hasAnyRole标签

　　当前的Subject被分配了任意一个来自于逗号分隔的角色名列表中的具体角色，将会显示它所包含的内容。

　　<shiro:hasAnyRoles name="developer, project manager, administrator">

　　You are either a developer, project manager, or administrator.

　　</shiro:lacksRole>

　　hasPermission标签

　　当前Subject拥有特定的权限时，会显示它所包含的内容。hasPermission标签与lacksPermission标签逻辑相反。

　　<shiro:hasPermission name="user:create">

　　<a href="createUser.jsp">Create a new User</a>

　　</shiro:hasPermission>

　　lacksPermission标签

　　当前Subject没有拥有(蕴含)特定的权限，将会显示它所包含的内容。也就是说，用户没有特定的能力。

　　<shiro:lacksPermission name="user:delete">

　　Sorry, you are not allowed to delete user accounts.

　　</shiro:hasPermission>

　　3、Spring集成Shiro

　　配置自定义Realm：实现自定义认证和授权

　　配置Shiro实体类使用的缓存策略

　　配置SecurityManager

　　配置保证Shiro内部Bean声明周期都得到执行的Lifecycle Bean后置处理器

　　配置AOP式方法级权限检查

　　配置Shiro Filter

　　基于Maven构建项目

   web.xml

　　<?xml version="1.0" encoding="utf-8"?>

　　<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

　　xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee

　　http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"

　　version="3.1" metadata-complete="true">

　　<!-- ==================================================================

　　Context parameters ================================================================== -->

　　<context-param>

　　<param-name>contextConfigLocation</param-name>

　　<param-value>classpath:spring/applicationContext*.xml</param-value>

　　</context-param>

　　<!-- ==================================================================

　　Servlet listeners ================================================================== -->

　　<listener>

　　<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

　　</listener>

　　<!-- ==================================================================

　　Filters ================================================================== -->

　　<filter>

　　<filter-name>encodingFilter</filter-name>

　　<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>

　　<init-param>

　　<param-name>encoding</param-name>

　　<param-value>UTF-8</param-value>

　　</init-param>

　　<init-param>

　　<param-name>forceEncoding</param-name>

　　<param-value>true</param-value>

　　</init-param>

　　</filter>

　　<filter-mapping>

　　<filter-name>encodingFilter</filter-name>

　　<url-pattern>/*</url-pattern>

　　</filter-mapping>

　　<!-- Shiro Filter is defined in the spring application context: -->

　　<filter>

　　<filter-name>shiroFilter</filter-name>

　　<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

　　<init-param>

　　<param-name>targetFilterLifecycle</param-name>

　　<param-value>true</param-value>

　　</init-param>

　　</filter>

　　<filter-mapping>

　　<filter-name>shiroFilter</filter-name>

　　<url-pattern>/*</url-pattern>

　　</filter-mapping>

　　<!-- ==================================================================

　　Servlets ================================================================== -->

　　<servlet>

　　<servlet-name>springDispatcherServlet</servlet-name>

　　<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

　　<load-on-startup>1</load-on-startup>

　　</servlet>

　　<servlet-mapping>

　　<servlet-name>springDispatcherServlet</servlet-name>

　　<url-pattern>/</url-pattern>

　　</servlet-mapping>

　　<error-page>

　　<error-code>500</error-code>

　　<location>/WEB-INF/jsp/error/500.jsp</location>

　　</error-page>

　　</web-app>

　　applicationContext.xml

　　<?xml version="1.0" encoding="UTF-8"?>

　　<beans xmlns="http://www.springframework.org/schema/beans"

　　xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

　　xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"

　　xsi:schemaLocation="http://www.springframework.org/schema/beans      http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd">

