1, authorize: a person's identity by granting him access to certain permissions resources.
2, permission particle size: divided into coarse and fine-grained.
Coarse-grained: crud on the user. That typically operations on the table.
Fine-grained: operating on the record. Such as: only allows for the user's query id 1 salary.
Shiro general management of privileges is coarse-grained. For example: menus, buttons, url. Generally fine-grained permissions are controlled by the business.
3, the role: a collection of permissions.
4. The authority represents the rule: Resources: Operation: Example. Wildcards can be expressed:
Such as: user: add expressed user has permission to add, user: * denotes permissions for all operations on the user.
user: delete: 100, represents the identity of the user has permission to delete a record 100.
5, Shiro of Authority Process
6, Coding
(1) New java project
(2) edit the configuration file shiro.ini
1 [users] 2 zhangsan=1111,role1 3 lisi=1111,role2 4 5 [roles] 6 role1=user:add,user:update,user:delete 7 role2=user:*
(3) encoding test
1 package com.sun123.shiro; 2 3 import java.util.Arrays; 4 5 import org.apache.shiro.SecurityUtils; 6 import org.apache.shiro.authc.AuthenticationException; 7 import org.apache.shiro.authc.UsernamePasswordToken; 8 import org.apache.shiro.config.IniSecurityManagerFactory; 9 import org.apache.shiro.mgt.SecurityManager; 10 import org.apache.shiro.subject.Subject; 11 import org.apache.shiro.util.Factory; 12 13 public class AuthorizationDemo { 14 15 public static void main(String[] args) { 16 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); 17 SecurityManager securityManager = factory.getInstance(); 18 SecurityUtils.setSecurityManager(securityManager); 19 Subject subject = SecurityUtils.getSubject(); 20 21 UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "1111"); 22 23 try { 24 // authentication 25 subject.login (token); 26 is } the catch (of AuthenticationException E) { 27 e.printStackTrace (); 28 System.out.println ( "authentication failure" ); 29 } 30 31 is // role-based authorization 32 Boolean In Flag = subject.hasRole ( "role2" ); 33 is System.out.println (In Flag); 34 is // determines whether a plurality of roles 35 subject.hasRoles (Arrays.asList ( "role1", "role2" )) ; 36 // can detect whether a role by checkRole, if you do not have that role, is thrown AuthorizerException 37 [ // subject.checkRole ( "role2"); 38 is // it can simultaneously detect a plurality of roles 39 // subject.checkRoles ( "role1", "role2"); 40 // based authorization resource 41 is In Flag = Subject .isPermitted ( "User: Delete" ); 42 is System.out.println (In Flag); 43 is 44 is // determines whether a plurality of rights 45 In Flag = subject.isPermittedAll ( "User: the Add", "User: Update", " user: Delete " ); 46 is System.out.println (In Flag); 47 // by checkPermission detecting whether the user has a permission authentication, if not, an exception is thrown 48 subject.checkPermission (" user: dd "); 49 50 } 51 }
7, check the permissions of the way there are three Shiro
(1) Programming the formula
IF (subject.hasRole ( "Administrator" )) { // operate a resource }
(2) when executing the specified formula annotation method detects whether the permissions
@RequiresRoles ( "Administrator" ) public void List () { // query data }
(3) Tags
1 <%@ page language="java" contentType="text/html; charset=ISO-8859-1" 2 pageEncoding="ISO-8859-1"%> 3 <%@taglib prefix="shiro" uri="http://shiro.apache.org/tags"%> 4 <!DOCTYPE html> 5 <html> 6 <head> 7 <meta charset="ISO-8859-1"> 8 <title>Insert title here</title> 9 </head> 10 <body> 11 <shiro:hasPermission name="user:update"> 12 <a href="#">更新</a> 13 </shiro:hasPermission> 14 </body> 15 </html>
8, the authorization process
(1) obtain the main subject
(2) determining whether the authenticated body
(3) call subject.isPermitted *, or the judge for permission to hasRole *
① Subject DelegatingSubject by its implementation class to call the method, the class will be treated to a securityManager
② securityManager DefaultSecurityManager by its implementation class for processing, class isPermitted processed, the nature of the parent AuthorizingSecurityManager handled. Such processing the Authorizer (authorizer)
③ Authorizer ModularRealmAuthorizer its implementation class can be called to process the corresponding class Realm to obtain data in the class has PermissionResolver permissions string parsing in the corresponding Realm also has a corresponding class calls WildcardPermission PermissionResolver to be WildcardPermissionResolver resolve permission string.
④ return the results.