(二)、shiro之一些重要的组件和工具类

版权声明:本文为博主原创文章,遵循 CC 4.0 by-sa 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Kevin_King1992/article/details/72834132

由于笔者水平有限,难免有说不清楚,或者理解有偏差的地方,望指正。


SecurityManager:
SecurityManager是shiro的核心组件,安全管理器;它的主要实现类有DefaultWebSecurityManager,并且当你在不指定的情况下会通过以下方法进行:

protected WebSecurityManager createDefaultSecurityManager() {
        //该方法是在AbstractShiroFilter中的方法,这是在web应用中用到的过滤器,一般会在web.xml中配置ShiroFilter 而,shiroFilter则extends AbstractShiroFilter;所以当在shiro.ini中不指定或者与Spring集成的时候;便会生成这个默认的安全器类
        return new DefaultWebSecurityManager();
 }

SecurityManager接口继承了Authenticator, Authorizer, SessionManager三个接口;
并且提供了一下三个方法:

    //登录
    Subject login(Subject subject, AuthenticationToken authenticationToken) throws AuthenticationException;
    //登出
    void logout(Subject subject);
    //创建Subject
    Subject createSubject(SubjectContext context);

SecurityUtils:
以下是它所含的代码:

private static SecurityManager securityManager;
public static Subject getSubject() {
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        }
        return subject;
    }
    public static void setSecurityManager(SecurityManager securityManager) {
        SecurityUtils.securityManager = securityManager;
    }
    public static SecurityManager getSecurityManager() throws UnavailableSecurityManagerException {
        SecurityManager securityManager = ThreadContext.getSecurityManager();
        if (securityManager == null) {
            securityManager = SecurityUtils.securityManager;
        }
        if (securityManager == null) {
            String msg = "No SecurityManager accessible to the calling code, either bound to the " +
                    ThreadContext.class.getName() + " or as a vm static singleton.  This is an invalid application " +
                    "configuration.";
            throw new UnavailableSecurityManagerException(msg);
        }
        return securityManager;
    }

可以将安全管理器组件,利用setSecurityManagement()方法设置到私有对象securityManager中,然后获取到Subject对象,然后进行登录登出的操作。

Subject:
Subject current = SecurityUtils.getSubject();`Subject是一个接口;从SecurityUtils工具类中的getSubject()静态方法中获取得到,
方法如下:

public static Subject getSubject() {
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        }
        return subject;
    }

可以看出,是从当前线程上下文中获取得到的;而它代表的是:A Subject represents state and security operations for a single application user. These operations include authentication (login/logout), authorization (access control), and session access. It is Shiro’s primary mechanism for single-user security functionality.

UsernamePasswordToken:
一个包含用户名和密码的令牌,这是需要去校验的用户信息,Subject提供了login(token)方法;

Realm
realm是shiro中一个比较重要的接口,它提供了供应用进行安全实体如:用户、角色和权限的认证和授权操作。对接的数据源可以是jdbc、file system i/o、jpa等

    String getName();

    boolean supports(AuthenticationToken token);

    AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;

但是在使用过程中,大家一般不会直接去实现Realm接口进行自定义操作,而是往往继承它的子类:AuthenticatingRealm 、AuthorizingRealm;一般只需要继承AuthorizingRealm便可以,因为它同时继承了AuthenticatingRealm;有以下两个方法需要实现:

@Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        //进行授权认证
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        //进行身份验证
        return new SimpleAuthenticationInfo(username, password, "myRealm");
    }

当然,需要注意的是自定义的Realm实现类需要在初始化的配置文件或者是spring的xml中进行添加,注给RealmSecurityManager的realms属性

 private Collection<Realm> realms;
 public void setRealms(Collection<Realm> realms) {
        if (realms == null) {
            throw new IllegalArgumentException("Realms collection argument cannot be null.");
        }
        if (realms.isEmpty()) {
            throw new IllegalArgumentException("Realms collection argument cannot be empty.");
        }
        this.realms = realms;
        afterRealmsSet();
    }
展开阅读全文

没有更多推荐了,返回首页