【Shiro】Basic usage

1. Environment preparation

1. Shiro does not depend on a container; a plain Maven project is enough.
2. Add the dependencies
<dependencies>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.9.0</version>
    </dependency>
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
    </dependency>
</dependencies>

2. INI file

Shiro reads permission-related information (users, roles and permissions) either from a database or from an INI configuration file.
1. Create the ini file

3. Login authentication

1. Login authentication concept
(1) Identity verification: the person logging in generally has to provide identification information (an ID such as an email address or username) and proof (such as a password).
(2) In Shiro, the user provides principals (identity) and credentials (proof) to Shiro, and the application can then authenticate the user.
(3) Principals: the identity, i.e. the identifying attribute of the Subject. It can be any attribute that uniquely identifies the user, such as a username or email address. A Subject can have several principals, but only one primary principal, usually the username, email address or mobile phone number.
(4) Credentials: the proof, i.e. a secret value known only to the Subject, such as a password or a digital certificate.
(5) The most common combination of principals and credentials is username/password.
2. Basic login authentication process
(1) Collect the user's identity and credentials, such as username and password.
(2) Call Subject.login to log in. If it fails, you get the corresponding AuthenticationException and can show the user an error message based on the exception type; otherwise the login succeeds.
(3) Create a custom Realm class that extends org.apache.shiro.realm.AuthenticatingRealm and implements the doGetAuthenticationInfo() method.
3. Login authentication example
Create a test class, obtain the authentication object, and perform login authentication, as follows:
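An added example (not code from the original post) covering sections 2 and 3: the INI users section is embedded as a constructed string instead of a shiro.ini file, and a test class builds the SecurityManager from it and logs in, mapping each AuthenticationException subclass to a result. The usernames and passwords are constructed sample values.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.subject.Subject;

public class LoginDemo {
    // Constructed sample configuration (assumption: in a real project this text lives in
    // src/main/resources/shiro.ini). [users] format: username = password, role1, role2, ...
    private static final String INI =
            "[users]\n" +
            "zhangsan = z3, admin\n" +
            "lisi = l4, user\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // IniSecurityManagerFactory builds a DefaultSecurityManager backed by an IniRealm.
        SecurityUtils.setSecurityManager(new IniSecurityManagerFactory(ini).getInstance());

        System.out.println(login("zhangsan", "z3"));      // ok
        System.out.println(login("zhangsan", "wrong"));   // incorrect credentials
        System.out.println(login("nobody", "x"));         // unknown account
    }

    // Collect principal + credentials into a token, call Subject.login, and map the exception type.
    // In a real application show the user one generic message and keep the specific cause in server logs.
    static String login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "ok: " + subject.getPrincipal() + " authenticated=" + subject.isAuthenticated();
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "incorrect credentials";
        } catch (AuthenticationException e) {   // locked, expired, and other failures
            return "failed: " + e.getClass().getSimpleName();
        } finally {
            token.clear();                                 // drop the plaintext password from memory
            if (subject.isAuthenticated()) subject.logout(); // reset so the next call starts fresh
        }
    }
}
```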
4. Identity authentication process
(1) First call Subject.login(token); the call is automatically delegated to the SecurityManager.
(2) The SecurityManager is responsible for the real authentication logic; it delegates to the Authenticator for identity verification.
(3) The Authenticator is the real authenticator and the core authentication entry point of the Shiro API; you can plug in your own implementation here.
(4) The Authenticator may delegate to an AuthenticationStrategy for multi-Realm authentication; by default ModularRealmAuthenticator calls the AuthenticationStrategy when more than one Realm is configured.
(5) The Authenticator passes the token to the Realm(s) and obtains the authentication information from them. If a Realm returns nothing (null) or throws an exception, authentication has failed. Several Realms can be configured here; they are consulted in the configured order according to the strategy.

4. Role and authorization

1. Authorization concept
(1) Authorization, also called access control, controls who may access which resources in the application (such as viewing pages, editing data, or invoking page operations). The key objects to understand in authorization are Subject, Resource, Permission and Role.
(2) Subject: the user accessing the application. Shiro uses Subject to represent the user. A user may access a resource only after being authorized to do so.
(3) Resource: anything the user can access in the application, such as a URL or JSP page, viewing or editing certain data, a business method, or printed text. Users can access a resource only after authorization.
(4) Permission: the atomic unit of authorization in the security policy. A permission expresses whether the user is allowed to operate on a certain resource in the application, for example accessing the user list page, or viewing/adding/modifying/deleting user data (very often this is CRUD control). A permission therefore represents whether the user has the right to perform an operation on a certain resource, i.e. the operation permission on that resource.
(5) Shiro supports coarse-grained permissions (such as all permissions of the user module) and fine-grained permissions (such as the permission to operate on one particular user, i.e. instance-level permissions).
(6) Role: a collection of permissions. Generally users are given roles rather than individual permissions, so that a user holds a set of permissions and granting permissions is easier. Typical examples are project manager, technical director, CTO and development engineer: these are all roles, and different roles have different sets of permissions.
2. Authorization methods
(1) Programmatic: done by writing if/else authorization code blocks.
(2) Annotation-based: done by placing the corresponding annotations on the Java methods being executed; if the permission is missing, the corresponding exception is thrown.
(3) JSP/GSP tags: done with the corresponding tags on the JSP/GSP page.

3. Authorization process
(1) First call the Subject.isPermitted*/hasRole* methods; the call is delegated to the SecurityManager, which in turn delegates to the Authorizer.
(2) The Authorizer is the real authorizer. If isPermitted("user:view") is called, it first converts the string into the corresponding Permission instance through the PermissionResolver.
(3) Before authorizing, it calls the corresponding Realm(s) to obtain the Subject's roles/permissions, which are then matched against the roles/permissions passed in.
(4) The Authorizer determines whether the Realm's roles/permissions match the ones passed in. If there are several Realms, ModularRealmAuthorizer loops over them. If isPermitted*/hasRole* matches, true is returned; otherwise false is returned, meaning authorization failed.

4. Authorization example
(1) Obtain role information
(2) Check permission information
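An added example (not code from the original post) for both steps of the authorization example: a constructed INI with [users] and [roles] sections, then hasRole*/isPermitted* checks and the throwing checkPermission variant used in programmatic authorization. Users, roles and permission strings are constructed sample values.

```java
import java.util.Arrays;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.subject.Subject;

public class AuthzDemo {
    // Constructed sample: [users] maps user -> password, roles; [roles] maps role -> permissions.
    // "user:*" is a WildcardPermission covering user:view, user:add, user:modify, user:delete ...
    private static final String INI =
            "[users]\n" +
            "zhangsan = z3, admin\n" +
            "lisi = l4, viewer\n" +
            "[roles]\n" +
            "admin = user:*\n" +
            "viewer = user:view\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new IniSecurityManagerFactory(ini).getInstance());

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("lisi", "l4"));   // authorization needs an identity first

        // (1) role information
        System.out.println("hasRole(viewer)          : " + subject.hasRole("viewer"));                               // true
        System.out.println("hasAllRoles(viewer,admin): " + subject.hasAllRoles(Arrays.asList("viewer", "admin"))); // false

        // (2) permission information: the string is resolved to a Permission and matched against the Realm's
        System.out.println("isPermitted(user:view)   : " + subject.isPermitted("user:view"));   // true
        System.out.println("isPermitted(user:delete) : " + subject.isPermitted("user:delete")); // false

        // "check" style used in programmatic authorization: throws instead of returning false
        try {
            subject.checkPermission("user:delete");
            System.out.println("delete allowed");
        } catch (AuthorizationException e) {
            System.out.println("delete denied: " + e.getClass().getSimpleName());   // UnauthorizedException
        }
        subject.logout();
    }
}
```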

5. Shiro encryption

In real system development some sensitive information, such as user passwords, needs to be encrypted (hashed). Shiro has many commonly used algorithms built in, such as MD5, and makes hashing a message easy.
1. Use Shiro for password encryption
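An added example (not code from the original post) of Shiro's hashing API: the plain MD5 the page mentions, then a salted and iterated hash with a verification routine, which is the form a stored password should take. The password and salt are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {
    // Hash a password with a per-user salt and an iteration count; hex string is what gets stored.
    static String hash(String algorithm, String password, ByteSource salt, int iterations) {
        return new SimpleHash(algorithm, password, salt, iterations).toHex();
    }

    // Verification recomputes the hash with the stored salt and compares in constant time.
    static boolean verify(String algorithm, String password, ByteSource salt, int iterations, String storedHex) {
        byte[] computed = hash(algorithm, password, salt, iterations).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, storedHex.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        String password = "123456";   // constructed sample input

        // Plain MD5 as on the page: unsalted, one round, so equal passwords always give equal hashes.
        System.out.println("MD5           : " + new Md5Hash(password).toHex());

        // Salted and iterated MD5 via SimpleHash; the random salt is stored next to the hash.
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        System.out.println("MD5+salt x1024: " + hash("MD5", password, salt, 1024));

        // Preferred: a stronger digest and a much higher iteration count to slow down guessing.
        String stored = hash("SHA-256", password, salt, 100_000);
        System.out.println("SHA-256+salt  : " + stored + " salt=" + salt.toHex());
        System.out.println("verify correct: " + verify("SHA-256", "123456", salt, 100_000, stored)); // true
        System.out.println("verify wrong  : " + verify("SHA-256", "654321", salt, 100_000, stored)); // false
    }
}
```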

6. Shiro custom login authentication

Shiro's default login authentication compares credentials without any encryption. To authenticate against encrypted (hashed) passwords you need custom login authentication, i.e. a custom Realm.
1. Custom login authentication

2. Add the configuration information to shiro.ini
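An added example (not code from the original post) covering both steps: a custom Realm that extends AuthenticatingRealm and returns the stored hash plus salt, a HashedCredentialsMatcher that re-hashes the submitted password, and, in the trailing comment, the equivalent shiro.ini wiring. The user record, salt and class name MyRealm are constructed assumptions; MD5 with 1024 iterations follows the page, a stronger digest with more iterations is preferable.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class MyRealm extends AuthenticatingRealm {
    static final String ALGORITHM = "MD5";   // as on the page; prefer SHA-256 with more iterations
    static final int ITERATIONS = 1024;
    // Constructed user record (zhangsan / z3); a real Realm loads salt + hash from a database.
    static final ByteSource SALT = ByteSource.Util.bytes("constructed-salt");
    static final String STORED_HASH = new SimpleHash(ALGORITHM, "z3", SALT, ITERATIONS).toHex();

    public MyRealm() {
        // The matcher re-hashes the submitted password with the stored salt and compares the result.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);   // STORED_HASH is toHex()
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (!"zhangsan".equals(username)) {
            return null;   // null makes Shiro raise UnknownAccountException
        }
        // Return identity + stored hash + salt; the plaintext password never appears here.
        return new SimpleAuthenticationInfo(username, STORED_HASH, SALT, getName());
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new MyRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("zhangsan", "z3"));   // throws AuthenticationException on failure
        System.out.println("authenticated: " + subject.isAuthenticated());   // true
    }
}
// Equivalent shiro.ini wiring if the Realm is declared in configuration instead of code
// (use the fully qualified class name for myRealm):
// [main]
// credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
// credentialsMatcher.hashAlgorithmName = MD5
// credentialsMatcher.hashIterations = 1024
// myRealm = MyRealm
// myRealm.credentialsMatcher = $credentialsMatcher
// securityManager.realms = $myRealm
```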

Origin blog.csdn.net/weixin_45481821/article/details/132926900