1.解析Quickstart.java代码
-
首先来解析上一篇博客中我们粘贴的官方doc给出的快速开始的代码
public class Quickstart { private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class); public static void main(String[] args) { Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); SecurityManager securityManager = factory.getInstance(); SecurityUtils.setSecurityManager(securityManager); Subject currentUser = SecurityUtils.getSubject(); Session session = currentUser.getSession(); session.setAttribute("someKey", "aValue"); String value = (String) session.getAttribute("someKey"); if (value.equals("aValue")) { log.info("Retrieved the correct value! [" + value + "]"); } // let's login the current user so we can check against roles and permissions: if (!currentUser.isAuthenticated()) { UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); token.setRememberMe(true); try { currentUser.login(token); } catch (UnknownAccountException uae) { log.info("There is no user with username of " + token.getPrincipal()); } catch (IncorrectCredentialsException ice) { log.info("Password for account " + token.getPrincipal() + " was incorrect!"); } catch (LockedAccountException lae) { log.info("The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it."); } catch (AuthenticationException ae) { } } log.info("User [" + currentUser.getPrincipal() + "] logged in successfully."); if (currentUser.hasRole("schwartz")) { log.info("May the Schwartz be with you!"); } else { log.info("Hello, mere mortal."); } if (currentUser.isPermitted("lightsaber:wield")) { log.info("You may use a lightsaber ring. Use it wisely."); } else { log.info("Sorry, lightsaber rings are for schwartz masters only."); } if (currentUser.isPermitted("winnebago:drive:eagle5")) { log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " + "Here are the keys - have fun!"); } else { log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!"); } currentUser.logout(); System.exit(0); } }
-
前3行固定代码,就是加载shiro.ini文件,获取SecurityManager工厂,并将工厂实例设置到SecurityUtils中供后面使用,这就设置了一个简单的shiro环境
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); SecurityManager securityManager = factory.getInstance(); SecurityUtils.setSecurityManager(securityManager);
-
获取subject实例
Subject currentUser = SecurityUtils.getSubject(); //通过SecurityUtils获取当前正在执行的用户,获取Subject对象
-
shiro中的session对象的使用方法
Session session = currentUser.getSession();//通过用户对象获取session对象,注意:这不是http的session对象,而是Shiro自己的session session.setAttribute("someKey", "aValue");//在session中存放了一个键值对,someKey:aValue String value = (String) session.getAttribute("someKey");//将上面存入的值取出来 if (value.equals("aValue")) { //判断取出的值是不是aValue log.info("Retrieved the correct value! [" + value + "]"); //是的话就记录日志 }
-
shiro认证用户使用方法,注意:token为令牌
if (!currentUser.isAuthenticated()) { //如果当前用户没有被"认证" UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); //设置用户的账号+密码,获取令牌(token) token.setRememberMe(true); //设置记住我 try { currentUser.login(token); //使用令牌"认证"当前用户 } catch (UnknownAccountException uae) { //未知账户异常,就是当前登陆的用户并没有注册过,在ini文件中没有这个账户的信息 log.info("There is no user with username of " + token.getPrincipal()); } catch (IncorrectCredentialsException ice) { //账户密码错误异常 log.info("Password for account " + token.getPrincipal() + " was incorrect!"); } catch (LockedAccountException lae) { //登陆账户被锁定的异常,比如连续输错5次密码就把你的账户锁定 log.info("The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it."); } catch (AuthenticationException ae) { //认证异常,这是整个认证过程中最大的异常,所以上面的异常都可以不写,直接写这个异常即可 } }
-
打印当前subject/用户的唯一标识符
log.info("User [" + currentUser.getPrincipal() + "] logged in successfully."); //打印当前用户/subject的唯一标识符,以证明用户/subject登陆成功 //方法getPrincipal()的作用:返回此subject在应用程序范围内唯一标识主体,如果此subject是匿名的,则返回{@code null}, //因为它还没有任何关联的帐户数据(例如,如果他们尚未登录)[从源码注释中获取]
-
测试subject/用户的角色
if (currentUser.hasRole("schwartz")) { //看看subject的角色是不是schwartz(人名) log.info("May the Schwartz be with you!"); } else { log.info("Hello, mere mortal."); }
-
因为登陆的账户就是lonestarr,所以,他有两个角色goodguy和schwartz,所以上面的判断条件必然为真,所以一定会打印log.info(“May the Schwartz be with you!”)
-
运行测试结果
-
测试subject/用户的权限
//test a typed permission (not instance-level) //测试类型化权限(不是实例级别) if (currentUser.isPermitted("lightsaber:wield")) { //看看subject有没有权限lightsaber:wield log.info("You may use a lightsaber ring. Use it wisely."); } else { log.info("Sorry, lightsaber rings are for schwartz masters only."); } //a (very powerful) Instance Level permission: //实例级权限(非常强大): if (currentUser.isPermitted("winnebago:drive:eagle5")) { //看看subject有没有winnebago:drive:eagle5权限 log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " + "Here are the keys - have fun!"); } else { log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!"); }
- 注销subject/用户
currentUser.logout(); //注销当前subject
- 结束运行
System.exit(0); //结束方法调用
2.小结
从官方给出的Quickstart例子中,我们可以看出它着重讲述了subject/用户 对象的操作
- 怎么获取subject:Subject currentUser = SecurityUtils.getSubject();
- 怎么获取该subject的session对象:Session session = currentUser.getSession();
- 认证subject:currentUser.login(token);
- 判断该subject是否通过了认证:currentUser.isAuthenticated()
- 打印subject的唯一标识符:currentUser.getPrincipal()
- 判断subject是否拥有指定的角色:currentUser.hasRole(“schwartz”)
- 判断subject的角色是否拥有指定的权限:currentUser.isPermitted(“lightsaber:wield”)
- 注销用户:currentUser.logout();
从上面讲解的方法我们可以发现,上面的操作在spring boot中有相同/类似的操作