继承AuthenticationToken;
            setAuthenticationTokenClass(EhrUserToken.class);       
   }
    
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException
    {
        return info;
    }
    
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals)
    {
        
        return info;
    }
}

自定义的过滤器继承AuthenticationFilter

public class URLFilter extends AuthenticationFilter
{

    @Override
    protected boolean onAccessDenied(ServletRequest request,
            ServletResponse response) throws Exception
    {
        HttpServletResponse rsp = (HttpServletResponse)response;
        rsp.sendError(403);
        return false;
    }

    @Override
    public void doFilterInternal(ServletRequest request,
            ServletResponse response, FilterChain chain)
            throws ServletException, IOException
    {
        Exception exception = null;
        try
        {
            //授权成功
            executeChain(request, response, chain);
            postHandle(request, response);
            
            //授权失败
            onAccessDenied(request,response);   
        } catch (Exception e)
        {
             exception = e;
        }
        finally {
            cleanup(request, response, exception);
        }
    }
}