commons-io commons-io 2.5 commons-fileupload commons-fileupload 1.3.2 org.springframework spring-webmvc 4.3.3.RELEASE org.springframework spring-aop 4.3.3.RELEASE org.springframework spring-aspects 4.3.3.RELEASE org.springframework spring-jdbc 4.3.3.RELEASE com.mchange c3p0 0.9.1.2
commons-io commons-io 2.5 commons-fileupload commons-fileupload 1.3.2 org.springframework spring-core 4.3.3.RELEASE org.springframework spring-beans 4.3.3.RELEASE org.springframework spring-tx 4.3.3.RELEASE org.springframework spring-context 4.3.3.RELEASE org.springframework spring-context-support 4.3.3.RELEASE org.springframework spring-web 4.3.3.RELEASE org.springframework spring-webmvc 4.3.3.RELEASE org.springframework spring-aop 4.3.3.RELEASE org.springframework spring-aspects 4.3.3.RELEASE org.springframework spring-jdbc 4.3.3.RELEASE c3p0 c3p0 0.9.1.2
org.mybatis mybatis 3.4.1 org.mybatis mybatis-spring 1.3.0
org.apache.shiro shiro-spring 1.3.2
db.driver=org.gjt.mm.mysql.Driverdb.url=jdbc:mysql://localhost:3306/shirodbdb.user=rootdb.password=db.maxPoolSize=1db.maxIdleTime=1db.minPoolSize=1db.initialPoolSize=1
org.springframework.web.context.ContextLoaderListener contextConfigLocation classpath:applicationContext.xml springmvc org.springframework.web.servlet.DispatcherServlet contextConfigLocation classpath:applicationMVC.xml springmvc *.action encoding org.springframework.web.filter.CharacterEncodingFilter encoding UTF-8 encoding /*
shiroFilter org.springframework.web.filter.DelegatingFilterProxy targetFilterLifecycle true shiroFilter /* REQUEST FORWARD INCLUDE ERROR
org.apache.shiro.spring.web.ShiroFilterFactoryBean的源码:
* Licensed to the Apache Software Foundation (ASF) under onepackage org.apache.shiro.spring.web;import org.apache.shiro.config.Ini;import org.apache.shiro.mgt.SecurityManager;import org.apache.shiro.util.CollectionUtils;import org.apache.shiro.util.Nameable;import org.apache.shiro.util.StringUtils;import org.apache.shiro.web.config.IniFilterChainResolverFactory;import org.apache.shiro.web.filter.AccessControlFilter;import org.apache.shiro.web.filter.authc.AuthenticationFilter;import org.apache.shiro.web.filter.authz.AuthorizationFilter;import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;import org.apache.shiro.web.filter.mgt.FilterChainManager;import org.apache.shiro.web.filter.mgt.FilterChainResolver;import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;import org.apache.shiro.web.mgt.WebSecurityManager;import org.apache.shiro.web.servlet.AbstractShiroFilter;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.BeansException;import org.springframework.beans.factory.BeanInitializationException;import org.springframework.beans.factory.FactoryBean;import org.springframework.beans.factory.config.BeanPostProcessor;import javax.servlet.Filter;import java.util.LinkedHashMap;import java.util.Map;/** * { @link org.springframework.beans.factory.FactoryBean FactoryBean} to be used in Spring-based web applications for * defining the master Shiro Filter. * Usage
* Declare a DelegatingFilterProxy in { @code web.xml}, matching the filter name to the bean id: * * <filter> * <filter-name>shiroFilter</filter-name> * <filter-class>org.springframework.web.filter.DelegatingFilterProxy<filter-class> * <init-param> * <param-name>targetFilterLifecycle</param-name> * <param-value>true</param-value> * </init-param> * </filter> *
* Then, in your spring XML file that defines your web ApplicationContext: * * <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> * <property name="securityManager" ref="securityManager"/> * <!-- other properties as necessary ... --> * </bean> *
* Filter Auto-Discovery
* While there is a { @link #setFilters(java.util.Map) filters} property that allows you to assign a filter beans * to the 'pool' of filters available when defining { @link #setFilterChainDefinitions(String) filter chains}, it is * optional. * * This implementation is also a { @link BeanPostProcessor} and will acquire * any { @link javax.servlet.Filter Filter} beans defined independently in your Spring application context. Upon * discovery, they will be automatically added to the { @link #setFilters(java.util.Map) map} keyed by the bean ID. * That ID can then be used in the filter chain definitions, for example: * * * <bean id="myCustomFilter" class="com.class.that.implements.javax.servlet.Filter"/> * ... * <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> * ... * <property name="filterChainDefinitions"> * <value> * /some/path/** = authc, myCustomFilter * </value> * </property> * </bean> *
* Global Property Values
* Most Shiro servlet Filter implementations exist for defining custom Filter * { @link #setFilterChainDefinitions(String) chain definitions}. Most implementations subclass one of the * { @link AccessControlFilter}, { @link AuthenticationFilter}, { @link AuthorizationFilter} classes to simplify things, * and each of these 3 classes has configurable properties that are application-specific. * * A dilemma arises where, if you want to for example set the application's 'loginUrl' for any Filter, you don't want * to have to manually specify that value for each filter instance definied. * * To prevent configuration duplication, this implementation provides the following properties to allow you * to set relevant values in only one place: * * - { @link #setLoginUrl(String)}
* - { @link #setSuccessUrl(String)}
* - { @link #setUnauthorizedUrl(String)}
*
* * Then at startup, any values specified via these 3 properties will be applied to all configured * Filter instances so you don't have to specify them individually on each filter instance. To ensure your own custom * filters benefit from this convenience, your filter implementation should subclass one of the 3 mentioned * earlier. * * @see org.springframework.web.filter.DelegatingFilterProxy DelegatingFilterProxy * @since 1.0 */public class ShiroFilterFactoryBean implements FactoryBean, BeanPostProcessor { private static transient final Logger log = LoggerFactory.getLogger(ShiroFilterFactoryBean.class); private SecurityManager securityManager; private Map
filters; private Map filterChainDefinitionMap; //urlPathExpression_to_comma-delimited-filter-chain-definition private String loginUrl; private String successUrl; private String unauthorizedUrl; private AbstractShiroFilter instance; public ShiroFilterFactoryBean() { this.filters = new LinkedHashMap (); this.filterChainDefinitionMap = new LinkedHashMap (); //order matters! } /** * Sets the application { @code SecurityManager} instance to be used by the constructed Shiro Filter. This is a * required property - failure to set it will throw an initialization exception. * * @return the application { @code SecurityManager} instance to be used by the constructed Shiro Filter. */ public SecurityManager getSecurityManager() { return securityManager; } /** * Sets the application { @code SecurityManager} instance to be used by the constructed Shiro Filter. This is a * required property - failure to set it will throw an initialization exception. * * @param securityManager the application { @code SecurityManager} instance to be used by the constructed Shiro Filter. */ public void setSecurityManager(SecurityManager securityManager) { this.securityManager = securityManager; } /** * Returns the application's login URL to be assigned to all acquired Filters that subclass * { @link AccessControlFilter} or { @code null} if no value should be assigned globally. The default value * is { @code null}. * * @return the application's login URL to be assigned to all acquired Filters that subclass * { @link AccessControlFilter} or { @code null} if no value should be assigned globally. * @see #setLoginUrl */ public String getLoginUrl() { return loginUrl; } /** * Sets the application's login URL to be assigned to all acquired Filters that subclass * { @link AccessControlFilter}. This is a convenience mechanism: for all configured { @link #setFilters filters}, * as well for any default ones ({ @code authc}, { @code user}, etc), this value will be passed on to each Filter * via the { @link AccessControlFilter#setLoginUrl(String)} method *. This eliminates the need to * configure the 'loginUrl' property manually on each filter instance, and instead that can be configured once * via this attribute. * * *If a filter already has already been explicitly configured with a value, it will * not receive this value. Individual filter configuration overrides this global convenience property. * * @param loginUrl the application's login URL to apply to as a convenience to all discovered * { @link AccessControlFilter} instances. * @see AccessControlFilter#setLoginUrl(String) */ public void setLoginUrl(String loginUrl) { this.loginUrl = loginUrl; } /** * Returns the application's after-login success URL to be assigned to all acquired Filters that subclass * { @link AuthenticationFilter} or { @code null} if no value should be assigned globally. The default value * is { @code null}. * * @return the application's after-login success URL to be assigned to all acquired Filters that subclass * { @link AuthenticationFilter} or { @code null} if no value should be assigned globally. * @see #setSuccessUrl */ public