Home > Article > Backend Development > Apache Shiro User Manual (5) Shiro Configuration Instructions
Apache Shiro User Manual (5) Shiro Configuration Instructions
Blog Category:
Development
Security Framework Shiro
The configuration of Apache Shiro is mainly divided into It is divided into four parts:
Definition and configuration of objects and attributes
URL filter configuration
Static user configuration
Static role configuration
Among them, because users and roles are generally Dynamic data is operated by the background, so Shiro configuration generally only contains the first two configurations.
Most components of Apache Shiro are based on POJO, so we can use any POJO-compatible configuration mechanism for configuration, such as Java code, Sping XML, YAML, JSON, ini files, etc. Below, we take the Spring XML configuration method as an example, and give some brief explanations of some of the configuration parameters.
Configuration of Shiro objects:
Mainly defines and configures the implementation of each component of Shiro. The main components have been briefly introduced in the previous article and will not be explained one by one here.
<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager"> <property name="cacheManager" ref="cacheManager"/> <property name="sessionMode" value="native"/> <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. --> <property name="realm" ref="myRealm"/> <property name="sessionManager" ref="sessionManager"/> </bean>
Shiro filter configuration
Shiro mainly performs security management through URL filtering. The configuration here is to specify the specific authorization rule definition.
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login.jsp"/> <property name="successUrl" value="/home.jsp"/> <property name="unauthorizedUrl" value="/unauthorized.jsp"/> --> <property name="filterChainDefinitions"> <value> # some example chain definitions: /admin/** = authc, roles[admin] /docs/** = authc, perms[document:read] /** = authc # more URL-to-FilterChain definitions here </value> </property> </bean>
URL filter configuration instructions:
Shiro can implement URL-based authorization verification through configuration files. FilterChain definition format:
URL_Ant_Path_Expression = Path_Specific_Filter_Chain
Each URL configuration indicates that application requests matching the URL will be verified by the corresponding filter.
For example:
[urls] /index.html = anon /user/create = anon /user/** = authc /admin/** = authc, roles[administrator] /rest/** = authc, rest /remoting/rpc/** = authc, perms["remote:invoke"]
URL expression description
1. The URL directory is based on HttpServletRequest.getContextPath(). This directory setting
2. The URL can be used Wildcard, ** represents any subdirectory
3. When Shiro verifies the URL, if the URL matches successfully, it will no longer continue to match and search. So pay attention to the order of URLs in the configuration file, especially when using wildcards.
Filter Chain Definition Description
1. A URL can configure multiple Filters, separated by commas
2. When multiple filters are set, all must be verified to pass. Considered as passed
3. Some filters can specify parameters, such as perms, roles
Shiro’s built-in FilterChain
Filter Name Class
anon org. apache.shiro.web.filter.authc.AnonymousFilter
authc org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic org.apache.shiro.web.filter.authc. BasicHttpAuthenticationFilter
perms org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port org.apache.shiro.web.filter.authz.PortFilter
rest org. apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl org.apache.shiro.web.filter.authz. SslFilter
user org.apache.shiro.web.filter.authc.UserFilter
The above is the content of the Apache Shiro User Manual (5) Shiro Configuration Instructions. For more related content, please pay attention to PHP Chinese Net (www.php.cn)!