本文介绍如下两种 shiro 认证与授权方式,一般在开发中都会使用第二种。demo使用maven构建,具体如下:
0、 pom.xml配置:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>iamck.study</groupId>
<artifactId>shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>shiro</name>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<!-- JUnit is only needed to run the demo test class, hence the test scope. -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<!-- Shiro core: SecurityManager, Subject, realms and the INI configuration support used by the demo. -->
<!-- NOTE(review): 1.3.2 is an old Shiro release. Before reusing this POM, check the Apache Shiro security advisories and pin a currently maintained version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<!-- Logging dependency declared explicitly by the demo. -->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
</dependencies>
</project>
一、默认realm验证
1、配置文件 shiro-login-demo.ini
# Format: username = password, role1, role2
# NOTE(review): the password below is a weak sample value stored in plaintext; this is acceptable only for a demo.
# In a real deployment store password hashes, configure a hashing CredentialsMatcher on the realm,
# and keep credential files out of version control.
[users]
ck=123456,admin
# Format: role = permission1, permission2
# The teacher role is defined here but is not assigned to any user in [users].
[roles]
admin=add
teacher=update
2、创建 MyShiro.java
package iamck.study.shiro.login_auth_demo;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.Factory;
/**
 * Bootstraps Shiro for the demo: builds one SecurityManager from the INI file on the
 * classpath and offers {@link #init()} to install it for the whole JVM.
 */
public class MyShiro {

    // Built once, at class-initialisation time, from shiro-login-demo.ini.
    private static final SecurityManager SECURITY_MANAGER;

    static {
        Factory<SecurityManager> iniFactory =
                new IniSecurityManagerFactory("classpath:shiro-login-demo.ini");
        SECURITY_MANAGER = iniFactory.getInstance();
    }

    /**
     * Binds the INI-configured SecurityManager to {@link SecurityUtils} so that later
     * calls to {@code SecurityUtils.getSubject()} anywhere in the process use it.
     *
     * <p>The binding is a static, VM-wide singleton. That is convenient for a
     * single-user demo or a standalone test; NOTE(review): for a multi-user or web
     * application, confirm against the Shiro documentation whether a framework-managed
     * SecurityManager should be used instead of this static setter.
     */
    public static void init() {
        SecurityUtils.setSecurityManager(SECURITY_MANAGER);
    }
}
3、创建 LoginService.java
package iamck.study.shiro.login_auth_demo.service;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
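/**
 * Demo service that performs a username/password login against the SecurityManager
 * currently bound to {@link SecurityUtils}.
 */
public class LoginService {

    /**
     * Logs the hard-coded demo account in through the current {@link Subject}.
     *
     * <p>{@code subject.login} throws an {@code AuthenticationException} (unchecked)
     * when the realm rejects the token; this method lets it propagate to the caller.
     */
    public void login() {
        // The Subject is the security view of the current user.
        Subject subject = SecurityUtils.getSubject();

        // Demo-only credentials. Real code must take them from the caller (for example a
        // login form) and must never embed account names or passwords in source.
        String username = "ck";
        String password = "123456";

        // The token carries the submitted principal and credentials to the realm.
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
        } finally {
            // Wipe the password char[] held by the token once the attempt is over, whether
            // it succeeded or failed, so the secret does not linger in memory.
            token.clear();
        }
    }
}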
4、创建测试类 LoginDemoTest.java
package iamck.study.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import iamck.study.shiro.login_auth_demo.MyShiro;
import iamck.study.shiro.login_auth_demo.service.LoginService;
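/**
 * Walks through the demo: initialise Shiro, log in, then print the result of a few
 * role and permission checks for the logged-in subject.
 */
public class LoginDemoTest {

    /**
     * Prints the authentication state before and after login, followed by role and
     * permission checks. The results are only printed; nothing is asserted, so the
     * test passes as long as no exception is thrown.
     */
    @Test
    public void test() {
        // Bind the INI-configured SecurityManager before any Subject is requested.
        MyShiro.init();
        LoginService loginService = new LoginService();
        Subject subject = SecurityUtils.getSubject();

        System.out.println("登录了吗?" + subject.isAuthenticated());
        loginService.login();
        System.out.println("登录了吗?" + subject.isAuthenticated());

        // Role checks. The queried name must match the configured role exactly:
        // a misspelled role name always yields false and hides the real answer.
        System.out.println("是admin角色吗?" + subject.hasRole("admin"));
        System.out.println("是teacher角色吗?" + subject.hasRole("teacher"));

        // Permission checks: "add" is granted through the admin role, "del" is granted to nobody.
        System.out.println("有add权限吗?" + subject.isPermitted("add"));
        System.out.println("有del权限吗?" + subject.isPermitted("del"));
    }
}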
测试结果:
登录了吗?false
登录了吗?true
是admin角色吗?true
是teacher角色吗?false
有add权限吗?true
有del权限吗?false
注意:此处使用的realm其实就是org.apache.shiro.realm.text.IniRealm
二、自定义Realm验证
接着前面的demo,我们继续看看自定义Realm验证的简单实现。
1、创建自定义realm类 SimpleRealm.java
package iamck.study.shiro.login_auth_demo.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
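/**
 * Minimal custom realm for the demo. Both the account and its authorization data are
 * hard-coded; a real realm would load them from a user store.
 */
public class SimpleRealm extends AuthorizingRealm {

    /**
     * Authorization: returns the roles and permissions for the given principals.
     *
     * <p>This simplified version ignores {@code principals} and grants the {@code admin}
     * role and the {@code add} permission to every subject authenticated through this
     * realm. A real implementation must look the values up for the specific principal;
     * otherwise every account ends up with administrator rights.
     *
     * @param principals the identity of the subject being authorized (unused here)
     * @return authorization info holding one role and one string permission
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // In real code, fetch these for the current principal from the user store.
        String role = "admin";
        String permission = "add";

        SimpleAuthorizationInfo sai = new SimpleAuthorizationInfo();
        sai.addRole(role);
        sai.addStringPermission(permission);
        return sai;
    }

    /**
     * Authentication: checks the submitted username and password against the single
     * hard-coded demo account.
     *
     * <p>NOTE(review): the expected password is a plaintext constant compared with
     * {@code String.equals}. Production realms should return the stored (hashed)
     * credentials for the account and leave the comparison to a hashing
     * {@code CredentialsMatcher} configured on the realm.
     *
     * @param token the submitted token; cast to {@link UsernamePasswordToken}
     * @return authentication info for the account, or {@code null} when the username
     *         or password does not match (the caller of this realm then fails the login)
     * @throws AuthenticationException declared by the overridden method; not thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // In real code, look the account up by the submitted username instead.
        String name = "ck";
        String pwd = "123456";

        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String username = upt.getUsername();
        // A token may carry no password; treat that as a mismatch instead of letting
        // new String(null) raise a NullPointerException.
        char[] submitted = upt.getPassword();
        String password = submitted == null ? null : new String(submitted);

        if (name.equals(username) && pwd.equals(password)) {
            return new SimpleAuthenticationInfo(username, password, "myRealm");
        }
        // One message for both failure causes, so the output does not reveal whether
        // the username exists.
        System.out.println("用户名或密码不正确!");
        return null;
    }
}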
2、在配置文件中新增如下内容
[main]
# Instantiate the custom realm and register it under the name myRealm.
myRealm=iamck.study.shiro.login_auth_demo.realm.SimpleRealm
# Hand the realm to the security manager explicitly.
# NOTE(review): with realms set explicitly, logins are presumably checked by SimpleRealm only and the
# [users]/[roles] sections are no longer consulted. Confirm, and remove the unused plaintext entries if so.
securityManager.realms=$myRealm
3、运行上述测试类,结果如下:
登录了吗?false
登录了吗?true
是admin角色吗?true
是teacher角色吗?false
有add权限吗?true
有del权限吗?false