String getSuccessUrl() { return successUrl; } /** * Sets the application's after-login success URL to be assigned to all acquired Filters that subclass * { @link AuthenticationFilter}. This is a convenience mechanism: for all configured { @link #setFilters filters}, * as well for any default ones ({ @code authc}, { @code user}, etc), this value will be passed on to each Filter * via the { @link AuthenticationFilter#setSuccessUrl(String)} method *. This eliminates the need to * configure the 'successUrl' property manually on each filter instance, and instead that can be configured once * via this attribute. * * *If a filter already has already been explicitly configured with a value, it will * not receive this value. Individual filter configuration overrides this global convenience property. * * @param successUrl the application's after-login success URL to apply to as a convenience to all discovered * { @link AccessControlFilter} instances. * @see AuthenticationFilter#setSuccessUrl(String) */ public void setSuccessUrl(String successUrl) { this.successUrl = successUrl; } /** * Returns the application's after-login success URL to be assigned to all acquired Filters that subclass * { @link AuthenticationFilter} or { @code null} if no value should be assigned globally. The default value * is { @code null}. * * @return the application's after-login success URL to be assigned to all acquired Filters that subclass * { @link AuthenticationFilter} or { @code null} if no value should be assigned globally. * @see #setSuccessUrl */ public String getUnauthorizedUrl() { return unauthorizedUrl; } /** * Sets the application's 'unauthorized' URL to be assigned to all acquired Filters that subclass * { @link AuthorizationFilter}. This is a convenience mechanism: for all configured { @link #setFilters filters}, * as well for any default ones ({ @code roles}, { @code perms}, etc), this value will be passed on to each Filter * via the { @link AuthorizationFilter#setUnauthorizedUrl(String)} method *. This eliminates the need to * configure the 'unauthorizedUrl' property manually on each filter instance, and instead that can be configured once * via this attribute. * * *If a filter already has already been explicitly configured with a value, it will * not receive this value. Individual filter configuration overrides this global convenience property. * * @param unauthorizedUrl the application's 'unauthorized' URL to apply to as a convenience to all discovered * { @link AuthorizationFilter} instances. * @see AuthorizationFilter#setUnauthorizedUrl(String) */ public void setUnauthorizedUrl(String unauthorizedUrl) { this.unauthorizedUrl = unauthorizedUrl; } /** * Returns the filterName-to-Filter map of filters available for reference when defining filter chain definitions. * All filter chain definitions will reference filters by the names in this map (i.e. the keys). * * @return the filterName-to-Filter map of filters available for reference when defining filter chain definitions. */ public Map getFilters() { return filters; } /** * Sets the filterName-to-Filter map of filters available for reference when creating * { @link #setFilterChainDefinitionMap(java.util.Map) filter chain definitions}. * * Note: This property is optional: this { @code FactoryBean} implementation will discover all beans in the * web application context that implement the { @link Filter} interface and automatically add them to this filter * map under their bean name. * * For example, just defining this bean in a web Spring XML application context: * * <bean id="myFilter" class="com.class.that.implements.javax.servlet.Filter"> * ... * </bean>
* Will automatically place that bean into this Filters map under the key ' myFilter'. * * @param filters the optional filterName-to-Filter map of filters available for reference when creating * { @link #setFilterChainDefinitionMap (java.util.Map) filter chain definitions}. */ public void setFilters(Map filters) { this.filters = filters; } /** * Returns the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted * by the Shiro Filter. Each map entry should conform to the format defined by the * { @link FilterChainManager#createChain(String, String)} JavaDoc, where the map key is the chain name (e.g. URL * path expression) and the map value is the comma-delimited string chain definition. * * @return he chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted * by the Shiro Filter. */ public Map getFilterChainDefinitionMap() { return filterChainDefinitionMap; } /** * Sets the chainName-to-chainDefinition map of chain definitions to use for creating filter chains intercepted * by the Shiro Filter. Each map entry should conform to the format defined by the * { @link FilterChainManager#createChain(String, String)} JavaDoc, where the map key is the chain name (e.g. URL * path expression) and the map value is the comma-delimited string chain definition. * * @param filterChainDefinitionMap the chainName-to-chainDefinition map of chain definitions to use for creating * filter chains intercepted by the Shiro Filter. */ public void setFilterChainDefinitionMap(Map filterChainDefinitionMap) { this.filterChainDefinitionMap = filterChainDefinitionMap; } /** * A convenience method that sets the { @link #setFilterChainDefinitionMap(java.util.Map) filterChainDefinitionMap} * property by accepting a { @link java.util.Properties Properties}-compatible string (multi-line key/value pairs). * Each key/value pair must conform to the format defined by the * { @link FilterChainManager#createChain(String,String)} JavaDoc - each property key is an ant URL * path expression and the value is the comma-delimited chain definition. * * @param definitions a { @link java.util.Properties Properties}-compatible string (multi-line key/value pairs) * where each key/value pair represents a single urlPathExpression-commaDelimitedChainDefinition. */ public void setFilterChainDefinitions(String definitions) { Ini ini = new Ini(); ini.load(definitions); //did they explicitly state a 'urls' section? Not necessary, but just in case: Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS); if (CollectionUtils.isEmpty(section)) { //no urls section. Since this _is_ a urls chain definition property, just assume the //default section contains only the definitions: section = ini.getSection(Ini.DEFAULT_SECTION_NAME); } setFilterChainDefinitionMap(section); } /** * Lazily creates and returns a { @link AbstractShiroFilter} concrete instance via the * { @link #createInstance} method. * * @return the application's Shiro Filter instance used to filter incoming web requests. * @throws Exception if there is a problem creating the { @code Filter} instance. */ public Object getObject() throws Exception { if (instance == null) { instance = createInstance(); } return instance; } /** * Returns { @link org.apache.shiro.web.servlet.AbstractShiroFilter}.class * * @return { @link org.apache.shiro.web.servlet.AbstractShiroFilter}.class */ public Class getObjectType() { return SpringShiroFilter.class; } /** * Returns { @code true} always. There is almost always only ever 1 Shiro { @code Filter} per web application. * * @return { @code true} always. There is almost always only ever 1 Shiro { @code Filter} per web application. */ public boolean isSingleton() { return true; } protected FilterChainManager createFilterChainManager() { DefaultFilterChainManager manager = new DefaultFilterChainManager(); Map defaultFilters = manager.getFilters(); //apply global settings if necessary: for (Filter filter : defaultFilters.values()) { applyGlobalPropertiesIfNecessary(filter); } //Apply the acquired and/or configured filters: Map filters = getFilters(); if (!CollectionUtils.isEmpty(filters)) { for (Map.Entry entry : filters.entrySet()) { String name = entry.getKey(); Filter filter = entry.getValue(); applyGlobalPropertiesIfNecessary(filter); if (filter instanceof Nameable) { ((Nameable) filter).setName(name); } //'init' argument is false, since Spring-configured filters should be initialized //in Spring (i.e. 'init-method=blah') or implement InitializingBean: manager.addFilter(name, filter, false); } } //build up the chains: Map chains = getFilterChainDefinitionMap(); if (!CollectionUtils.isEmpty(chains)) { for (Map.Entry entry : chains.entrySet()) { String url = entry.getKey(); String chainDefinition = entry.getValue(); manager.createChain(url, chainDefinition); } } return manager; } /** * This implementation: * * - Ensures the required { @link #setSecurityManager(org.apache.shiro.mgt.SecurityManager) securityManager} * property has been set
* - { @link #createFilterChainManager() Creates} a { @link FilterChainManager} instance that reflects the * configured { @link #setFilters(java.util.Map) filters} and * { @link #setFilterChainDefinitionMap(java.util.Map) filter chain definitions}
* - Wraps the FilterChainManager with a suitable * { @link org.apache.shiro.web.filter.mgt.FilterChainResolver FilterChainResolver} since the Shiro Filter * implementations do not know of { @code FilterChainManager}s
* - Sets both the { @code SecurityManager} and { @code FilterChainResolver} instances on a new Shiro Filter * instance and returns that filter instance.
