There are already plenty of blog posts introducing Shiro; this one is a record of my own learning process.
Shiro is a powerful, easy-to-use Java security framework that provides authentication, authorization, cryptography and session management. To start, let's take a simple look at its authentication and authorization.
Shiro's authentication process
First, verify it with test classes:
SimpleAccountRealm
- Authentication process

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;

// class name is illustrative; the post only shows the fields and methods
public class SimpleAccountRealmTest {

    SimpleAccountRealm realm = new SimpleAccountRealm();

    @Before
    public void addUser() {
        realm.addAccount("admin", "123456");
    }

    @Test
    public void testAuthentication() {
        // create a SecurityManager object
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(realm);
        // the subject submits an authentication request
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
        subject.login(token);
        System.out.println("isAuthenticated:" + subject.isAuthenticated());
    }
}
```

When the username and password are correct, this prints true.
- Authorization process

```java
SimpleAccountRealm realm = new SimpleAccountRealm();

@Before
public void addUser() {
    // the trailing arguments are the roles granted to this account
    realm.addAccount("admin", "123456", "admin", "user");
}

@Test
public void testAuthentication() {
    // create a SecurityManager object
    DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
    defaultSecurityManager.setRealm(realm);
    // the subject submits an authentication request
    SecurityUtils.setSecurityManager(defaultSecurityManager);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
    subject.login(token);
    System.out.println("isAuthenticated:" + subject.isAuthenticated());
    // throws UnauthorizedException if the subject lacks any of these roles
    subject.checkRoles("admin", "user");
    //subject.logout();
}
```

Note: SimpleAccountRealm does not support permissions (addAccount assigns roles only).
IniRealm
- Authentication process

```java
IniRealm realm = new IniRealm("classpath:user.ini");

@Before
public void addUser() {
    realm.addAccount("admin", "123456", "admin", "user");
}

@Test
public void testAuthentication() {
    // create a SecurityManager object
    DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
    defaultSecurityManager.setRealm(realm);
    // the subject submits an authentication request
    SecurityUtils.setSecurityManager(defaultSecurityManager);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
    subject.login(token);
    System.out.println("isAuthenticated:" + subject.isAuthenticated());
    //subject.checkRoles("admin","user");
    //subject.logout();
}
```

Here user.ini is a file under resources with the following content:

```ini
[users]
admin=123456
```
- Authorization process

Modify the content of user.ini as follows (the value after the password is the account's role; the [roles] section maps each role to its permissions):

```ini
[users]
admin=123456,admin
[roles]
admin=user:delete
```

At the same time, modify the test class code as follows:

```java
IniRealm realm = new IniRealm("classpath:user.ini");

@Test
public void testAuthentication() {
    // create a SecurityManager object
    DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
    defaultSecurityManager.setRealm(realm);
    // the subject submits an authentication request
    SecurityUtils.setSecurityManager(defaultSecurityManager);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
    subject.login(token);
    System.out.println("isAuthenticated:" + subject.isAuthenticated());
    //subject.checkRoles("admin","user");
    //subject.logout();
    subject.checkRole("admin");
    subject.checkPermission("user:delete");
}
```
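As an added example (not the post's own code), here are the role and permission checks from the SimpleAccountRealm and IniRealm tests above, driven from an in-memory Ini so the test runs without a user.ini on the classpath. It assumes Shiro 1.x; the class name IniAuthzExample, the second account alice, and the auditor role with its user:read permission are constructed for this example. It also covers the failure side that the tests above leave out: what Shiro throws for an unknown account, a wrong password and a permission the subject lacks, and how the boolean hasRole/isPermitted variants differ from the throwing checkRole/checkPermission.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

// Hypothetical class name; example code, not from the original post.
public class IniAuthzExample {

    // Constructed INI text in the same format as user.ini; the "auditor" role is added for contrast.
    // "user:*" is a wildcard permission that covers every action on the "user" resource.
    static final String INI =
            "[users]\n"
          + "admin = 123456, admin\n"
          + "alice = 654321, auditor\n"
          + "[roles]\n"
          + "admin = user:*\n"
          + "auditor = user:read\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        // Authentication failure modes: the realm finds no account -> UnknownAccountException;
        // account found but credentials do not match -> IncorrectCredentialsException.
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken("bob", "anything"));
        } catch (UnknownAccountException e) {
            System.out.println("unknown account rejected: " + e.getMessage());
        }
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken("alice", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }

        // alice has the auditor role, so only user:read.
        Subject alice = SecurityUtils.getSubject();
        alice.login(new UsernamePasswordToken("alice", "654321"));
        // hasRole/isPermitted return a boolean, for branching in UI or business logic
        System.out.println("alice hasRole(auditor): " + alice.hasRole("auditor"));
        System.out.println("alice isPermitted(user:read): " + alice.isPermitted("user:read"));
        System.out.println("alice isPermitted(user:delete): " + alice.isPermitted("user:delete"));
        // checkRole/checkPermission throw, which is what you want when guarding an operation
        try {
            alice.checkPermission("user:delete");
        } catch (UnauthorizedException e) {
            System.out.println("alice denied: " + e.getMessage());
        }
        alice.logout();

        // admin's role carries user:*, so user:delete passes without being listed explicitly.
        Subject admin = SecurityUtils.getSubject();
        admin.login(new UsernamePasswordToken("admin", "123456"));
        admin.checkRole("admin");
        admin.checkPermission("user:delete");
        System.out.println("admin isPermitted(user:delete): " + admin.isPermitted("user:delete"));
        admin.logout();
    }
}
```

Use the throwing check* methods at the point where an operation is actually performed, so a missing permission cannot be silently ignored, and the boolean variants only where you need to decide what to show or offer.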
Custom realm
Create MyRealm extending AuthorizingRealm:

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyRealm extends AuthorizingRealm {

    // simulated user table: username -> password
    Map<String, String> map = new HashMap<>();

    {
        map.put("admin", "123456");
        super.setName("MyRealm"); // this name can be anything
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // get the username from the authentication info passed in by the subject
        String userName = (String) principals.getPrimaryPrincipal();
        // simulate fetching roles and permissions from the database
        Set<String> roleSet = getRoleByUserName(userName);
        Set<String> permissionSet = getPermissionByUserName(userName);
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.addRoles(roleSet);
        authorizationInfo.addStringPermissions(permissionSet);
        return authorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // get the username from the token submitted by the subject
        String userName = (String) token.getPrincipal();
        // look up the password by username, simulating a database query
        String password = getPassWord(userName);
        if (password == null) {
            return null; // no such account: Shiro raises UnknownAccountException
        }
        SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(userName, password, "MyRealm");
        return simpleAuthenticationInfo;
    }

    private String getPassWord(String userName) {
        String password = map.get(userName);
        return password;
    }

    /**
     * Fetch roles from the database (simulated)
     * @param userName
     * @return
     */
    private Set<String> getRoleByUserName(String userName) {
        Set<String> set = new HashSet<>();
        set.add("admin");
        set.add("aaaaa");
        return set;
    }

    /**
     * Fetch permissions from the database (simulated)
     */
    private Set<String> getPermissionByUserName(String userName) {
        Set<String> set = new HashSet<>();
        set.add("user:delete");
        set.add("user:update");
        return set;
    }
}
```
Test class:

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.junit.Test;

public class RealmTest {

    @Test
    public void testAuthentication() {
        MyRealm realm = new MyRealm();
        // create a SecurityManager object
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(realm);
        // the subject submits an authentication request
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
        subject.login(token);
        System.out.println("isAuthenticated:" + subject.isAuthenticated());
        subject.checkRole("aaaaa");
        subject.checkPermission("user:delete");
        //subject.checkRoles("admin","user");
        //subject.logout();
    }
}
```
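MyRealm above hands Shiro the plaintext password as the stored credential, so whatever backs getPassWord (a database in a real application) has to keep passwords in clear. The following is an added example, not code from the post, of the same custom-realm shape with salted, iterated SHA-256 hashes instead: the realm stores only salt and digest, and a HashedCredentialsMatcher hashes the submitted password the same way before comparing. It assumes Shiro 1.x (Sha256Hash, HashedCredentialsMatcher, SecureRandomNumberGenerator and ByteSource are Shiro's own classes); the class name HashedRealmExample, the in-memory user table and the sample account are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Hypothetical realm; example code, not from the original post.
public class HashedRealmExample extends AuthorizingRealm {

    private static final int ITERATIONS = 1024;

    // Constructed in-memory "user table": username -> [saltHex, passwordHashHex].
    // Only the salt and the digest are stored; the plaintext password never is.
    private final Map<String, String[]> users = new HashMap<>();

    public HashedRealmExample() {
        setName("HashedRealmExample");
        // Tell Shiro how the stored credentials were produced, so it hashes the submitted
        // password the same way (algorithm, iterations, per-user salt) before comparing.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
        addUser("admin", "123456"); // constructed sample account
    }

    /** Hash a new user's password with a fresh random salt and store only salt + digest. */
    private void addUser(String username, String plaintext) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hash = new Sha256Hash(plaintext, salt, ITERATIONS).toHex();
        users.put(username, new String[] { salt.toHex(), hash });
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String[] row = users.get(username);
        if (row == null) {
            return null; // unknown account; Shiro raises UnknownAccountException
        }
        ByteSource salt = ByteSource.Util.bytes(Hex.decode(row[0]));
        // Return the stored digest plus its salt; the credentials matcher does the comparison.
        return new SimpleAuthenticationInfo(username, row[1], salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("admin");
        info.addStringPermission("user:delete");
        return info;
    }

    public static void main(String[] args) {
        HashedRealmExample realm = new HashedRealmExample();
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();

        subject.login(new UsernamePasswordToken("admin", "123456"));
        System.out.println("isAuthenticated:" + subject.isAuthenticated());
        subject.checkPermission("user:delete");
        // the stored credential is a hex digest, not the password itself
        System.out.println("stored credential for admin: " + realm.users.get("admin")[1]);
        subject.logout();

        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken("admin", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

The realm never compares passwords itself; it only returns what is stored, and Shiro's credentials matcher does the work. Keep the matcher's algorithm and iteration count identical to what was used when the digest was written, or every login will fail with IncorrectCredentialsException.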
[springboot+shiro getting-started notes (1)]