Shiro框架快速上手(Quickstart)
文章目录
前言
一、shiro框架简介
1、权限管理
基本上涉及到用户参与的系统都要进行权限管理,权限管理属于系统安全的范畴,权限管理实现对用户访问系统的控制(比如vip权限,高低权限的分配),按照安全规则或者安全策略控制用户可以访问而且只能访问自己被授权的资源。
2、用户身份认证
身份认证,就是判断一个用户是否为合法用户的处理过程。最常用的简单身份认证方式是系统通过核对用户输入的用户名和口令,看其是否与系统中存储的该用户的用户名和口令一致,来判断用户身份是否正确。
二、Shiro的快速上手
1.导入相关依赖
代码如下(示例):
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-core -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.7.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>2.0.0-alpha1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>2.0.0-alpha1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/log4j/log4j -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
2.编写配置文件
1、log4j.properties
代码如下(示例):
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
# General Apache libraries
log4j.logger.org.apache=WARN
# Spring
log4j.logger.org.springframework=WARN
# Default Shiro logging
log4j.logger.org.apache.shiro=INFO
# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN
2、shiro.ini
代码如下(示例):
[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz
# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
# license plate 'eagle5' (instance specific id)
goodguy = winnebago:drive:eagle5
3、Quickstart.java
代码如下(示例):
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Simple Quickstart application showing how to use Shiro's API.
*
* @since 0.9 RC2
*/
public class Quickstart {
private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);
public static void main(String[] args) {
// The easiest way to create a Shiro SecurityManager with configured
//最简单的方法创建一个shiro安全管理,要根据我们的shiro.ini配置去创建
// realms, users, roles and permissions is to use the simple INI config.
// We'll do that by using a factory that can ingest a .ini file and
// return a SecurityManager instance:
// Use the shiro.ini file at the root of the classpath
// (file: and url: prefixes load from files and urls respectively):
/*这里不能用IniSecurityManagerFactory,这里是shiro源码中的,但是该类已经过期停用了
* 这里要用DefaultSecuritySecurityManager类*/
DefaultSecurityManager defaultSecurityManager=new DefaultSecurityManager();
IniRealm iniRealm=new IniRealm("classpath:shiro.ini");
defaultSecurityManager.setRealm(iniRealm);
// for this simple example quickstart, make the SecurityManager
// accessible as a JVM singleton. Most applications wouldn't do this
// and instead rely on their container configuration or web.xml for
// webapps. That is outside the scope of this simple quickstart, so
// we'll just do the bare minimum so you can continue to get a feel
// for things.
SecurityUtils.setSecurityManager(defaultSecurityManager);
// Now that a simple Shiro environment is set up, let's see what you can do:
// get the currently executing user:
//这里开始才是真正的重点,这里我们获得真实的用户
Subject currentUser = SecurityUtils.getSubject();
//拿到用户的session信息,通过getSession的方法
Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");
String value = (String) session.getAttribute("someKey");
if (value.equals("aValue")) {
log.info("Retrieved the correct value! [" + value + "]");
}
// let's login the current user so we can check against roles and permissions:
if (!currentUser.isAuthenticated()) {
//token令牌
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
token.setRememberMe(true);
try {
currentUser.login(token);
} catch (UnknownAccountException uae) {
log.info("There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
log.info("Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
log.info("The account for username " + token.getPrincipal() + " is locked. " +
"Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
//unexpected condition? error?