*
* * @return a new Shiro Filter reflecting any configured filters and filter chain definitions. * @throws Exception if there is a problem creating the AbstractShiroFilter instance. */ protected AbstractShiroFilter createInstance() throws Exception { log.debug("Creating Shiro Filter instance."); SecurityManager securityManager = getSecurityManager(); if (securityManager == null) { String msg = "SecurityManager property must be set."; throw new BeanInitializationException(msg); } if (!(securityManager instanceof WebSecurityManager)) { String msg = "The security manager does not implement the WebSecurityManager interface."; throw new BeanInitializationException(msg); } FilterChainManager manager = createFilterChainManager(); //Expose the constructed FilterChainManager by first wrapping it in a // FilterChainResolver implementation. The AbstractShiroFilter implementations // do not know about FilterChainManagers - only resolvers: PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver(); chainResolver.setFilterChainManager(manager); //Now create a concrete ShiroFilter instance and apply the acquired SecurityManager and built //FilterChainResolver. It doesn't matter that the instance is an anonymous inner class //here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts //injection of the SecurityManager and FilterChainResolver: return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver); } private void applyLoginUrlIfNecessary(Filter filter) { String loginUrl = getLoginUrl(); if (StringUtils.hasText(loginUrl) && (filter instanceof AccessControlFilter)) { AccessControlFilter acFilter = (AccessControlFilter) filter; //only apply the login url if they haven't explicitly configured one already: String existingLoginUrl = acFilter.getLoginUrl(); if (AccessControlFilter.DEFAULT_LOGIN_URL.equals(existingLoginUrl)) { acFilter.setLoginUrl(loginUrl); } } } private void applySuccessUrlIfNecessary(Filter filter) { String successUrl = getSuccessUrl(); if (StringUtils.hasText(successUrl) && (filter instanceof AuthenticationFilter)) { AuthenticationFilter authcFilter = (AuthenticationFilter) filter; //only apply the successUrl if they haven't explicitly configured one already: String existingSuccessUrl = authcFilter.getSuccessUrl(); if (AuthenticationFilter.DEFAULT_SUCCESS_URL.equals(existingSuccessUrl)) { authcFilter.setSuccessUrl(successUrl); } } } private void applyUnauthorizedUrlIfNecessary(Filter filter) { String unauthorizedUrl = getUnauthorizedUrl(); if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) { AuthorizationFilter authzFilter = (AuthorizationFilter) filter; //only apply the unauthorizedUrl if they haven't explicitly configured one already: String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl(); if (existingUnauthorizedUrl == null) { authzFilter.setUnauthorizedUrl(unauthorizedUrl); } } } private void applyGlobalPropertiesIfNecessary(Filter filter) { applyLoginUrlIfNecessary(filter); applySuccessUrlIfNecessary(filter); applyUnauthorizedUrlIfNecessary(filter); } /** * Inspects a bean, and if it implements the { @link Filter} interface, automatically adds that filter * instance to the internal { @link #setFilters(java.util.Map) filters map} that will be referenced * later during filter chain construction. */ public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException { if (bean instanceof Filter) { log.debug("Found filter chain candidate filter '{}'", beanName); Filter filter = (Filter) bean; applyGlobalPropertiesIfNecessary(filter); getFilters().put(beanName, filter); } else { log.trace("Ignoring non-Filter bean '{}'", beanName); } return bean; } /** * Does nothing - only exists to satisfy the BeanPostProcessor interface and immediately returns the * { @code bean} argument. */ public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException { return bean; } /** * Ordinarily the { @code AbstractShiroFilter} must be subclassed to additionally perform configuration * and initialization behavior. Because this { @code FactoryBean} implementation manually builds the * { @link AbstractShiroFilter}'s * { @link AbstractShiroFilter#setSecurityManager(org.apache.shiro.web.mgt.WebSecurityManager) securityManager} and * { @link AbstractShiroFilter#setFilterChainResolver(org.apache.shiro.web.filter.mgt.FilterChainResolver) filterChainResolver} * properties, the only thing left to do is set those properties explicitly. We do that in a simple * concrete subclass in the constructor. */ private static final class SpringShiroFilter extends AbstractShiroFilter { protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) { super(); if (webSecurityManager == null) { throw new IllegalArgumentException("WebSecurityManager property cannot be null."); } setSecurityManager(webSecurityManager); if (resolver != null) { setFilterChainResolver(resolver); } } }} 
