/**
 * Assembles the {@link ShiroFilterFactoryBean} from the URLs, security manager and chain
 * definition held by this configuration object.
 *
 * @return a factory bean carrying {@code loginUrl}, {@code successUrl}, {@code unauthorizedUrl},
 *         {@code securityManager} and the chain map of {@code shiroFilterChainDefinition}
 */
protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager);
    bean.setLoginUrl(loginUrl);
    bean.setSuccessUrl(successUrl);
    bean.setUnauthorizedUrl(unauthorizedUrl);
    // The chain map is what decides which filters guard which URL patterns.
    bean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());
    return bean;
}
}
/**
 * Registers the {@code shiroFilter} bean: an {@link MShiroFilterFactoryBean} bound to the given
 * security manager, with its chain rules supplied by {@code loadShiroFilterChain}.
 * <p>
 * The original note mentioning {@code StudentService}/{@code IScoreDao} parameters described an
 * example of reading rules from the database; those parameters are not part of this signature, and
 * real projects are expected to use their own service to provide the rules.
 *
 * @param securityManager the security manager the filter must use; Shiro requires one
 * @return the configured filter factory bean
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean factory = new MShiroFilterFactoryBean();
    // A SecurityManager is mandatory.
    factory.setSecurityManager(securityManager);
    // Without an explicit login URL Shiro looks for "/login.jsp" under the web root.
    factory.setLoginUrl("/login");
    // The post-login success URL is intentionally left unset ("/user" is not applied).
    factory.setUnauthorizedUrl("/403");
    loadShiroFilterChain(factory);
    return factory;
}
/**
 * Rebuilds the live Shiro filter chains from {@code initGetFilterChain()} without a restart: the
 * chains held by the {@link DefaultFilterChainManager} are cleared, the factory bean's definition
 * map is replaced, and every entry of the new map is registered on the manager again.
 * <p>
 * NOTE(review): between {@code clear()} and the last {@code createChain} call the manager holds no
 * chains, so a request served inside that window matches no rule — confirm reloads only run while
 * no traffic is being served, or serialise them externally. Any failure is logged and otherwise
 * ignored (best effort), as before.
 */
public void reloadFilterChain() {
    ShiroFilterFactoryBean factory = SpringContextHolder.getBean(ShiroFilterFactoryBean.class);
    try {
        AbstractShiroFilter liveFilter = (AbstractShiroFilter) factory.getObject();
        RestPathMatchingFilterChainResolver resolver =
                (RestPathMatchingFilterChainResolver) liveFilter.getFilterChainResolver();
        DefaultFilterChainManager manager =
                (DefaultFilterChainManager) resolver.getFilterChainManager();
        // Drop every existing chain, then swap the definition map wholesale.
        manager.getFilterChains().clear();
        factory.getFilterChainDefinitionMap().clear();
        factory.setFilterChainDefinitionMap(this.initGetFilterChain());
        // Re-register each pattern -> chain definition on the live manager.
        factory.getFilterChainDefinitionMap()
                .forEach((pattern, chainDef) -> manager.createChain(pattern, chainDef));
    } catch (Exception e) {
        LOGGER.error(e.getMessage(), e);
    }
}
}
/**
 * Registers a {@link ShiroFilterFactoryBean} unless the context already provides one, binding its
 * bean properties from the {@code shiro.*} configuration prefix (presumably including the chain
 * definitions — verify against the property file).
 *
 * @param securityManager the security manager the filter delegates to
 * @return a factory bean whose named filters are created from {@code requestProperties}
 * @throws InvocationTargetException if a default filter cannot be instantiated reflectively
 * @throws IllegalAccessException if a default filter cannot be instantiated reflectively
 */
@Bean
@ConfigurationProperties(prefix = "shiro")
@ConditionalOnMissingBean(ShiroFilterFactoryBean.class)
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager)
        throws InvocationTargetException, IllegalAccessException {
    ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
    factory.setSecurityManager(securityManager);
    // Named filter instances come from the request properties rather than Shiro's stock defaults.
    factory.setFilters(DefaultFilter.createInstanceMap(requestProperties));
    return factory;
}
/**
 * A convenience method that sets the {@link #setFilterChainDefinitionMap(java.util.Map) filterChainDefinitionMap}
 * property by accepting a {@link java.util.Properties Properties}-compatible string (multi-line key/value pairs).
 * Each key/value pair must conform to the format defined by the
 * {@link FilterChainManager#createChain(String,String)} JavaDoc - each property key is an ant URL
 * path expression and the value is the comma-delimited chain definition.
 *
 * @param definitions a {@link java.util.Properties Properties}-compatible string (multi-line key/value pairs)
 *                    where each key/value pair represents a single urlPathExpression-commaDelimitedChainDefinition.
 */
public void setFilterChainDefinitions(String definitions) {
    Ini config = new Ini();
    config.load(definitions);
    // An explicit [urls] section is optional; honour it when the caller supplied one.
    Ini.Section urls = config.getSection(IniFilterChainResolverFactory.URLS);
    if (!CollectionUtils.isEmpty(urls)) {
        setFilterChainDefinitionMap(urls);
        return;
    }
    // No [urls] section: this string *is* the urls definition, so the default section holds it.
    setFilterChainDefinitionMap(config.getSection(Ini.DEFAULT_SECTION_NAME));
}
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean(); factoryBean.setSecurityManager(securityManager); // referring to previous
/**
 * <p>
 * Shiro filter factory bean
 * </p>
 * Takes the base factory bean from {@code shiroFilterFactoryBean()}, loads the chain definitions
 * from {@code filterConfigService} and merges the custom filters from {@code customFilterConfig}.
 *
 * @param securityManager    the security manager the filter uses
 * @param customFilterConfig supplies additional named filters merged into the bean's filter map
 * @param filterConfigService supplies the URL pattern -> chain definition map
 * @return org.apache.shiro.spring.web.ShiroFilterFactoryBean
 * @throws Exception propagated from the collaborators
 * @author daiqi
 * @date 2018/6/27 10:39
 */
@Bean
@Order(value = 0)
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager,
                                          EcBaseAuthorityCustomFilterConfig customFilterConfig,
                                          EcSysFilterConfigService filterConfigService) throws Exception {
    ShiroFilterFactoryBean factory = shiroFilterFactoryBean();
    // Chain rules come from the service layer instead of being hard-coded here.
    factory.setFilterChainDefinitionMap(filterConfigService.loadFilterChainDefinitions());
    factory.setSecurityManager(securityManager);
    // Custom filters are layered on top of whatever the base factory already registered.
    factory.getFilters().putAll(customFilterConfig.customFilters());
    return factory;
}
/**
 * Adjusts the filters of the factory bean produced by the superclass.
 * <p>
 * The security manager's subject factory is replaced with a {@link Pac4jSubjectFactory}: CAS
 * proxies the user, so subjects have to be created through CAS.
 * NOTE(review): the cast assumes {@code securityManager} is a {@link DefaultSecurityManager}; any
 * other implementation fails with a ClassCastException at startup.
 *
 * @return the superclass factory bean with {@code shiroFilters()} installed
 */
@Bean
protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
    DefaultSecurityManager manager = (DefaultSecurityManager) securityManager;
    manager.setSubjectFactory(new Pac4jSubjectFactory());
    ShiroFilterFactoryBean bean = super.shiroFilterFactoryBean();
    bean.setFilters(shiroFilters());
    return bean;
}
/**
/**
 * Registers the {@code shiroFilter} bean as an {@link MShiroFilterFactoryBean} tied to the given
 * security manager; the URL rules are filled in by {@code loadShiroFilterChain}.
 * <p>
 * The earlier note about {@code StudentService}/{@code IScoreDao} parameters only illustrated that
 * database-backed objects can be injected here to read rules from the database; real projects
 * should use their own service for that. Those parameters are not part of this signature.
 *
 * @param securityManager the (mandatory) security manager for the filter
 * @return the configured filter factory bean
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean bean = new MShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager);
    // If no login URL is set Shiro defaults to "/login.jsp" under the web root.
    bean.setLoginUrl("/login");
    // No success URL is configured (the "/user" redirect is not applied).
    bean.setUnauthorizedUrl("/error");
    loadShiroFilterChain(bean);
    return bean;
}
AbstractShiroFilter shiroFilter; try { shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean.getObject(); } catch (Exception e) { throw new RuntimeException(e.getMessage(), e); shiroFilterFactoryBean.getFilterChainDefinitionMap().clear(); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); Map<String, String> chains = shiroFilterFactoryBean.getFilterChainDefinitionMap(); for (Map.Entry<String, String> entry : chains.entrySet()) { String url = entry.getKey();
/**
 * Seeds the filter chain definitions after construction, handing the factory bean a clone of
 * {@code defaultFilterChainDefinitionMap} so the defaults themselves stay untouched.
 */
@PostConstruct
public void initPermission() {
    shiroFilterFactoryBean.setFilterChainDefinitionMap(
            CollectionUtils.clone(defaultFilterChainDefinitionMap));
    logger.debug("initialize shiro permission success...");
}
/**
 * Registers the Shiro filter factory bean bound to {@code securityManager()}.
 * <p>
 * NOTE(review): no filter chain definition map and no login/unauthorized URLs are set here, so
 * this bean alone intercepts nothing — confirm that URL protection is configured elsewhere.
 *
 * @return a factory bean with only the security manager set
 */
@Bean
public ShiroFilterFactoryBean shiroFilter() {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager());
    return bean;
}
/**
 * Registers the Shiro filter factory bean with a hard-coded chain map: static resources are
 * anonymous, {@code /logout} is handled by the logout filter and everything else requires
 * authentication.
 *
 * @param securityManager the security manager the filter uses
 * @return the configured factory bean
 */
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
    System.out.println("ShiroConfiguration.shirFilter()");
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager);

    // Interceptor rules. LinkedHashMap keeps insertion order, which is the evaluation order.
    Map<String, String> chains = new LinkedHashMap<String, String>();
    // URLs that are never intercepted; rules are checked in order.
    chains.put("/static/**", "anon");
    // Logout filter; Shiro already implements the actual logout logic.
    chains.put("/logout", "logout");
    // Chain definitions run top-down, so "/**" normally goes last -- a classic pitfall.
    // authc: every URL must be authenticated; anon: every URL may be accessed anonymously.
    chains.put("/**", "authc");

    // Without a login URL Shiro looks for "/login.jsp" under the web root.
    bean.setLoginUrl("/login");
    // Redirect target after a successful login.
    bean.setSuccessUrl("/index");
    // Unauthorized page.
    bean.setUnauthorizedUrl("/403");
    bean.setFilterChainDefinitionMap(chains);
    return bean;
}
/**
 * Creates the {@code shiroFilter} bean ({@link MShiroFilterFactoryBean}) for the given security
 * manager and delegates the URL rules to {@code loadShiroFilterChain}.
 * <p>
 * The previous note about {@code StudentService}/{@code IScoreDao} parameters was an example of
 * injecting database-access objects to read rules from the database; this signature does not
 * declare them, and real projects should provide the rules through their own service.
 *
 * @param securityManager the security manager (required) the filter delegates to
 * @return the configured factory bean
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean factory = new MShiroFilterFactoryBean();
    // The SecurityManager must be set.
    factory.setSecurityManager(securityManager);
    // Explicit login URL; otherwise Shiro falls back to "/login.jsp" under the web root.
    factory.setLoginUrl("/login");
    // The success URL is left unset ("/user" is not applied).
    factory.setUnauthorizedUrl("/403");
    loadShiroFilterChain(factory);
    return factory;
}
try { shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean .getObject(); } catch (Exception e) { throw new RuntimeException( shiroFilterFactoryBean.getFilterChainDefinitionMap().clear(); shiroFilterFactoryBean .setFilterChainDefinitionMap(getAllRolesByPermission()); .getFilterChainDefinitionMap(); for (Map.Entry<String, String> entry : chains.entrySet()) { String url = entry.getKey();
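/**
 * Loads the shiroFilter access-control rules (meant to be read from the database, then applied
 * to the factory bean).
 * <p>
 * The rules live in a {@link LinkedHashMap} because Shiro matches URL patterns in insertion order,
 * so the catch-all {@code /**} must be the last entry. Previously {@code /logout} was added after
 * {@code /**}, which meant the {@code logout} filter could never be reached; it now precedes the
 * catch-all.
 *
 * @param shiroFilterFactoryBean the factory bean that receives the chain definition map
 */
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
    // authc: pages behind this filter require authentication; it is Shiro's built-in
    //        org.apache.shiro.web.filter.authc.FormAuthenticationFilter.
    // anon:  the corresponding filter is empty and does nothing.
    /////////////////////// these rules are better kept in a configuration file ///////////////////////
    Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
    logger.info("##################从数据库读取权限规则,加载到shiroFilter中##################");
    // Values are hard-coded here for testing; they could come from the database or other config.
    filterChainDefinitionMap.put("/static/**", "anon"); // anon: not intercepted
    filterChainDefinitionMap.put("/favicon.ico", "anon");
    filterChainDefinitionMap.put("/login", "authc");
    // Must come before the catch-all so the logout filter actually handles /logout.
    filterChainDefinitionMap.put("/logout", "logout");
    filterChainDefinitionMap.put("/**", "authc");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}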
/**
 * Registers the Shiro filter factory bean for the admin area: the login, 401, index and 403 pages
 * are anonymous and everything else under {@code /admin/**} requires authentication.
 *
 * @param securityManager the security manager the filter uses
 * @return the configured factory bean
 */
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager);

    // The specific anonymous pages are listed before the protected wildcard (insertion order).
    Map<String, String> chains = new LinkedHashMap<String, String>();
    chains.put("/admin/auth/login", "anon");
    chains.put("/admin/auth/401", "anon");
    chains.put("/admin/auth/index", "anon");
    chains.put("/admin/auth/403", "anon");
    chains.put("/admin/**", "authc");
    bean.setFilterChainDefinitionMap(chains);

    bean.setLoginUrl("/admin/auth/401");
    bean.setSuccessUrl("/admin/auth/index");
    bean.setUnauthorizedUrl("/admin/auth/403");
    return bean;
}
try { shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean .getObject(); } catch (Exception e) { throw new RuntimeException( shiroFilterFactoryBean.getFilterChainDefinitionMap().clear(); shiroFilterFactoryBean .setFilterChainDefinitionMap(loadFilterChainDefinitions()); .getFilterChainDefinitionMap(); for (Map.Entry<String, String> entry : chains.entrySet()) { String url = entry.getKey();
/**
 * Loads the shiroFilter access-control rules (meant to be read from the database and then applied
 * to the factory bean): a few anonymous paths, one permission-guarded path, then a catch-all that
 * requires authentication.
 *
 * @param shiroFilterFactoryBean the factory bean that receives the chain definition map
 */
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
    /////////////////////// these rules are better kept in a configuration file ///////////////////////
    // TODO crucial: the filter order must be arranged to your needs.
    Map<String, String> rules = new LinkedHashMap<>();
    // authc where authentication is required, anon where it is not.
    // anon: the corresponding filter is empty and does nothing.
    rules.put("/resource/**", "anon");
    rules.put("/install", "anon");
    rules.put("/hello", "anon");
    log.info("##################从数据库读取权限规则,加载到shiroFilter中##################");
    // Permission rules can also be loaded programmatically instead of via annotations.
    Map<String, String> permissionRules = new LinkedHashMap<>();
    permissionRules.put("/users/find", "perms[user:find]");
    rules.putAll(permissionRules);
    // Catch-all goes last.
    rules.put("/**", "authc");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(rules);
}
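/**
 * ShiroFilterFactoryBean is a FactoryBean that produces the ShiroFilter. It mainly holds three
 * pieces of data: the securityManager, the filters and the filterChainDefinitionManager.
 * <p>
 * The {@link LogoutFilter} redirecting to {@code /login} was previously created but never put into
 * the filter map, so the {@code logout} chain fell back to Shiro's stock logout filter; it is now
 * registered under the {@code logout} name that the {@code /logout} chain refers to.
 *
 * @return the configured factory bean
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
    shiroFilterFactoryBean.setSecurityManager(securityManager());

    Map<String, Filter> filters = new LinkedHashMap<String, Filter>();
    LogoutFilter logoutFilter = new LogoutFilter();
    logoutFilter.setRedirectUrl("/login");
    // Register the configured filter under the name used in the chain definitions below.
    filters.put("logout", logoutFilter);
    shiroFilterFactoryBean.setFilters(filters);

    Map<String, String> filterChainDefinitionManager = new LinkedHashMap<String, String>();
    filterChainDefinitionManager.put("/logout", "logout");
    filterChainDefinitionManager.put("/user/**", "authc,roles[ROLE_USER]");
    filterChainDefinitionManager.put("/events/**", "authc,roles[ROLE_ADMIN]");
    // Values are hard-coded here for testing; they could come from the database or other config.
    // Catch-all last: anything not listed above is reachable anonymously.
    filterChainDefinitionManager.put("/**", "anon");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager);

    shiroFilterFactoryBean.setSuccessUrl("/");
    shiroFilterFactoryBean.setUnauthorizedUrl("/403");
    return shiroFilterFactoryBean;
}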