第一节:权限认证核心要素
权限认证,也就是访问控制,即在应用中控制谁能访问哪些资源。
在权限认证中,最核心的三个要素是:权限,角色和用户;
权限,即操作资源的权利,比如访问某个页面,以及对某个模块的数据的添加,修改,删除,查看的权利;
角色,是权限的集合,一种角色可以包含多种权限;
用户,在 Shiro 中,代表访问系统的用户,即 Subject;
第二节:授权
1,编程式授权
1.1 基于角色的访问控制
1.2 基于权限的访问控制
2,注解式授权
3,Jsp 标签授权
基于角色的访问控制
就是说,根据用户拥有哪些角色来决定其能否访问资源:先查看当前用户都有哪些角色,再判断是否具备所需角色。
(1)shiro_role.ini
[users]
java1234=123456,role1,role2
jack=123,role1
用户名=密码,角色1,角色2,…(注意:这里的密码以明文写在 ini 文件里,仅用于教学演示;生产环境不应以明文保存密码,而应保存经哈希处理的凭证,并避免把含有凭证的配置文件提交到代码仓库。)
工具类 ShiroUtil.java
package java123.common.com;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
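public class ShiroUtil {
    /**
     * Builds a SecurityManager from the given INI file, installs it into
     * SecurityUtils and attempts a login with the supplied credentials.
     *
     * Tutorial helper only: every call creates a fresh SecurityManager and
     * replaces the one held by SecurityUtils (a static holder), so this is
     * not a pattern for real application code.
     *
     * @param classpath INI resource location, e.g. "classpath:shiro_role.ini"
     * @param name      user name to authenticate as
     * @param password  the user's password
     * @return the current Subject. When authentication fails the failure is
     *         reported on the console and the Subject is still returned, but
     *         it is NOT authenticated; callers that need to know must check
     *         {@code isAuthenticated()} rather than assume the login succeeded.
     */
    public static Subject getSubject(String classpath, String name, String password) {
        // Read the INI configuration and build a SecurityManager from it.
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(classpath);
        SecurityManager securityManager = factory.getInstance();
        // Bind the manager to the static SecurityUtils so getSubject() can find it.
        SecurityUtils.setSecurityManager(securityManager);
        // The Subject representing the caller in the current context.
        Subject currentUser = SecurityUtils.getSubject();
        // Wrap the credentials in a token for the login attempt.
        UsernamePasswordToken token = new UsernamePasswordToken(name, password);
        try {
            currentUser.login(token);
            System.out.println("身份认证成功");
            // The authenticated identity (the user name for this INI realm).
            System.out.println(currentUser.getPrincipal());
        } catch (AuthenticationException e) {
            // Fail closed: report the failure and hand back the unauthenticated
            // Subject. Only the exception class and message go to stderr; a full
            // stack trace adds nothing useful for a failed login.
            System.out.println("身份认证失败");
            System.err.println(e);
        } finally {
            // Wipe the password copy held by the token once the login attempt is
            // over, so the secret does not linger in memory longer than needed.
            token.clear();
        }
        return currentUser;
    }
}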
测试类 RoleTest.java
package java123.shiro.com;
import java.util.Arrays;
import java123.common.com.ShiroUtil;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
public class RoleTest {
    // The "has*" family returns a result (boolean / boolean[]) instead of throwing.
    @Test
    public void testHasRole() {
        // jack is declared in shiro_role.ini with role1 only.
        Subject jack = ShiroUtil.getSubject("classpath:shiro_role.ini", "jack", "123");

        // A single role.
        boolean hasRole1 = jack.hasRole("role1");
        if (hasRole1) {
            System.out.println("Jack有role1角色");
        } else {
            System.out.println("Jack没有role1角色");
        }

        // Several roles, one answer per role.
        boolean[] perRole = jack.hasRoles(Arrays.asList("role1", "role2"));
        System.out.println(perRole[0] + "," + perRole[1]);

        // Several roles, a single all-or-nothing answer.
        boolean hasEveryRole = jack.hasAllRoles(Arrays.asList("role1", "role2", "role3"));
        System.out.println(hasEveryRole);
    }

    // The "check*" family returns nothing and throws when a role is missing.
    @Test
    public void testCheckRole() {
        Subject jack = ShiroUtil.getSubject("classpath:shiro_role.ini", "jack", "123");

        // Passes: jack holds role1.
        jack.checkRole("role1");

        // NOTE(review): jack holds only role1 in shiro_role.ini, so this check is
        // expected to throw (presumably Shiro's authorization exception) and end
        // the test here; the three-role check below is then never reached.
        jack.checkRoles(Arrays.asList("role1", "role2"));
        jack.checkRoles("role1", "role2", "role3");
    }
}
基于权限的访问控制
(1)shiro_permission.ini
[users]
java1234=123456,role1,role2
jack=123,role1
[roles]
role1=user:select
role2=user:add,user:update,user:delete
角色名=权限1,权限2,权限3…(每个权限是形如“资源:操作”的字符串,例如 user:select;上例中的 user: 是权限字符串的一部分,而不是配置语法的一部分。)
(2)ShiroUtil.java
package java123.common.com;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
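public class ShiroUtil {
    /**
     * Builds a SecurityManager from the given INI file, installs it into
     * SecurityUtils and attempts a login with the supplied credentials.
     *
     * Tutorial helper only: every call creates a fresh SecurityManager and
     * replaces the one held by SecurityUtils (a static holder), so this is
     * not a pattern for real application code.
     *
     * @param classpath INI resource location, e.g. "classpath:shiro_permission.ini"
     * @param name      user name to authenticate as
     * @param password  the user's password
     * @return the current Subject. When authentication fails the failure is
     *         reported on the console and the Subject is still returned, but
     *         it is NOT authenticated; callers that need to know must check
     *         {@code isAuthenticated()} rather than assume the login succeeded.
     */
    public static Subject getSubject(String classpath, String name, String password) {
        // Read the INI configuration and build a SecurityManager from it.
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(classpath);
        SecurityManager securityManager = factory.getInstance();
        // Bind the manager to the static SecurityUtils so getSubject() can find it.
        SecurityUtils.setSecurityManager(securityManager);
        // The Subject representing the caller in the current context.
        Subject currentUser = SecurityUtils.getSubject();
        // Wrap the credentials in a token for the login attempt.
        UsernamePasswordToken token = new UsernamePasswordToken(name, password);
        try {
            currentUser.login(token);
            System.out.println("身份认证成功");
            // The authenticated identity (the user name for this INI realm).
            System.out.println(currentUser.getPrincipal());
        } catch (AuthenticationException e) {
            // Fail closed: report the failure and hand back the unauthenticated
            // Subject. Only the exception class and message go to stderr; a full
            // stack trace adds nothing useful for a failed login.
            System.out.println("身份认证失败");
            System.err.println(e);
        } finally {
            // Wipe the password copy held by the token once the login attempt is
            // over, so the secret does not linger in memory longer than needed.
            token.clear();
        }
        return currentUser;
    }
}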
(3)PermissionTest.java
package java123.shiro.com;
import java.util.Arrays;
import java123.common.com.ShiroUtil;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
public class PermissionTest {
    @Test
    public void testPermission1() {
        // java1234 holds role1 and role2 in shiro_permission.ini, i.e.
        // user:select plus user:add/update/delete.
        Subject java1234 = ShiroUtil.getSubject("classpath:shiro_permission.ini", "java1234", "123456");

        // Does java1234 hold the user:select permission?
        boolean canSelect = java1234.isPermitted("user:select");
        System.out.println(canSelect);
    }

    @Test
    public void testPermission2() {
        // jack holds role1 only, which grants just user:select.
        Subject jack = ShiroUtil.getSubject("classpath:shiro_permission.ini", "jack", "123");

        // One answer per permission string.
        boolean[] perPermission = jack.isPermitted("user:delete", "user:update");
        System.out.println(perPermission[0] + "," + perPermission[1]);

        // A single all-or-nothing answer for both permissions.
        boolean hasBoth = jack.isPermittedAll("user:delete", "user:update");
        System.out.println(hasBoth);
    }

    @Test
    public void testCheckPermission() {
        Subject jack = ShiroUtil.getSubject("classpath:shiro_permission.ini", "jack", "123");

        // NOTE(review): jack's only role (role1) grants user:select, so this
        // check is expected to throw (presumably Shiro's authorization exception)
        // and end the test here; the two-permission check below is never reached.
        jack.checkPermission("user:delete");
        jack.checkPermissions("user:delete", "user:update");
    }
}