Spring Boot integrates the Shiro framework

Shiro is a Java security framework that supports functions such as authentication, authorization, and session management. To integrate Shiro into a Java web application, you need to complete the following steps:

  1. Add the Shiro library (shiro-core and shiro-web) to your project's dependencies

  2. Configure Shiro filters in your web.xml so that Shiro authentication and authorization logic is executed before each request

  3. Write a Shiro Realm in your program to handle user authentication and role/permission authorization logic

  4. Use the Shiro API in your programs to manage sessions and perform other security-related operations

Here is a simple example configuration:

1. Add the following dependencies to the pom.xml file:

<dependency>
   <groupId>org.apache.shiro</groupId>
   <artifactId>shiro-core</artifactId>
   <version>1.7.1</version>
</dependency>
<dependency>
   <groupId>org.apache.shiro</groupId>
   <artifactId>shiro-web</artifactId>
   <version>1.7.1</version>
</dependency>

2. Add the following configuration in web.xml:

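<!-- EnvironmentLoaderListener creates the WebEnvironment that ShiroFilter looks up at startup -->
<listener>
   <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
   <filter-name>shiroFilter</filter-name>
   <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<filter-mapping>
   <filter-name>shiroFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>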

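3. Write a custom Shiro Realm class. The org.apache.shiro.realm.Realm interface itself only covers authentication, so the class extends org.apache.shiro.realm.AuthorizingRealm (which implements Realm) and overrides its methods for obtaining user information, checking passwords, and obtaining the user's roles and permission list.

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyRealm extends AuthorizingRealm {

   @Override
   public String getName() {
      return "MyRealm";
   }

   @Override
   public boolean supports(AuthenticationToken token) {
      return token instanceof UsernamePasswordToken;
   }

   @Override
   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
      String username = (String) token.getPrincipal();
      String password = new String((char[]) token.getCredentials());

      // Fetch the user from a database or other source and verify the password
      if ("user".equals(username) && "password".equals(password)) {
         return new SimpleAuthenticationInfo(username, password, getName());
      } else {
         throw new AuthenticationException("用户名或密码不正确");
      }
   }

   @Override
   protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
      String username = (String) principals.getPrimaryPrincipal();

      // Fetch the user's roles and permissions from a database or other source
      SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
      info.addRole("admin");
      info.addStringPermission("user:create");
      return info;
   }
}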

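4. Then you can use the Shiro API in the program for identity authentication and authorization, for example:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

public class ShiroExample {

   public void login(String username, String password) {
      // Wrap the username and password in a UsernamePasswordToken, then authenticate through the Subject;
      // login() throws an AuthenticationException when authentication fails
      UsernamePasswordToken token = new UsernamePasswordToken(username, password);
      Subject currentUser = SecurityUtils.getSubject();
      currentUser.login(token);
   }

   public void checkPermission(String permission) {
      // Call the Subject's isPermitted method to check whether the current user has the given permission
      Subject currentUser = SecurityUtils.getSubject();
      if (currentUser.isPermitted(permission)) {
         // Allow the operation
      } else {
         // Deny the operation
      }
   }

   public void checkRole(String role) {
      // Call the Subject's hasRole method to check whether the current user has the given role
      Subject currentUser = SecurityUtils.getSubject();
      if (currentUser.hasRole(role)) {
         // Allow the operation
      } else {
         // Deny the operation
      }
   }
}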
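
The MyRealm above compares a hard-coded plaintext password inside the realm. The following added example (not code from the original post) shows the same realm shape with Shiro's PasswordMatcher and DefaultPasswordService, so that only salted, iterated hashes are stored and Shiro performs the comparison. The class name HashedRealmDemo, the register method, the in-memory map standing in for a database, and the sample account are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class HashedRealmDemo extends AuthorizingRealm {
   // Constructed in-memory store standing in for a database: username -> formatted salted hash
   private final ConcurrentHashMap<String, String> storedHashes = new ConcurrentHashMap<>();
   private final DefaultPasswordService passwordService = new DefaultPasswordService();

   public HashedRealmDemo() {
      PasswordMatcher matcher = new PasswordMatcher();
      matcher.setPasswordService(passwordService);
      setCredentialsMatcher(matcher);   // Shiro hashes the submitted password and compares
   }
   public void register(String username, char[] password) {   // hypothetical helper
      storedHashes.put(username, passwordService.encryptPassword(password));
   }
   @Override
   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
      String hash = storedHashes.get((String) token.getPrincipal());
      if (hash == null) throw new UnknownAccountException();
      // Return the stored hash only; the credentials matcher decides whether login succeeds
      return new SimpleAuthenticationInfo(token.getPrincipal(), hash, getName());
   }
   @Override
   protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
      SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
      info.addStringPermission("user:create");
      return info;
   }

   public static void main(String[] args) {
      HashedRealmDemo realm = new HashedRealmDemo();
      realm.register("user", "correct horse".toCharArray());   // constructed sample account
      SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
      Subject subject = SecurityUtils.getSubject();
      try {
         subject.login(new UsernamePasswordToken("user", "wrong"));
      } catch (AuthenticationException e) {
         System.out.println("login rejected");   // one message for unknown user and bad password
      }
      subject.login(new UsernamePasswordToken("user", "correct horse"));
      System.out.println(subject.isPermitted("user:create"));
   }
}
```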

That's it for today! Take small steps, and let's work together!

Origin blog.csdn.net/weixin_70855192/article/details/130148647