1.Shiro_授权流程分析
(1). 授权需要继承 AuthorizingRealm 类, 并实现其 doGetAuthorizationInfo 方法
(2). AuthorizingRealm 类继承自 AuthenticatingRealm, 但没有实现 AuthenticatingRealm 中的 doGetAuthenticationInfo, 所以认 证和授权只需要继承 AuthorizingRealm 就可以了. 同时实现他的两个抽象方法.
public class TestRealm extends AuthorizingRealm {
//用于授权的方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// TODO Auto-generated method stub
return null;
}
//用于认证的方法
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// TODO Auto-generated method stub
return null;
}
}
2.授权实现
package com.yang.shiro.realm;
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.stereotype.Component;
@Component
public class ShiroRealm extends AuthorizingRealm {
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// TODO Auto-generated method stub
System.out.println("2:"+token.hashCode());
System.out.println("token:"+token);
//1.把AuthenticationToken 转换为 UsernamePasswordToken
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
//2.从 UsernamePasswordToken 中来获取username
String username = upToken.getUsername();
//3.调用数据库的方法从数据库中查询 username 对应的用户记录,这里就不获取了
System.out.println("从数据库中获取username:" + username + "所对应的用户信息。");
//4.若用户信息不存在,则可抛出 UnknownAccountException 异常
if("unknown".equals(username)) {
throw new UnknownAccountException("用户不存在!");
}
//5.根据用户信息的情况,决定是否需要抛出其它的 AuthenticationException 异常
if("monster".equals(username)) {
throw new LockedAccountException("用户被锁定!");
}
//6.根据用户的情况,来构建 AuthenticationInfo 对象并返回,通常使用的实现类:SimpleAuthenticationInfo
//以下信息是从数据库中获取的。
//(1)principal:认证的实体信息。可以是username,也可以是数据表对应的用户的实体类对象
Object principal = username;
//(2)credentials:密码
Object credentials = null;
if ("admin".equals(username)) {
credentials = "038bdaf98f2037b31f1e75b5b4c9b26e";
}else if("user".equals(username)) {
credentials = "098d2c478e9c11555ce2823231e02ec1";
}
//(3)realmName:当前realm对象的name,调用父类的getName()方法即可
String realmName = getName();
System.out.println("realmName:" + realmName);
//(4) 盐值
ByteSource credentialsSalt = ByteSource.Util.bytes(username);
SimpleAuthenticationInfo info = null;//new SimpleAuthenticationInfo(principal, credentials, realmName);
info = new SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName);
return info;
}
public static void main(String[] args) {
String hashAlgorithmName = "MD5";
Object credentials = "123456";
Object salt = ByteSource.Util.bytes("user");
int hashIterations = 1024;
Object result = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
System.out.println(result);
}
//授权会被shiro回调的方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//1. 从 PrincipalCollection 中获取用户登录的信息
Object principal = principals.getPrimaryPrincipal();
//2. 利用用户登录的信息来获取当前用户的角色或权限
Set<String> roles = new HashSet<>();
roles.add("user"); 这里无论登录的是user 还是 admin 都存放一个user角色,赋予权限
if ("admin".equals(principal)) {
roles.add("admin");
}
//3. 创建SimpleAuthorizationInfo,并设置其refes熟悉
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
//4.返回SimpleAuthorizationInfo对象。
return info;
}
}
配置这个realm:
<!--
3.配置Realm
3.1直接配置实现了org.apache.shiro.realm.Realm接口的Realm;
-->
<!-- id设置名称,class对应写的类 -->
<bean id="jdbcRealm" class="com.yang.shiro.realm.ShiroRealm">
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<!-- 指定加密方式和次数 -->
<property name="hashAlgorithmName" value="MD5"></property>
<property name="hashIterations" value="1024"></property>
</bean>
</property>
</bean>