<dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-core</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-web</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-ehcache</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-spring</artifactId>   <version>1.2.1</version>  </dependency>   <dependency>   <groupId>commons-logging</groupId>   <artifactId>commons-logging</artifactId>   <version>1.2</version>  </dependency>

public class CommonRealm extends AuthorizingRealm { @Autowired private UserLoginService userLoginService; @Override public String getName() {  return "CommonRealm"; } //授權(quán) @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {  String usernmae = (String) principals.getPrimaryPrincipal();  List<String> permissions = new ArrayList<String>();  if ("admin".equals(usernmae)) {   permissions.add("admin:ee");  }  SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();  info.addStringPermissions(permissions);  return info; } //身份認(rèn)證 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {  String username = (String) token.getPrincipal();  User user = userLoginService.getUser(username);  if (user == null) {   return null;  }  SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, user.getPassword(), getName());  return info; }}

@Controllerpublic class UserAction { @Autowired private UserLoginService userLoginService; @RequestMapping("/login.do") public String userLogin(HttpServletRequest request, String username, String password) throws Exception {  // 如果登陸失敗從request中獲取異常信息，shiroLoginFailure就是shiro異常類的全限定名  String exceptionClassName = (String) request.getAttribute("shiroLoginFailure");  if (exceptionClassName != null) {   if (UnknownAccountException.class.getName().equals(exceptionClassName)) {    // 最終會(huì)拋給異常處理器    throw new XXXException("用戶名不存在");   } else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {    throw new XXXException("用戶名/密碼錯(cuò)誤");   } else {    throw new Exception();// 最終在異常處理器生成未知錯(cuò)誤   }  }  // 如果登錄成功的話不走此方法，shiro認(rèn)證成功會(huì)自動(dòng)跳轉(zhuǎn)到上一個(gè)請(qǐng)求路徑，配的的successUrl沒(méi)效果，后邊會(huì)說(shuō)  // 登陸失敗走此方法，捕獲異常，然后 return ~ ,還到login頁(yè)面  return "login.jsp"; }}

 //此方法為了驗(yàn)證權(quán)限是否生效 @RequestMapping("/findAll.do") @RequiresPermissions("admin:ee") public ModelAndView list(HttpServletRequest request){  .......  }

public class LoginSuccessToFilter extends FormAuthenticationFilter { @Override protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {  WebUtils.getAndClearSavedRequest(request);  WebUtils.redirectToSavedRequest(request,response,"/findAll.do");  return false; }}

 <bean id="myfilter" class="com.xxx.realm.LoginSuccessToFilter"></bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  <property name="filters">   <map>    <entry key="authc" value-ref="myfilter"></entry>   </map>  </property></bean><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  <property name="filters">   <map>    <entry key="authc" value-ref="myfilter"></entry>   </map>  </property></bean>

applicationContext-shiro.xml<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"  xmlns:context="http://www.springframework.org/schema/context"  xmlns:aop="http://www.springframework.org/schema/aop" xmlns:jee="http://www.springframework.org/schema/jee"  xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:util="http://www.springframework.org/schema/util"  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd   http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd   http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd   http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd   http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  <!-- 管理器，必須設(shè)置 -->  <property name="securityManager" ref="securityManager"/>  <property name="filters">   <map>    <entry key="authc" value-ref="myfilter"></entry>   </map>  </property>  <!-- 攔截到，跳轉(zhuǎn)到的地址,通過(guò)此地址去認(rèn)證 -->  <property name="loginUrl" value="/login.do"/>  <!-- 認(rèn)證成功統(tǒng)一跳轉(zhuǎn)到/admin/index.do，建議不配置，shiro認(rèn)證成功自動(dòng)到上一個(gè)請(qǐng)求路徑 -->  <!--<property name="successUrl" value="/findAll.do"/>-->  <!-- 通過(guò)unauthorizedUrl指定沒(méi)有權(quán)限操作時(shí)跳轉(zhuǎn)頁(yè)面 -->  <property name="unauthorizedUrl" value="/refuse.jsp"/>  <!-- 自定義filter，可用來(lái)更改默認(rèn)的表單名稱配置 -->  <!--<property name="filters">-->  <!--<map>-->  <!--<!– 將自定義 的FormAuthenticationFilter注入shiroFilter中 –>-->  <!--<entry key="authc" value-ref="formAuthenticationFilter" />-->  <!--</map>-->  <!--</property>-->  <property name="filterChainDefinitions">   <value>    <!-- 對(duì)靜態(tài)資源設(shè)置匿名訪問(wèn) -->    /image/** = anon    /css/** = anon    /js/** = anon    /logout.do = logout    /** = authc   </value>  </property> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- securityManager安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  <property name="realm" ref="customRealm"/>  <!-- 注入緩存管理器 -->  <!--<property name="cacheManager" ref="cacheManager" />-->  <!-- 注入session管理器 -->  <!-- <property name="sessionManager" ref="sessionManager" /> -->  <!-- 記住我 -->  <!--<property name="rememberMeManager" ref="rememberMeManager" />--> </bean> <!-- 自定義realm --> <bean id="customRealm" class="com.dhl.realm.CommonRealm"></bean> <bean id="myfilter" class="com.dhl.realm.LoginSuccessToFilter"></bean> <!-- 憑證匹配器 --> <!--<bean id="credentialsMatcher"-->   <!--class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">-->  <!--<!– 選用MD5散列算法 –>-->  <!--<property name="hashAlgorithmName" value="md5"/>-->  <!--<!– 進(jìn)行一次加密 –>-->  <!--<property name="hashIterations" value="1"/>--> <!--</bean>--></beans>

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:aop="http://www.springframework.org/schema/aop"  xmlns:tx="http://www.springframework.org/schema/tx"  xmlns:context="http://www.springframework.org/schema/context"  xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:jdbc="http://www.springframework.org/schema/jdbc"  xsi:schemaLocation="http://www.springframework.org/schema/beans  http://www.springframework.org/schema/beans/spring-beans.xsd  http://www.springframework.org/schema/aop  http://www.springframework.org/schema/aop/spring-aop.xsd  http://www.springframework.org/schema/tx  http://www.springframework.org/schema/tx/spring-tx.xsd  http://www.springframework.org/schema/context  http://www.springframework.org/schema/context/spring-context.xsd  http://www.springframework.org/schema/mvc  http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc.xsd"> <context:component-scan base-package="com.dhl.controller"></context:component-scan> <mvc:annotation-driven></mvc:annotation-driven> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"></bean> <!-- 開(kāi)啟shiro注解的配置移動(dòng)到這兒 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">  <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">  <property name="securityManager" ref="securityManager"/> </bean></beans>