applicationContext-shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
	default-lazy-init="true">

	<description>Shiro安全配置</description>

	<!-- Shiro's main business-tier object for web-enabled applications -->
	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager" depends-on="userJpaDao">
		<property name="realm" ref="shiroDbRealm" />
		<property name="cacheManager" ref="shiroCacheManager" />
	</bean>

	<!-- 項目自定义的Realm -->
	<bean id="shiroDbRealm" class="org.springside.examples.showcase.security.ShiroDbRealm">
		<property name="accountManager" ref="accountManager"/>
		<!-- 可配置cache token<->认证信息的cache，用于REST等需要频繁认证的场景 -->
		<property name="authorizationCachingEnabled" value="true"/>
	</bean>
	
	<!-- Shiro Filter -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<property name="securityManager" ref="securityManager" />
		<property name="loginUrl" value="/login" />
		<property name="successUrl" value="/" />
		<property name="filterChainDefinitions">
			<value>
				/login = authc
				/logout = logout
				/common/user/update/* = user
				/rs/users = authcBasic
			</value>
		</property>
	</bean>

	<!-- 用户授权/认证信息Cache, 采用EhCache RMI集群 -->
	<bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
		<property name="cacheManager" ref="shiroEhcacheManager"/>
	</bean>
	<bean id="shiroEhcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
		<property name="configLocation" value="classpath:/security/ehcache-shiro-rmi.xml" />
	</bean>	
	
	<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
	
	<!-- AOP式方法级权限检查  -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
		<property name="proxyTargetClass" value="true" />
	</bean>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    	<property name="securityManager" ref="securityManager"/>
	</bean>
</beans>