目录
shiro简介
Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码学和会话管理,当然权限颗粒度粗但相对Spring Security简单易上手。
准备工作
https://start.spring.io/
shiro简单例子入门
shiro认证
subject:主体,可以是用户也可以是程序,主体要访问系统,系统需要对主体进行认证、授权。
securityManager:安全管理器,主体进行认证和授权都是通过securityManager进行,是shiro的心脏。
realm:域,领域,相当于数据源,通俗意义的DAO层,通过realm存取认证、授权相关数据。
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
@SpringBootTest
public class ShiroTests {
SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();
@BeforeEach
public void addUser(){
simpleAccountRealm.addAccount("Mark","123456");
}
//入门开始 1
@Test
public void shiroTest(){
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(simpleAccountRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("Mark","123456");
subject.login(token);
System.out.println("isAuthenticated:"+subject.isAuthenticated());
subject.logout();
System.out.println("isAuthenticated:"+subject.isAuthenticated());
}
}
如果想要看错误结果把用户Mark改成zhangsan即可
运行结果:
shiro授权
上面我们知道了如何验证,下面我们演示如何授权,添加角色代码,admin代码演示
@SpringBootTest
public class ShiroTests {
SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();
@BeforeEach
public void addUser(){
//添加角色admin
simpleAccountRealm.addAccount("Mark","123456","admin");
}
//入门开始 1
@Test
public void shiroTest(){
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(simpleAccountRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("Mark","123456");
subject.login(token);
//授权,检查角色
subject.checkRole("admin");
System.out.println("isAuthenticated:"+subject.isAuthenticated());
subject.logout();
System.out.println("isAuthenticated:"+subject.isAuthenticated());
}
}
如果把角色admin改为其他则错误,下面是正确的运行结果
Realm
IniRealm
下面完成测试功能检测用户和密码是否正确?角色是否是admin? 角色是否有删除、更新功能?
新建个user.ini文件,目录结构
[users]
Mark=123456,admin
[roles]
admin=user:delete,user:update
//自定义IniRealm
@Test
public void iniRealmTest() {
IniRealm iniRealm = new IniRealm("classpath:user.ini");
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(iniRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("Mark","123456");
subject.login(token);
//检查角色是否是admin
subject.checkRole("admin");
//检查角色是否有删除权限
subject.checkPermission("user:delete");
System.out.println("isAuthenticated:"+subject.isAuthenticated());
}
运行结果:
JdbcRealm
pom.xml添加依赖关系
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.49</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.10</version>
</dependency>
建表
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for roles_permissions
-- ----------------------------
DROP TABLE IF EXISTS `roles_permissions`;
CREATE TABLE `roles_permissions` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`role_name` varchar(255) DEFAULT NULL,
`permission` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
-- ----------------------------
-- Records of roles_permissions
-- ----------------------------
INSERT INTO `roles_permissions` VALUES ('1', 'admin', 'user:select');
-- ----------------------------
-- Table structure for test_user
-- ----------------------------
DROP TABLE IF EXISTS `test_user`;
CREATE TABLE `test_user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_name` varchar(255) DEFAULT NULL,
`password` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
-- ----------------------------
-- Records of test_user
-- ----------------------------
INSERT INTO `test_user` VALUES ('1', 'lisi', '123456');
-- ----------------------------
-- Table structure for test_user_role
-- ----------------------------
DROP TABLE IF EXISTS `test_user_role`;
CREATE TABLE `test_user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_name` varchar(255) DEFAULT NULL,
`role_name` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
-- ----------------------------
-- Records of test_user_role
-- ----------------------------
INSERT INTO `test_user_role` VALUES ('1', 'lisi', 'user');
-- ----------------------------
-- Table structure for users
-- ----------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
-- ----------------------------
-- Records of users
-- ----------------------------
INSERT INTO `users` VALUES ('1', 'Mark', '123456');
-- ----------------------------
-- Table structure for user_roles
-- ----------------------------
DROP TABLE IF EXISTS `user_roles`;
CREATE TABLE `user_roles` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) DEFAULT NULL,
`role_name` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
-- ----------------------------
-- Records of user_roles
-- ----------------------------
