一、在web.xml中添加shiro过滤器 

<!-- Shiro filter-->   <filter>    <filter-name>shiroFilter</filter-name>    <filter-class>     org.springframework.web.filter.DelegatingFilterProxy    </filter-class>   </filter>   <filter-mapping>    <filter-name>shiroFilter</filter-name>    <url-pattern>/*</url-pattern>   </filter-mapping>

二、在Spring的applicationContext.xml中添加shiro配置 
1、添加shiroFilter定义

<!-- Shiro Filter -->  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">   <property name="securityManager" ref="securityManager" />   <property name="loginUrl" value="/login" />   <property name="successUrl" value="/user/list" />   <property name="unauthorizedUrl" value="/login" />   <property name="filterChainDefinitions">    <value>     /login = anon     /user/** = authc     /role/edit/* = perms[role:edit]     /role/save = perms[role:edit]     /role/list = perms[role:view]     /** = authc    </value>   </property>  </bean>

2、添加securityManager定义 

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">    <property name="realm" ref="myRealm" />   </bean>

3、添加realm定义 

<bean id=" myRealm" class="com...MyRealm" />

三、实现MyRealm：继承AuthorizingRealm，并重写认证授权方法 

public class MyRealm extends AuthorizingRealm{     private AccountManager accountManager;   public void setAccountManager(AccountManager accountManager) {    this.accountManager = accountManager;   }     /**    * 授权信息    */   protected AuthorizationInfo doGetAuthorizationInfo(      PrincipalCollection principals) {    String username=(String)principals.fromRealm(getName()).iterator().next();    if( username != null ){     User user = accountManager.get( username );     if( user != null && user.getRoles() != null ){      SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();      for( SecurityRole each: user.getRoles() ){        info.addRole(each.getName());        info.addStringPermissions(each.getPermissionsAsString());      }      return info;     }    }    return null;   }     /**    * 认证信息    */   protected AuthenticationInfo doGetAuthenticationInfo(      AuthenticationToken authcToken ) throws AuthenticationException {    UsernamePasswordToken token = (UsernamePasswordToken) authcToken;    String userName = token.getUsername();    if( userName != null && !"".equals(userName) ){     User user = accountManager.login(token.getUsername(),         String.valueOf(token.getPassword()));       if( user != null )      return new SimpleAuthenticationInfo(         user.getLoginName(),user.getPassword(), getName());    }    return null;   }    }

原文地址：http://kdboy.iteye.com/blog/1103794