shiro 退出 清除緩存


shiro是一個被廣泛使用的安全層框架,通過xml配置方式與spring無縫對接,用戶的登陸/退出/權限控制/Cookie等管理系統基礎功能交給shiro來管理。

  一般,在開發JavaWEB管理平台系統時,用戶退出系統之前需要清除用戶數據和關閉連接,防止垃圾數據堆積。shiro提供了LogoutFilter過濾器,我們可以通過LogoutFilter的preHandle方法,實現清除緩存功能。

頁面代碼:

<#-- Header login/logout links. Per Shiro tag semantics, shiro.guest renders its body for a
     visitor with no known identity and shiro.user renders it for a known (logged-in or
     remembered) user. -->
<#-- NOTE(review): the logout entry is a plain link, so logout is triggered by a GET request to
     ${base}/b/logout. Any third-party page that makes the browser load that URL will end the
     user's session. If that matters, submit logout as a POST form and restrict the filter to
     POST on the server side. -->
<div class="item" style="float:right;cursor:pointer;">
     <@shiro.guest>
          <a href="${base}/u/zhuti/ztzx"><span style="font-weight:bold">登錄</span>&nbsp;&nbsp;&nbsp;&nbsp;|</a>
     </@shiro.guest>
     <@shiro.user>
          <a href="${base}/b/logout">退出</a>
     </@shiro.user>
</div>

shiro配置文件:applicationContext-shiro.xml

先貼出整個配置文件:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                            http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
                            http://www.springframework.org/schema/jee 
                            http://www.springframework.org/schema/jee/spring-jee-4.0.xsd 
                            http://www.springframework.org/schema/context 
                            http://www.springframework.org/schema/context/spring-context-4.0.xsd
                            http://www.springframework.org/schema/aop
                            http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
                            http://www.springframework.org/schema/tx
                            http://www.springframework.org/schema/tx/spring-tx-4.0.xsd">


    <!-- EhCache-backed Shiro cache manager, configured from ehcache-shiro.xml on the classpath.
         It is injected into securityManager, so realms can cache authentication and
         authorization data in it. -->
    <!-- NOTE(review): EhCache is local to one JVM, while sessions in this file go through
         memcachedShiroSessionRepository. If the application runs on several nodes (presumably
         the reason for the external session store), a logout clears the cached data only on
         the node that handled it. Keep the time-to-live in ehcache-shiro.xml (not shown here)
         short enough that revoked permissions do not linger on the other nodes. -->
    <bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" />
    </bean>

    <!-- <bean id="myRealm" class="cn.com.zhulong.app.security.shiro.MyRealm" /> -->
    
    <!-- Realm used by securityManager. The stock CasRealm (commented out below) is replaced by
         the project's own MyCasRealm. -->
    <!-- NOTE(review): no properties are set here, so the CAS server URL prefix and the service
         URL used for ticket validation are presumably defined inside MyCasRealm or elsewhere.
         Confirm that they point at the intended CAS server over HTTPS. -->
    <!-- <bean id="casRealm" class="org.apache.shiro.cas.CasRealm">  -->
    <bean id="casRealm" class="cn.com.zhulong.app.security.shiro.MyCasRealm">   
    </bean>

    <!-- Central Shiro SecurityManager for the web application. It ties together the realm
         (casRealm), the cache manager (shiroCacheManager), the session manager and the CAS
         subject factory. On logout it is this manager that notifies the realm and stops the
         session. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- The sessionMode switch stays disabled; an explicit sessionManager bean is injected below instead. -->
        <!-- <property name="sessionMode" value="native"/> -->
        <property name="realm" ref="casRealm" />
        <property name="cacheManager" ref="shiroCacheManager" />
        <property name="sessionManager" ref="sessionManager"/>
        <property name="subjectFactory" ref="casSubjectFactory" />
    </bean>
    
    <!-- To support the CAS remember-me feature, the bean below is required and must be set as
         the subjectFactory of securityManager. -->
    <!-- NOTE(review): the org.apache.shiro.cas module was deprecated upstream (around Shiro 1.3)
         in favour of a pac4j-based integration. Confirm the Shiro version in use and whether
         this module still receives fixes. -->
    <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory"/>
    
    <!-- Single sign-on (CAS) configuration. The project's own CasFilter replaces the stock one
         (commented out below). In the filter chain it handles /authentication*. -->
    <!-- <bean id="casFilter" class="org.apache.shiro.cas.CasFilter"> -->
    <bean id="casFilter" class="cn.com.zhulong.app.security.shiro.CasFilter">
        <!-- Failure page shown when validation fails, i.e. when the ticket check does not pass. -->
        <!-- NOTE(review): /error has no entry in filterChainDefinitions, so it is reachable without
             authentication. Make sure the page does not echo the ticket or exception details. -->
        <property name="failureUrl" value="/error" />
    </bean>

