Learning Shiro: Apache Shiro Tutorial, Environment Setup

1 Introduction to Shiro

Introduction to Apache Shiro

Reference

http://shiro.apache.org/introduction.html


Shiro includes

  • Authentication: Sometimes referred to as ‘login’, this is the act of
    proving a user is who they say they are.

  • Authorization: The process of access control, i.e. determining ‘who’
    has access to ‘what’.

  • Session Management: Managing user-specific sessions, even in non-web
    or EJB applications.

  • Cryptography: Keeping data secure using cryptographic algorithms
    while still being easy to use.

The first is authentication, the second authorization, the third session management, and the fourth cryptography.

2 Apache Shiro Tutorial: Environment Setup

Apache Shiro Tutorial

Reference

http://shiro.apache.org/tutorial.html

pom dependencies (shiro-core 1.2.2 is the version the tutorial pins; for anything beyond this exercise use the current Shiro release)

    <dependencies>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.2</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-simple</artifactId>
            <version>1.7.5</version>
        </dependency>
    </dependencies>

The first thing to understand in enabling Shiro in an application is that almost everything in Shiro is related to a central/core component called the SecurityManager. For those familiar with Java security, this is Shiro’s notion of a SecurityManager - it is NOT the same thing as the java.lang.SecurityManager.

Shiro SecurityManager is the core of a Shiro environment for an application and one SecurityManager must exist per application. So, the first thing we must do in our Tutorial application is set-up the SecurityManager instance.

The core of Shiro is the SecurityManager, so the first thing to do is set up a SecurityManager.

Shiro provides a default ‘common denominator’ solution via text-based INI configuration. People are pretty tired of using bulky XML files these days, and INI is easy to read, simple to use, and requires very few dependencies. You’ll also see later that with a simple understanding of object graph navigation, INI can be used effectively to configure simple object graphs like the SecurityManager.

Shiro provides a default text-based INI configuration.

Create the INI file

src/main/resources/shiro.ini

# =============================================================================
# Tutorial INI configuration
#
# Usernames/passwords are based on the classic Mel Brooks' film "Spaceballs" :)
# =============================================================================

# -----------------------------------------------------------------------------
# Users and their (optional) assigned roles
# username = password, role1, role2, ..., roleN
# -----------------------------------------------------------------------------
[users]
root = secret, admin
guest = guest, guest
presidentskroob = 12345, president
darkhelmet = ludicrousspeed, darklord, schwartz
lonestarr = vespa, goodguy, schwartz

# -----------------------------------------------------------------------------
# Roles with assigned permissions
# roleName = perm1, perm2, ..., permN
# -----------------------------------------------------------------------------
[roles]
admin = *
schwartz = lightsaber:*
goodguy = winnebago:drive:eagle5
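How the three [roles] lines above resolve when Shiro checks a permission. This is an added example, not part of the tutorial: it uses Shiro's own WildcardPermission class directly, so it needs no SecurityManager and no login. The class name PermissionSemantics and the extra permission strings it tests (lightsaber:wield:blue, winnebago:drive:eagle1, winnebago:drive) are mine; only the three granted strings come from shiro.ini.

```java
package com.shiro.test;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Added example (not from the tutorial): how the permission strings in
 * shiro.ini's [roles] section resolve, using WildcardPermission directly.
 */
public class PermissionSemantics {

    /** True if a subject holding 'granted' may perform 'requested'. */
    public static boolean implies(String granted, String requested) {
        Permission held = new WildcardPermission(granted);
        Permission wanted = new WildcardPermission(requested);
        return held.implies(wanted);
    }

    public static void main(String[] args) {
        // admin = *  : a single wildcard part implies every permission string
        check("*", "winnebago:drive:eagle5", true);

        // schwartz = lightsaber:*  : any action on lightsaber, on any instance
        check("lightsaber:*", "lightsaber:wield", true);
        check("lightsaber:*", "lightsaber:wield:blue", true);
        check("lightsaber:*", "winnebago:drive", false);

        // goodguy = winnebago:drive:eagle5 : one action on one instance only
        check("winnebago:drive:eagle5", "winnebago:drive:eagle5", true);
        check("winnebago:drive:eagle5", "winnebago:drive:eagle1", false);

        // a missing trailing part means "all": winnebago:drive covers every plate,
        // but an instance-level grant does not satisfy the type-level check
        check("winnebago:drive", "winnebago:drive:eagle5", true);
        check("winnebago:drive:eagle5", "winnebago:drive", false);

        // WildcardPermission is case-insensitive by default
        check("lightsaber:*", "LightSaber:Wield", true);
    }

    private static void check(String granted, String requested, boolean expected) {
        boolean actual = implies(granted, requested);
        if (actual != expected) {
            throw new AssertionError(granted + " vs " + requested + ": got " + actual);
        }
        System.out.printf("%-24s %-24s %s%n", granted, requested, actual ? "permitted" : "denied");
    }
}
```

The last two pairs are the ones worth remembering when writing [roles] lines: granting winnebago:drive hands out every plate, while granting winnebago:drive:eagle5 does not let the holder pass an isPermitted("winnebago:drive") check.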

Test

package com.shiro.test;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Created by GWCheng on 2016/3/6.
 */
public class Tutorial {
    private static final transient Logger log = LoggerFactory.getLogger(Tutorial.class);

    public static void main(String[] args) {
        log.info("My First Apache Shiro Application");

        // 1. create a factory that reads the INI configuration from the classpath
        IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:shiro.ini");

        // 2. build the SecurityManager instance from that configuration
        SecurityManager securityManager = factory.getInstance();

        // 3. make it accessible to the whole application through SecurityUtils
        SecurityUtils.setSecurityManager(securityManager);

        System.exit(0);
    }
}

Project structure: shiro.ini under src/main/resources and Tutorial.java under src/main/java/com/shiro/test (the original post showed a screenshot of the tree).

There is no output at this point, but the Shiro environment is now set up.

3 Going further

Now that our SecurityManager is set-up and ready-to go, now we can start doing the things we really care about - performing security operations.

Let's go a step further.

When securing our applications, probably the most relevant questions we ask ourselves are “Who is the current user?” or “Is the current user allowed to do X?” It is common to ask these questions as we’re writing code or designing user interfaces: applications are usually built based on user stories, and you want functionality represented (and secured) on a per-user basis. So, the most natural way for us to think about security in our application is based on the current user. Shiro’s API fundamentally represents the notion of ‘the current user’ with its Subject concept.

When securing a system we constantly ask: who is the current user, and is that user allowed to do X? The most common way to reason about security is in terms of the current user. Shiro's API represents the current user as a Subject.

The current user is obtained with the following code

Subject currentUser = SecurityUtils.getSubject();

Using SecurityUtils.getSubject(), we can obtain the currently executing Subject. Subject is a security term that basically means “a security-specific view of the currently executing user”. It is not called a ‘User’ because the word ‘User’ is usually associated with a human being. In the security world, the term ‘Subject’ can mean a human being, but also a 3rd party process, cron job, daemon account, or anything similar. It simply means ‘the thing that is currently interacting with the software’. For most intents and purposes though, you can think of the Subject as Shiro’s ‘User’ concept.

SecurityUtils.getSubject() returns the currently executing user, meaning whatever is currently interacting with the software. You can think of the Subject as Shiro's notion of a user.

Now that you have a Subject, what can you do with it?

If you want to make things available to the user during their current session with the application, you can get their session:

Session session = currentUser.getSession();
session.setAttribute( "someKey", "aValue" );

The official explanation is a bit verbose, so let's go straight to the code.

Complete test code

Tutorial.java

package com.shiro.test;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Created by GWCheng on 2016/3/6.
 */
public class Tutorial {
    private static final transient Logger log = LoggerFactory.getLogger(Tutorial.class);

    public static void main(String[] args) {
        log.info("My First Apache Shiro Application");

        // 1. create the SecurityManager factory; here the SecurityManager is initialised from the INI file
        IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:shiro.ini");

        // 2. obtain the SecurityManager instance and bind it to SecurityUtils
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        // get the currently executing user (the Subject)
        Subject currentUser = SecurityUtils.getSubject();

        // do some stuff with a Session (no need for a web or EJB container!)
        Session session = currentUser.getSession();
        session.setAttribute("someKey", "aValue");
        // read back the attribute just set
        String value = (String) session.getAttribute("someKey");
        if ("aValue".equals(value)) {
            log.info("Retrieved the correct value! [" + value + "]");
        }

        // log the current user in so we can check roles and permissions
        if (!currentUser.isAuthenticated()) {
            // lonestarr is a user in shiro.ini; vespa is lonestarr's password
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            // remember-me flag: no RememberMeManager is configured in this non-web
            // setup, so it has no effect here
            token.setRememberMe(true);
            try {
                // authenticate against the realm built from shiro.ini
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked.  " +
                        "Please contact your administrator to unlock it.");
            }
            // ... catch more exceptions here (maybe custom ones specific to your application?)
            catch (AuthenticationException ae) {
                // any other authentication failure
                log.info("Login failed for " + token.getPrincipal() + ": " + ae.getMessage());
            }
        }

        // say who they are: print the identifying principal (here, a username).
        // If login() threw above, the Subject is still anonymous and getPrincipal() is null.
        if (currentUser.isAuthenticated()) {
            log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
        } else {
            log.info("Not logged in; every role and permission check below is denied.");
        }

        //test a role:
        if (currentUser.hasRole("schwartz")) {
            log.info("May the Schwartz be with you!");
        } else {
            log.info("Hello, mere mortal.");
        }

        // test a typed permission (not instance-level)
        // lonestarr holds the schwartz role, and schwartz = lightsaber:* grants
        // every action on lightsaber, so this check passes
        if (currentUser.isPermitted("lightsaber:wield")) {
            log.info("You may use a lightsaber ring.  Use it wisely.");
        } else {
            log.info("Sorry, lightsaber rings are for schwartz masters only.");
        }

        // a (very powerful) Instance Level permission:
        if (currentUser.isPermitted("winnebago:drive:eagle5")) {
            log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                    "Here are the keys - have fun!");
        } else {
            log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }

        // all done - log out! (clears the principals and the session)
        currentUser.logout();

        System.exit(0);
    }
}

Output

The original post showed the log as a screenshot. With lonestarr's roles and permissions from shiro.ini, every check in the code takes its positive branch: the session attribute is read back, the login succeeds, the schwartz role test passes, and both the lightsaber:wield and winnebago:drive:eagle5 permission checks are granted.

The original post explained shiro.ini in an annotated screenshot; the comment lines in the file above cover the same structure ([users] is username = password, roles; [roles] is roleName = permissions).
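The login and authorization flow of section 3, exercised for the failure paths as well as the success path, and at the same time the caveat a reviewer would raise about shiro.ini: its [users] section stores passwords in plaintext. This is an added example, not part of the tutorial or of Shiro: it builds the same users and roles in memory with Shiro's Ini class, switches the implicitly created iniRealm to a PasswordMatcher backed by DefaultPasswordService (Shiro's salted, iterated hashing), and then logs in several principals. The class name LoginFlows and the helper login() are mine; the user names, passwords and roles are the tutorial's.

```java
package com.shiro.test;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not part of the tutorial: the tutorial's users and roles
 * built in memory with hashed passwords, then exercised through the success
 * and failure paths of login() and the authorization checks.
 */
public class LoginFlows {

    public static void main(String[] args) {
        PasswordService passwords = new DefaultPasswordService();

        Ini ini = new Ini();
        // [main]: make the INI realm compare submitted passwords against
        // "$shiro1$..." hashes instead of plaintext. "iniRealm" is the name
        // IniSecurityManagerFactory gives the realm it builds from [users]/[roles].
        Ini.Section main = ini.addSection("main");
        main.put("passwordService", DefaultPasswordService.class.getName());
        main.put("passwordMatcher", "org.apache.shiro.authc.credential.PasswordMatcher");
        main.put("passwordMatcher.passwordService", "$passwordService");
        main.put("iniRealm.credentialsMatcher", "$passwordMatcher");

        // [users]: username = hashedPassword, role1, ... (the plaintext is never stored)
        Ini.Section users = ini.addSection("users");
        users.put("root", passwords.encryptPassword("secret") + ", admin");
        users.put("guest", passwords.encryptPassword("guest") + ", guest");
        users.put("lonestarr", passwords.encryptPassword("vespa") + ", goodguy, schwartz");

        // [roles]: as in the tutorial; note that the role "guest" carries no permissions
        Ini.Section roles = ini.addSection("roles");
        roles.put("admin", "*");
        roles.put("schwartz", "lightsaber:*");
        roles.put("goodguy", "winnebago:drive:eagle5");

        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        // failure paths: login() throws and the Subject stays unauthenticated
        System.out.println("nobody/x       -> " + login("nobody", "x"));
        System.out.println("lonestarr/wrong -> " + login("lonestarr", "wrong"));

        // success paths: what each principal may do (root has the permission
        // via admin = * but not the schwartz role; guest has neither)
        String[][] accounts = {{"lonestarr", "vespa"}, {"guest", "guest"}, {"root", "secret"}};
        for (String[] account : accounts) {
            System.out.println(account[0] + " -> " + login(account[0], account[1]));
            Subject subject = SecurityUtils.getSubject();
            if (subject.isAuthenticated()) {
                System.out.printf("  hasRole(schwartz)=%b lightsaber:wield=%b winnebago:drive:eagle5=%b%n",
                        subject.hasRole("schwartz"),
                        subject.isPermitted("lightsaber:wield"),
                        subject.isPermitted("winnebago:drive:eagle5"));
                subject.logout(); // clears principals and session; the Subject is anonymous again
            }
        }
        System.exit(0); // as in the tutorial: do not wait on Shiro's session validation thread
    }

    /** Attempt a login on the current Subject and describe the outcome. */
    static String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "authenticated as " + subject.getPrincipal();
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "incorrect credentials";
        } catch (AuthenticationException e) {
            return "login failed: " + e.getClass().getSimpleName();
        }
    }
}
```

The same four [main] lines work in a shiro.ini file, with each [users] line holding the string that encryptPassword() returns instead of the plaintext; the point of putting the hashing in code here is only that the stored values cannot be written by hand.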

Summary

This post covered how to configure and start Shiro, and introduced its two core concepts, SecurityManager and Subject.

Other features will be covered in later posts.

That is it for the Shiro environment setup.

References

http://shiro.apache.org/tutorial.html
