轻量级安全框架-Shiro

已于 2022-05-03 14:35:32 修改
阅读量225 收藏
点赞数
分类专栏: Shiro 文章标签: java 分布式 后端
于 2022-05-03 14:33:34 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u014161463/article/details/124554760
版权

目录

shiro
1.简介

Apache Shiro 是 Java 的一个安全框架。目前,使用 Apache Shiro 的人越来越多,因为它相当简单,对比 Spring Security,可能没有 Spring Security 做的功能强大,但是在实际工作时可能并不需要那么复杂的东西,所以使用小而简单的 Shiro 就足够了。对于它俩到底哪个好,这个不必纠结,能更简单的解决项目问题就好了。

而构建一个后台应用,权限校验管理是很重要的安全措施,这其中主要包含

  • 用户认证 - 用户身份识别,即登录
  • 用户授权 - 访问控制
  • 密码加密 - 加密敏感数据防止被偷窥
  • 会话管理 - 与用户相关的时间敏感的状态信息
2.整体结构与重要组件

image

从以上也可以看出,Shiro 不提供维护用户 / 权限,而是通过 Realm 让开发人员自己注入。

  • Subject: 主体,代表了当前的用户,这个用户不一定是一个具体的人,与当前应用交互的任何东西都是Subject,如网络爬虫,机器人等;即一个抽象概念;

  • SecurityManger安全管理器;即所有与安全有关的操作都会与它交互;它管理这所有的Subject,且负责进行认证和授权,及会话等管理;可以看出它是Shiro的心脏。

  • Realm: 域,Shiro从Realm获取安全数据(如用户/角色/权限),就是说SecurityManger要验证用户身份,需要从Realm获取用户信息进行比较以确定用户身份是否合法;也需要从Realm得到用户相应角色/权限来验证用户是否可进行操作;可以把Realm看成DataSource,即安全数据源。

  • Authenticator: 认证器,负责主题认证的,这是一个扩展点,可以自定义实现。

  • Authrizer:授权器,或者访问控制器,用来决定主体是否有权限进行相应的操作;即控制着用户能访问应用中的哪些功能。

  • SessionManager:session管理器;

  • SessionDAO:session的数据访问对象;

  • CacheManager:缓存控制器;

  • Cryptography:密码模块,Shiro 提高了一些常见的加密组件用于如密码加密 / 解密的。

从demo开始分析

官网例子:http://shiro.apache.org/tutorial.html

  • shiro.ini
# -----------------------------------------------------------------------------
# Users and their (optional) assigned role
# username = password, role1, role2, ..., roleN
# -----------------------------------------------------------------------------
[users]
root = secret,admin
guest =guest,guest
presidentskroob =12345,president
darkhelmet =ludicrousspeed,darklord,schwartz
lonestarr =vespa,goodguy,schwartz

# -----------------------------------------------------------------------------
# Roles with assigned permissions
# roleName = perm1, perm2, ..., permN
# -----------------------------------------------------------------------------
[roles]
admin = *
schwartz =lightsaber:*
goodguy =winnebago:drive:eagle5

上面的代码,root=secret,admin表示,用户名是root,密码是secret,角色是admin;
schwartz=lightsaber:标识角色schwartz拥有权限lightsaber:,这个文件可以看成是一个Relam,其实就是shiro默认的IniRealm

  • 测试类ShiroTest
@Slf4j
public class ShiroTest {

    public static void main(String[] args) {
        log.info("My First Apache Shiro Application");

        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        // get the currently executing user:
        Subject currentUser = SecurityUtils.getSubject();

        // Do some stuff with a Session (no need for a web or EJB container!!!)
        Session session = currentUser.getSession();
        session.setAttribute("someKey", "aValue");
        String value = (String) session.getAttribute("someKey");
        if (value.equals("aValue")) {
            log.info("Retrieved the correct value! [" + value + "]");
        }

        // let's login the current user so we can check against roles and permissions:
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked.  " +
                        "Please contact your administrator to unlock it.");
            }
            // ... catch more exceptions here (maybe custom ones specific to your application?
            catch (AuthenticationException ae) {
                //unexpected condition?  error?
            }
        }