    <!-- Main Shiro web filter. It registers the named filters and maps URL patterns to them.
         Shiro evaluates the patterns in filterChainDefinitions from top to bottom and the
         first match wins, so specific patterns must stay above broader ones (here
         /u/zbxmts/** is correctly placed before /u/**). -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- <bean id="shiroFilter" class="cn.com.zhulong.app.security.shiro.MyShiroFilterFactoryBean"> -->
        <property name="securityManager" ref="securityManager" />
        
        <!-- Configuration without single sign-on: page to redirect to when the user is not logged in or login fails. -->
        <property name="loginUrl" value="/login" />
        <!-- Configuration with single sign-on: login URL of the CAS server; its service parameter is the return address. -->
        <!-- <property name="loginUrl" value="${cas.shiro.loginUrl}" /> -->
        
        <property name="successUrl" value="/" />
        
        <property name="unauthorizedUrl" value="/unauthorized" />
        <!-- Named filters that filterChainDefinitions can refer to by key. -->
        <property name="filters">
            <map>
                <entry key="casFilter" value-ref="casFilter"></entry>
                <entry key="myperms">
                    <bean class="cn.com.zhulong.common.web.shiro.MyPermissionsAuthorizationFilter">
                    </bean>
                </entry>
                <entry key="touSuAuthc">
                    <bean class="cn.com.zhulong.app.security.shiro.TouSuFormAuthenticationFilter">
                    </bean>
                </entry>
                <!-- Logout filter -->
                <entry key="logout" value-ref="logoutFilter" />
            </map>
        </property>
        <!-- Commented out for now: permission checks are skipped so that any logged-in user gets access, which is convenient for testing. <property name="filterChainDefinitions">
            <value>
                /logout=logoutFilter
                /enum_js=anon
                /admin/**=authc,myperms
                /admin/**=authc
                /admin/** = authc
                
                /jyzk/toZycdAdd**  = authc
                /jyzk/zycdAdd**  = authc
            </value>
        </property> -->
        <!-- Active URL-to-filter mapping.
             NOTE(review): the myperms filter is registered above but not used in this chain, so
             /admin/** requires only a logged-in user and no specific permission. Unless
             authorization is enforced elsewhere (for example by annotations, not visible here),
             restore a permission filter on /admin/** before production use.
             NOTE(review): there is no catch-all entry. A request path that matches none of the
             patterns below is not subject to any authentication filter. A default-deny line
             such as "/** = authc" at the end, preceded by explicit anon entries for the public
             pages (/login, /error, /unauthorized), is the safer layout; confirm the list of
             public pages against the controllers first.
             NOTE(review): /b/logout is served for any HTTP method, including GET. -->
        <property name="filterChainDefinitions">
            <value>
                /authentication* = casFilter
                /res/** = anon
                /enum_js = anon
                 /b/logout = logout
                /admin/** = authc
                /u/zbxmts/** = touSuAuthc
                /u/** = authc
                /open/**  = authc
                /jyzk/toZycdAdd**  = authc
                /jyzk/zycdAdd**  = authc
            </value>
        </property>
    </bean>


    <!-- Lets Spring drive the lifecycle of Shiro objects: it calls init() and destroy() on Shiro
         beans that implement Shiro's Initializable and Destroyable interfaces. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- Session ID generator (random UUID based). -->
    <!-- NOTE(review): no bean in this file references sessionIdGenerator; sessionDAO only receives
         shiroSessionRepository. Check how CustomShiroSessionDAO actually creates session IDs
         and that they come from a cryptographically strong random source. -->
    <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator" />
    
    <!-- Stock Shiro logout filter, registered under the key "logout" and mapped to /b/logout.
         Its preHandle obtains the current Subject, calls subject.logout() (the session is
         stopped and the realm is notified so it can drop the cached data of that user), and
         then redirects to redirectUrl. -->
    <!-- NOTE(review): by default the filter acts on any HTTP method, so a GET issued from another
         site can log a user out. Later Shiro 1.x releases offer a postOnlyLogout property on
         LogoutFilter; enabling it also requires the logout link in the page to become a POST
         form. Confirm availability against the Shiro version in use.
         NOTE(review): this is a local logout only. If the CAS loginUrl is switched on, the
         single sign-on session at the CAS server stays alive and the user may be signed in
         again silently; in that case redirect to the CAS server logout endpoint instead. -->
    <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
        <property name="redirectUrl" value="/login" />
    </bean>
    
    <!-- Calls the static method SecurityUtils.setSecurityManager(securityManager) at context
         start-up, so that SecurityUtils.getSubject() also works in code that does not run
         inside a request handled by shiroFilter. -->
    <!-- NOTE(review): this sets a static, JVM-wide reference. It is shared by everything loaded by
         the same class loader, so confirm that only this application uses it. -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod"
            value="org.apache.shiro.SecurityUtils.setSecurityManager" />
        <property name="arguments" ref="securityManager" />
    </bean>
    
