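Authentication: in Shiro, the user must supply principals and credentials to Shiro so that the application can verify the user's identity.
principals: the identity, i.e. the attributes that identify the subject.
credentials: the proof, i.e. a secret value known only to the subject, such as a password or a digital certificate.
The most common principals/credentials combination is a username and password.
A simple authentication example: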
pom.xml
<!-- shiro dependency-->
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.9</version>
</dependency>
<dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.1.3</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.2.2</version>
</dependency>
shiro.ini
[users]
zhang=123
wang=123
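testHelloWorld
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Assert;
import org.junit.Test;

// The wrapper class name is illustrative; the original shows only the method.
public class LoginLogoutTest {
    @Test
    public void testHelloWorld() {
        // 1. Obtain a SecurityManager factory; here the SecurityManager is initialized from an INI file
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        // 2. Get the SecurityManager instance and bind it to SecurityUtils
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        // 3. Get the Subject and create a username/password token (the user's principal/credential)
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wang", "123");
        try {
            // 4. Log in, i.e. authenticate
            subject.login(token);
        } catch (AuthenticationException e) {
            System.out.println("验证失败"); // "authentication failed"
            e.printStackTrace();
        }
        System.out.println("验证结果:" + subject.isAuthenticated()); // "authentication result:"
        Assert.assertEquals(true, subject.isAuthenticated());
        // Log out
        subject.logout();
    }
}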
Custom Realm
package com.yuanqs.realm;

import org.apache.shiro.authc.*;
import org.apache.shiro.realm.Realm;

public class MyRealm1 implements Realm {
    @Override
    public String getName() {
        return "myrealm1";
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        // Only username/password tokens are handled by this realm
        return token instanceof UsernamePasswordToken;
    }

    @Override
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String password = new String((char[]) token.getCredentials());
        // Unknown username
        if (!"zhang".equals(username)) {
            throw new UnknownAccountException();
        }
        // Wrong password
        if (!"123".equals(password)) {
            throw new IncorrectCredentialsException();
        }
        return new SimpleAuthenticationInfo(username, password, getName());
    }
}
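The class must implement the Realm interface and override its getName(), supports() and getAuthenticationInfo() methods; shiro.ini must also be changed:
[main]
myRealm1=com.yuanqs.realm.MyRealm1
securityManager.realms=$myRealm1
With this, the custom MyRealm1 takes effect; the test still calls the same method as before.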
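A hardened variant of the custom realm above, added here as an example (it is not code from the original post): instead of comparing plaintext passwords inside the realm, it keeps only a salted, iterated SHA-256 hash and lets Shiro's HashedCredentialsMatcher do the comparison. The class name HashedRealmExample, the in-memory record that stands in for a database row, and the iteration count are assumptions made for illustration.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

// Hypothetical class for illustration: the realm never holds or compares a plaintext password.
public class HashedRealmExample extends AuthenticatingRealm {
    private static final int ITERATIONS = 100_000; // constructed value, tune for your hardware

    // Constructed sample record; a real application would load these three values per user.
    private final String storedUser = "zhang";
    private final ByteSource storedSalt = new SecureRandomNumberGenerator().nextBytes();
    private final String storedHash = new Sha256Hash("123", storedSalt, ITERATIONS).toHex();

    public HashedRealmExample() {
        // The matcher must use the same algorithm, iteration count and encoding as the stored hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        if (!storedUser.equals(username)) {
            throw new UnknownAccountException();
        }
        // Return the stored hash and salt only. AuthenticatingRealm then hashes the
        // submitted password with this salt and compares the result via the matcher.
        return new SimpleAuthenticationInfo(username, storedHash, storedSalt, getName());
    }

    public static void main(String[] args) {
        HashedRealmExample realm = new HashedRealmExample();
        AuthenticationInfo ok = realm.getAuthenticationInfo(new UsernamePasswordToken("zhang", "123"));
        System.out.println("correct password accepted: " + (ok != null));
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("zhang", "wrong"));
            System.out.println("unexpected: wrong password accepted");
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

It compiles against the shiro-core 1.2.2 dependency from the pom.xml above and can be registered in shiro.ini the same way as MyRealm1.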
The most commonly used configuration, a Realm backed by a database, looks like this:
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
dataSource=com.alibaba.druid.pool.DruidDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://localhost:3306/shiro
dataSource.username=root
dataSource.password=root
jdbcRealm.dataSource=$dataSource
securityManager.realms=$jdbcRealm