Shiro: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
Concepts
Authentication: who are you? The verb is authenticate, meaning to prove or confirm an identity.
Authorization: what are you allowed to do? The verb is authorize, meaning to grant permission or approve.
Runtime flow
First, look at the flow chart:
Application: the code written by the user, i.e. the application itself.
Subject: represents the current "user". The user is not necessarily a person; anything that currently interacts with the application is a Subject.
SecurityManager: the security manager. All security-related operations go through the SecurityManager, and it manages all Subjects.
Realm: the domain from which Shiro obtains security data. When the SecurityManager needs to authenticate a user, it fetches that user from the Realm and compares the data to decide whether the identity is legitimate; the Realm can be seen as a DataSource, i.e. the source of security data.
Shiro has four main ways of doing access control:
1. Programmatic access control through the Subject API in the code
2. Configuring Filters for coarse-grained, URL-level access control
3. Configuring proxies for fine-grained, annotation-based permission control
4. Using Shiro's custom page tags to control what is displayed on the page
Custom Realm
We need to extend AuthorizingRealm and override two methods of the parent class:
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;

public class CustomizeAuthorizingRealm extends org.apache.shiro.realm.AuthorizingRealm {

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        // todo: look up the user and build the AuthenticationInfo (see doGetAuthenticationInfo below)
        return null;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // todo: load the user's roles and permissions (see doGetAuthorizationInfo below)
        return null;
    }
}
doGetAuthenticationInfo
Obtains the information needed for authentication: first, look up the User by the incoming user name;
If the User is null, throw UnknownAccountException (account not found);
If the User is found but locked, throw LockedAccountException;
Finally, build the AuthenticationInfo and return it to the indirect parent class AuthenticatingRealm, which uses the CredentialsMatcher to check whether the password matches; if it does not, IncorrectCredentialsException is thrown;
Also, if the password is retried too many times here, ExcessiveAttemptsException (retry count exceeded) is thrown;
When assembling the SimpleAuthenticationInfo, pass: the identity (user name), the credentials (the encrypted/hashed password), and the salt (username + salt). The CredentialsMatcher uses the salt to hash the plaintext password passed in and compares the result with the stored ciphertext password;
The return value of this method is an AuthenticationInfo.
doGetAuthorizationInfo
PrincipalCollection is the collection of identities. If only one Realm is configured, calling getPrimaryPrincipal directly returns the user name;
Then call the UserService interface to get the role and permission information for that user name.
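The two methods described above, implemented end to end as an added example (not code from the original article). It assumes the Shiro 1.x API, and the User record and UserService interface are hypothetical stand-ins for the article's unspecified UserService; the SHA-256/1024-iteration hash format is also an assumption.

```java
import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Hypothetical user store: the article names a UserService but does not define it.
record User(String username, String passwordHash, String salt, boolean locked) {}
interface UserService {
    User findByUsername(String username);
    Set<String> findRoles(String username);
    Set<String> findPermissions(String username);
}
public class CustomizeAuthorizingRealm extends AuthorizingRealm {
    private final UserService userService;
    public CustomizeAuthorizingRealm(UserService userService) {
        this.userService = userService;
        // Assumed storage format: hex-encoded SHA-256 of (password, salt), 1024 iterations.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(1024);
        setCredentialsMatcher(matcher);
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        User user = userService.findByUsername(username);
        if (user == null) {
            throw new UnknownAccountException("account not found: " + username);
        }
        if (user.locked()) {
            throw new LockedAccountException("account locked: " + username);
        }
        // AuthenticatingRealm hands this info and the token to the CredentialsMatcher, which
        // hashes the submitted plaintext with this salt and throws IncorrectCredentialsException on mismatch.
        return new SimpleAuthenticationInfo(user.username(), user.passwordHash(),
                ByteSource.Util.bytes(user.username() + user.salt()), getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // With a single Realm, the primary principal is the user name returned above.
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(userService.findRoles(username));
        info.setStringPermissions(userService.findPermissions(username));
        return info;
    }
}
```

The stored hash must have been produced with the same algorithm, iteration count and salt (username + per-user salt), otherwise every login fails with IncorrectCredentialsException.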
Reference article: https://www.cnblogs.com/maofa/p/6407102.html