其实关于shiro的博客介绍特别多,这里记录一下自己的学习过程。
Shiro是一个强大易用的Java安全框架,提供了认证、授权、加密和会话管理等功能。先简单的学习一下它的认证和授权。
shiro的认证过程
先使用测试类的方式来验证:
SimpleAccountRealm
- 认证过程
SimpleAccountRealm realm = new SimpleAccountRealm();

/**
 * Registers the single test account before each test.
 * The credential is passed as a plaintext string literal: acceptable for a unit-test fixture,
 * not a pattern to copy into real credential storage.
 */
@Before
public void addUser() {
    realm.addAccount("admin", "123456");
}

/**
 * Logs "admin" in through a DefaultSecurityManager backed by the in-memory realm and prints
 * whether the resulting Subject is authenticated.
 */
@Test
public void testAuthentication() {
    // Wire the realm into a SecurityManager and install it as the process-wide default.
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setRealm(realm);
    SecurityUtils.setSecurityManager(securityManager);

    // Submit the credentials as the current Subject.
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken("admin", "123456");
    currentUser.login(credentials);
    System.out.println("isAuthenticated:" + currentUser.isAuthenticated());
    // NOTE(review): Shiro documents SecurityUtils.getSubject() as thread-bound, and nothing here
    // logs the Subject out or unbinds it; if the test runner reuses the thread, a later test may
    // observe this still-authenticated Subject — confirm and add cleanup in an @After if so.
}
当用户名和密码正确时,打印出 isAuthenticated:true;如果认证失败,subject.login 会抛出 AuthenticationException,并不会打印出 false。
- 授权过程
SimpleAccountRealm realm = new SimpleAccountRealm();

/**
 * Registers the test account with the roles "admin" and "user" before each test.
 * This addAccount overload takes only roles, so no permissions are attached to the account.
 * The credential is a plaintext string literal — fine for a fixture, not for real storage.
 */
@Before
public void addUser() {
    realm.addAccount("admin", "123456", "admin", "user");
}

/**
 * Logs "admin" in and then verifies, via checkRoles, that the Subject holds both configured roles.
 * (Despite the method name this test exercises authorization as well as authentication.)
 */
@Test
public void testAuthentication() {
    // Wire the realm into a SecurityManager and install it as the process-wide default.
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setRealm(realm);
    SecurityUtils.setSecurityManager(securityManager);

    // Submit the credentials as the current Subject.
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken("admin", "123456");
    currentUser.login(credentials);
    System.out.println("isAuthenticated:" + currentUser.isAuthenticated());

    // checkRoles is Shiro's throwing variant: it raises an exception rather than returning false,
    // so the test passes only if both roles are present.
    currentUser.checkRoles("admin", "user");
    // NOTE(review): the original left subject.logout() commented out; the Subject therefore stays
    // authenticated and (per Shiro's documented behaviour) bound to this thread after the test —
    // consider logging out / unbinding in an @After so state cannot leak into later tests.
}
需要注意的是:SimpleAccountRealm 的 addAccount(用户名, 密码, 角色...) 只能为账号指定角色(role),不能指定权限(permission)。
IniRealm:
- 认证过程
IniRealm realm = new IniRealm("classpath:user.ini");

/**
 * Registers "admin" programmatically with two roles before each test, in addition to whatever
 * user.ini on the classpath supplies. The credential is a plaintext literal — fixture use only.
 */
@Before
public void addUser() {
    realm.addAccount("admin", "123456", "admin", "user");
}

/**
 * Logs "admin" in through a DefaultSecurityManager backed by the INI realm and prints whether
 * the resulting Subject is authenticated.
 */
@Test
public void testAuthentication() {
    // Wire the realm into a SecurityManager and install it as the process-wide default.
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setRealm(realm);
    SecurityUtils.setSecurityManager(securityManager);

    // Submit the credentials as the current Subject.
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken("admin", "123456");
    currentUser.login(credentials);
    System.out.println("isAuthenticated:" + currentUser.isAuthenticated());
    // NOTE(review): no logout()/thread unbinding happens here; Shiro documents the Subject as
    // thread-bound, so a reused test thread may see this authenticated Subject later — confirm.
}

其中user.ini为resources下的一个文件,里面的内容为:
[users]
admin=123456
- 授权过程
修改user.ini中的内容如下([users] 中每行的格式为 用户名=密码,角色1,角色2...;[roles] 中每行的格式为 角色=权限1,权限2...):
[users]
admin=123456,admin
[roles]
admin=user:delete
同时修改测试类的代码如下:
// Accounts, roles and permissions all come from user.ini on the classpath.
IniRealm realm = new IniRealm("classpath:user.ini");

