simple_xg_total_process_master/src/main/resources/spring-context-shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
		http://www.springframework.org/schema/context  http://www.springframework.org/schema/context/spring-context-4.0.xsd"
       default-lazy-init="true">

    <description>Shiro Configuration</description>

    <!-- 加载配置属性文件 -->
    <context:property-placeholder ignore-unresolvable="true" location="classpath:jeeplus.properties" />

    <!-- Shiro权限过滤过滤器定义 -->
    <bean name="shiroFilterChainDefinitions" class="java.lang.String">
        <constructor-arg>
            <value>
                /static/** = anon
                /userfiles/** = anon
                ${adminPath}/clockInRecordController/** = anon
                ${adminPath}/hrUserController/** = anon
                ${adminPath}/workMaterialCollect/total/** = anon
                ${adminPath}/ruralProject/signatureOldMessageDispose/** = anon
                ${adminPath}/weChatCallBack/** = anon
                ${adminPath}/ruralProject/ruralProjectRecords/getDownloadProjectView = anon
                ${adminPath}/ruralProject/signatureCallBack/** = anon
                ${adminPath}/dailyOfficeWork/signatureCallBack/** = anon
                ${adminPath}/projectReportSignatureCallBack/projectReportSignatureCallBack/** = anon
                ${adminPath}/weXin/theOrder/** = anon
                ${adminPath}/viewFile/viewFile/** = anon
                ${adminPath}/webpage/weixin/orderMeal.jsp = anon
                ${adminPath}/webpage/weixin/error.jsp = anon
                ${adminPath}/sys/user/infoCareStatus = anon
                ${adminPath}/sys/user/validateLoginName = anon
                ${adminPath}/sys/user/validateMobile = anon
                ${adminPath}/sys/user/validateMobileExist = anon
                ${adminPath}/sys/user/resetPassword = anon
                ${adminPath}/sys/user/getAllCompany = anon
                ${adminPath}/sys/user/getComName = anon
                ${adminPath}/sys/user/formulaType = anon
                ${adminPath}/sys/user/formulaData = anon
                ${adminPath}/sys/user/formulaInfo = anon
                ${adminPath}/sys/register = anon
                ${adminPath}/sys/register/registerUser = anon
                ${adminPath}/sys/register/getRegisterCode = anon
                ${adminPath}/sys/register/validateMobileCode = anon
                ${adminPath}/sys/register/validatePassword = anon
                ${adminPath}/sys/register/validatePasswordPublic = anon
                ${adminPath}/workstaff/workStaffBasicInfo/repeatName = anon
                ${adminPath}/sys/register/users = anon
                ${adminPath}/login/getRandomCode = anon
                ${adminPath}/soft/sysVersion/getAndroidVer = anon
                ${adminPath}/soft/sysVersion/getIosVer = anon
                ${adminPath}/projectreportnum/projectReportNum/report = anon
                ${adminPath}/cas = cas
                ${adminPath}/login = authc
                ${adminPath}/logout = anon
                ${adminPath}/** = user
                ${frontPath}/login = authcMobile
                ${frontPath}/logout = anon
                ${frontPath}/registerUser = anon
                ${frontPath}/getRandomCode = anon
                ${frontPath}/validateMobileCode = anon
                ${frontPath}/userInfo/setup/modifyPwd = anon
                ${frontPath}/userInfo/setup/updateMobile = anon
                ${frontPath}/caseinfo/caseInfo/** = anon
                ${frontPath}/** = userMobile
                /act/rest/service/editor/** = perms[act:model:edit]
                /act/rest/service/model/** = perms[act:model:edit]
                /act/rest/service/** = user
                /ReportServer/** = user
            </value>
        </constructor-arg>
    </bean>


    <bean id="authcMobile" class="com.jeeplus.modules.sys.security.FormAuthenticationMobileFilter">
        <property name="loginUrl" value="${frontPath}/login" />
        <property name="successUrl" value="${frontPath}" />
    </bean>
    <bean id="authc" class="com.jeeplus.modules.sys.security.FormAuthenticationFilter">
        <property name="loginUrl" value="${adminPath}/login" />
        <property name="successUrl" value="${adminPath}" />
    </bean>

