一 授权流程图（图中的调用链即第四节源码所示：Subject.checkRoles → SecurityManager.checkRoles → ModularRealmAuthorizer.checkRole / hasRole → 各 Realm（AuthorizingRealm）.hasRole → AuthorizationInfo.getRoles()；只要有一个 Realm 返回 true 即视为拥有该角色，否则抛出 AuthorizationException）
二 实战
1 新建pom
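<dependencies>
    <!-- NOTE(review): 1.4.0 is a 2017-era release. Later 1.x releases contain
         fixes for published Shiro security advisories; check the project's
         security page and move to a current 1.x before reusing this outside
         a local demo. Left as-is here so the listing matches the walkthrough. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.4.0</version>
    </dependency>
    <!-- Pinned: the "RELEASE" meta-version resolves to whatever is newest in
         the repository at build time, so the build is not reproducible and a
         freshly published artifact silently enters it. 4.13.2 is the last
         JUnit 4 release and matches the org.junit.Test / org.junit.Before API
         used by the test class. test scope keeps JUnit out of the packaged
         artifact. -->
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>4.13.2</version>
        <scope>test</scope>
    </dependency>
</dependencies>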
2 授权测试
package com.liuyanzhao.test;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;
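/**
 * Minimal Shiro authentication + authorization walkthrough against an
 * in-memory {@link SimpleAccountRealm}.
 *
 * <p>Flow: build a {@link DefaultSecurityManager} backed by the realm, publish
 * it through {@link SecurityUtils}, log a {@link Subject} in with a
 * {@link UsernamePasswordToken}, then check the "admin" role.
 *
 * <p>Demo caveats: the realm is handed the password in clear text and
 * {@code SecurityUtils.setSecurityManager} installs a process-wide static, so
 * this is not a pattern to copy into production code or into a shared test
 * suite without cleanup.
 */
public class AuthenticationTest {

    /** In-memory realm; accounts are registered in {@link #addUser()}. */
    SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();

    /** Registers user "Tom" with password "1234567" and the single role "admin". */
    @Before
    public void addUser() {
        simpleAccountRealm.addAccount("Tom","1234567","admin");
    }

    /**
     * Logs in as Tom and verifies the "admin" role.
     *
     * <p>{@code checkRole} is a <em>role</em> check, not a permission check: it
     * returns nothing and throws {@code AuthorizationException} (which fails
     * this test) when the subject lacks the role. {@code hasRole} is the
     * boolean form of the same lookup. The original comment here called it a
     * permission check, which it is not.
     */
    @Test
    public void testAuthentication() {
        // 1. Build the SecurityManager environment around the realm.
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(simpleAccountRealm);
        // Global static: every Subject obtained via SecurityUtils in this JVM
        // now resolves through this manager.
        SecurityUtils.setSecurityManager(defaultSecurityManager);

        // 2. The subject submits an authentication request.
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("Tom","1234567");
        subject.login(token);
        try {
            System.out.println("isAuthenticated:"+subject.isAuthenticated());
            // Boolean role check; "admin" is the only role granted in addUser().
            System.out.println("hasRole(admin):"+subject.hasRole("admin"));
            // Throwing role check; the test fails here if the role is missing.
            subject.checkRole("admin");
        } finally {
            // Log out so the authenticated state built up above does not leak
            // into later tests that obtain a Subject on this thread.
            subject.logout();
        }
    }
}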
三 测试结果
isAuthenticated:true
四 源码研究
// NOTE(review): the walkthrough starts from the varargs form. Against the realm
// from section 2 (Tom holds only "admin"), checkRoles("admin", "user") would throw
// an AuthorizationException on the missing "user" role: checkRoles() loops over
// checkRole(), which throws as soon as one hasRole() lookup returns false (see below).
subject.checkRoles("admin", "user");
public class DelegatingSubject implements Subject {
public void checkRoles(String... roleIdentifiers) throws AuthorizationException {
securityManager.checkRoles(getPrincipals(), roleIdentifiers);
public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager {
public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
this.authorizer.checkRoles(principals, roles);
public class ModularRealmAuthorizer implements Authorizer, PermissionResolverAware, RolePermissionResolverAware {
public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
checkRole(principals, role);
public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
if (!hasRole(principals, role)) {
public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {
public abstract class AuthorizingRealm extends AuthenticatingRealm
public boolean hasRole(PrincipalCollection principal, String roleIdentifier) {
AuthorizationInfo info = getAuthorizationInfo(principal);
protected boolean hasRole(String roleIdentifier, AuthorizationInfo info) {
return info != null && info.getRoles() != null && info.getRoles().contains(roleIdentifier);