    <!-- Shiro-managed (native) web sessions, persisted through sessionDAO and tracked by a
         session ID cookie. -->
    <!-- NOTE(review): no cookie attributes are set, so the defaults of Shiro's session cookie
         apply. For an HTTPS deployment set sessionIdCookie.secure to true and confirm that
         sessionIdCookie.httpOnly is true, using the same nested property syntax as the
         commented path example below. -->
    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <!-- Idle timeout in milliseconds: 1800000 ms = 30 minutes. -->
        <property name="globalSessionTimeout" value="1800000" />
        <!-- Remove sessions from the store once they are found to be invalid. -->
        <property name="deleteInvalidSessions" value="true" />
        <property name="sessionValidationSchedulerEnabled" value="true" />
        <property name="sessionValidationScheduler" ref="sessionValidationScheduler" />
        <property name="sessionDAO" ref="sessionDAO" />
        <property name="sessionIdCookieEnabled" value="true" />
        <!-- <property name="sessionIdCookie.path" value="/365-mfgg-adminweb/" /> -->
    </bean>

    <!-- Session validation scheduler: periodically asks sessionManager to validate the stored
         sessions. sessionManager and this bean reference each other. -->
    <!-- NOTE(review): the interval equals the session timeout, so an expired session that is never
         touched again can remain in the store for up to one more interval before the sweep
         removes it. Shorten the interval if stale session data in the store is a concern. -->
    <bean id="sessionValidationScheduler"
        class="org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler">
        <!-- 30 minutes, expressed in milliseconds. -->
        <property name="interval" value="1800000" />
        <property name="sessionManager" ref="sessionManager" />
    </bean>


    <!-- Project-specific session DAO that delegates storage to a repository bean. Judging by the
         class name the repository keeps sessions in memcached; the implementation is not
         shown here. -->
    <!-- NOTE(review): stored sessions carry the authenticated identity. Whoever can read or write
         the session store can take over or forge sessions, so the store must be reachable
         only from the application servers. If the repository uses Java serialization
         (presumably; verify), data read back from the store is deserialized and must be
         treated as trusted input only under that network restriction. -->
    <bean id="sessionDAO" class="cn.com.zhulong.common.web.shiro.dao.CustomShiroSessionDAO">
        <property name="shiroSessionRepository" ref="memcachedShiroSessionRepository" />
    </bean>

    <bean id="memcachedShiroSessionRepository" class="cn.com.zhulong.common.web.shiro.dao.MemcachedShiroSessionRepository" />
    
</beans>  

首先,頁面點擊退出時,請求 /b/logout 會被 filterChainDefinitions 攔截,並對應到名為 logout 的過濾器:

<!-- Excerpt of the shiroFilter bean: URL patterns mapped to filter names. Patterns are checked
     from top to bottom and the first match wins; /b/logout is handled by the filter
     registered under the key "logout". -->
<!-- NOTE(review): a path that matches none of these patterns is not subject to any
     authentication filter, and /admin/** requires login only, with no permission check. -->
<property name="filterChainDefinitions">
            <value>
                /authentication* = casFilter
                /res/** = anon
                /enum_js = anon
                 /b/logout = logout
                /admin/** = authc
                /u/zbxmts/** = touSuAuthc
                /u/** = authc
                /open/**  = authc
                /jyzk/toZycdAdd**  = authc
                /jyzk/zycdAdd**  = authc
            </value>
        </property>

再根據logout找到對應退出過濾器:

        <!-- Excerpt of the shiroFilter bean: named filters that the URL patterns refer to by key.
             The key "logout" resolves to the bean with id logoutFilter. -->
        <property name="filters">
            <map>
                <entry key="casFilter" value-ref="casFilter"></entry>
                <entry key="myperms">
                    <bean class="cn.com.zhulong.common.web.shiro.MyPermissionsAuthorizationFilter">
                    </bean>
                </entry>
                <entry key="touSuAuthc">
                    <bean class="cn.com.zhulong.app.security.shiro.TouSuFormAuthenticationFilter">
                    </bean>
                </entry>
                <!-- Logout filter -->
                <entry key="logout" value-ref="logoutFilter" />
            </map>
        </property>

再根據logoutFilter找到此配置

    <!-- Stock Shiro logout filter: logs the current Subject out, then redirects to redirectUrl. -->
    <!-- NOTE(review): the filter responds to any HTTP method by default, so logout can be triggered
         by a cross-site GET. Restrict it to POST where the Shiro version in use supports that. -->
    <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
        <property name="redirectUrl" value="/login" />
    </bean>

此處先執行LogoutFilter的preHandle方法完成退出和清空緩存操作:它會調用subject.logout(),使當前會話失效,並通知Realm清除該用戶的緩存數據;然后重定向,redirectUrl的value即為重定向的地址。