}
}
//say who they are:
//print their identifying principal (in this case, a username):
log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
//test a role:
if (currentUser.hasRole("schwartz")) {
log.info("May the Schwartz be with you!");
} else {
log.info("Hello, mere mortal.");
}
//test a typed permission (not instance-level)
if (currentUser.isPermitted("lightsaber:wield")) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
//a (very powerful) Instance Level permission:
if (currentUser.isPermitted("winnebago:drive:eagle5")) {
log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " +
"Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
//all done - log out!
currentUser.logout();
System.exit(0);
}
}
shiro源码可以到gitee码云上去找。
三、shiro-springBoot的整合
- 创建springBoot项目,导入相关的依赖
<dependencies>
<!--shiro整个spring,最重要的三大类
Subject:用户
Security:管理所有用户
Realm: 连接数据
-->
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
- 编写controller层,测试springboot的启动
package com.tao.springboot02shiro.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class ShiroController {
@RequestMapping({"/","/index"})
public String toIndex(Model model){
model.addAttribute("msg","HelloShiro");
return "index";
}
//在templates目录下创建add和update页面
//便于后续测试
@RequestMapping("/user/add")
public String add(){
return "/user/add";
}
@RequestMapping("/user/update")
public String update(){
return "/user/update";
}
}
- 测试成功后,配置config层,编写ShiroConfig类
package com.tao.springboot02shiro.config;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ShiroConfig {
//ShiroFilterFactoryBean: 3
@Bean
public ShiroFilterFactoryBean factoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean factoryBean=new ShiroFilterFactoryBean();
//设置安全管理器
factoryBean.setSecurityManager(securityManager);
return factoryBean;
}
//DefaultWebSecurityManager: 2
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
//关联UserRealm
securityManager.setRealm(userRealm);
return securityManager;
}
//Realm: 1
@Bean
public UserRealm userRealm(){
return new UserRealm();
}
}
这里的UserRealm为自定义类
package com.tao.springboot02shiro.config;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class UserRealm extends AuthorizingRealm {
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了->授权doGetAuthorizationInfo方法");
return null;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了—>认证doGetAuthenticationInfo方法");
return null;
}
}
到这里我们的shiro-springBoot整合的环境就搭建好了
3.1 shiro实现登录拦截
- 前期准备工作,创建简单的网页
2. controller层的实现
@Controller
public class ShiroController {
@RequestMapping({"/","/index"})
public String toIndex(Model model){
model.addAttribute("msg","HelloShiro");
return "index";
}
@RequestMapping("/user/add")
public String add(){
return "/user/add";
}
@RequestMapping("/user/update")
public String update(){
return "/user/update";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
}
- config层的实现(基于前期环境搭建的ShiroConfig类)
package com.tao.springboot02shiro.config;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
//ShiroFilterFactoryBean: 3
@Bean
public ShiroFilterFactoryBean factoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean factoryBean=new ShiroFilterFactoryBean();
//设置安全管理器
factoryBean.setSecurityManager(securityManager);
Map<String, String> definitionMap = new LinkedHashMap<>();
/*
anon:无需认证(登录)既可访问
authc:需要认证才可以访问
user: 必须拥有记住我功能才能访问(少用)
perms: 拥有对某个资源的权限才能访问
role: 拥有某个角色权限才可以访问
*/
definitionMap.put("/user/*","authc");
//设置拦截器
factoryBean.setFilterChainDefinitionMap(definitionMap);
//如若被拦截,直接走我们的toLogin请求
factoryBean.setLoginUrl("/toLogin");