        //say who they are:
        //print their identifying principal (in this case, a username):
        log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");

        //test a role:
        if (currentUser.hasRole("schwartz")) {
            log.info("May the Schwartz be with you!");
        } else {
            log.info("Hello, mere mortal.");
        }

        //test a typed permission (not instance-level)
        if (currentUser.isPermitted("lightsaber:wield")) {
            log.info("You may use a lightsaber ring.  Use it wisely.");
        } else {
            log.info("Sorry, lightsaber rings are for schwartz masters only.");
        }

        //a (very powerful) Instance Level permission:
        if (currentUser.isPermitted("winnebago:drive:eagle5")) {
            log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                    "Here are the keys - have fun!");
        } else {
            log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }

        //all done - log out!
        currentUser.logout();

        System.exit(0);
    }
}

从上面的实例中,我们可以看到常用的API:

#获取当前用户
Subject currentUser = SecurityUtils.getSubject();
#判断用户是否已经认证
currentUser.isAuthenticated();
#用户登录凭证
UsernamePasswordToken token =new UsernamePasswordToken("用户名","密码");
#记住我
token.setRememberMe(true);
#登录校验
currentUser.login(token);
#判断是否有角色权限
currentUser.hasRole("超管");
#判断是否有资源操作权限
currentuser.isPermitted("发货");

其实稍微梳理一下,可以发现上面代码主要有两个步骤:

认证

#用户登录凭证
UsernamePasswordToken token =new UsernamePasswordToken("用户名","密码");
#记住我
token.setRememberMe(true);
#登录校验
currentUser.login(token);

授权

#判断是否有角色权限
currentUser.hasRole("超管");
#判断是否有资源操作权限
currentuser.isPermitted("发货");

接下来,我们去探讨一下shiro的认证与授权流程,并从源码层去解析一下shiro各个组件之间的关系。

3.认证

身份验证,即在应用中证明他是本人。一般提供一些标识来验证,例如用户名/密码等
在shiro中,用户需要提供 principals(身份)credentials(凭证) 给shiro,从而验证用户身份。
image

大致的shiro认证流程如下:

  1. Subject进行login操作,参数是封装了用户信息的token,例如UsernamePasswordToken,也可以自定义token对象进行特殊信息的传递。
  2. SecurityManager进行登录操作。
  3. SecurityManager委托给Authenticator进行认证逻辑处理。
  4. 调用AuthenticationStrategy进行单个或多Realm身份验证。
  5. 调用对应的Realm进行校验,可以自定义CredentialsMatcher实现token的比较规则,例如: HashedCredentialsMatcher,认证失败则抛对应异常

debug追踪shiro源码的流程:

#登录
currentUser.login(token);

#Subject调用SecurityManager
public void login(AuthenticationToken token) {
   Subject subject = this.securityManager.login(this, token);
}

#SecurityManager委托给Authenticator--AuthenticatingSecurityManager
public AuthenticationInfo authenticate(AuthenticationToken token)  {
   return this.authenticator.authenticate(token);
}
#Authenticator认证器调用Realm进行验证--AbstractAuthenticator
public final AuthenticationInfo authenticate(AuthenticationToken token) {
    AuthenticationInfo info = doAuthenticate(token);
}
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) {
        assertRealmsConfigured();
        Collection<Realm> realms = getRealms();
        if (realms.size() == 1) {
            return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
        } else {
            return doMultiRealmAuthentication(realms, authenticationToken);
        }
    }
#Realm进行多个Realm或单个Realm验证,(多个Realm可以指定验证策略)--AuthenticatingRealm
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) {
        AuthenticationInfo info = getCachedAuthenticationInfo(token);
        if (info == null) {
            //otherwise not cached, perform the lookup:
            info = doGetAuthenticationInfo(token);
            log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
            if (token != null && info != null) {
                cacheAuthenticationInfoIfPossible(token, info);
            }
        } else {
            log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
        }

        if (info != null) {
            assertCredentialsMatch(token, info);
        } else {
            log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
        }

        return info;
    }
  # Realm进行数据源操作--SimpleAccountRealm
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)  {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        SimpleAccount account = getUser(upToken.getUsername());

        if (account != null) {

            if (account.isLocked()) {
                throw new LockedAccountException("Account [" + account + "] is locked.");
            }
            if (account.isCredentialsExpired()) {
                String msg = "The credentials for account [" + account + "] are expired";
                throw new ExpiredCredentialsException(msg);
            }

        }

        return account;
    }
  #匹配规则
  protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        CredentialsMatcher cm = getCredentialsMatcher();
        if (cm != null) {
            if (!cm.doCredentialsMatch(token, info)) {
                //not successful - throw an exception to indicate this:
                String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
                throw new IncorrectCredentialsException(msg);
            }
        } else {
            throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " +
                    "credentials during authentication.  If you do not wish for credentials to be examined, you " +
                    "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");
        }
    }

ok,一条线下来,从login到委托给authenticator,再最后调用realm的doGetAuthenticationInfo方法。

所以,从源码上来看,如果要实现shiro的认证逻辑,至少要准备一个Realm组件、和初始化securityManager组件。

4.授权

授权,也叫访问控制,即在应用中控制谁能访问那些资源(如访问页面/编辑数据/操作按钮等)。在授权中有几个关键对象:主体(Subject)、资源(Resource)、权限(Permission)、角色(Role)

image

大致的shiro授权流程如下:

  • 调用Subject.isPermitted/hasRole接口
  • 委托给SecurityManager
  • SercurityManager委托Authorizer
  • Authorizer会判断Realm的角色、权限是否和传入的匹配
  • 匹配如isPermitted/hasRole会返回true,否则返回false

debug追踪shiro源码过程

  1. url请求被shiro拦截器拦截–AuthorizingMethodInterceptor
public Object invoke(MethodInvocation methodInvocation) throws Throwable {
    assertAuthorized(methodInvocation);
    return methodInvocation.proceed();
}
protected abstract void assertAuthorized(MethodInvocation methodInvocation) throws AuthorizationException;
  1. 获取所有Shiro拦截器进行循环执行,一共5个过滤器
public abstract class AnnotationsAuthorizingMethodInterceptor extends AuthorizingMethodInterceptor {

protected void assertAuthorized(MethodInvocation methodInvocation) throws AuthorizationException {
    //default implementation just ensures no deny votes are cast:
    Collection<AuthorizingAnnotationMethodInterceptor> aamis = getMethodInterceptors();
    if (aamis != null && !aamis.isEmpty()) {
        for (AuthorizingAnnotationMethodInterceptor aami : aamis) {
            if (aami.supports(methodInvocation)) {
                aami.assertAuthorized(methodInvocation);
            }
        }
    }
}
}

public AnnotationsAuthorizingMethodInterceptor() {
    methodInterceptors = new ArrayList<AuthorizingAnnotationMethodInterceptor>(5);
    #角色拦截器
    methodInterceptors.add(new RoleAnnotationMethodInterceptor());
    #权限拦截器
    methodInterceptors.add(new PermissionAnnotationMethodInterceptor());
    methodInterceptors.add(new AuthenticatedAnnotationMethodInterceptor());
    methodInterceptors.add(new UserAnnotationMethodInterceptor());
    methodInterceptors.add(new GuestAnnotationMethodInterceptor());
    }

3.角色Handler进行解析方法上面的注解

package org.apache.shiro.authz.aop;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresRoles;

import java.lang.annotation.Annotation;
import java.util.Arrays;

public class RoleAnnotationHandler extends AuthorizingAnnotationHandler {

    /**
     * Default no-argument constructor that ensures this handler looks for
     * {@link org.apache.shiro.authz.annotation.RequiresRoles RequiresRoles} annotations.
     */
    public RoleAnnotationHandler() {
        super(RequiresRoles.class);
    }

    /**
     * Ensures that the calling <code>Subject</code> has the Annotation's specified roles, and if not, throws an
     * <code>AuthorizingException</code> indicating that access is denied.
     *
     * @param a the RequiresRoles annotation to use to check for one or more roles
     * @throws org.apache.shiro.authz.AuthorizationException
     *          if the calling <code>Subject</code> does not have the role(s) necessary to
     *          proceed.
     */
    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresRoles)) return;

        RequiresRoles rrAnnotation = (RequiresRoles) a;
        String[] roles = rrAnnotation.value();

        if (roles.length == 1) {
            getSubject().checkRole(roles[0]);
            return;
        }
        if (Logical.AND.equals(rrAnnotation.logical())) {
            getSubject().checkRoles(Arrays.asList(roles));
            return;
        }
        if (Logical.OR.equals(rrAnnotation.logical())) {
            // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
            boolean hasAtLeastOneRole = false;
            for (String role : roles) if (getSubject().hasRole(role)) hasAtLeastOneRole = true;
            // Cause the exception if none of the role match, note that the exception message will be a bit misleading
            if (!hasAtLeastOneRole) getSubject().checkRole(roles[0]);
        }
    }

}

4.权限handler进行验证

package org.apache.shiro.authz.aop;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;

import java.lang.annotation.Annotation;

public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {

    public PermissionAnnotationHandler() {
        super(RequiresPermissions.class);
    }

    protected String[] getAnnotationValue(Annotation a) {
        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        return rpAnnotation.value();
    }

 
    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) return;

        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        String[] perms = getAnnotationValue(a);
        Subject subject = getSubject();

        if (perms.length == 1) {
            subject.checkPermission(perms[0]);
            return;
        }
        if (Logical.AND.equals(rpAnnotation.logical())) {
            getSubject().checkPermissions(perms);
            return;
        }
        if (Logical.OR.equals(rpAnnotation.logical())) {
            // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
            boolean hasAtLeastOnePermission = false;
            for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission = true;
            // Cause the exception if none of the role match, note that the exception message will be a bit misleading
            if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);
            
        }
    }
}

5.举权限验证的例子,角色同理,getSubject().isPermitted(permission)进行验证,
并委托给SecurityManager

    public boolean isPermitted(String permission) {
        return hasPrincipals() && securityManager.isPermitted(getPrincipals(), permission);
    }

7.SecurityManager委托Authorizer

public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager {
    
        public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        return this.authorizer.hasRole(principals, roleIdentifier);
        }
        
        public boolean isPermitted(PrincipalCollection principals, String permissionString) {
        return this.authorizer.isPermitted(principals, permissionString);
    }
}

8.Authorizer调用Realm进行验证

public abstract class AuthorizingRealm extends AuthenticatingRealm
        implements Authorizer, Initializable, PermissionResolverAware, RolePermissionResolverAware {
        
   public boolean isPermitted(PrincipalCollection principals, Permission permission) {
        AuthorizationInfo info = getAuthorizationInfo(principals);
        return isPermitted(permission, info);
    }
}

9.通过Realm进行获取授权信息 getAuthorizationInfo(principals)

    protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {

        if (info == null) {
            // Call template method if the info was not found in a cache
            info = doGetAuthorizationInfo(principals);
            // If the info is not null and the cache has been created, then cache the authorization info.
            if (info != null && cache != null) {
                if (log.isTraceEnabled()) {
                    log.trace("Caching authorization info for principals: [" + principals + "].");
                }
                Object key = getAuthorizationCacheKey(principals);
                cache.put(key, info);
            }
        }

        return info;
    }

10.调用自定义Realm的doGetAuthorizationInfo覆盖方法进行获取授权信息

public class AuthRealm extends AuthorizingRealm {

    @Autowired
    private ShiroService shiroService;

    @Override
    /**
     * 授权 获取用户的角色和权限
     *@param  [principals]
     *@return org.apache.shiro.authz.AuthorizationInfo
     */
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        //1. 从 PrincipalCollection 中来获取登录用户的信息
        User user = (User) principals.getPrimaryPrincipal();
        //Integer userId = user.getUserId();
        //2.添加角色和权限
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        for (Role role : user.getRoles()) {
            //2.1添加角色
            simpleAuthorizationInfo.addRole(role.getRoleName());
            for (Permission permission : role.getPermissions()) {
                //2.1.1添加权限
                simpleAuthorizationInfo.addStringPermission(permission.getPermission());
            }
        }
        return simpleAuthorizationInfo;
    }

    @Override
    /**
     * 认证 判断token的有效性
     *@param  [token]
     *@return org.apache.shiro.authc.AuthenticationInfo
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        //获取token,既前端传入的token
        String accessToken = (String) token.getPrincipal();
        //1. 根据accessToken,查询用户信息
        SysToken tokenEntity = shiroService.findByToken(accessToken);
        //2. token失效
        if (tokenEntity == null || tokenEntity.getExpireTime().isBefore(LocalDateTime.now())) {
            throw new IncorrectCredentialsException("token失效,请重新登录");
        }
        //3. 调用数据库的方法, 从数据库中查询 username 对应的用户记录
        User user = shiroService.findByUserId(tokenEntity.getUserId());
        //4. 若用户不存在, 则可以抛出 UnknownAccountException 异常
        if (user == null) {
            throw new UnknownAccountException("用户不存在!");
        }
        //5. 根据用户的情况, 来构建 AuthenticationInfo 对象并返回. 通常使用的实现类为: SimpleAuthenticationInfo
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, accessToken,this.getName());
        return info;
    }
}

11.最后继续执行第8步的isPermitted方法验证

    protected boolean isPermitted(Permission permission, AuthorizationInfo info) {
        Collection<Permission> perms = getPermissions(info);
        if (perms != null && !perms.isEmpty()) {
            for (Permission perm : perms) {
                if (perm.implies(permission)) {
                    return true;
                }
            }
        }
        return false;
    }
spring跟shiro整合配置
/**
 * shrio配置文件
 */
@Configuration
public class ShiroConfig {

    /**
     * 注册shiro的Filter,拦截请求
     */
    @Bean
    public FilterRegistrationBean filterRegistrationBean(SecurityManager securityManager) throws Exception {
        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        filterRegistration.setFilter((Filter) shiroFilter(securityManager).getObject());
        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
        filterRegistration.setAsyncSupported(true);
        filterRegistration.setEnabled(true);
        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST);

        return filterRegistration;
    }

    @Bean
    public Authenticator authenticator() {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        //设置两个Realm,一个用于用户登录验证和访问权限获取;一个用于jwt token的认证
        authenticator.setRealms(Arrays.asList(jwtRealm(), jwtUserRealm()));
        //设置多个realm认证策略,一个成功即跳过其它的
        authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
        return authenticator;
    }

    /**
     * 禁用session, 不保存用户登录状态。保证每次请求都重新认证。
     * 需要注意的是,如果用户代码里调用Subject.getSession()还是可以用session,
     * 如果要完全禁用,要配合下面的noSessionCreation的Filter来实现
     */
    @Bean
    protected SessionStorageEvaluator sessionStorageEvaluator() {
        DefaultWebSessionStorageEvaluator sessionStorageEvaluator = new DefaultWebSessionStorageEvaluator();
        sessionStorageEvaluator.setSessionStorageEnabled(false);
        return sessionStorageEvaluator;
    }

    @Bean
    public DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setAuthenticator(authenticator());
        manager.setAuthorizer(authorizer());
        return manager;
    }

    @Bean
    public Authorizer authorizer() {
        ModularRealmAuthorizer authorizer = new ModularRealmAuthorizer();
        //设置授权Realm
        authorizer.setRealms(Arrays.asList(jwtRealm(), jwtUserRealm()));
        return authorizer;
    }

    @Bean
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
        //加密方式
        hashedCredentialsMatcher.setHashAlgorithmName("md5");
        //加密次数
        hashedCredentialsMatcher.setHashIterations(2);
        //存储散列后的密码是否为16进制
        hashedCredentialsMatcher.isStoredCredentialsHexEncoded();
        return hashedCredentialsMatcher;
    }

    @Bean("jwtUserRealm")
    public Realm jwtUserRealm() {
        return new JwtUserRealm(hashedCredentialsMatcher());
    }

    @Bean("jwtRealm")
    public Realm jwtRealm() {
        return new JwtRealm();
    }

    /**
     * 设置过滤器
     */
    @Bean("shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);
        Map<String, Filter> filterMap = factoryBean.getFilters();
        filterMap.put("authcToken", createAuthFilter());
        factoryBean.setFilters(filterMap);
        factoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition().getFilterChainMap());
        return factoryBean;
    }

    public JwtAuthFilter createAuthFilter() {
        return new JwtAuthFilter();
    }

    @Bean
    protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
        chainDefinition.addPathDefinition("/bloom/**", "noSessionCreation,authcToken");
        return chainDefinition;

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
        DefaultWebSecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

}
shiro内置过滤器

在项目中,有一些url请求是不必被拦截来校验角色或者权限的,例如登录、验证码接口等。所以shiro通过内置过滤器来解决这个问题

public enum DefaultFilter {

    #无需认证即可访问
    anon(AnonymousFilter.class),
    #需要认证才能访问
    authc(FormAuthenticationFilter.class),
    authcBasic(BasicHttpAuthenticationFilter.class),
    logout(LogoutFilter.class),
    noSessionCreation(NoSessionCreationFilter.class),
    perms(PermissionsAuthorizationFilter.class),
    port(PortFilter.class),
    rest(HttpMethodPermissionFilter.class),
    roles(RolesAuthorizationFilter.class),
    ssl(SslFilter.class),
    user(UserFilter.class);
}
geekolaf
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Spring Boot进阶(84):Spring Boot集成Shiro:安全、简单、快捷 | 超级详细,建议收藏
**My Coding Family**
04-17 1388
Spring Boot集成Shiro:安全、简单、快捷,一文搞定它。
shiro轻量级安全框架
weixin_50616848的博客
03-05 3067
shiro安全框架主要核心功能为认证和授权,认证即验证用户信息,是否能登陆,授权即用户是否有权限取执行该请求,方法等。 1、shiro本质是一条过滤器链: anno :无需任何认证即可访问; authc :必须认证后才可以访问; perms:必须具有指定用户权限才可以访问,如perms[user],说明必须有user权限才能访问 user : 必须有记住我才能访问; role :必须具有某个角色才能访问。 2、springBoot整合shiro (1)创建对自定义用户认证和授权方法 .
软件的安全开发模型
W0ngk,一个安全菜鸡,一直在模仿,尚未有超越。
12-30 3491
文章目录一、软件开发模型1、软件生命周期2、软件工程与开发模型二、软件安全开发模型1、微软的安全开发生命周期模型(SDL)2、McGraw 的内建安全模型(BSI)3、NIST安全开发生命周期模型4、OWASP的轻量级应用安全过程(CLASP) 一、软件开发模型 1、软件生命周期 如正常事务的诞生一样,软件也有其孕育、诞生、成长、成熟和消亡的阶段,一般称其过程为软件生命周期。 通常情况下,概括的说,软件生命周期由定义、开发和维护三个时期组成,灭一个阶段又可以划分为若干阶段。 软件定义时期: 定义时期通常是确
基于springmvc的轻量级安全认证框架
08-08
抛弃Shiro、Spring Security等安全框架繁琐的配置,改为注解实现权限管理,配合Spring MVC的RequestMapping注解,完美实现细粒度的权限控制。
java脑洞 springboot 轻量级JWT安全框架
02-10 381
脑洞的由来 场景一:项目转用JWT做权限认证,刚开始选用shiro+jwt,但是发现对于一个无状态认证来说,shiro太重了,原本便捷的功能反而显得很多余 功能需求 从请求中获得token 校验token合法性和时效性 拦截请求校验权限 Git地址 https://gitee.com/wqrzsy/lp-demo/tree/master/lp-springboot-jwt 更多demo请关注 ...
最新apache shiro轻量级的安全认证授权框架
04-03
apache shiro轻量级的安全认证授权框架让你快速搭建中下型企业安全认证模块
spring-boot-shiro:spring-boot-shiro前后端分离实现
05-14
shiro属于轻量级框架,相对于security简单的多,也没有security那么复杂。所以我这里也是简单介绍一下shiro的使用。 2、非常简单;其基本功能点如下图所示: Authentication:身份认证/登录,验证用户是不是拥有相应...
AdminLTE-admin 轻量级权限管理框架.rar
最新发布
07-04
adminlte-boot基于Springboot、Shiro、Mybatis plus、shiro-redis开发的精简后台基础系统。 包含用户管理,角色管理,菜单管理,定时任务,图标工具,文章分类,文章列表等基础业务模块。 使用AdminLTE作为前端UI框架,...
springboot-2.0-shiro.rar
07-13
springboot与shiroShiro是Apache旗下的一个开源项目,它是一个非常易用的安全框架,提供了包括认证、授权、加密、会话管理等功能,与...Shiro属于轻量级框架,相对于Spring Security简单很多,并没有security那么复杂。
轻量级权限控制框架 Light Security 1.0.1 发布
weixin_34072159的博客
04-21 287
百度智能云 云生态狂欢季 热门云产品1折起>>> Light Security是一个基于jwt的...
Apache Shiro学习笔记(三)用户授权isPermitted过程
weixin_33724046的博客
07-27 1416
鲁春利的工作笔记,好记性不如烂笔头Shiro配置文件(shiro-authorize-permission.ini)[main] #定义变量 #变量名=全类名 [users] #用户名=密码,角色1,角色2,...,角色N lucl=123,role1,role2 zs=123,role1 [roles] #角色=权限1,权限2,...,权限N role1=use...
shiro角色权限验证
qq_30881357的博客
10-09 1791
shiro提供了对外验证角色和权限的API,都是通过Subject来调用。 @Test public void auth(){ Subject subject=SecurityUtils.getSubject(); UsernamePasswordToken token=new UsernamePasswordToken("zhang", "123"); subject.login
Shiro---授权源码分析
Apple_Andy的博客
09-14 358
一.步骤总结 1.首先调用Subject.isPermitted/hasRole接口,其会委托给SecurityManager,而SecurityManage接着委托给Authorizer 2.Authorizer是真正的授权者,如果我们调用如.isPermitted(“user:view”),其首先会通过PermissionResolver把字符串换成相应的permission实例 3.在进行授权之前,其会调用相应的realm获取Subject相应的角色/权限用于匹配传入的角色/权限 4.Authoriz
Shiro安全框架的基本使用与相关开发笔记
Sidney_Jack_1101的博客
01-24 162
Shiro是一个功能强大、灵活的开源安全框架,可以干净地处理身份验证、授权、会话管理和加密。本文将记录Shiro相关的开发笔记。 Shiro官网给出的架构图: 从下图中可以看出Shiro主要有Subject(用户),ShiroSecurityManager(操作管理用户) 和Realm(操作安全数据进行授权,认证)组成 Shiro官网:Apache Shiro | Simple. Java. Security. 首先引入相关依赖 <dependency> ..
阿里P8架构师仅用五步教你如何搭建SpringSecurity安全框架
m0_67778103的博客
08-20 999
为了不影响大家的阅读体验,就不把篇幅继续拉长了,需要完整版的小伙伴私信“666”即可。
Shiro的鉴权方式
不忘初心,方能始终。
02-25 9900
一、 怎么用 Shiro 支持三种方式的授权 编程式:通过写 if/else 授权代码块完成: Subject subject = SecurityUtils.getSubject(); if(subject.hasRole(“admin”)) { //有权限 } else { //无权限 } 注解式:通过在执行的 Java 方法上放置相应的注解完成: @Require...
Shiro系列-Shiro简介
初学者
10-26 2014
导语   Apache Shiro是一个Java安全框架,现在在很多的场景下使用Shiro的人越来越多。因为它与Spring Security 相比较来说相对比较简单,从功能上来讲也没有Spring Security那么强大,但是在实际的工作和开发中并不是需要太强大的东西。当然先学习简单的东西,然后再去了解复杂的东西相对来说比较简单。 简单介绍   对于Shiro来说不仅可以使用到JavaSE...
Shiro源码分析-----认证流程/授权流程----------Subject
zhouzhiwengang的专栏
12-29 8890
源码分析的第二篇以Subject的初始化为题。 一、回顾Apache Shiro创建Subject的步骤如下:  //1、获取SecurityManager工厂,此处使用Ini配置文件初始化SecurityManager Factory factory = new IniSecurityManagerFactory("classpath:s
sa-token框架和springsecurity和shiro的区别
06-11
- sa-token:专注于会话管理,提供了轻量级的权限认证和角色认证功能,支持多种会话存储方案。 - Spring Security:提供了完整的安全框架,包含认证、授权、攻击防护等各种安全特性,但是配置相对复杂。 - Shiro:...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值