1. Create a simple shiro project
- Create the shiro.ini configuration file under src:

```ini
[users]
admin = 123,role1
[roles]
role1 = printer:print
```

Username: admin, password: 123. The admin account is assigned role1 (multiple roles are separated by commas), and role1 holds the permission printer:print. How permission strings are written is discussed below. Note that the [users] section stores the password in plaintext; this is fine for a demo, but a real deployment should use a realm with a hashed credentials matcher instead of the ini users section.
- HelloWorld

```java
package com.shiro.helloworld;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HelloWorld {

    // If you don't want logging you can use System.out.println() directly
    // and skip the log4j.properties configuration.
    private static final transient Logger log = LoggerFactory.getLogger(HelloWorld.class);

    public static void main(String[] args) {
        // Build a SecurityManager from shiro.ini and register it with SecurityUtils
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        Subject currentUser = SecurityUtils.getSubject();

        // Session usage: a session is available even before the subject authenticates
        Session session = currentUser.getSession();
        session.setAttribute("key", "value");
        String value = (String) session.getAttribute("key");
        log.info("value: " + value);

        // Authenticate if not yet authenticated
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("admin", "123");
            // rememberMe only does something when a RememberMeManager is configured;
            // the plain (non-web) DefaultSecurityManager built here has none
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("No such user: " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info(token.getPrincipal() + ": incorrect password!");
            } catch (LockedAccountException lae) {
                log.info(token.getPrincipal() + " is locked, please contact the administrator");
            } catch (AuthenticationException ae) {
                // any other authentication failure
                log.info("Authentication failed: " + ae.getMessage());
            }
        }

        if (currentUser.getPrincipal() != null) {
            log.info("User " + currentUser.getPrincipal() + " logged in successfully");
        }

        // Does the subject hold role1?
        if (currentUser.hasRole("role1")) {
            log.info("Has role role1");
        } else {
            log.info("Does not have role role1");
        }

        // Is the subject permitted to print to the printer?
        if (currentUser.isPermitted("printer:print")) {
            log.info("Can print to the printer");
        } else {
            log.info("Cannot print to the printer");
        }

        // Log out
        currentUser.logout();
        System.exit(0);
    }
}
```
- In practice we use shiro for two things: 1. authentication, verifying who the user is (Subject.login), and 2. authorization, verifying whether the user is allowed to perform an operation (Subject.hasRole / Subject.isPermitted).
2. Shiro's permissions
2.1 Simple strings
A permission can be a plain string, such as queryPrinter. A subject granted queryPrinter is permitted exactly queryPrinter and nothing else.
2.2 Multi-level permissions
- printer:print
The first part is the domain being operated on (printer), the second part is the operation to be performed (print). Parts are separated by colons.
- Multiple values
Multiple values are separated by commas. In the ini [roles] section, role1 = printer:print,printer:query gives role1 two permissions. Commas also work inside a single part: printer:print,query is one permission covering both operations on the printer domain.
The xxx:yyy form is not mandatory; a plain string is still a valid permission.
- Wildcards
Use * to mean all values. For example printer:* means any operation on the printer, and *:query means the query operation in any domain.
2.3 Instance-level access control
- This case typically uses three parts: the first is the domain, the second is the operation, and the third is the instance the operation is applied to. For example: printer:query:lp7200
- Wildcards can be used here too, for example:
printer:print:*
printer:*:*
printer:*:lp7200
printer:query,print:lp7200
- Omitted trailing parts: a missing part means the user has access to all values that would match it.
printer:print is equivalent to printer:print:*
printer is equivalent to printer:*:*
- But remember: parts can only be omitted from the end of the string, i.e.
printer:lp7200 is not equivalent to printer:*:lp7200. printer:lp7200 is a two-part permission whose operation part is the literal string lp7200; it grants nothing on the lp7200 instance.
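To make the rules in 2.2 and 2.3 concrete, here is an added example (not code from this page or from Apache Shiro) that reimplements the wildcard-permission matching semantics in Python: a permission string is split on ":" into parts and on "," into sub-parts, and a granted permission implies a requested one when every requested part is covered by the corresponding granted part, with missing trailing parts treated as wildcards. The class and method names mirror Shiro's WildcardPermission.implies for readability; `is_permitted` is a hypothetical helper that checks a requested permission against everything a subject has been granted, the way Subject.isPermitted does, and the sample grants below are constructed for the example.

```python
"""Wildcard permission matching in the style of Shiro's WildcardPermission.

Added example: an independent Python reimplementation of the documented rules,
not Shiro's own code. Matching is case-insensitive by default, as in Shiro.
"""

PART_DIVIDER = ":"
SUBPART_DIVIDER = ","
WILDCARD = "*"


class WildcardPermission:
    """A permission such as 'printer:query,print:lp7200' parsed into parts."""

    def __init__(self, wildcard_string: str, case_sensitive: bool = False):
        if wildcard_string is None or not wildcard_string.strip():
            raise ValueError("Wildcard string cannot be null or empty")
        text = wildcard_string.strip()
        if not case_sensitive:
            text = text.lower()
        self.parts: list[set[str]] = []
        for part in text.split(PART_DIVIDER):
            subparts = {sp.strip() for sp in part.split(SUBPART_DIVIDER) if sp.strip()}
            if not subparts:
                raise ValueError("Wildcard string cannot contain parts with only dividers")
            self.parts.append(subparts)

    def implies(self, other: "WildcardPermission") -> bool:
        """True if this (granted) permission covers `other` (the requested one)."""
        i = 0
        for other_part in other.parts:
            # We ran out of parts first: trailing omitted parts act as wildcards,
            # so 'printer' implies 'printer:query:lp7200'.
            if len(self.parts) - 1 < i:
                return True
            part = self.parts[i]
            # A concrete part must contain every requested sub-part, unless it is '*'.
            if WILDCARD not in part and not part.issuperset(other_part):
                return False
            i += 1
        # We have more parts than the request: they must all be wildcards,
        # otherwise the grant is more specific than the request ('printer:print'
        # does not imply 'printer').
        return all(WILDCARD in p for p in self.parts[i:])


def implies(granted: str, requested: str) -> bool:
    """Convenience wrapper over two permission strings."""
    return WildcardPermission(granted).implies(WildcardPermission(requested))


def is_permitted(granted: list[str], requested: str) -> bool:
    """Hypothetical helper: permitted if any granted permission implies the request,
    which is how a subject's permission set is checked."""
    req = WildcardPermission(requested)
    return any(WildcardPermission(g).implies(req) for g in granted)


if __name__ == "__main__":
    # Constructed sample: the permissions of role1 from the shiro.ini above,
    # plus an instance-level grant.
    role1 = ["printer:print", "printer:query,print:lp7200"]
    for request in ["printer:print:lp7200", "printer:query:lp7200",
                    "printer:query:lp7201", "printer:manage"]:
        print(f"{request:24} -> {is_permitted(role1, request)}")
```

The last case from 2.3 is the one worth checking by hand: `implies("printer:lp7200", "printer:print:lp7200")` is False because the second part of the grant is the literal operation "lp7200", and `implies("printer:*:lp7200", "printer:lp7200")` is also False because the grant has a non-wildcard third part that the request never asked for, so the two strings are not interchangeable in either direction.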