return factoryBean;
}
//DefaultWebSecurityManager: 2
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
//关联UserRealm
securityManager.setRealm(userRealm);
return securityManager;
}
//Realm: 1
@Bean
public UserRealm userRealm(){
return new UserRealm();
}
}
3.2 shiro实现用户认证
- 编写controller层的ShiroController
@RequestMapping("/login")
public String login(@RequestParam("username") String username, String password,Model model){
Subject subject= SecurityUtils.getSubject();
//token是令牌,每个用户在执行登录提交时会获得一个验证身份的令牌
UsernamePasswordToken token=new UsernamePasswordToken(username,password);
//那么该用户subject在点击登录时,会走到自定义的UserRealm的认证方法中,执行认证方法
try{
//若认证未通过,则会报异常
subject.login(token);
return "index";
}catch (UnknownAccountException uae){//用户名异常
model.addAttribute("msg","用户名错误");
return "login";
}catch (IncorrectCredentialsException ice){//密码验证异常
model.addAttribute("msg","密码错误");
return "login";
}
}
- 编写UserRealm自定义类,这个类有授权和认证的方法
该类是由SecurityManager要验证用户身份,得通过Realm类获取相应的用户信息来认证
package com.tao.springboot02shiro.config;
import com.tao.springboot02shiro.Service.UserService;
import com.tao.springboot02shiro.pojo.User;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
public class UserRealm extends AuthorizingRealm {
@Autowired
UserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了->授权doGetAuthorizationInfo方法");
return null;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了—>认证doGetAuthenticationInfo方法");
//之所以会跳到认证请看我最后总结的shiro框架执行的流程
//这些数据应该在我们的数据库当中取
String username="admin";
String password="123456";
UsernamePasswordToken myToken= (UsernamePasswordToken) authenticationToken;
if(!myToken.getUsername().equals(username)){
return null; //UnknownAccountException 返回空,则报这个异常
}
//密码验证shiro帮我们做了,为的是防止密码的泄露,所以我们不做处理
return new SimpleAuthenticationInfo("",password,"");
}
}
3.3.shiro整合mybatis
1.导入相关的依赖(shiro整合mybatis的前期准备,这是都要用到的依赖
并且这里用到了Druid的数据源)
<dependencies>
<!-- https://mvnrepository.com/artifact/log4j/log4j -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<!-- https://mvnrepository.com/artifact/mysql/mysql-connector-java -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.22</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.mybatis.spring.boot/mybatis-spring-boot-starter -->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.alibaba/druid -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
<!--shiro整合spring,最重要的三大类
Subject:用户
Security:管理所有用户
Realm: 连接数据
-->
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
- application.yaml的配置(.properties也行,笔者更偏向yaml的语法,注意url中我连接的是自己的数据库)
spring:
datasource:
password: whathappy245104
username: root
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://localhost:3306/mybati?useSSL=false&useUnicode=true&characterEncoding=utf-8&serverTimezone=UTC
type: com.alibaba.druid.pool.DruidDataSource
#druid数据源专有配置
initialSize: 5
minIdle: 5
maxActive: 20
maxWait: 60000
timeBetweenEvictionRunsMillis: 60000
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
poolPreparedStatements: true
#配置监控统计拦截的filters,stat:监控统计、log4j:日志记录、wall:防御sql注入
#如果允许报错,java.lang.ClassNotFoundException: org.apache.Log4j.Properity
#则导入log4j 依赖就行
filters: stat,wall,log4j
maxPoolPreparedStatementPerConnectionSize: 20
useGlobalDataSourceStat: true
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
mybatis:
type-aliases-package: com.tao.springboot02shiro.pojo
mapper-locations: classpath:mybatis/mapper/*.xml
- 连接数据库,这里的用户表需要自己创建,包括id,username,password即可
- controller层的编写
package com.tao.springboot02shiro.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
