用户–角色–权限
shiro_conf.ini
#对用户的信息进行配置
[users]
#用户的账号和密码
zhangsan=123456
lisi=654321
AuthenticationTest
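/**
 * Authenticates the ini-defined user {@code lisi} against {@code shiro_conf.ini},
 * prints whether the subject is authenticated, then logs out and prints the state again.
 * <p>
 * Expected output: {@code 是否认证通过:true} followed by {@code 是否认证通过:false}.
 * The credentials in shiro_conf.ini are stored in plaintext, which is only acceptable
 * for a demo realm; a deployed realm should store salted hashes.
 */
public void loginTest() {
    // Build the SecurityManager from the ini file on the classpath
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro_conf.ini");
    SecurityManager sm = factory.getInstance();
    // Register it so SecurityUtils.getSubject() resolves against this manager
    SecurityUtils.setSecurityManager(sm);
    Subject subject = SecurityUtils.getSubject();
    // Token carrying the credentials submitted for this login attempt
    UsernamePasswordToken token = new UsernamePasswordToken("lisi", "654321");
    try {
        subject.login(token);
    } catch (AuthenticationException e) {
        // A failed login is reported below through isAuthenticated(); the trace is kept for diagnosis
        e.printStackTrace();
    }
    boolean authenticated = subject.isAuthenticated();
    System.out.println("是否认证通过:" + authenticated);
    // Logging out must clear the authenticated state
    subject.logout();
    boolean authenticated2 = subject.isAuthenticated();
    System.out.println("是否认证通过:" + authenticated2);
}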
是否认证通过:true
是否认证通过:false
自定义Realm
shiro_custom.ini
[main]
#自定义realm
customRealm = com.666.shiro.CustomRealm
#将自定义realm设置到securityManager中,相当于Spring注入
securityManager.realms = $customRealm
CustomRealm(模拟从数据库中取出数据操作)
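/**
 * Realm that simulates looking up credentials and permissions in a database.
 * <p>
 * Authentication returns the stored credential for the submitted principal and leaves
 * the comparison to the configured CredentialsMatcher; authorization returns the fixed
 * permissions {@code user:create} and {@code user:delete}. The stored credential here is
 * the plaintext {@code 123456} for demonstration only — a real realm should store a
 * salted hash and pair it with a CredentialsMatcher that understands that hash.
 */
public class CustomRealm extends AuthorizingRealm {

    /** Name used unless one is configured; it matches the bean id in shiro_custom.ini. */
    private static final String DEFAULT_NAME = "customRealm";

    public CustomRealm() {
        // Explicit super call: not overridable-from-constructor, and keeps the default name
        super.setName(DEFAULT_NAME);
    }

    /**
     * Sets the realm name, honoring the argument and falling back to the default
     * when the caller passes null or a blank string.
     *
     * @param name the realm name to use
     */
    @Override
    public void setName(String name) {
        super.setName(name == null || name.trim().isEmpty() ? DEFAULT_NAME : name);
    }

    /**
     * Authentication: looks up the stored credential for the principal carried by the token.
     *
     * @param token the identity and credentials submitted by the user
     * @return the account info for the principal, or null when no principal was supplied
     *         or no account is found (a null result means authentication fails)
     * @throws AuthenticationException if the lookup itself fails
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Step 1: take the identity (principal) from the token
        String usercode = (String) token.getPrincipal();
        if (usercode == null) {
            return null;
        }
        // Step 2: query the stored credential for this usercode
        String password = lookupPassword(usercode);
        if (password == null) {
            return null;
        }
        // The matcher configured on the realm compares the submitted credential against this one
        return new SimpleAuthenticationInfo(usercode, password, getName());
    }

    /**
     * Simulated database query for the stored credential (e.g. userMapper.selectPasswordByName).
     *
     * @param usercode the identity to look up
     * @return the stored credential, or null when the account does not exist; always 123456 here
     */
    private String lookupPassword(String usercode) {
        return "123456";
    }

    /**
     * Authorization: collects the permissions granted to the primary principal.
     *
     * @param principals the authenticated subject's principals
     * @return the authorization info; empty when no primary principal is present
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // Defensive: no identity means no permissions
        if (principals == null || principals.getPrimaryPrincipal() == null) {
            return authorizationInfo;
        }
        String usercode = (String) principals.getPrimaryPrincipal();
        authorizationInfo.addStringPermissions(lookupPermissions(usercode));
        return authorizationInfo;
    }

    /**
     * Simulated database query for the permission strings of a user.
     *
     * @param usercode the identity to look up
     * @return the permissions; always user:create and user:delete here
     */
    private List<String> lookupPermissions(String usercode) {
        List<String> permissionList = new ArrayList<String>();
        permissionList.add("user:create"); // create users
        permissionList.add("user:delete"); // delete users
        return permissionList;
    }
}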
AuthenticationTest(认证测试)
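/**
 * Authenticates {@code zhangsan} through the custom realm declared in
 * {@code shiro_custom.ini}, prints the authentication state, logs out and prints it again.
 * <p>
 * Expected output: {@code 是否认证通过:true} followed by {@code 是否认证通过:false}.
 */
public void customRealm() {
    // Build the SecurityManager from the ini file that wires in CustomRealm
    Factory<SecurityManager> factory =
            new IniSecurityManagerFactory("classpath:shiro_custom.ini");
    SecurityManager sm = factory.getInstance();
    // Register it so SecurityUtils.getSubject() resolves against this manager
    SecurityUtils.setSecurityManager(sm);
    Subject subject = SecurityUtils.getSubject();
    // Token carrying the credentials submitted for this login attempt
    UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123456");
    try {
        subject.login(token);
    } catch (AuthenticationException e) {
        // A failed login is reported below through isAuthenticated(); the trace is kept for diagnosis
        e.printStackTrace();
    }
    boolean authenticated = subject.isAuthenticated();
    System.out.println("是否认证通过:" + authenticated);
    // Logging out must clear the authenticated state
    subject.logout();
    boolean authenticated2 = subject.isAuthenticated();
    System.out.println("是否认证通过:" + authenticated2);
}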
AuthorizationTest(权限测试)
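/**
 * Authenticates {@code zhangsan} through the custom realm and checks resource-based
 * permissions.
 * <p>
 * Expected output: {@code 认证的状态:true}, {@code 单个权限判断:true}, {@code 多个权限判断:true}.
 */
public void testAuthorization() {
    // Resource name must be "shiro_custom.ini"; a comma in place of the dot would not resolve
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro_custom.ini");
    SecurityManager sm = factory.getInstance();
    // Register it so SecurityUtils.getSubject() resolves against this manager
    SecurityUtils.setSecurityManager(sm);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123456");
    try {
        subject.login(token);
    } catch (AuthenticationException e) {
        // A failed login shows up below as 认证的状态:false; the trace is kept for diagnosis
        e.printStackTrace();
    }
    System.out.println("认证的状态:" + subject.isAuthenticated());
    // Permission checks are only meaningful once the subject is authenticated
    boolean permitted = subject.isPermitted("user:create");
    System.out.println("单个权限判断:" + permitted);
    boolean permittedAll = subject.isPermittedAll("user:create", "user:delete");
    System.out.println("多个权限判断:" + permittedAll);
}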
shiro_permission.ini(写死的权限)
#用户
[users]
#用户张三的凭证(密码)是123456,此用户拥有role1,role2的角色
zhangsan=123456,role1,role2
lisi=123456,role2
#权限
[roles]
#角色role1对资源user拥有create,update的权限
role1=user:ceeate,user:update
#角色role2对资源user拥有create,delete的权限
role2=user:create,user:delete
role3=user:create
AuthorizationTest(权限测试)
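/**
 * Authenticates {@code zhangsan} against the static users/roles in
 * {@code shiro_permission.ini} and exercises role-based and resource-based checks.
 */
public void testAuthorization() {
    // The resource location must be a string literal
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro_permission.ini");
    SecurityManager sm = factory.getInstance();
    // Register it so SecurityUtils.getSubject() resolves against this manager
    SecurityUtils.setSecurityManager(sm);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123456");
    try {
        subject.login(token);
    } catch (AuthenticationException e) {
        // A failed login shows up below as 认证的状态:false; the trace is kept for diagnosis
        e.printStackTrace();
    }
    System.out.println("认证的状态:" + subject.isAuthenticated());
    // Authorization checks are only meaningful once the subject is authenticated.
    // Role-based: the argument is the role's unique identifier
    boolean hasRole = subject.hasRole("role1");
    System.out.println("具有单个角色:" + hasRole);
    boolean hasAllRoles = subject.hasAllRoles(Arrays.asList("role1", "role2"));
    System.out.println("具有多个角色:" + hasAllRoles);
    // checkRole throws instead of returning false when the role is missing
    subject.checkRole("role1");
    // Resource-based: the argument is the permission's unique identifier
    boolean permitted = subject.isPermitted("user:create");
    System.out.println("具有单个权限:" + permitted);
    boolean permittedAll = subject.isPermittedAll("user:create", "user:update");
    System.out.println("具有多个权限:" + permittedAll);
}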