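<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one
  ~ or more contributor license agreements. See the NOTICE file
  ~ distributed with this work for additional information
  ~ regarding copyright ownership. The ASF licenses this file
  ~ to you under the Apache License, Version 2.0 (the
  ~ "License"); you may not use this file except in compliance
  ~ with the License. You may obtain a copy of the License at
  ~
  ~     http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied. See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->
<!-- Spring application context for the Shiro Spring sample: a demo data source, the Shiro
     SecurityManager with its cache and JDBC realm, and the Spring-side integration beans
     (annotation support, secure remoting and the servlet filter).

     The schemaLocation URL below is an identifier that Spring normally resolves to the XSD
     bundled in its own jars. If that lookup fails, the XML parser may fall back to fetching
     the schema over plain HTTP, so keep the matching Spring jars on the classpath. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- Sample RDBMS data source that would exist in any application - not Shiro related.
         Sample only: an in-memory HSQLDB reached through the 'sa' account with no password
         configured. A real deployment should use a dedicated, least-privilege database account
         whose credentials are supplied from outside this file. -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
        <property name="url" value="jdbc:hsqldb:mem:shiro-spring"/>
        <property name="username" value="sa"/>
    </bean>

    <!-- Populates the sample database with sample users and roles.
         Demo fixture: do not wire it into a production context, where it would presumably
         create accounts whose credentials are known from the sample's source. -->
    <bean id="bootstrapDataPopulator" class="org.apache.shiro.samples.spring.BootstrapDataPopulator">
        <property name="dataSource" ref="dataSource"/>
    </bean>

    <!-- Simulated business-tier "Manager", not Shiro related, just an example -->
    <bean id="sampleManager" class="org.apache.shiro.samples.spring.DefaultSampleManager"/>

    <!-- =========================================================
         Shiro Core Components - Not Spring Specific
         ========================================================= -->
    <!-- Shiro's main business-tier object for web-enabled applications
         (use DefaultSecurityManager instead when there is no web environment) -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <!-- 'native' makes Shiro manage sessions itself instead of delegating to the servlet
             container's HttpSession. -->
        <property name="sessionMode" value="native"/>
        <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
        <property name="realm" ref="jdbcRealm"/>
    </bean>

    <!-- Let's use some enterprise caching support for better performance. You can replace this with any enterprise
         caching framework implementation that you like (Terracotta+Ehcache, Coherence, GigaSpaces, etc.).
         Cached authentication/authorization data can outlive a change made in the database, so choose
         cache lifetimes with revocation in mind or clear the cache when roles change. -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one. If not, a new one
             will be created with a default config:
             <property name="cacheManager" ref="ehCacheManager"/> -->
        <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but you want
             a specific Ehcache configuration to be used, specify that here. If you don't, a default
             will be used:
             <property name="cacheManagerConfigFile" value="classpath:some/path/to/ehcache.xml"/> -->
    </bean>

    <!-- Used by the SecurityManager to access security data (users, roles, etc.).
         Many other realm implementations can be used too (PropertiesRealm,
         LdapRealm, etc.). -->
    <bean id="jdbcRealm" class="org.apache.shiro.samples.spring.realm.SaltAwareJdbcRealm">
        <property name="name" value="jdbcRealm"/>
        <property name="dataSource" ref="dataSource"/>
        <property name="credentialsMatcher">
            <!-- The 'bootstrapDataPopulator' SHA-256 hashes the password
                 (using the username as the salt) then base64 encodes it.
                 These settings must match however the stored credentials were produced.

                 Sample-strength only: no 'hashIterations' is set, so the matcher's default of a
                 single round applies, and a username is a predictable salt. A single fast hash
                 round makes stolen hashes cheap to brute-force offline. For real credentials,
                 store a random per-user salt and raise 'hashIterations' (re-hashing the stored
                 values to match), or use a password hashing scheme designed to be slow. -->
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="SHA-256"/>
                <!-- true means hex encoded, false means base64 encoded -->
                <property name="storedCredentialsHexEncoded" value="false"/>
            </bean>
        </property>
    </bean>

    <!-- =========================================================
         Shiro Spring-specific integration
         ========================================================= -->
    <!-- Post processor that automatically invokes init() and destroy() methods
         for Spring-configured Shiro objects so you don't have to
         1) specify an init-method and destroy-method attributes for every bean
            definition and
         2) even know which Shiro objects require these methods to be
            called. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Enable Shiro Annotations for Spring-configured beans. Only run after
         the lifecycleBeanPostProcessor has run.
         The annotation checks are applied through Spring AOP proxies, so they cover calls that
         enter a bean via the container; a method calling another method on the same object
         does not pass through the proxy. Keep URL-level rules in the shiroFilter as well. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations can be associated
         with a Subject for security checks. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Define the Shiro Filter here (as a FactoryBean) instead of directly in web.xml -
         web.xml uses the DelegatingFilterProxy to access this bean. This allows us
         to wire things with more control as well as utilize nice Spring things such as
         PropertyPlaceholderConfigurer and abstract beans or anything else we might need: -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/s/login"/>
        <property name="successUrl" value="/s/index"/>
        <property name="unauthorizedUrl" value="/s/unauthorized"/>
        <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean
             defined will be automatically acquired and available via its beanName in chain
             definitions, but you can perform overrides or parent/child consolidated configuration
             here if you like (the util:map form below also needs the 'util' namespace declared
             on the root element): -->
        <!-- <property name="filters">
            <util:map>
                <entry key="aName" value-ref="someFilterPojo"/>
            </util:map>
        </property> -->
        <!-- Chain definitions are evaluated top to bottom and the first matching pattern wins,
             so every 'anon' exception must stay above the catch-all '/** = authc' line, and the
             catch-all must remain last so that unlisted paths default to requiring login.
             '/*.jar = anon' serves any jar placed at the context root to unauthenticated
             clients: keep only artifacts meant for public download there. -->
        <property name="filterChainDefinitions">
            <value>
                /favicon.ico = anon
                /logo.png = anon
                /shiro.css = anon
                /s/login = anon
                # allow WebStart to pull the jars for the swing app:
                /*.jar = anon
                # everything else requires authentication:
                /** = authc
            </value>
        </property>
    </bean>

</beans>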