/**
 * Logs "admin" in through a DefaultSecurityManager backed by the INI realm, then verifies the
 * "admin" role and the "user:delete" permission declared in user.ini.
 */
@Test
public void testAuthentication() {
    // Wire the realm into a SecurityManager and install it as the process-wide default.
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    securityManager.setRealm(realm);
    SecurityUtils.setSecurityManager(securityManager);

    // Submit the credentials as the current Subject.
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken("admin", "123456");
    currentUser.login(credentials);
    System.out.println("isAuthenticated:" + currentUser.isAuthenticated());

    // checkRole/checkPermission are Shiro's throwing variants of hasRole/isPermitted: an
    // exception, not a false return, signals failure, so reaching the end means both hold.
    currentUser.checkRole("admin");
    currentUser.checkPermission("user:delete");
    // NOTE(review): the original left subject.logout() commented out; the authenticated Subject
    // remains thread-bound after the test — consider cleanup in an @After.
}
自定义realm
创建 MyRealm 类,继承 AuthorizingRealm,并重写 doGetAuthorizationInfo(授权)和 doGetAuthenticationInfo(认证)两个方法:
// In-memory stand-in for a user table: user name -> credential.
Map<String, String> map = new HashMap<String, String>();

{
    // Single hard-coded account. The credential is stored as a plaintext literal, which is only
    // acceptable in a mock like this one.
    map.put("admin", "123456");
    // Realm name; any value works as long as SimpleAuthenticationInfo below uses the same one.
    setName("MyRealm");
}

/**
 * Builds the authorization data (roles and string permissions) for an already-authenticated user.
 *
 * @param principals the principals Shiro collected at login; the primary one is the user name
 * @return the roles and permissions granted to that user
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // Unchecked cast: this realm only ever supplies a String user name as the primary principal.
    String user = (String) principals.getPrimaryPrincipal();
    Set<String> roles = getRoleByUserName(user);
    Set<String> permissions = getPermissinByUserName(user);

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.addRoles(roles);
    info.addStringPermissions(permissions);
    return info;
}

/**
 * Looks up the stored credential for the submitted user name and hands it to Shiro for matching.
 *
 * @param token the submitted credentials; its principal is the user name
 * @return authentication info carrying the stored credential, or {@code null} when the user is unknown
 * @throws AuthenticationException declared for the realm contract; this body never throws it directly
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    // Unchecked cast: tokens reaching this realm are expected to carry a String user name.
    String user = (String) token.getPrincipal();
    String stored = getPassWord(user);
    if (stored == null) {
        // Unknown user: return null instead of an info object (Shiro reports this as no account
        // found — verify against the Shiro version in use).
        return null;
    }
    // NOTE(review): the stored credential is returned as-is and no CredentialsMatcher is configured
    // on this realm, so the submitted password is compared against this plaintext value. Fine for a
    // mock; a real realm should store a salted hash and configure a matching CredentialsMatcher.
    return new SimpleAuthenticationInfo(user, stored, "MyRealm");
}

/** Mock credential lookup; returns {@code null} for an unknown user name. */
private String getPassWord(String userName) {
    return map.get(userName);
}

/**
 * Mock role lookup standing in for a database query.
 * The argument is ignored: every user receives the same two roles.
 */
private Set<String> getRoleByUserName(String userName) {
    Set<String> roles = new HashSet<String>();
    roles.add("admin");
    roles.add("aaaaa");
    return roles;
}

/**
 * Mock permission lookup standing in for a database query.
 * The argument is ignored: every user receives the same two permissions.
 */
private Set<String> getPermissinByUserName(String userName) {
    Set<String> permissions = new HashSet<String>();
    permissions.add("user:delete");
    permissions.add("user:update");
    return permissions;
}
测试类:
/** Exercises MyRealm end to end: login, then a role check and a permission check. */
public class RealmTest {

    /**
     * Logs "admin" in against MyRealm and verifies the "aaaaa" role and the "user:delete"
     * permission that the realm grants. (Despite its name, this test covers authorization too.)
     */
    @Test
    public void testAuthentication() {
        // Wire the custom realm into a SecurityManager and install it as the process-wide default.
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(new MyRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // Submit the credentials as the current Subject.
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("admin", "123456"));
        System.out.println("isAuthenticated:" + currentUser.isAuthenticated());

        // checkRole/checkPermission are Shiro's throwing variants of hasRole/isPermitted: an
        // exception, not a false return, signals failure, so reaching the end means both hold.
        currentUser.checkRole("aaaaa");
        currentUser.checkPermission("user:delete");
        // NOTE(review): the original left subject.logout() commented out; the authenticated Subject
        // remains thread-bound after the test — consider cleanup in an @After.
    }
}