Using Shiro's native and the default HTTP session

1.) web.xml - enable the Shiro filter:

<listener>
 <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
 <filter-name>ShiroFilter</filter-name>
 <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
 <filter-name>ShiroFilter</filter-name>
 <url-pattern>/*</url-pattern>
 <dispatcher>REQUEST</dispatcher>
 <dispatcher>FORWARD</dispatcher>
 <dispatcher>INCLUDE</dispatcher>
 <dispatcher>ERROR</dispatcher>
</filter-mapping>

2.) Enable the default HTTP session in shiro.ini:

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS 

# the realm should also handle authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification; use a large value for hashIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml

roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter

[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout

3.) Enable Shiro's native session:

[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl

# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dummyDS 

# the realm should also handle authorization
saltedJdbcRealm.permissionsLookupEnabled = true

# If not filled, subclasses of JdbcRealm assume "select password from users where username  =  ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery  =  SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?

# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username  =  ?"
saltedJdbcRealm.userRolesQuery  =  SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?

# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name  =  ?"
saltedJdbcRealm.permissionsQuery  =  SELECT action FROM crm_permissions WHERE role = ?

# password hashing specification; use a large value for hashIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm

sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = dropship-activeSessionCache

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
#sessionManager.sessionIdCookie.domain = com.sido
# 1,800,000 milliseconds = 30 mins
#sessionManager.globalSessionTimeout = 1800000

sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler

securityManager.sessionManager = $sessionManager 

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager

sidoFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
sidoFilter.loginUrl = /login.xhtml
# logout.redirectUrl = /login.xhtml

[urls]
/login.xhtml = sidoFilter
/secure/** = sidoFilter
/api/** = noSessionCreation, sidoFilter
# /logout = logout
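
How the `password` and `salt` columns read by `authenticationQuery` can be produced so that `sha256Matcher` accepts them, as an added example (not code from the original post). It assumes Shiro 1.x, a hex-encoded stored hash (the `HashedCredentialsMatcher` default), and that the post's `JdbcRealmImpl`, whose source is not shown, Base64-decodes the salt column; the class name `CrmPasswordRow` and the sample credentials are made up.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class CrmPasswordRow {
    // Must equal sha256Matcher.hashIterations in shiro.ini; raising it later
    // means re-hashing every stored password with the new count.
    static final int ITERATIONS = 1;

    public static void main(String[] args) {
        String username = "alice";                 // constructed sample
        String password = "correct horse battery"; // constructed sample

        // Fresh random salt per user (16 bytes by default).
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();

        // crm_users.password: hex, because the matcher decodes stored
        // String credentials as hex unless told otherwise.
        String passwordColumn = new Sha256Hash(password, salt, ITERATIONS).toHex();
        // crm_users.salt: Base64 is an assumption about JdbcRealmImpl.
        String saltColumn = salt.toBase64();

        // What the realm is assumed to hand back after running authenticationQuery.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                username, passwordColumn,
                ByteSource.Util.bytes(Base64.decode(saltColumn)), "saltedJdbcRealm");

        // Same settings as the sha256Matcher lines in shiro.ini.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(ITERATIONS);

        boolean good = matcher.doCredentialsMatch(
                new UsernamePasswordToken(username, password), info);
        boolean wrong = matcher.doCredentialsMatch(
                new UsernamePasswordToken(username, "not the password"), info);

        // Changing the iteration count without re-hashing locks every user out.
        matcher.setHashIterations(ITERATIONS + 1);
        boolean afterChange = matcher.doCredentialsMatch(
                new UsernamePasswordToken(username, password), info);

        System.out.printf("password=%s%nsalt=%s%n", passwordColumn, saltColumn);
        System.out.printf("good=%b wrong=%b afterChange=%b%n", good, wrong, afterChange);
    }
}
```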
Time: 2024-10-13 01:13:28