web.xml中：

<!--指定Spring的config文件地址 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/applicationContext.xml /WEB-INF/shiro-conf.xml /WEB-INF/context-component.xml </param-value> </context-param> <!--Shiro Filter --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <!-- 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理 --> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <!--<url-pattern>*.do</url-pattern>--> <url-pattern>/*</url-pattern> </filter-mapping>

applicationContext.xml

<!-- 为安全检查使用Shiro 的注解（例如，@RequiresRoles，@RequiresPermissions 等等）。 --> <!--以下两个bean的配置是为了在Controller层使用元注释控制权限 --> <!--如果使用spring-mvc一定要不要放在webroot的配置文件中 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> <!--交由shiro管理bean的生命周期--> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

shiro-conf.xml

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login.do"/> <property name="filters"> <map> <entry key="authc" value-ref="authcFilter"/> <entry key="user" value-ref="userFilter"/> </map> </property> <property name="filterChainDefinitions"> <value> /login.do = authc <!--方便测试--> <!--/** =anon--> **.do = user </value> </property> </bean> <!-- Shiro Filter --> <bean id="authcFilter" class="cn.com.a.credit.common.security.shiro.CredirAuthenticationFilter"/> <bean id="userFilter" class="cn.com.a.credit.common.security.shiro.CreditUserFilter"/> <!-- Shiro's main business-tier object for web-enabled applications --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realms"> <list> <ref bean="shiroDbRealm"/> </list> </property> <!--<property name="cacheManager" ref="shiroEhcacheManager"/>--> <property name="rememberMeManager" ref="rememberMeManager"/> </bean> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!--项目自定义的Realm --> <!--为防止bean注入时的先后依赖问题，shiroDbRealm里面依赖的dao都需要用depends-on声明--> <bean id="shiroDbRealm" class="cn.com.a.credit.common.security.shiro.ShiroDbRealm" depends-on="userDao,operationLogDao"> <property name="credentialsDigest" ref="credentialsDigest"/> </bean> <!-- 用户授权信息Cache, 采用EhCache --> <!--TODO 需要时再打开下面注释--> <!--<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">--> <!--<property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>--> <!--</bean>--> <!--rememberMe管理器 --> <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager"> <property name="cookie" ref="rememberMeCookie"/> </bean> <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> <constructor-arg value="rememberMeClub"/> <property name="httpOnly" value="true"/> <!-- 300天 --> <property name="maxAge" value="25920000"/> </bean>

注意，shiro处于filter级别，过滤的时候spring-mvc.xml中配置的bean还没有被初始出来。 需要在appliactionContext中添加如下代码，再扫描一次。

<context:component-scan base-package="cn.com.sgcc.credit.core"/>

参考：http://blog.csdn.net/cenkunjj/article/details/51078101 这位作者尝试把 mvc的配置文件写到web.xml中一次。原理一样