Shiro Quick Guide

Authentication

/* Collect the principal + credentials */
// Example using the most common scenario of a username/password pair:
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
// "Remember Me" is built in:
token.setRememberMe(true);

/* Submit the principal + credentials */
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);

/* Handle the authentication outcome */
try {
    currentUser.login(token);
} catch (UnknownAccountException uae) {
    // ...
} catch (IncorrectCredentialsException ice) {
    // ...
} catch (LockedAccountException lae) {
    // ...
} catch (ExcessiveAttemptsException eae) {
    // ...
    // ... catch your own exception types here ...
} catch (AuthenticationException ae) {
    // unexpected error?
}

currentUser.logout(); // removes all identifying information and invalidates their session too.

If login() returns without throwing an exception, the user is considered authenticated. From then on, SecurityUtils.getSubject() called anywhere in the application returns the authenticated user's Subject, and subject.isAuthenticated() returns true.

Conversely, if login() throws, authentication has failed. Shiro provides a rich, clearly layered hierarchy of exception classes that describe why authentication failed, as the code example shows.


The Realm's getAuthenticationInfo(token) method is invoked; that is where the actual authentication happens. Custom authentication logic is written by overriding the Realm's doGetAuthenticationInfo method.

Authorization

/* Programmatic style */

/* Object-based */
Permission printPermission = new PrinterPermission("laserjet4400n", "print");
Subject currentUser = SecurityUtils.getSubject();
if (currentUser.isPermitted(printPermission)) {
    // show the Print button
} else {
    // don't show the button? Grey it out?
}

/* String-based */
Subject currentUser = SecurityUtils.getSubject();
if (currentUser.isPermitted("printer:print:laserjet4400n")) {
    // show the Print button
} else {
    // don't show the button? Grey it out?
}

/* Assertion: object-based */
Subject currentUser = SecurityUtils.getSubject();
// guarantee that the current user is permitted
// to open a bank account:
Permission p = new AccountPermission("open");
currentUser.checkPermission(p);
openBankAccount();

/* Assertion: string-based */
Subject currentUser = SecurityUtils.getSubject();
// guarantee that the current user is permitted
// to open a bank account:
currentUser.checkPermission("account:open");
openBankAccount();

/* Annotation style */
@RequiresAuthentication
public void updateAccount(Account userAccount) {
    // this method will only be invoked by a
    // Subject that is guaranteed authenticated
    // ...
}

@RequiresPermissions("account:create")
public void createAccount(Account account) {
    // this method will only be invoked by a Subject
    // that is permitted to create an account
    // ...
}
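The string form above relies on Shiro's WildcardPermission rules (colon-separated parts, `*` and comma lists inside a part, omitted trailing parts implying every instance). The following added example, which is not code from the guide, exercises those rules directly with Shiro's own org.apache.shiro.authz.permission.WildcardPermission so that a grant such as "printer:print" can be checked against a request such as "printer:print:laserjet4400n" before it is put in a realm; the class name WildcardPermissionDemo and the sample pairs are constructed here.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Added example (not part of the guide): shows which permission strings a granted
 * permission implies under Shiro's WildcardPermission semantics. Requires shiro-core.
 */
public class WildcardPermissionDemo {

    /** True if a subject holding `granted` may perform `requested`, per WildcardPermission.implies(). */
    static boolean allows(String granted, String requested) {
        Permission have = new WildcardPermission(granted);   // case-insensitive by default
        Permission want = new WildcardPermission(requested);
        return have.implies(want);
    }

    public static void main(String[] args) {
        // Constructed (granted, requested) pairs, each illustrating one matching rule.
        String[][] cases = {
            // exact match
            {"printer:print:laserjet4400n", "printer:print:laserjet4400n"},
            // omitted trailing part: the grant covers every instance
            {"printer:print",               "printer:print:laserjet4400n"},
            // '*' in a part matches any value of that part
            {"printer:*",                   "printer:print:laserjet4400n"},
            // comma list inside a part enumerates several values
            {"printer:print,query",         "printer:query:laserjet4400n"},
            // parts are compared case-insensitively unless the permission is built case-sensitive
            {"PRINTER:Print",               "printer:print:laserjet4400n"},
            // an instance-scoped grant does not imply the broader, instance-less request
            {"printer:print:laserjet4400n", "printer:print"},
            // a different action on the same instance is not implied
            {"printer:print:laserjet4400n", "printer:manage:laserjet4400n"},
        };
        for (String[] c : cases) {
            System.out.printf("%-30s implies %-30s : %b%n", c[0], c[1], allows(c[0], c[1]));
        }
    }
}
```

When designing permission strings, grant the most specific form the business rule needs (for example "printer:print:laserjet4400n" rather than "printer:*"), because implies() is evaluated from the grant's point of view and an omitted or wildcard part silently widens what the grant covers.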


Realm implementation

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
    User user = accountManager.findUserByUserName(token.getUsername());
    if (user != null) {
        // Return the stored credentials; the realm's CredentialsMatcher compares them with the
        // submitted password. Returning null makes Shiro raise UnknownAccountException.
        return new SimpleAuthenticationInfo(user.getUserName(), user.getPassword(), getName());
    } else {
        return null;
    }
}

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // The principal this realm stored during authentication (the user name above)
    String userName = (String) principals.fromRealm(getName()).iterator().next();
    User user = accountManager.findUserByUserName(userName);
    if (user != null) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Collect the permission strings of every group the user belongs to
        for (Group group : user.getGroupList()) {
            info.addStringPermissions(group.getPermissionList());
        }
        return info;
    } else {
        return null;
    }
}
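The realm above hands user.getPassword() straight to SimpleAuthenticationInfo, which only works if the stored value is the plaintext password. The following added example, which is not code from the guide or from Shiro's documentation, combines the Authentication section's login and exception handling with a realm that stores a per-user random salt and an iterated SHA-256 hash instead, leaving the comparison to Shiro's HashedCredentialsMatcher. It assumes Shiro 1.x core on the classpath; the class HashedRealmDemo, its in-memory Account record and the sample users are constructed here.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/**
 * Added example (not part of the guide): an AuthorizingRealm that stores salted,
 * iterated SHA-256 hashes. The realm never compares passwords itself; it returns the
 * stored hash plus salt and Shiro's HashedCredentialsMatcher re-hashes the submitted one.
 */
public class HashedRealmDemo extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 1024;

    /** Constructed in-memory account record standing in for the guide's User entity. */
    static final class Account {
        final String saltHex;       // per-user random salt, hex encoded
        final String passwordHash;  // hex(SHA-256 iterated over salt + password)
        final String[] permissions;
        Account(String saltHex, String passwordHash, String... permissions) {
            this.saltHex = saltHex;
            this.passwordHash = passwordHash;
            this.permissions = permissions;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();

    public HashedRealmDemo() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** What an account-creation path does: fresh random salt, hash, store both (never the password). */
    public void addAccount(String username, String plainPassword, String... permissions) {
        String saltHex = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new Sha256Hash(plainPassword, saltHex, HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(saltHex, hash, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        Account account = accounts.get(token.getUsername());
        if (account == null) {
            return null; // Shiro converts null into UnknownAccountException
        }
        // Same salt value as used in addAccount, so the matcher reproduces the stored hash
        return new SimpleAuthenticationInfo(token.getUsername(), account.passwordHash,
                ByteSource.Util.bytes(account.saltHex), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account account = accounts.get((String) principals.getPrimaryPrincipal());
        if (account == null) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String p : account.permissions) {
            info.addStringPermission(p);
        }
        return info;
    }

    /** Runs the guide's login/catch pattern and reports which branch was taken. */
    static String tryLogin(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return "authenticated";
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "incorrect credentials";
        } catch (AuthenticationException e) {
            return "failed: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        HashedRealmDemo realm = new HashedRealmDemo();
        realm.addAccount("alice", "correct horse battery staple", "printer:print:laserjet4400n");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        System.out.println(tryLogin(subject, "mallory", "anything"));                    // no such user
        System.out.println(tryLogin(subject, "alice", "wrong password"));                // wrong password
        System.out.println(tryLogin(subject, "alice", "correct horse battery staple")); // valid login
        System.out.println(subject.isPermitted("printer:print:laserjet4400n"));
        System.out.println(subject.isPermitted("printer:manage:laserjet4400n"));
        subject.logout();
    }
}
```

Keeping the comparison in the CredentialsMatcher means the realm code stays identical whether the backing store is a map, as here, or the guide's accountManager; only the hash algorithm, iteration count and salt handling need to agree between account creation and the matcher.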

Shiro configuration

<bean id="securityManager" class="org.apache.shiro.mgt.DefaultSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="sessionMode" value="native"/>
    <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
    <property name="realm" ref="myRealm"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/home.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
        <value>
            # some example chain definitions:
            /admin/** = authc, roles[admin]
            /docs/** = authc, perms[document:read]
            /** = authc
            # more URL-to-FilterChain definitions here
        </value>
    </property>
</bean>

Shiro can enforce URL-based authorization through the configuration file. The FilterChain definition format is:

URL_Ant_Path_Expression = Path_Specific_Filter_Chain

URL expression notes

1. The URL path is relative to HttpServletRequest.getContextPath().

2. URLs may use wildcards; ** stands for any subdirectory.

3. When Shiro matches a request URL, the first matching definition wins and the remaining definitions are not consulted. Pay attention to the order of the URLs in the configuration file, especially when using wildcards.

Filter chain definition notes

1. A single URL may be configured with several filters, separated by commas.

2. When several filters are set, the request passes only if every filter passes.

3. Some filters accept parameters, e.g. perms and roles.
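Shiro's PathMatchingFilterChainResolver walks the chain definitions in the order they were declared and applies the first one whose Ant pattern matches the context-relative request path. The following added example, which is not code from the guide, reproduces that lookup with Shiro's own org.apache.shiro.util.AntPathMatcher over an ordered map so the ordering pitfall from note 3 can be seen without a servlet container: the guide's definitions are resolved once in the order given and once with the catch-all /** moved to the top. The class FilterChainOrderDemo and the request paths are constructed here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.util.AntPathMatcher;

/**
 * Added example (not part of the guide): first-match-wins resolution of filter chain
 * definitions, using Shiro's AntPathMatcher. Requires shiro-core.
 */
public class FilterChainOrderDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /**
     * Returns the filter chain of the first definition whose Ant pattern matches `path`,
     * or null when nothing matches (Shiro then applies no filters at all to the request).
     * The map must preserve insertion order, as the chain definitions do.
     */
    static String resolve(Map<String, String> chainDefinitions, String path) {
        for (Map.Entry<String, String> def : chainDefinitions.entrySet()) {
            if (MATCHER.matches(def.getKey(), path)) {
                return def.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // The guide's definitions in the order it gives them: specific paths before the catch-all.
        Map<String, String> ordered = new LinkedHashMap<>();
        ordered.put("/admin/**", "authc, roles[admin]");
        ordered.put("/docs/**", "authc, perms[document:read]");
        ordered.put("/**", "authc");

        // Same definitions with the catch-all first: /** matches every path, so the
        // role and permission checks below it are never reached.
        Map<String, String> catchAllFirst = new LinkedHashMap<>();
        catchAllFirst.put("/**", "authc");
        catchAllFirst.put("/admin/**", "authc, roles[admin]");
        catchAllFirst.put("/docs/**", "authc, perms[document:read]");

        // Constructed context-relative request paths (what Shiro matches after stripping the context path).
        String[] paths = {"/admin/users", "/docs/readme.html", "/home.jsp", "/static/app.css"};
        for (String path : paths) {
            System.out.printf("%-20s ordered: %-30s catch-all first: %s%n",
                    path, resolve(ordered, path), resolve(catchAllFirst, path));
        }
    }
}
```

A path that matches no definition is left to the application unfiltered, so a deployment that wants authentication everywhere should keep a final /** line; what the comparison above shows is that this line must come last, after every definition that adds roles[...] or perms[...] on top of authc.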

Shiro's built-in filters

Filter Name   Class
anon          org.apache.shiro.web.filter.authc.AnonymousFilter
authc         org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic    org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms         org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port          org.apache.shiro.web.filter.authz.PortFilter
rest          org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles         org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl           org.apache.shiro.web.filter.authz.SslFilter
user          org.apache.shiro.web.filter.authc.UserFilter


Original source

https://www.yuhanliu.com/archives/shiro-quickly-start


When reposting, please cite the original source: Harries Blog™ » Shiro Quick Guide
