核心概念:Subject, SecurityManager, and Realms
import org.apache.shiro.subject.Subject;
import org.apache.shiro.SecurityUtils;
……
Subject currentUser = SecurityUtils.getSubject();
#####如果拿到了subject,shiro90%的事情都可以做了例如
- login
- logout
- access their session
- execute authorization checks
The SecurityManager manages security operations for all users.
How do we set up a SecurityManager?
如果是web应用,我们通常会在web.xml指定一个Shiro Servlet Filter,它会创建一个SecurityManager 实例。SecurityManager 一般是一个单例,他的默认实现是POJO,配置形式有如下几种方式:
- normal Java code
- Spring XML
- YAML
- .properties
- .ini files
ini files是最常用的,因为 INI is easy to read, simple to use, and requires very few dependencies。for example
1.用ini配置shiro
[main]
cm = org.apache.shiro.authc.credential.HashedCredentialsMatcher
cm.hashAlgorithm = SHA-512
cm.hashIterations = 1024
# Base64 encoding (less text):
cm.storedCredentialsHexEncoded = false
iniRealm.credentialsMatcher = $cm
[users]
jdoe = TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJpcyByZWFzb2
asmith = IHNpbmd1bGFyIHBhc3Npb24gZnJvbS文件ciBhbXNoZWG5vdCB
INI File解析
1). main区域是用来配置SecurityManager 对象的,这里设置了两个对象,crm以及iniRealm。并且m对象设置了一些参数。然后将crm赋值给了iniRealm对象。
2). users区域用来指定静态的用户账号。
2.java类加载ini配置文件
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.Factory;
//1. Load the INI configuration
Factory<SecurityManager> factory =
new IniSecurityManagerFactory("classpath:shiro.ini");
//2. Create the SecurityManager
SecurityManager securityManager = factory.getInstance();
//3. Make it accessible
SecurityUtils.setSecurityManager(securityManager);
代码解析
1)加载ini配置文件
2)创建SecurityManager实例
3)让SecurityManager实例可以被应用访问
Authentication
1. 获取用户的登录名 (principals),和密码(credentials).
2. 将上一步获取的信息提交给系统
3. 如果跟系统期待的匹配,用户是已认证的,否则是未认证的
用户登录
//1. Acquire submitted principals and credentials:
AuthenticationToken token =
new UsernamePasswordToken(username, password);
//2. Get the current Subject:
Subject currentUser = SecurityUtils.getSubject();
//3. Login:
currentUser.login(token);
处理失败的情况
//3. Login:
try {
currentUser.login(token);
} catch (IncorrectCredentialsException ice) { …
} catch (LockedAccountException lae) { …
}
…
catch (AuthenticationException ae) {…
}
Authorization
Authorization is essentially access control - controlling what your users can access in your application
Authorization是用来控制用户可以访问应用的哪些resource和webpage
if ( subject.hasRole(“administrator”) ) {
//show the ‘Create User’ button
} else {
//grey-out the button?
}
……
if ( subject.isPermitted(“user:create”) ) {
//show the ‘Create User’ button
} else {
//grey-out the button?
}
……
if ( subject.isPermitted(“user:delete:jsmith”) ) {
//delete the ‘jsmith’ user
} else {
//don’t delete ‘jsmith’
}
Session Management
Shiro enables a Session programming paradigm for any application - from small daemon standalone applications to the largest clustered web applications.
Shiro’s architecture allows for pluggable Session data stores,And it is container independent.
实例
Session session = subject.getSession();
Session session = subject.getSession(boolean create);
session.getAttribute(“key”, someValue);
Date start = session.getStartTimestamp();
Date timestamp = session.getLastAccessTime();
session.setTimeout(millis);
Cryptography
Shiro ships with a robust web support module to help secure web applications.ReferShiro Web
ShiroFilter in web.xml
####URL-Specific Filter Chains
#####Shiro supports security-specific filter rules through its innovative URL filter chaining capability
######Shiro支持一种创造性的URL安全过滤器,例如
[urls]
/assets/** = anon
/user/signup = anon
/user/** = user
/rpc/rest/** = perms[rpc:invoke], authc
/** = authc
左边是URL是web应用的相对路径,右边是过滤器链
JSP Tag Library
Web Session Management
1.Default Http Sessions
Shiro defaults its session infrastructure to use the existing Servlet Container sessions that we’re all used to.
2.Shiro’s Native Sessions in the Web Tier