　　<context:component-scan base-package="com.github.gxshiro">

　　<context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>

　　<context:exclude-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/>

　　</context:component-scan>

　　<context:property-placeholder location="classpath:properties/jdbc.properties"/>

　　<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">

　　<property name="driverClass" value="${jdbc.driverClass}"/>

　　<property name="jdbcUrl" value="${jdbc.jdbcUrl}"/>

　　<property name="user" value="${jdbc.user}"/>

　　<property name="password" value="${jdbc.password}"/>

　　</bean>

　　<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">

　　<property name="configLocation" value="classpath:config/mybatis-config.xml"/>

　　<property name="dataSource" ref="dataSource"/>

　　<property name="typeAliasesPackage" value="com.github.gxshiro.domain"/>

　　<property name="mapperLocations" value="classpath:mapper/*.xml"/>

　　</bean>

　　<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">

　　<property name="sqlSessionFactoryBeanName" value="sqlSessionFactory"/>

　　<property name="basePackage" value="com.github.gxshiro.mapper"/>

　　</bean>

　　<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">

　　<property name="dataSource" ref="dataSource"/>

　　</bean>

　　<tx:annotation-driven/>

　　</beans>

　　applicationContext-shiro.xml

　　<?xml version="1.0" encoding="UTF-8"?>

　　<beans xmlns="http://www.springframework.org/schema/beans"

　　xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

　　xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

　　<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">

　　<!-- Set a net.sf.ehcache.CacheManager instance here if you already have one. If not, a new one

　　will be creaed with a default config:

　　<property name="cacheManager" ref="ehCacheManager"/> -->

　　<!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but you want

　　a specific Ehcache configuration to be used, specify that here. If you don't, a default

　　will be used.:-->

　　<property name="cacheManagerConfigFile" value="classpath:config/ehcache.xml"/>

　　</bean>

　　<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

　　<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->

　　<property name="realm" ref="myRealm"/>

　　<!-- By default the servlet container sessions will be used. Uncomment this line

　　to use shiro's native sessions (see the JavaDoc for more): -->

　　<!-- <property name="sessionMode" value="native"/> -->

　　<property name="cacheManager" ref="cacheManager"/>

　　</bean>

　　<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

　　<property name="securityManager" ref="securityManager"/>

　　<property name="loginUrl" value="/shiro-login"/>

　　<property name="successUrl" value="/success"/>

　　<property name="unauthorizedUrl" value="/shiro-unauthorized"/>

　　<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean

　　defined will be automatically acquired and available via its beanName in chain

　　definitions, but you can perform overrides or parent/child consolidated configuration

　　here if you like: -->

　　<!-- <property name="filters">

　　<util:map>

　　<entry key="aName" value-ref="someFilterPojo"/>

　　</util:map>

　　</property> -->

　　<property name="filterChainDefinitions">

　　<value>

　　/** = anon

　　</value>

　　</property>

　　</bean>

　　<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

　　</beans>

　　springDispatherServlet-servlet.xml

　　<?xml version="1.0" encoding="UTF-8"?>

　　<beans xmlns="http://www.springframework.org/schema/beans"

　　xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

　　xmlns:context="http://www.springframework.org/schema/context"

　　xmlns:mvc="http://www.springframework.org/schema/mvc"

　　xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">

　　<context:component-scan base-package="com.github.gxshiro" use-default-filters="false">

　　<context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>

　　<context:include-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/>

　　</context:component-scan>

　　<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">

　　<property name="prefix" value="/WEB-INF/jsp/"/>

　　<property name="suffix" value=".jsp"/>

　　</bean>

　　<mvc:view-controller path="/shiro-login" view-name="home/login"/>

　　<mvc:view-controller path="/success" view-name="login/success"/>

　　<!-- 配置没有权限的页面-->

　　<mvc:view-controller path="/shiro-unauthorized" view-name="/unauthorized"/>

　　<mvc:annotation-driven/>

　　<mvc:default-servlet-handler></mvc:default-servlet-handler>

　　<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->

　　<!-- the lifecycleBeanProcessor has run: -->

　　<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>

　　<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

　　<property name="securityManager" ref="securityManager"/>

　　</bean>

　　<!--<bean id="menu" class="net.sf.navigator.menu.MenuLoader">-->

　　<!--<property name="menuConfig" value="classpath:/config/menu-config.xml"/>-->

　　<!--</bean>-->

　　</beans>