@Controller
public class ShiroController {
@RequestMapping({"/","/index"})
public String toIndex(Model model){
model.addAttribute("msg","HelloShiro");
return "index";
}
@RequestMapping("/user/add")
public String add(){
return "/user/add";
}
@RequestMapping("/user/update")
public String update(){
return "/user/update";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
@RequestMapping("/login")
public String login(@RequestParam("username") String username, String password,Model model){
Subject subject= SecurityUtils.getSubject();
//token是令牌,每个用户在执行登录提交时会获得一个验证身份的令牌
UsernamePasswordToken token=new UsernamePasswordToken(username,password);
//那么该用户subject在点击登录时,会走到自定义的UserRealm的认证方法中,执行认证方法
try{
//若认证未通过,则会报异常
subject.login(token);
return "index";
}catch (UnknownAccountException uae){//用户名异常
model.addAttribute("msg","用户名错误");
return "login";
}catch (IncorrectCredentialsException ice){//密码验证异常
model.addAttribute("msg","密码错误");
return "login";
}
}
}
- userRealm的改变,整合mybatis的目的就是为了Realm能从mybatis中获取用户信息来验证用户的身份(代码是由重复,稍微整改)
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了—>认证doGetAuthenticationInfo方法");
//之所以会跳到认证请看我最后总结的shiro框架执行的流程
//这些数据应该在我们的数据库当中取
/*String username="admin";
String password="123456";*/
UsernamePasswordToken myToken= (UsernamePasswordToken) authenticationToken;
User user=userService.queryUserByName(myToken.getUsername());
/*if(!myToken.getUsername().equals(username)){
return null; //UnknownAccountException 返回空,则报这个异常
}*/
if(user==null){
return null; //UnknownAccountException报异常
}
//密码验证shiro帮我们做了,为的是防止密码的泄露,所以我们不做处理
return new SimpleAuthenticationInfo("",user.getPwd(),"");
}
3.4 shiro请求授权实现
- 在shiroConfig类中设置授权信息,拥有此授权的用户才可以访问我们的页面
@Bean
public ShiroFilterFactoryBean factoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean factoryBean=new ShiroFilterFactoryBean();
//设置安全管理器
factoryBean.setSecurityManager(securityManager);
Map<String, String> definitionMap = new LinkedHashMap<>();
/*
anon:无需认证(登录)既可访问
authc:需要认证才可以访问
user: 必须拥有记住我功能才能访问(少用)
perms: 拥有对某个资源的权限才能访问
role: 拥有某个角色权限才可以访问
*/
//授权,正常情况下,未经授权会跳到未经授权页面
//注意授权要放在拦截上,不然拦截在前,就不会走授权了
definitionMap.put("/user/add","perms[user:add]");
//拦截
definitionMap.put("/user/*","authc");
//设置拦截器(请求过滤)
factoryBean.setFilterChainDefinitionMap(definitionMap);
//如若被拦截,直接走我们的toLogin请求
factoryBean.setLoginUrl("/toLogin");
factoryBean.setUnauthorizedUrl("/Noauth");
return factoryBean;
}
- 在UserRealm类中给用户授权,UserRealm从数据库中取出对应用户的权限,并在授权方法上添加上对应的权限
@Autowired
UserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了->授权doGetAuthorizationInfo方法");
SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
//info.addStringPermission("user:add");
Subject subject= SecurityUtils.getSubject();
User user= (User) subject.getPrincipal();
info.addStringPermission(user.getPerms());
return info;
}
我们在登录页面也就是表单提交走/login请求时–>subject.login()–>Subject作为主体,会将一切的安全管理交由SecurityManager来做,而后SecuriyManager要验证用户的信息身份–>Realm去获取相应的用户再作比较(认证,授权)。
总结
一、重要对象
-
Subject:主体
访问系统的用户,主体可以是用户、程序等,进行认证的都称为主体; -
Principal:身份信息
是主体(subject)进行身份认证的标识,标识必须具有唯一性,如用户名、手机号、邮箱地址等,一个主体可以有多个身份,但是必须有一个主身份(以一个作为该主体的唯一标识符)(Primary Principal)。 -
credential:凭证信息
是只有主体自己知道的安全信息,如密码、证书等。
二、重要方法
- Subject currentUser = SecurityUtils.getSubject();(获得主体,即subject)
- Session session = currentUser.getSession();(通过主体去getSession(),获得用户session信息)
- currentUser.isAuthenticated();(判断用户是否被认证)
- currentUser.getPrincipal();(获取当前用户的唯一标识符)
- currentUser.hasRole(“schwartz”);(设置用户的角色)
- currentUser.isPermitted(“lightsaber:wield”); (用户权限)
- currentUser.logout(); (注销)