Shiro源码分析（十）——鉴权流程

最新推荐文章于 2023-03-27 14:26:17 发布

MIKE2333

最新推荐文章于 2023-03-27 14:26:17 发布

阅读量338

点赞数

分类专栏： Shiro 文章标签： java

本文链接：https://blog.csdn.net/MIKE2333/article/details/122154159

版权

Shiro 专栏收录该内容

13 篇文章 1 订阅

订阅专栏

2021SC@SDUSC

一.Demo代码

在shiro源码的quickstart目录下有QuickStart.java文件。其中有对Shiro最简单使用的Demo。

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.ini.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.lang.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class Quickstart {

    private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);


    public static void main(String[] args) {
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();

        SecurityUtils.setSecurityManager(securityManager);

        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked.  " +
                        "Please contact your administrator to unlock it.");
            }
            catch (AuthenticationException ae) {
            }
        }

        log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");

		// 测试一个角色:
        if (currentUser.hasRole("schwartz")) {
            log.info("May the Schwartz be with you!");
        } else {
            log.info("Hello, mere mortal.");
        }

        // 测试类型化权限(而不是实例级)
        if (currentUser.isPermitted("lightsaber:wield")) {
            log.info("You may use a lightsaber ring.  Use it wisely.");
        } else {
            log.info("Sorry, lightsaber rings are for schwartz masters only.");
        }

        // 实例级权限:
        if (currentUser.isPermitted("winnebago:drive:eagle5")) {
            log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                    "Here are the keys - have fun!");
        } else {
            log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }

        currentUser.logout();

        System.exit(0);
    }
}

二.解读ini文件

认证和鉴权是shiro的两大主要功能，在demo中，各个角色的权限在一份ini文件中进行定义，其中包括了每个用户的用户名、密码，该用户的角色以及该角色的权限。

# =============================================================================
# Quickstart 的 INI Realm 配置
#
# 对于那些可能不理解本文件中的引用的人来说，这些定义都是基于Mel Brooks的经典电影《Spaceballs》。
# =============================================================================

# -----------------------------------------------------------------------------
# 用户及其分配的角色
#
# 每一行都符合org.apache.shiro.realm.text中定义的格式。
# -----------------------------------------------------------------------------
[users]
# 用户root的密码是secret，角色是admin
root = secret, admin

# 用户guest的密码是guest，角色是guest
guest = guest, guest

# 用户presidentskroob的密码是12345，角色是president
presidentskroob = 12345, president

# 用户darkhelmet的密码是ludicrousspeed，角色为darklord和schwartz
darkhelmet = ludicrousspeed, darklord, schwartz

# 用户lonestarr的密码是vespa，角色为goodguy和schwartz
lonestarr = vespa, goodguy, schwartz

# -----------------------------------------------------------------------------
# 各个角色的权限
# 
# 每一行都符合org.apache.shiro.realm.text中定义的格式。
# -----------------------------------------------------------------------------
[roles]
# admin角色拥有所有权限，用通配符*表示
admin = *

# schwartz角色可以用任何lightsaber做任何事情
schwartz = lightsaber:*

# goodguy角色被允许驾驶（动作）牌照为eagle5（实例的特定id）的winnebago（类型）
goodguy = winnebago:drive:eagle5

三.源码分析

我们针对鉴权部分的源码进行分析

		// 测试一个角色:
		// 判断当前用户的角色是否为schwartz
        if (currentUser.hasRole("schwartz")) { // 1
            log.info("May the Schwartz be with you!");
        } else {
            log.info("Hello, mere mortal.");
        }

        // 测试类型化权限(而不是实例级)
        // 判断当前用户是否被允许使用lightsaber执行wield动作
        if (currentUser.isPermitted("lightsaber:wield")) { // 2
            log.info("You may use a lightsaber ring.  Use it wisely.");
        } else {
            log.info("Sorry, lightsaber rings are for schwartz masters only.");
        }

        // 实例级权限:
        // 判断当前用户是否被允许驾驶牌照为eagle5的winnebago
        if (currentUser.isPermitted("winnebago:drive:eagle5")) { // 3
            log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                    "Here are the keys - have fun!");
        } else {
            log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }