1、授权的概念
对资源访问管理的控制,即对认证通过的用户授予可以访问哪些资源的权限
2、授权的三种实现方式
通过逻辑代码实现
// Programmatic authorization: ask the current Subject directly whether it holds the role.
Subject subject = SecurityUtils.getSubject();
boolean holdsRole = subject.hasRole("管理员");
if (holdsRole) {
    // Role granted: the Subject may access the resources tied to this role.
} else {
    // Role not granted: the protected resources must not be served.
}
通过注解方式实现
@RequiresRoles("管理员")
public void query(){
// Annotation-based authorization: the role is checked before this body runs, and only a
// Subject holding it executes the method.
// NOTE(review): the annotation is only enforced where Shiro's annotation processing
// (its AOP/Spring support) is enabled; otherwise it is silently a no-op — confirm for
// the deployment, since an unenforced annotation looks protected but is not.
}
通过在jsp页面中引入shiro标签实现
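<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!-- Shiro tag: the body is rendered only when the current Subject holds the named role -->
<shiro:hasRole name="管理员">
<!-- content shown only to holders of this role -->
</shiro:hasRole>
<!-- the closing tag must match the opening tag's case exactly (hasRole), or the page fails to translate -->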
在上面三种授权方式中,往往用到的是后两种,可以具体掌握下
自定义realm授权实现
shiro.ini文件
#[users]
#账号zhouym,密码12345
#zhouym=12345
[main]
#自定义 realm
customRealm=com.zhouym.realm.MyRealm
#将realm设置到securityManager
securityManager.realms=$customRealm
自定义realm
package com.zhouym.realm;
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.SimpleByteSource;
/**
* @author Administrator
*
*/
/**
 * Demo realm for the tutorial: one hard-coded account and a fixed set of grants.
 * A real realm loads accounts, credentials, roles and permissions from a data store;
 * nothing here should be copied into production as-is.
 */
public class MyRealm extends AuthorizingRealm {
    /** The single account this realm recognises. */
    private static final String DEMO_USER = "zhouym";
    /**
     * Stored credential for the demo user (a 32-hex-char value, apparently an MD5 digest given
     * the Md5Hash import in the accompanying test). Hard-coded for the tutorial only — a real
     * realm must never embed credentials in source.
     */
    private static final String DEMO_CREDENTIAL = "d6b0ab7f1c8ab8f514db9a6d85de160a";
    /** Value handed to Shiro as the credentials salt; a real store would hold a random per-user salt. */
    private static final String DEMO_SALT = "abc";
    /** Realm name recorded in the returned AuthenticationInfo. */
    private static final String REALM_NAME = "myrealm";

    /**
     * Authentication step: resolves the submitted principal to its stored credential.
     * Returns null for any account other than the demo user (Shiro surfaces that as an
     * unknown account); otherwise returns the stored credential plus salt so the realm's
     * credentials matcher can compare them with the token.
     * NOTE(review): the stored value is a digest, not the plain password, so the realm needs
     * a hashing credentials matcher (HashedCredentialsMatcher) configured; the shiro.ini [main]
     * section shown on this page sets none — confirm, otherwise the plaintext token password is
     * compared to the hex string and login fails.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String submitted = (String) token.getPrincipal();
        boolean known = DEMO_USER.equals(submitted);
        if (!known) {
            return null;
        }
        return new SimpleAuthenticationInfo(submitted, DEMO_CREDENTIAL, new SimpleByteSource(DEMO_SALT), REALM_NAME);
    }

    /**
     * Authorization step: builds the roles and permissions for the authenticated principal.
     * The grants are the same for every principal in this demo; a real realm would look them
     * up by {@code username}.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        // tutorial trace of who is being authorized
        System.out.println(username);
        SimpleAuthorizationInfo grants = new SimpleAuthorizationInfo();
        // "r1" is also in demoRoles(); SimpleAuthorizationInfo keeps roles in a Set, so the duplicate is harmless
        grants.addRole("r1");
        grants.addRoles(demoRoles());
        grants.addStringPermission("user:query");
        grants.addStringPermissions(demoPermissions());
        return grants;
    }

    /** Roles granted to every principal in this demo. */
    private static List<String> demoRoles() {
        List<String> roles = new ArrayList<>();
        for (String role : new String[] {"r1", "r2", "r3"}) {
            roles.add(role);
        }
        return roles;
    }

    /** Wildcard permission strings granted to every principal in this demo. */
    private static List<String> demoPermissions() {
        List<String> permissions = new ArrayList<>();
        for (String permission : new String[] {"order:create", "order:update", "order:delete"}) {
            permissions.add(permission);
        }
        return permissions;
    }
}
测试类
package com.zhouym.junit;
import java.util.Arrays;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;
/**
 * Drives the tutorial realm end to end: build the SecurityManager from shiro.ini, log in,
 * then print the outcome of several role and permission checks.
 * NOTE(review): MyRealm grants roles r1/r2/r3 and permissions user:query and order:*; the
 * names checked below (role1, role2, role3, user:create, user:update) are not among them, so
 * those checks print false — confirm whether that is intended or the names should match.
 */
public class JunitTest {
    @Test
    public void test() {
        installSecurityManager();
        Subject subject = SecurityUtils.getSubject();
        authenticate(subject);
        // Did login succeed?
        System.out.println(subject.isAuthenticated());
        // Authorization checks only make sense once authentication passed
        reportRoles(subject);
        reportPermissions(subject);
    }

    /** Builds the SecurityManager from the ini file and installs it via SecurityUtils (static, VM-wide). */
    private static void installSecurityManager() {
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }

    /**
     * Submits the demo credentials. Unknown account and wrong password are reported on
     * stdout; any other AuthenticationException propagates and fails the test.
     */
    private static void authenticate(Subject subject) {
        AuthenticationToken token = new UsernamePasswordToken("zhouym", "12345");
        try {
            subject.login(token);
            System.out.println("登录成功");
        } catch (UnknownAccountException e) {
            System.out.println("账号错误");
        } catch (IncorrectCredentialsException e) {
            System.out.println("密码错误");
        }
    }

    /** Prints single- and multi-role checks for the current principal. */
    private static void reportRoles(Subject subject) {
        Object who = subject.getPrincipal();
        System.out.println(who + "是否有role角色:" + subject.hasRole("role1"));
        System.out.println(who + "是否有role角色:" + subject.hasRole("role3"));
        boolean[] held = subject.hasRoles(Arrays.asList("role1", "role2"));
        System.out.println(who + "是否具有role1和role2角色:" + held[0] + "," + held[1]);
    }

    /** Prints individual and all-of permission checks for the current principal. */
    private static void reportPermissions(Subject subject) {
        Object who = subject.getPrincipal();
        System.out.println(who + "是否具有create和update权限:" + subject.isPermitted("user:create") + "," + subject.isPermitted("user:update"));
        System.out.println(subject.isPermittedAll("user:create", "user:update"));
    }
}