shiro.ini implements authorization

Prerequisite: authorization is checked only after authentication has succeeded.



1. Authorization Overview

Authorization, also called access control, decides who may access which resources in an application (for example viewing a page, editing data, or performing an action on a page). Four key objects appear in authorization: Subject, Resource, Permission and Role.



2. Introduction of key objects

1. Subject

The subject is the user accessing the application; Shiro represents it with the Subject class. A user may access a resource only after being authorized for it.

2. Resources

Anything a user can access in an application is a resource: a JSP page, a piece of data that can be viewed or edited, a business method, a print job, and so on. Users may access resources only after authorization.

3. Permission

A permission is the atomic unit of the security policy: it states whether a user may perform a particular operation on a particular resource in the application. Examples are opening the user list page, viewing, adding, modifying or deleting user data (that is, CRUD permission control), or printing a document.

4. Role

A role is a named set of operations, which can be understood as a collection of permissions. In practice users are granted roles rather than individual permissions, so a user receives a whole set of permissions at once, which makes administration much easier. Typical roles are project manager, technical director, CTO and development engineer; each role carries a different set of permissions.



3. Authorization process



4. Description of related methods

1. subject.hasRole(String): returns true if the subject has the given role.

2. subject.hasRoles(List<String>): checks each role in the list separately and returns a boolean[] with one entry per role.

3. subject.hasAllRoles(Collection<String>): returns a single boolean that is true only if the subject has every role in the collection.

4. subject.isPermitted(String): returns true if the subject holds the given permission.

5. subject.isPermittedAll(String...): returns true only if the subject holds all of the given permissions.



shiro.ini

# configure users: username=password,role1,role2,...
[users]
zhangsan=123456,role1
lisi=123456,role2
wangwu=123456,role3
zhaoliu=123456,role2,role3
sunqi=123456,role4


# declare roles: role=permission1,permission2,...
[roles]
role1=user:query,user:add,user:update,user:delete,user:export
role2=user:query,user:add
role3=user:query,user:export
role4=*:*

TestAuthorizationApp.java

package com.sxt.shiro;

import java.util.Arrays;
import java.util.List;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Shiro authentication and authorization driven by the shiro.ini file
 *
 */
@SuppressWarnings("deprecation")
public class TestAuthorizationApp {
	// logger
	private static final transient Logger log = LoggerFactory.getLogger(TestAuthorizationApp.class);

	public static void main(String[] args) {

		String username = "zhangsan";
		String password = "123456";

		log.info("My First Apache Shiro Application");
		// 1. Create the factory for the security manager. Note the type is
		//    org.apache.shiro.mgt.SecurityManager, not java.lang.SecurityManager
		Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
		// 2. Use the factory to build the security manager from shiro.ini
		SecurityManager securityManager = factory.getInstance();
		// 3. Make the security manager available application-wide through SecurityUtils
		SecurityUtils.setSecurityManager(securityManager);
		// 4. Obtain the current Subject via SecurityUtils.getSubject()
		Subject subject = SecurityUtils.getSubject();
		// 5. Wrap the username and password in an authentication token
		AuthenticationToken token = new UsernamePasswordToken(username, password);
		// 6. Authenticate; login() throws AuthenticationException on failure
		try {
			subject.login(token);
			System.out.println("认证通过");
		} catch (AuthenticationException e) {
			System.out.println("用户名或密码不正确");
		} 
		
		//subject.logout(); // logs the subject out
		// check whether the subject is authenticated
		boolean authenticated = subject.isAuthenticated();
		System.out.println("是否认证通过:"+authenticated);
		// role check for a single role
		boolean hasRole1 = subject.hasRole("role1");
		System.out.println("是否有role1的角色:"+hasRole1);
		// check each role in the list separately; returns one boolean per role
		List<String> roleIdentifiers=Arrays.asList("role1","role2","role3");
		boolean[] hasRoles = subject.hasRoles(roleIdentifiers);
		for (boolean b : hasRoles) {
			System.out.println(b);
		}
		// true only if the current user has every role in roleIdentifiers
		boolean hasAllRoles = subject.hasAllRoles(roleIdentifiers);
		System.out.println(hasAllRoles);
		
		// permission checks: a single permission, several checked individually, and all at once
		boolean permitted = subject.isPermitted("user:query");
		System.out.println("判断当前用户是否有user:query的权限  "+permitted);
		
		boolean[] permitted2 = subject.isPermitted("user:query","user:add","user:export");
		for (boolean b : permitted2) {
			System.out.println(b);
		}
		
		boolean permittedAll = subject.isPermittedAll("user:query","user:add","user:export");
		System.out.println(permittedAll);

	}

}
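The post only shows the boolean query methods. The added example below (not from the original post, and not Shiro's own sample code; the class name PermissionEnforcementDemo is hypothetical) embeds a subset of the same [users]/[roles] entries through Ini.load, contrasts isPermitted() with the enforcing checkPermission(), which throws AuthorizationException, and shows why role4's *:* grants everything: WildcardPermission treats an omitted trailing part as a wildcard.

```java
package com.sxt.shiro;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

// Added example, not part of the original post; the class name is hypothetical.
@SuppressWarnings("deprecation")
public class PermissionEnforcementDemo {
	// Subset of the post's shiro.ini, embedded so the demo needs no classpath file.
	private static final String INI = "[users]\n"
			+ "lisi=123456,role2\n"
			+ "sunqi=123456,role4\n"
			+ "[roles]\n"
			+ "role2=user:query,user:add\n"
			+ "role4=*:*\n";

	// isPermitted() only reports a boolean; checkPermission() enforces by throwing
	// AuthorizationException, so use the check* methods where access must be denied.
	static boolean canDelete(String user) {
		Subject subject = SecurityUtils.getSubject();
		subject.login(new UsernamePasswordToken(user, "123456"));
		try {
			subject.checkPermission("user:delete");
			return true;
		} catch (AuthorizationException denied) {
			return false;
		} finally {
			subject.logout(); // always end the session, whichever way the check went
		}
	}

	public static void main(String[] args) {
		Ini ini = new Ini();
		ini.load(INI);
		SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
		SecurityUtils.setSecurityManager(sm);
		System.out.println("lisi (role2) may user:delete: " + canDelete("lisi"));
		System.out.println("sunqi (role4 = *:*) may user:delete: " + canDelete("sunqi"));
		// Wildcard implication: omitted trailing parts act as wildcards, so a grant of
		// user:query also covers user:query:42, while user:delete stays outside it.
		WildcardPermission granted = new WildcardPermission("user:query");
		System.out.println("user:query implies user:query:42: " + granted.implies(new WildcardPermission("user:query:42")));
		System.out.println("user:query implies user:delete: " + granted.implies(new WildcardPermission("user:delete")));
	}
}
```

Because *:* implies every permission string, an entry like role4 should be reserved for a break-glass administrator account and audited accordingly.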

Origin blog.csdn.net/qq_39368007/article/details/105596183