    <bean id="userMobile" class="org.apache.shiro.web.filter.authc.UserFilter">
        <property name="loginUrl" value="${frontPath}/login" />
        <!--<property name="successUrl" value="${frontPath}" /> -->
    </bean>
    <!-- 安全认证过滤器 -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <!--cas服务登陆-->
        <!-- 设定用户的登录链接，这里为cas登录页面的链接地址可配置回调地址 -->
		<!--<property name="loginUrl" value="${cas.server.url}?service=${cas.project.url}${adminPath}" />-->
        <!--本应用登陆地址-->
        <property name="loginUrl" value="${adminPath}/login" />
        <property name="successUrl" value="${adminPath}?login" />
        <property name="filters">
            <map>
                <entry key="cas" value-ref="casFilter"/>
                <entry key="authc" value-ref="authc"/>
                <entry key="authcMobile" value-ref="authcMobile"/>
                <entry key="userMobile" value-ref="userMobile"/>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <ref bean="shiroFilterChainDefinitions"/>
        </property>
    </bean>

    <!-- CAS认证过滤器 -->
    <bean id="casFilter" class="org.apache.shiro.cas.CasFilter">
        <property name="failureUrl" value="${adminPath}/login"/>
    </bean>

    <!-- 定义Shiro安全管理配置 -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="systemAuthorizingRealm" />
        <property name="sessionManager" ref="sessionManager" />
        <property name="cacheManager" ref="shiroCacheManager" />
        <!--修复CVE-2016-4437漏洞-->
        <property name="rememberMeManager" ref="rememberMeManager"></property>
    </bean>

    <bean id="systemAuthorizingRealm" class="com.jeeplus.modules.sys.security.SystemAuthorizingRealm"/>

    <!-- 自定义会话管理配置 -->
    <bean id="sessionManager" class="com.jeeplus.common.security.shiro.session.SessionManager">
        <property name="sessionDAO" ref="sessionDAO"/>

        <!-- 会话超时时间，单位：毫秒  -->
        <property name="globalSessionTimeout" value="${session.sessionTimeout}"/>
        <!--<property name="globalSessionTimeout" value="-1000001"/> -->
        <!-- 定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话   -->
        <property name="sessionValidationInterval" value="${session.sessionTimeoutClean}"/>
        <!--  		<property name="sessionValidationSchedulerEnabled" value="false"/> -->
        <property name="sessionValidationSchedulerEnabled" value="true"/>

        <property name="sessionIdCookie" ref="sessionIdCookie"/>
        <property name="sessionIdCookieEnabled" value="true"/>
    </bean>

    <!-- 指定本系统SESSIONID, 默认为: JSESSIONID 问题: 与SERVLET容器名冲突, 如JETTY, TOMCAT 等默认JSESSIONID,
        当跳出SHIRO SERVLET时如ERROR-PAGE容器会为JSESSIONID重新分配值导致登录会话丢失! -->
    <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg name="name" value="jeeplus.session.id"/>
    </bean>

<!-- ***********************************     Redis缓存    ******************************************** -->
    <!-- 自定义Session存储容器 -->
     	<bean id="sessionDAO" class="com.jeeplus.common.security.shiro.session.JedisSessionDAO">
     		<property name="sessionIdGenerator" ref="idGen" />
     		<property name="sessionKeyPrefix" value="${redis.keyPrefix}_session_" />
     	</bean>
    <!-- 定义授权缓存管理器 -->
    <bean id="shiroCacheManager" class="com.jeeplus.common.security.shiro.cache.JedisCacheManager" />

<!-- ***********************************     EhCache缓存    ******************************************** -->
    <!-- 自定义Session存储容器 -->
    <!--<bean id="sessionDAO" class="com.jeeplus.common.security.shiro.session.CacheSessionDAO">
        <property name="sessionIdGenerator" ref="idGen" />
        <property name="activeSessionsCacheName" value="activeSessionsCache" />
        <property name="cacheManager" ref="shiroCacheManager" />
    </bean>
    &lt;!&ndash; 定义授权缓存管理器 &ndash;&gt;
    <bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManager" ref="cacheManager"/>
    </bean>-->


    <!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- AOP式方法级权限检查  -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true" />
    </bean>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- 在使用WebSocket时,出现UnavailableSecurityManagerException，加了如下配置 -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod"
                  value="org.apache.shiro.SecurityUtils.setSecurityManager" />
        <property name="arguments" ref="securityManager" />
    </bean>

    <!--修复CVE-2016-4437漏洞-->
    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
        <property name="cipherKey" value="#{T(com.jeeplus.modules.utils.GenerateCipherKey).generateNewKey()}"></property>
        <property name="cookie" ref="rememberMeCookie"></property>
    </bean>
    <!--修复CVE-2016-4437漏洞-->
    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <!-- 写到cookie的name值 -->
        <constructor-arg value="sid"/>
        <!-- 设置js是否可以访问cookie，true 不能访问 -->
        <property name="httpOnly" value="true"></property>
        <!-- 保存时长30天，以秒为单位 -->
        <property name="maxAge" value="2592000"></property>
    </bean>




</beans>