Concept
Authorization, also called access control, is the process of managing access to resources: once a user has passed authentication, they are granted permission to access particular resources.
Authorization flow chart
Simple authorization implementation
Settings in the shiro-permession.ini file
[users]
# user coco's password is 123456; this user holds role1 only
coco=123456,role1
# user admin's password is 123456; this user holds role1 and role2
admin=123456,role1,role2
[roles]
# role1 has the create, update and delete permissions on the user resource
role1=user:create,user:update,user:delete
# role2 has the create permission on the user resource
role2=user:create
# role3 has the select permission on the user resource
role3=user:select
Verifying roles and permissions
import java.util.Arrays;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;

// test class wrapper (class name assumed; the page shows only the method)
public class ShiroPermissionTest {

    @Test
    public void demoTree() {
        // load the INI configuration
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-permession.ini");
        // create the SecurityManager
        SecurityManager instance = factory.getInstance();
        // make the SecurityManager globally accessible
        SecurityUtils.setSecurityManager(instance);
        // the submitted username and password
        UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
        // obtain the current subject
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
        } catch (UnknownAccountException e) {
            System.out.println("用户名错误!");
        } catch (IncorrectCredentialsException e) {
            System.out.println("密码错误!");
        }
        System.out.println("是否认证成功:" + subject.isAuthenticated());
        // coarse-grained authorization ===> role checks
        System.out.println(subject.getPrincipal() + " 是否具有role1角色====> " + subject.hasRole("role1"));
        System.out.println(subject.getPrincipal() + " 是否具有role2角色====> " + subject.hasRole("role2"));
        System.out.println(subject.getPrincipal() + " 是否具有role3角色====> " + subject.hasRole("role3"));
        System.out.println(subject.getPrincipal() + " 是否具有role1和role2角色====> " + subject.hasAllRoles(Arrays.asList("role1", "role2")));
        // subject.checkRole("role1");
        // fine-grained authorization ===> resource permission checks
        System.out.println(subject.getPrincipal() + " 是否具有user:create资源权限====> " + subject.isPermitted("user:create"));
        System.out.println(subject.getPrincipal() + " 是否具有user:delete资源权限====> " + subject.isPermitted("user:delete"));
        System.out.println(subject.getPrincipal() + " 是否具有user:delete,user:update资源权限====> " + subject.isPermittedAll("user:delete", "user:update"));
    }
}
Output
是否认证成功:true
admin 是否具有role1角色====> true
admin 是否具有role2角色====> true
admin 是否具有role3角色====> false
admin 是否具有role1和role2角色====> true
admin 是否具有user:create资源权限====> true
admin 是否具有user:delete资源权限====> true
admin 是否具有user:delete,user:update资源权限====> true
Note
subject.checkRole("role1");
subject.checkPermission("user:create");
The check* variants verify that the subject holds the role or permission; unlike hasRole/isPermitted, which return false, they throw an AuthorizationException (UnauthorizedException) when it is missing.
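The difference between the boolean checks and the throwing check* calls, together with how Shiro's wildcard permission strings are compared, is easiest to see in one runnable program. The following is an added example, not code from the original post; it rebuilds the users and roles of shiro-permession.ini in memory with Shiro's Ini class (a constructed copy, so it needs no classpath file), and the class and method names are my own.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class CheckPermissionDemo {

    /** Same users and roles as shiro-permession.ini, built in memory (constructed copy). */
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("coco", "123456,role1");
        users.put("admin", "123456,role1,role2");
        Ini.Section roles = ini.addSection("roles");
        roles.put("role1", "user:create,user:update,user:delete");
        roles.put("role2", "user:create");
        roles.put("role3", "user:select");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** True if the check passed, false if Shiro rejected it with an AuthorizationException. */
    static boolean checkPermissionOrDeny(Subject subject, String permission) {
        try {
            subject.checkPermission(permission); // throws UnauthorizedException when not granted
            return true;
        } catch (AuthorizationException e) {
            return false;
        }
    }

    /** Wildcard semantics: does the granted permission string cover the requested one? */
    static boolean covers(String granted, String requested) {
        Permission g = new WildcardPermission(granted);
        Permission r = new WildcardPermission(requested);
        return g.implies(r);
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("coco", "123456")); // coco holds role1 only

        System.out.println("coco user:update -> " + checkPermissionOrDeny(subject, "user:update")); // true
        System.out.println("coco user:select -> " + checkPermissionOrDeny(subject, "user:select")); // false: only role3 has it
        try {
            subject.checkRole("role2");
        } catch (AuthorizationException e) {
            System.out.println("checkRole(role2) rejected: " + e.getClass().getSimpleName());
        }

        // How Shiro expands permission strings before comparing them
        System.out.println(covers("user:*", "user:create"));             // true
        System.out.println(covers("user:create,update", "user:update")); // true
        System.out.println(covers("user:create", "user:*"));             // false: a specific right never implies all
        System.out.println(covers("user", "user:delete"));               // true: omitted trailing parts mean "all"
        subject.logout();
    }
}
```

The throwing form is the one to use inside service methods: a forgotten `if` around `isPermitted` silently allows the call, whereas `checkPermission` fails closed. The last `covers` line is the case that surprises people: granting the bare string `user` is equivalent to `user:*`.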
Custom Realm authorization
Override the authorization method
Note: the authentication method here compares the password in plaintext.
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class ShiroRealmsOne extends AuthorizingRealm {

    /**
     * Authentication
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (!"admin".equals(username)) {
            // unknown user: returning null makes Shiro raise UnknownAccountException
            return null;
        }
        // String pwd = "123456";  password
        // String salt = "copy";   salt value
        // acd1b8d62a8369c3d6278ea6f663407b  password after two hashing iterations
        String salt = "copy";
        ByteSource saltByte = ByteSource.Util.bytes(salt); // prepared but unused: this realm compares plaintext
        String password = "123456";
        // plaintext credential: the default SimpleCredentialsMatcher compares it directly with the submitted password
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, password, this.getName());
        return info;
    }

    /**
     * Authorization
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal(); // not consulted here: every user gets the same grants
        List<String> list = new ArrayList<String>();
        list.add("project:create");
        list.add("user:delete");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(list);
        return info;
    }
}
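The realm above hands Shiro the plaintext password, and its comments mention a salt and a twice-iterated hash that are never used. The following added example (my code, not the post's, and not the project's ShiroRealmsOne) shows the hardened form of the same realm: it stores only a salted, iterated digest and lets HashedCredentialsMatcher re-hash the submitted password for comparison. The algorithm (SHA-256) and iteration count (1024) are my choices, since the page names neither; the user, password and salt values are the page's, and the stored digest is computed at startup to stand in for a database row.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo extends AuthorizingRealm {

    static final String HASH_ALGORITHM = "SHA-256"; // assumption: page does not name the algorithm
    static final int HASH_ITERATIONS = 1024;        // assumption: page mentions two iterations

    // Stand-in for a user row in a database: salt and digest are stored, the password is not.
    // Constructed from the page's values: user "admin", password "123456", salt "copy".
    static final String STORED_USER = "admin";
    static final String STORED_SALT = "copy";
    static final String STORED_HASH =
            new Sha256Hash("123456", ByteSource.Util.bytes(STORED_SALT), HASH_ITERATIONS).toHex();

    public HashedRealmDemo() {
        // Replace the default plaintext matcher with one that hashes the submitted password
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (!STORED_USER.equals(username)) {
            return null; // unknown account
        }
        // Give Shiro the stored digest plus its salt; the matcher re-hashes the submitted
        // password with the same salt and iteration count and compares the two digests.
        return new SimpleAuthenticationInfo(username, STORED_HASH,
                ByteSource.Util.bytes(STORED_SALT), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("role1");
        info.addStringPermission("user:*"); // wildcard: every action on the user resource
        return info;
    }

    /** True when login succeeds, false when Shiro rejects the credentials. */
    static boolean tryLogin(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealmDemo()));
        Subject subject = SecurityUtils.getSubject();
        System.out.println("stored digest (hex): " + STORED_HASH);
        System.out.println("wrong password accepted? " + tryLogin(subject, "admin", "wrong"));   // false
        System.out.println("right password accepted? " + tryLogin(subject, "admin", "123456")); // true
        System.out.println("isPermitted(user:create): " + subject.isPermitted("user:create"));       // true
        System.out.println("isPermitted(project:create): " + subject.isPermitted("project:create")); // false
        subject.logout();
    }
}
```

Because the digest is salted per user, two accounts with the same password produce different stored values, and a leaked table cannot be matched against a precomputed list. The same realm can be wired through an INI file exactly like shiro-realms.ini below by pointing `securityManager.realms` at it and declaring the matcher as another `[main]` bean.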
The shiro-realms.ini file
[main]
shiroUserRealm=com.sumeng.shiro.ShiroRealmsOne
securityManager.realms=$shiroUserRealm
Test
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;

// test class wrapper (class name assumed; the page shows only the method)
public class ShiroRealmsTest {

    @Test
    public void demoTree() {
        // load the INI configuration
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-realms.ini");
        // create the SecurityManager
        SecurityManager instance = factory.getInstance();
        // make the SecurityManager globally accessible
        SecurityUtils.setSecurityManager(instance);
        // the submitted username and password
        UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
        // obtain the current subject
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
        } catch (UnknownAccountException e) {
            System.out.println("用户名错误!");
        } catch (IncorrectCredentialsException e) {
            System.out.println("密码错误!");
        }
        System.out.println("是否认证成功:" + subject.isAuthenticated());
        // fine-grained authorization ===> resource permission checks
        System.out.println(subject.getPrincipal() + " 是否具有user:create资源权限====> " + subject.isPermitted("user:create"));
        System.out.println(subject.getPrincipal() + " 是否具有user:delete资源权限====> " + subject.isPermitted("user:delete"));
        System.out.println(subject.getPrincipal() + " 是否具有project:create资源权限====> " + subject.isPermitted("project:create"));
        System.out.println(subject.getPrincipal() + " 是否具有user:delete,project:create资源权限====> " + subject.isPermittedAll("user:delete", "project:create"));
    }
}
Output
是否认证成功:true
admin 是否具有user:create资源权限====> false
admin 是否具有user:delete资源权限====> true
admin 是否具有project:create资源权限====> true
admin 是否具有user:delete,project:create资源权限====> true