权限认证
权限认证也就是访问控制,即在应用中控制谁能访问哪些资源
权限认证核心要素
- 权限 : 即操作资源的权利,比如访问某个页面,以及对某个模块的数据的添加,修改,删除,查看的权利
- 角色 : 是权限的集合,一种角色可以包含多种权限
- 用户 : 在 Shiro 中,代表访问系统的用户,即Subject
授权方式
- 编程式授权
- 基于角色的访问控制
- 基于权限的访问控制
- 注解式授权
- Jsp 标签授权
编程式授权实现
抽取公共代码生成 ShiroUtil
package com.zhen.common;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroUtil {
public static Subject login(String configFile,String userName,String password){
//读取配置文件,初始化SecurityManager工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory(configFile);
//获取securityManager实例
SecurityManager securityManager = factory.getInstance();
//把securityManager绑定到SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//获取当前用户
Subject currentUser = SecurityUtils.getSubject();
//创建token令牌,用户名/密码
UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
try {
//身份认证
currentUser.login(token);
System.out.println("身份认证成功!");
} catch (AuthenticationException e) {
e.printStackTrace();
System.out.println("身份认证失败!");
}
return currentUser;
}
}
基于角色的访问控制
- 新建 shiro_role.ini文件,两个用户,两种角色
[users] zhen=123,role1,role2 jack=jack,role1
- 新建测试类
package com.zhen.shiro; import java.util.ArrayList; import java.util.List; import org.apache.shiro.subject.Subject; import org.junit.Test; import com.zhen.common.ShiroUtil; import junit.framework.TestCase; //基于角色的 public class RoleTest extends TestCase { @Test public void testHasRole(){ String configFile = "classpath:shiro_role.ini"; String userName = "jack"; String password = "jack"; Subject currentUser = ShiroUtil.login(configFile, userName, password); if (currentUser.hasRole("role2")) { System.out.println(userName+"有 role2 权限"); }else{ System.out.println(userName+"没有 role2 权限"); } currentUser.logout(); } @Test public void testHasRoles(){ String configFile = "classpath:shiro_role.ini"; String userName = "jack"; String password = "jack"; Subject currentUser = ShiroUtil.login(configFile, userName, password); List<String> roles = new ArrayList<String>(); roles.add("role1"); roles.add("role2"); //返回一个boolean数组 boolean[] results = currentUser.hasRoles(roles); for (int i = 0; i < results.length; i++) { if(results[i]){ System.out.println(userName+"有 "+roles.get(i)+" 权限"); }else{ System.out.println(userName+"没有 "+roles.get(i)+" 权限"); } } currentUser.logout(); } @Test public void testHasAllRoles(){ String configFile = "classpath:shiro_role.ini"; String userName = "zhen"; String password = "123"; Subject currentUser = ShiroUtil.login(configFile, userName, password); List<String> roles = new ArrayList<String>(); roles.add("role1"); roles.add("role2"); //是否拥有所有权限 boolean result = currentUser.hasAllRoles(roles); if(result){ System.out.println(userName+"有 所有权限"); }else{ System.out.println(userName+"没有 所有权限"); } currentUser.logout(); } @Test public void testCheckRoles(){ //check 没有返回值,没有该权限的话就会抛异常 String configFile = "classpath:shiro_role.ini"; String userName = "jack"; String password = "jack"; Subject currentUser = ShiroUtil.login(configFile, userName, password); List<String> roles = new ArrayList<String>(); roles.add("role1"); roles.add("role2"); currentUser.checkRole(roles.get(1)); currentUser.logout(); } }
基于权限的访问控制
- 新建 Shiro_permission.ini文件,内容如下:
[users] zhen=123,role1,role2 jack=jack,role1 [roles] role1=user:select role2=user:add,user:update,user:delete
role1 对应有 user:select 权限
role2 对应有 user:add , user:update , user:delete 权限 - 新建测试类,代码如下:
package com.zhen.shiro; import org.apache.shiro.subject.Subject; import org.junit.Test; import com.zhen.common.ShiroUtil; import junit.framework.TestCase; //基于权限的 public class PermissionTest extends TestCase { @Test public void testIsPermission(){ String configFile = "classpath:shiro_permission.ini"; String userName = "zhen"; String password = "123"; Subject currentUser = ShiroUtil.login(configFile, userName, password); System.out.println(currentUser.isPermitted("user:add")?"有add权限":"没有add权限"); System.out.println(currentUser.isPermitted("user:select")?"有select权限":"没有select权限"); boolean[] results = currentUser.isPermitted("user:add","user:select"); System.out.println(results[0]?"有add权限":"没有add权限"); System.out.println(results[1]?"有select权限":"没有select权限"); System.out.println(currentUser.isPermittedAll("user:add","user:select")?"有user:add&user:select权限":"user:add&user:select权限不全有"); currentUser.logout(); } @Test public void testCheckPermission(){ String configFile = "classpath:shiro_permission.ini"; String userName = "zhen"; String password = "123"; Subject currentUser = ShiroUtil.login(configFile, userName, password); currentUser.checkPermission("user:add"); currentUser.checkPermission("user:select"); currentUser.checkPermissions("user:add","user:select"); currentUser.logout(); } }