apache-shiro - (01)

Shiro Introduction:

Apache Shiro is a powerful and easy-to-use Java security framework that provides an intuitive and comprehensive solution for authentication, authorization, cryptography and session management.

    Its main job is to manage everything security-related in an application while allowing many possible implementations. Shiro is built on well-defined interfaces and object-oriented design principles and supports a wide range of custom behaviour. The default implementations that ship with Shiro let it do the same work as other security frameworks out of the box, which is exactly what we want.

    Apache Shiro is fairly simple compared to Spring Security. It is not as powerful as Spring Security, but real projects often do not need that much complexity, so the small and simple Shiro is sufficient. There is no need to agonize over which one is "better": use the simpler solution that solves the project's problem.

    Shiro makes it easy to build good applications and can be used not only in a Java SE environment but also in a Java EE environment. Shiro helps us with authentication, authorization, cryptography, session management, web integration and caching, which is what we want, and its API is very simple.

Shiro basic functions:

Authentication: authentication / login, verifying that a user really has the identity they claim (proving who they are);

Authorization: permission checking, verifying whether an authenticated user holds a given privilege, i.e. whether the user may do something. Commonly this is checking whether a user has a role, or, more fine-grained, whether a user has a specific permission on a resource;

Session Manager: session management. After a user logs in, one session holds all of that user's information until they log out. The session can be used in a plain Java SE environment as well as in a web environment;

Cryptography: protecting data, for example storing salted password hashes in the database instead of plaintext (or reversible "encrypted") passwords;

Web Support: Shiro integrates very easily into a web environment;

Caching: for example, after a user logs in, their user information and roles / permissions do not have to be fetched again on every check, which improves efficiency;

Concurrency: Shiro supports concurrent verification in multithreaded applications; for example, when one thread starts another, the Subject's identity and permissions can be propagated automatically to the new thread;

Testing: provides test support;

Run As: allows a user to assume the identity of another user (if that user permits it) for access;

Remember Me: a very common feature; after the first login the user does not have to log in again next time. Note that a remembered identity is not the same as an authenticated one: for such a Subject isRemembered() is true but isAuthenticated() is false, so sensitive operations should require a fresh login.


Shiro authentication process:

As the diagram shows, application code interacts directly with the Subject; that is, the Subject is the entry point to Shiro's core API.

Subject: the principal representing the current "user". The user is not necessarily a specific person; anything currently interacting with the application is a Subject, such as a web crawler or a bot. It is an abstraction. Every Subject is bound to a SecurityManager, and all interaction with a Subject is delegated to the SecurityManager; the Subject can be seen as the facade and the SecurityManager as the actual executor.

SecurityManager: the security manager. All security-related operations go through the SecurityManager. It manages all Subjects and is responsible for authentication, authorization, sessions and cache management. It is the core of Shiro, coordinating its internal components, much like the DispatcherServlet front controller in Spring MVC.

Realm: a domain. Shiro obtains its security data (users, roles, permissions) from a Realm; that is, when the SecurityManager authenticates a user it fetches the corresponding user information from the Realm for comparison, including identity, permission and role information. A Realm is similar to a DataSource, and there may be more than one.

    Application code authenticates and authorizes through the Subject, which delegates to the SecurityManager. The SecurityManager is injected with a Realm, obtains the legitimate user and permission information from it, and then makes the decision. Developers are responsible for supplying the user and permission data to the Realm.
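The following is an added example, not code from the original article: a hypothetical custom Realm that ties the flow above together and also shows the "store hashes, not plaintext" point from the Cryptography feature. The SecurityManager delegates two questions to the Realm: doGetAuthenticationInfo (who is this, and what stored credentials should the submitted password be compared against) and doGetAuthorizationInfo (which roles and permissions does this principal hold). The account store is an in-memory map standing in for a database; the username/password pair "mark"/"123456", the role "user" and the permission string "document:read,write" are constructed sample data.

```java
import java.util.*;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

/** Hypothetical Realm (added example): salted, iterated SHA-256 password hashes, in-memory store. */
public class HashedPasswordRealm extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 100_000;

    /** One stored account row; hash and salt are hex strings, as a DB column would hold them. */
    private static final class Account {
        final String passwordHashHex, saltHex;
        final Set<String> roles, permissions;
        Account(String hash, String salt, Set<String> roles, Set<String> permissions) {
            this.passwordHashHex = hash; this.saltHex = salt; this.roles = roles; this.permissions = permissions;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();

    public HashedPasswordRealm() {
        // The matcher re-hashes the submitted password with the stored salt and
        // iteration count and compares the result with the stored hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);

        // Constructed sample account (same username/password as the article's test).
        register("mark", "123456",
                new HashSet<>(Arrays.asList("user")),
                new HashSet<>(Arrays.asList("document:read,write")));
    }

    /** Hash a plaintext password with a fresh random salt; only hash and salt are stored. */
    public void register(String username, String plaintext, Set<String> roles, Set<String> permissions) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        String hashHex = new SimpleHash(Sha256Hash.ALGORITHM_NAME, plaintext, salt, HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(hashHex, salt.toHex(), roles, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = accounts.get(username);
        if (account == null) {
            return null; // Shiro turns a null result into UnknownAccountException
        }
        // Return the stored hash plus its salt; the credentials matcher performs the comparison.
        return new SimpleAuthenticationInfo(username, account.passwordHashHex,
                ByteSource.Util.bytes(Hex.decode(account.saltHex)), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        Account account = accounts.get(username);
        if (account == null) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(account.roles);
        info.setStringPermissions(account.permissions); // WildcardPermission strings, e.g. "document:read,write"
        return info;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedPasswordRealm()));
        Subject subject = SecurityUtils.getSubject();

        // A wrong password is rejected by the credentials matcher before any role/permission check.
        try {
            subject.login(new UsernamePasswordToken("mark", "wrong-password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }

        subject.login(new UsernamePasswordToken("mark", "123456"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("has role user: " + subject.hasRole("user"));
        System.out.println("document:read permitted: " + subject.isPermitted("document:read"));
        System.out.println("document:delete permitted: " + subject.isPermitted("document:delete"));
        subject.logout();
    }
}
```

With this realm, "document:read" is permitted and "document:delete" is not, because the stored WildcardPermission "document:read,write" only grants the read and write actions; that is the fine-grained resource check the Authorization feature describes. The SecurityManager never sees a plaintext password from the store: it hands the stored hash and salt to the HashedCredentialsMatcher, which re-hashes the submitted password and compares the bytes.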


Shiro control granularity:

  1. Annotations (such as @RequiresRoles and @RequiresPermissions) control access at the code level: they are intercepted around method invocations (on a method, or on a class to cover its methods) and cannot gate access by URL.
  2. Filters control access by URL. Ant-style wildcards (* and **) are allowed in the URL patterns, so filters support both coarse-grained and fine-grained control.

Shiro's ten built-in filters:

| Filter name | Corresponding Java class | Function |
|---|---|---|
| anon | org.apache.shiro.web.filter.authc.AnonymousFilter | No authentication required; the resource can be accessed directly |
| authc | org.apache.shiro.web.filter.authc.FormAuthenticationFilter | Requires a fully authenticated Subject (form login); a RememberMe-only identity is not enough |
| authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter | HTTP Basic authentication |
| user | org.apache.shiro.web.filter.authc.UserFilter | Requires a known user (authenticated in this session or remembered via RememberMe); not necessarily authenticated |
| logout | org.apache.shiro.web.filter.authc.LogoutFilter | Logs the Subject out |
| port | org.apache.shiro.web.filter.authz.PortFilter | Restricts access to a given port number (rarely used) |
| perms | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter | Requires the Subject to hold the listed permission(s), e.g. perms["document:delete"]; only then is the request allowed through |
| roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter | Requires the Subject to hold the listed role(s), e.g. roles[admin]; only then is the request allowed through |
| ssl | org.apache.shiro.web.filter.authz.SslFilter | Requires the request to use HTTPS (rarely used) |
| rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter | Maps the HTTP method onto a permission action (GET = read, POST = create, PUT = update, DELETE = delete), e.g. rest[document] requires document:read for a GET |
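The filters above are wired to URLs in the [urls] section of shiro.ini. The following is an added example configuration, not taken from the article; the paths (/login, /admin/**, /documents/*/delete, /api/documents/**) and the permission names are constructed, and the [main] section only shows the filter properties, so a realm definition would still have to be added for a complete web application. It shows the two things that most often go wrong in practice: chain order, and authorization filters used without authc.

```ini
[main]
# Where the authc filter sends requests that are not yet authenticated
authc.loginUrl = /login
# Where the logout filter redirects after the session has been invalidated
logout.redirectUrl = /login
# (hypothetical deployment would also define its realm and credentials matcher here)

[urls]
# Chains are evaluated top-down and the FIRST matching pattern wins,
# so specific paths come first and the catch-all comes last.
/login = authc
/logout = logout
/static/** = anon

# roles[...] and perms[...] only ask "does this principal hold X?"; a RememberMe-only
# identity has principals too, so chain them behind authc to force a real login.
/admin/** = authc, roles[admin]
/documents/*/delete = authc, perms["document:delete"]

# rest[document] maps GET -> document:read, POST -> document:create,
# PUT -> document:update, DELETE -> document:delete
/api/documents/** = authc, rest[document]

# Catch-all: everything not matched above requires authentication.
/** = authc

# WRONG ordering, shown for contrast (commented out): a catch-all placed first
# shadows every later rule, so /admin/** would be reachable anonymously.
# /** = anon
# /admin/** = authc, roles[admin]
```

A quick review check for any Shiro deployment is therefore to read [urls] top-down and ask, for each protected path, which earlier pattern could already have matched it, and whether each roles/perms entry is preceded by authc or deliberately accepts a remembered identity.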


Example: a small Shiro authentication demo

pom.xml of the shiro-authentication module:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <parent>
        <artifactId>shiro-study</artifactId>
        <groupId>com.syy.shiro</groupId>
        <version>1.0-SNAPSHOT</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>shiro-authentication</artifactId>
    <dependencies>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <!-- 1.4.0 is the version used in this article; for any real deployment use the
                 current Shiro release, since older 1.x versions have published security advisories -->
            <version>1.4.0</version>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
        </dependency>
    </dependencies>
</project>

AuthorizationTest.java:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

public class AuthorizationTest {
    // In-memory realm; the account is added with a plaintext password for demonstration only.
    SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();

    @Before
    public void addUser() {
        // username, password, then the roles this account holds
        simpleAccountRealm.addAccount("mark", "123456", "admin", "user");
    }

    @Test
    public void testAuthentication() {
        // 1. Build the SecurityManager environment
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        // 1.2 Configure the realm (the source of account data) into the SecurityManager
        defaultSecurityManager.setRealm(simpleAccountRealm);

        // 2. The Subject submits an authentication request
        // 2.1 Make the SecurityManager available through SecurityUtils
        SecurityUtils.setSecurityManager(defaultSecurityManager);

        // 2.2 Obtain Shiro's Subject (the current "user")
        Subject subject = SecurityUtils.getSubject();

        // 2.3 Create the token carrying the submitted credentials
        UsernamePasswordToken token = new UsernamePasswordToken("mark", "123456");

        // 2.4 The Subject submits the token for authentication
        subject.login(token);
        System.out.println("Login - authenticated: " + subject.isAuthenticated());
        assertTrue(subject.isAuthenticated());

        // 2.5 Role checks: checkRole/checkRoles return silently when the roles are held
        //     and throw UnauthorizedException when one is missing
        subject.checkRoles("user", "admin");
        try {
            subject.checkRole("admin1"); // not held by this account
            fail("expected UnauthorizedException");
        } catch (UnauthorizedException expected) {
            System.out.println("Role check failed as expected: " + expected.getMessage());
        }

        // 3. Log out
        subject.logout();
        System.out.println("Logout - authenticated: " + subject.isAuthenticated());
        assertFalse(subject.isAuthenticated());
    }
}
Schematic diagram of Shiro user authentication:

Exercise source code is attached.


Origin blog.csdn.net/J1014329058/article/details/85263486