INSERT INTO `user_roles` VALUES ('1', 'Mark', 'admin');
java代码
DruidDataSource dataSource = new DruidDataSource();
{
dataSource.setUrl("jdbc:mysql://localhost:3306/shiro_test?useSSL=false");
dataSource.setUsername("root");
dataSource.setPassword("123456");
}
//JdbcRealm
@Test
public void shiroJdbcRealmTest() {
JdbcRealm jdbcRealm = new JdbcRealm();
jdbcRealm.setDataSource(dataSource);
//权限开关,默认是关着的
jdbcRealm.setPermissionsLookupEnabled(true);
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(jdbcRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("Mark","123456");
subject.login(token);
System.out.println("isAuthenticated:"+subject.isAuthenticated());
//检查角色是否是admin
subject.checkRole("admin");
//检查角色是否有查询权限
subject.checkPermission("user:select");
}
运行结果
customSqlRealm (使用自己写的SQL查询)
@Test
public void customSqlRealmTest(){
JdbcRealm jdbcRealm = new JdbcRealm();
jdbcRealm.setDataSource(dataSource);
jdbcRealm.setPermissionsLookupEnabled(true);
//查询认证用户和密码是否正确
String sql = "select password from test_user where user_name = ?";
jdbcRealm.setAuthenticationQuery(sql);
//查询验证角色
String roleSql = "select role_name from test_user_role where user_name = ?";
jdbcRealm.setUserRolesQuery(roleSql);
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(jdbcRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("lisi","123456");
subject.login(token);
System.out.println("isAuthenticated:"+subject.isAuthenticated());
//检查角色是否是user
subject.checkRole("user");
}
运行结果
自定义Realm
代码
package com.demo.shiro.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
public class CustomRealm extends AuthorizingRealm {
//模拟从数据库中的数据
Map<String, String> userMap = new HashMap<>(16);
{
userMap.put("Mark", "123456");
super.setName("customRealm");
}
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String userName = (String) principalCollection.getPrimaryPrincipal();
//从数据库或者缓存中获取角色数据
Set<String> roles = getRolesByUserName(userName);
Set<String> permissions = getPermissonsByUserName(userName);
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setRoles(roles);
simpleAuthorizationInfo.setStringPermissions(permissions);
return simpleAuthorizationInfo;
}
private Set<String> getPermissonsByUserName(String userName) {
Set<String> sets = new HashSet<>();
sets.add("user:delete");
sets.add("user:add");
return sets;
}
private Set<String> getRolesByUserName(String userName) {
Set<String> sets = new HashSet<>();
sets.add("admin");
sets.add("user");
return sets;
}
//认证 主体传过来的认证信息
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//1.从主体传过来的认证信息中,获取用户名
String userName = (String) authenticationToken.getPrincipal();
//2.通过用户名到数据库中获取凭证
String password = getPasswordByUserName(userName);
if (password == null) {
return null;
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo("Mark", password, "customRealm");
return authenticationInfo;
}
/**
* 模拟数据库中查询凭证
*
* @param userName
* @return
*/
private String getPasswordByUserName(String userName) {
return userMap.get(userName);
}
}
测试类
@Test
public void customRealmTest(){
CustomRealm customRealm = new CustomRealm();
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(customRealm);
//2、主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("Mark","123456");
subject.login(token);
System.out.println("isAuthenticated:"+subject.isAuthenticated());
subject.checkRole("admin");
subject.checkPermissions("user:add","user:delete");
}
运行结果
shiro加密
添加修改上面代码
@Test
public void customRealmTest(){
CustomRealm customRealm = new CustomRealm();
//1、构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(customRealm);
//加密
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
matcher.setHashAlgorithmName("md5");
//计算几次
matcher.setHashIterations(1);
customRealm.setCredentialsMatcher(matcher);
//---------------代码省略和上面代码一样----------
}
@Test
public void md5(){
//加盐码
Md5Hash md5Hash = new Md5Hash("123456","Mark");
System.out.println(md5Hash.toString());
}
public class CustomRealm extends AuthorizingRealm {
//模拟从数据库中的数据
Map<String, String> userMap = new HashMap<>(16);
{
userMap.put("Mark", "283538989cef48f3d7d8a1c1bdf2008f");
super.setName("customRealm");
}
//认证 主体传过来的认证信息
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//--------------代码省略和上面一样
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo("Mark", password, "customRealm");
//加盐码
authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("Mark"));
return authenticationInfo;
}
}
运行结果
下一章讲shiro集成Spring。