尝试使用 Apache Shiro 保护 Spring Web MVC,其中用户管理是通过 Stormpath Api 实现的。
Trying to secure Spring Web MVC using Apache Shiro where user management is achieved through Stormpath Api.
我正在尝试使用 Apache Shiro 和 Stormpath 保护我的 Spring Web MVC 项目。我浏览了网上的一些教程,并通过 shiro.ini 文件示例获得了示例配置,还通过 Spring 的 applicationContext.xml 配置了 Shiro。我试图从这两种方法中获得相同的结果。
这是 shiro.ini 文件:
[main]
shiro.loginUrl = admin/login.htm
authc.successUrl = /admin/index.htm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager
stormpathClient.apiKeyFileLocation =
$HOME/.stormpath/apiKey.properties
stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
stormpathRealm.client = $stormpathClient
stormpathRealm.applicationRestUrl =
https://api.stormpath.com/v1/applications/
stormpathRealm.groupRoleResolver.modeNames = name
securityManager.realm = $stormpathRealm
[urls]
/admin/** = authc
/logout.htm = logout
这里是 applicationContext.xml 文件中的 bean 定义:
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/admin/login.htm"/>
<property name="successUrl" value="/admin/index.htm"/>
<!-- override these for application-specific URLs if you like:
<property name="unauthorizedUrl" value="/unauthorized.jsp"/> -->
<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean -->
<!-- defined will be automatically acquired and available via its beanName in chain -->
<!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="anAlias" value-ref="someFilter"/>
</util:map>
</property> -->
<property name="filterChainDefinitions">
<value>
/admin/** = authc, roles[admin]
/logout.htm = logout
# some example chain definitions:
#/docs/** = authc, perms[document:read]
#/** = authc
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
<!-- Define any javax.servlet.Filter beans you want anywhere in this application context. -->
<!-- They will automatically be acquired by the 'shiroFilter' bean above and made available -->
<!-- to the 'filterChainDefinitions' property. Or you can manually/explicitly add them -->
<!-- to the shiroFilter's 'filters' Map if desired. See its JavaDoc for more details. -->
<!--<bean id="someFilter" class="..."/>
<bean id="anotherFilter" class="..."> ... </bean>
-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="realm" ref="myRealm"/>
<property name="cacheManager" ref="cacheManager"/>
<!-- By default the servlet container sessions will be used. Uncomment this line
to use shiro's native sessions (see the JavaDoc for more): -->
<!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="stormpathClient" class="com.stormpath.shiro.client.ClientFactory">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="cacheManager" ref="cacheManager"/>
<property name="apiKeyFileLocation" value="$HOME/.stormpath/apiKey.properties"/>
<!-- By default the servlet container sessions will be used. Uncomment this line
to use shiro's native sessions (see the JavaDoc for more): -->
<!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Define the Shiro Realm implementation you want to use to connect to your back-end -->
<!-- security datasource: -->
<bean id="myRealm" class="com.stormpath.shiro.realm.ApplicationRealm">
<property name="applicationRestUrl" value="https://api.stormpath.com/v1/applications/<my app key here removed for privacy>"/>
<property name="client" ref="stormpathClient"/>
</bean>
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
我一直收到错误提示:
无法将类型 [com.stormpath.shiro.client.ClientFactory] 的值转换为 属性 所需的类型 [com.stormpath.sdk.client.Client] 'client': 没有匹配的编辑器或转换策略找到
这可能是因为不完整的 maven 依赖:
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0-RC2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.stormpath.shiro/stormpath-shiro-core -->
<dependency>
<groupId>com.stormpath.shiro</groupId>
<artifactId>stormpath-shiro-core</artifactId>
<version>0.8.0-RC1</version>
</dependency>
有人可以建议实现此目的所需的依赖项。
您的 XML 中可能缺少 factory-bean / factory-method 个元素。
附带说明一下,开始使用 Apache Shiro 和 Stormpath 的最简单方法是查看 examples
在你的情况下可能是 spring-boot-web 一个。
通过 shiro-spring-boot-starter, you should only need to worry about your method annotations 使用 Spring 的自动配置。
我正在尝试使用 Apache Shiro 和 Stormpath 保护我的 Spring Web MVC 项目。我浏览了网上的一些教程,并通过 shiro.ini 文件示例获得了示例配置,还通过 Spring 的 applicationContext.xml 配置了 Shiro。我试图从这两种方法中获得相同的结果。 这是 shiro.ini 文件:
[main]
shiro.loginUrl = admin/login.htm
authc.successUrl = /admin/index.htm
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
stormpathClient = com.stormpath.shiro.client.ClientFactory
stormpathClient.cacheManager = $cacheManager
stormpathClient.apiKeyFileLocation = $HOME/.stormpath/apiKey.properties
stormpathRealm = com.stormpath.shiro.realm.ApplicationRealm
stormpathRealm.client = $stormpathClient
stormpathRealm.applicationRestUrl = https://api.stormpath.com/v1/applications/
stormpathRealm.groupRoleResolver.modeNames = name
securityManager.realm = $stormpathRealm
[urls]
/admin/** = authc
/logout.htm = logout
这里是 applicationContext.xml 文件中的 bean 定义:
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/admin/login.htm"/>
<property name="successUrl" value="/admin/index.htm"/>
<!-- override these for application-specific URLs if you like:
<property name="unauthorizedUrl" value="/unauthorized.jsp"/> -->
<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean -->
<!-- defined will be automatically acquired and available via its beanName in chain -->
<!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="anAlias" value-ref="someFilter"/>
</util:map>
</property> -->
<property name="filterChainDefinitions">
<value>
/admin/** = authc, roles[admin]
/logout.htm = logout
# some example chain definitions:
#/docs/** = authc, perms[document:read]
#/** = authc
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
<!-- Define any javax.servlet.Filter beans you want anywhere in this application context. -->
<!-- They will automatically be acquired by the 'shiroFilter' bean above and made available -->
<!-- to the 'filterChainDefinitions' property. Or you can manually/explicitly add them -->
<!-- to the shiroFilter's 'filters' Map if desired. See its JavaDoc for more details. -->
<!--<bean id="someFilter" class="..."/>
<bean id="anotherFilter" class="..."> ... </bean>
-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="realm" ref="myRealm"/>
<property name="cacheManager" ref="cacheManager"/>
<!-- By default the servlet container sessions will be used. Uncomment this line
to use shiro's native sessions (see the JavaDoc for more): -->
<!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="stormpathClient" class="com.stormpath.shiro.client.ClientFactory">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="cacheManager" ref="cacheManager"/>
<property name="apiKeyFileLocation" value="$HOME/.stormpath/apiKey.properties"/>
<!-- By default the servlet container sessions will be used. Uncomment this line
to use shiro's native sessions (see the JavaDoc for more): -->
<!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Define the Shiro Realm implementation you want to use to connect to your back-end -->
<!-- security datasource: -->
<bean id="myRealm" class="com.stormpath.shiro.realm.ApplicationRealm">
<property name="applicationRestUrl" value="https://api.stormpath.com/v1/applications/<my app key here removed for privacy>"/>
<property name="client" ref="stormpathClient"/>
</bean>
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
我一直收到错误提示:
无法将类型 [com.stormpath.shiro.client.ClientFactory] 的值转换为 属性 所需的类型 [com.stormpath.sdk.client.Client] 'client': 没有匹配的编辑器或转换策略找到
这可能是因为不完整的 maven 依赖:
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0-RC2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.stormpath.shiro/stormpath-shiro-core -->
<dependency>
<groupId>com.stormpath.shiro</groupId>
<artifactId>stormpath-shiro-core</artifactId>
<version>0.8.0-RC1</version>
</dependency>
有人可以建议实现此目的所需的依赖项。
您的 XML 中可能缺少 factory-bean / factory-method 个元素。
附带说明一下,开始使用 Apache Shiro 和 Stormpath 的最简单方法是查看 examples 在你的情况下可能是 spring-boot-web 一个。
通过 shiro-spring-boot-starter, you should only need to worry about your method annotations 使用 Spring 的自动配置。