一、项目说明
项目环境:jdk1.7+tomcat7+idea2018+maven+shiro1.3.2
源代码github地址:https://github.com/tmAlj/shiro/tree/master/helloshiro
实现目标:通过shiro源代码中的quickstart例子的代码解读,了解shiro验证,授权执行的大致流程
综合实例:基于shiro的按钮级别的权限管理系统
二、helloshiro示例
(1)新建maven工程,名称为helloshiro
(2)配置pom.xml中依赖(下载地址:http://mvnrepository.com/)
<dependencies>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.6.4</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.2</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
</dependencies>
(3)配置log4j.properties
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
# General Apache libraries
log4j.logger.org.apache=WARN
# Spring
log4j.logger.org.springframework=WARN
# Default Shiro logging
log4j.logger.org.apache.shiro=TRACE
# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN
(3)配置shiro.ini
注:该文件配置用户(账号/密码),角色,权限等。作为用户验证授权的参考值,可持久化到数据库中
[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz
# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
# license plate 'eagle5' (instance specific id)
goodguy = winnebago:drive:eagle5
(4)测试代码
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Simple Quickstart application showing how to use Shiro's API.
*
* @since 0.9 RC2
*/
public class Quickstart {
private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);
public static void main(String[] args) {
// 通过shiro.ini的方式创建一个securityManager对象,shiro.ini中配置了用户,角色,资源等信息
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
// 将securityManager对象交给SecurityUtils管理,以便和后面的Subject对象产生关系
SecurityUtils.setSecurityManager(securityManager);
// 得到一个Subject对象,该对象为访问系统任意用户
Subject currentUser = SecurityUtils.getSubject();
// 得到Session对象,和servlet中的Session类似,同时可以给该对象设置属性等
Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");
String value = (String) session.getAttribute("someKey");
if (value.equals("aValue")) {
log.info("===============session=>"+value);
}
// 通过Subject对象的isAuthenticated判断该用户是否已经验证
if (!currentUser.isAuthenticated()) {
// 如果该用户未验证,得到用户的账号和密码,使用UsernamePasswordToken的方式生成一个该用户的token凭证
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
// 开启记住我的功能,这里可以通过获取用户的提交的信息,判断是否选择记住我来决定开启或关闭
token.setRememberMe(true);
try {
// 通过Subject对象的login来验证用户的身份
currentUser.login(token);
// 如果用户身份验证不通过会抛出相应的异常,可以通过抛出的异常来设置返回给前台的信息
} catch (UnknownAccountException uae) {
// UnknownAccountException账号不存在异常
log.info("===============账号不存在异常=>"+token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
// IncorrectCredentialsException密码错误异常
log.info("===============密码错误异常=>"+token.getPrincipal());
} catch (LockedAccountException lae) {
// LockedAccountException账户被锁定异常
log.info("===============账户被锁定异常=>"+token.getPrincipal());
}
// DisabledAccountException帐号被禁用异常
// ExcessiveAttemptsException登录失败次数过多异常
// ExpiredCredentialsException凭证过期异常等等...
catch (AuthenticationException ae) {
// AuthenticationException即验证不通过异常,为前面几个异常的父类
}
}
// 通过Subject对象的hasRole方法判断当前用户是否拥有某个角色
// 这里比对的角色,权限都是在shiro.ini中配置的,常用的是从数据库中动态加载
if (currentUser.hasRole("schwartz")) {
log.info("===============用户拥有schwartz角色");
} else {
log.info("===============用户不拥有schwartz角色");
}
// 通过Subject对象的isPermitted方法判断当前用户是否拥有某个权限
if (currentUser.isPermitted("lightsaber:weild")) {
log.info("===============用户拥有lightsaber:weild权限");
} else {
log.info("===============用户不拥有lightsaber:weild权限");
}
//a (very powerful) Instance Level permission:
// 通过Subject对象的isPermitted方法判断当前用户是否拥有某个权限,相比上面判断,该判断粒度更小
if (currentUser.isPermitted("winnebago:drive:eagle5")) {
log.info("===============用户拥有winnebago:drive:eagle5权限");
} else {
log.info("===============用户不拥有winnebago:drive:eagle5权限");
}
// 通过Subject对象的logout方法退出登录
currentUser.logout();
System.exit(0);
}
}
附:
shiro官方源代码下载地址(该项目为源代码中shiro-root-1.3.2\samples\quickstart中的例子):http://www.apache.org/dyn/closer.cgi/shiro/1.3.2/shiro-root-1.3.2-source-release.zip