spring集成shiro的配置xml

一个是spring-mvc-shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       ">

    <aop:config proxy-target-class="true"/>

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>
</beans>

另一个是spring-config-shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
          http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- realm -->
    <!--depends-on="userRepository, userLastOnlineRepository, userStatusHistoryRepository, springUtils" -->
    <bean id="userRealm" class="org.apache.shiro.realm.UserRealm">
        <!-- 用切面缓存代理了 此处就不缓存了 -->
        <property name="authenticationCachingEnabled" value="false"/>
        <property name="authorizationCachingEnabled" value="false"/>
    </bean>

    <!---cookie-->
    <!-- uid(session id) 生成策略 -->
    <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
    <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="${shiro.uid.cookie.name}"/>
        <property name="domain" value="${shiro.uid.cookie.domain}"/>
        <property name="path" value="${shiro.uid.cookie.path}"/>
        <property name="httpOnly" value="${shiro.uid.cookie.httpOnly}"/>
        <property name="maxAge" value="${shiro.uid.cookie.maxAge}"/>
    </bean>
    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="${shiro.uid.rememeberMe.cookie.name}"/>
        <property name="domain" value="${shiro.uid.cookie.domain}"/>
        <property name="path" value="${shiro.uid.cookie.path}"/>
        <property name="httpOnly" value="${shiro.uid.cookie.httpOnly}"/>
        <property name="maxAge" value="${shiro.uid.rememeberMe.cookie.maxAge}"/>
    </bean>

    <!--dao -->
    <!-- 会话保持的DAO -->
    <bean id="onlineSessionDAO" class="org.apache.shiro.session.mgt.eis.OnlineSessionDAO">
        <property name="sessionIdGenerator" ref="sessionIdGenerator"/>
        <property name="activeSessionsCacheName" value="${shiro.active.session.cacheName}"/>
    </bean>

    <bean id="onlineSessionFactory" class="org.apache.shiro.session.mgt.OnlineSessionFactory"/>

    <!-- manager -->
    <!-- Remembered vs Authenticated http://www.ituring.com.cn/article/287 -->
    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
        <!-- rememberme cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度（128 256 512 位）-->
        <property name="cipherKey"
                  value="#{T(org.apache.shiro.codec.Base64).decode('${shiro.uid.rememeberMe.cookie.base64.cipherKey}')}"/>
        <property name="cookie" ref="rememberMeCookie"/>
    </bean>

    <bean id="shiroCacheManager" class="org.apache.shiro.cache.spring.SpringCacheManagerWrapper">
        <property name="cacheManager" ref="springCacheManager"/>
    </bean>

    <!-- 会话验证调度  -->
    <bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.scheduler.SpringSessionValidationScheduler">
        <property name="sessionValidationInterval" value="${shiro.session.validation.interval}"/>
        <property name="sessionManager" ref="sessionManager"/>
        <!-- see spring-config-task.xml-->
        <property name="scheduler" ref="scheduler"/>
    </bean>
    <!-- 会话管理器 -->
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.OnlineWebSessionManager">
        <property name="globalSessionTimeout" value="${shiro.session.globalSessionTimeout}"></property>
        <property name="sessionFactory" ref="onlineSessionFactory"/>
        <property name="sessionDAO" ref="onlineSessionDAO"/>
        <property name="deleteInvalidSessions" value="false"/>


        <property name="sessionValidationInterval" value="${shiro.session.globalSessionTimeout}"/>
        <property name="sessionValidationSchedulerEnabled" value="true"/>
        <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>

        <property name="cacheManager" ref="shiroCacheManager"/>
        <property name="sessionIdCookieEnabled" value="true"/>
        <property name="sessionIdCookie" ref="sessionIdCookie"/>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
        <property name="realm" ref="userRealm"/>
        <property name="sessionManager" ref="sessionManager"/>
        <property name="rememberMeManager" ref="rememberMeManager"/>
    </bean>


    <!-- filter -->
    <!--替换默认的form 验证过滤器-->
    <bean id="formAuthenticationFilter" class="org.apache.shiro.web.filter.authc.CustomFormAuthenticationFilter">
        <property name="defaultSuccessUrl" value="${shiro.default.success.url}"/>
        <property name="adminDefaultSuccessUrl" value="${shiro.admin.default.success.url}"/>
        <!--表单上的用户名/密码 下次自动登录的参数名-->
        <property name="usernameParam" value="username"/>
        <property name="passwordParam" value="password"/>
        <property name="rememberMeParam" value="rememberMe"/>
    </bean>

    <!-- 退出登录过滤器 -->
    <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
        <property name="redirectUrl" value="${shiro.logout.success.url}"/>
    </bean>
    <!--提取系统用户（User） 验证用户是否合法的过滤器（如是否删除了 是否锁定了） -->
    <bean id="sysUserFilter" class="org.apache.shiro.web.filter.user.SysUserFilter">
        <property name="userBlockedUrl" value="${shiro.user.blocked.url}"/>
        <property name="userNotfoundUrl" value="${shiro.user.notfound.url}"/>
        <property name="userUnknownErrorUrl" value="${shiro.user.unknown.error.url}"/>
    </bean>
    <!-- 验证会话是否是强制退出等的filter -->
    <bean id="onlineSessionFilter" class="org.apache.shiro.web.filter.online.OnlineSessionFilter">
        <property name="forceLogoutUrl" value="${shiro.user.force.logout.url}"/>
        <property name="onlineSessionDAO" ref="onlineSessionDAO"/>
    </bean>

    <bean id="jCaptchaValidateFilter" class="org.apache.shiro.web.filter.jcaptcha.JCaptchaValidateFilter">
        <property name="jcaptchaEbabled" value="${shiro.jcaptcha.enable}"/>
        <property name="jcaptchaParam" value="jcaptchaCode"/>
        <property name="jcapatchaErrorUrl" value="${shiro.jcaptcha.error.url}"/>
    </bean>

    <!-- 同步当前会话数据到数据库 -->
    <bean id="syncOnlineSessionFilter" class="org.apache.shiro.web.filter.sync.SyncOnlineSessionFilter">
        <property name="onlineSessionDAO" ref="onlineSessionDAO"/>
    </bean>


    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <!-- override these for application-specific URLs if you like:-->
        <property name="loginUrl" value="${shiro.login.url}"/>
        <property name="unauthorizedUrl" value="${shiro.unauthorizedUrl}"/>
        <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean  -->
        <!-- defined will be automatically acquired and available via its beanName in chain        -->
        <!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
        <property name="filters">
            <util:map>
                <entry key="authc" value-ref="formAuthenticationFilter"/>
                <entry key="logout" value-ref="logoutFilter"/>
                <entry key="sysUser" value-ref="sysUserFilter"/>
                <entry key="onlineSession" value-ref="onlineSessionFilter"/>
                <entry key="syncOnlineSession" value-ref="syncOnlineSessionFilter"/>
                <entry key="jCaptchaValidate" value-ref="jCaptchaValidateFilter"/>
            </util:map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /static/** = anon
                /jcaptcha* = anon
                /logout = logout
                /login = jCaptchaValidate,authc
                /** = sysUser,onlineSession,user,syncOnlineSession,perms,roles
            </value>
        </property>
    </bean>


    <!-- aop and other-->
    <!-- For simplest integration, so that all SecurityUtils.* methods work in all cases, -->
    <!-- make the securityManager bean a static singleton.  DO NOT do this in web         -->
    <!-- applications - see the 'Web Applications' section below instead.                 -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>
    </bean>

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

</beans>