Apache Shiro User Manual (5): Shiro Configuration Instructions

  • 2020-05-09 19:47:20
  • OfStack

The configuration of Apache Shiro is mainly divided into four parts:

1. Object and property definition and configuration
2. Filter configuration for URLs
3. Static user configuration
4. Static role configuration

Since users and roles are dynamic data maintained by the back end, a Shiro configuration generally only contains the first two items.

Most components of Apache Shiro are POJOs, so they can be configured with any POJO-compatible configuration mechanism, such as Java code, Spring XML, YAML, JSON, ini files, and so on. Below, Spring XML configuration is used as the example to briefly explain some of the configuration parameters.

Configuration of Shiro objects:
This part defines and configures the implementations of the various Shiro components. The main components were briefly introduced in the previous section and are not explained again here.


<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <property name="sessionMode" value="native"/>
        <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
        <property name="realm" ref="myRealm"/>
        <property name="sessionManager" ref="sessionManager"/> 
</bean>

Configuration of Shiro filters
Shiro performs security management mainly by filtering URLs, and the configuration here specifies the concrete authorization rules.


<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/home.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
        <value>
            # some example chain definitions:
            /admin/** = authc, roles[admin]
            /docs/** = authc, perms[document:read]
            /** = authc
            # more URL-to-FilterChain definitions here
        </value>
    </property>
</bean>

Configuration instructions for URL filter:

Shiro performs URL-based authorization checks driven by the configuration file. The FilterChain definition format is:
URL_Ant_Path_Expression = Path_Specific_Filter_Chain
Each URL entry means that an application request matching that URL will be processed by the corresponding filter chain.
For example:
[urls]
/index.html = anon
/user/create = anon
/user/** = authc
/admin/** = authc, roles[administrator]
/rest/** = authc, rest
/remoting/rpc/** = authc, perms["remote:invoke"]

URL expressions

1. URL paths are relative to the application's context path (HttpServletRequest.getContextPath()).
2. A URL can use the wildcard ** to stand for any subdirectory.
3. Once a request URL matches a pattern, Shiro stops matching and applies only that pattern's filter chain. Pay attention to the order of the URL entries in the configuration file, especially when using wildcards.

Definition of a filter chain

1. Multiple filters can be configured for one URL, separated by commas.
2. When multiple filters are set, the request must pass all of them.
3. Some filters accept parameters, such as perms and roles.
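To make the matching rules above concrete, here is an added Python example (not part of the original article and not Shiro's own code) that parses a constructed [urls] section, applies Ant-style first-match semantics and AND-chained filter checks, and shows how a catch-all /** placed before /admin/** silently shadows the role check. It assumes one argument per filter bracket and a simplified subject model (an authenticated flag, a role set and a permission set).

```python
import re

# Constructed [urls] sections (not from a real app). In SHADOWED_INI the catch-all
# "/**" comes first and hides the stricter /admin/** rule that follows it.
URLS_INI = """[urls]
/index.html = anon
/user/create = anon
/user/** = authc
/admin/** = authc, roles[administrator]
/** = authc
"""
SHADOWED_INI = """[urls]
/** = authc
/admin/** = authc, roles[administrator]
"""

def parse_urls(ini_text):
    """Return [(ant_pattern, [(filter_name, argument_or_None), ...]), ...] in file order."""
    chains = []
    for line in ini_text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments; skip blanks/headers
        if not line or line.startswith("["):
            continue
        pattern, spec = (s.strip() for s in line.split("=", 1))
        filters = []
        for item in spec.split(","):                  # assumes one argument per bracket
            m = re.fullmatch(r"\s*(\w+)(?:\[(.*?)\])?\s*", item)
            filters.append((m.group(1), m.group(2).strip('"') if m.group(2) else None))
        chains.append((pattern, filters))
    return chains

def ant_to_regex(pattern):
    """Ant-style pattern: ** = any number of segments, * = one segment, ? = one char."""
    table = {"/**": "(?:/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"/\*\*|\*\*|\*|\?|/|[^*?/]+", pattern)
    return re.compile("^" + "".join(table.get(t) or re.escape(t) for t in tokens) + "$")

def first_match(chains, path):
    """Shiro uses the first pattern that matches; later, more specific ones are ignored."""
    for pattern, filters in chains:
        if ant_to_regex(pattern).match(path):
            return pattern, filters
    return None, []

def is_allowed(filters, subject):
    """Every filter in the chain must pass (AND). subject: authenticated, roles, perms."""
    check = {"authc": lambda a: subject["authenticated"],
             "roles": lambda a: set(a.split(",")) <= subject["roles"],
             "perms": lambda a: a in subject["perms"]}
    return all(check.get(name, lambda a: True)(arg) for name, arg in filters)
```

Running first_match over every route of a real configuration with the intended subjects is a cheap way to catch a shadowed rule before deployment.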

Shiro built-in filters

Filter name   Class
anon          org.apache.shiro.web.filter.authc.AnonymousFilter
authc         org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic    org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms         org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port          org.apache.shiro.web.filter.authz.PortFilter
rest          org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles         org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl           org.apache.shiro.web.filter.authz.SslFilter
user          org.apache.shiro.web.filter.authc.UserFilter
