Apache Shiro framework explained in detail


We have been using Shiro for access control in our projects for some time without ever really understanding it. It is time to study what Shiro offers and how it handles permissions.

 

What is Shiro?

 

Apache Shiro is a powerful and flexible open source security framework that cleanly handles authentication, authorization, session management and cryptography for enterprise applications.

The primary goal of Apache Shiro is to be easy to use and understand. Security can be complex, even painful, but it does not have to be.

The framework hides as much of that complexity as possible behind a clean, intuitive API, so that developers can secure their applications with far less effort.

Many people prefer Spring Security, and Shiro and Spring Security are constantly compared, so we will briefly compare them here as well.

Apache Shiro is a Java security framework.

Apache Shiro is gaining users because it is fairly simple. Spring Security is more powerful, but most projects do not need that much machinery in practice, so the small and simple Shiro is enough.

That is why our projects usually use Shiro directly for security control.

Given the introduction above, what is Shiro actually used for?
1. Authenticating users: verifying that they are who they claim to be.
2. Controlling what authenticated users are allowed to do.

For instance, Shiro can tell us whether a user has been assigned a given security role, and from the user's roles and permissions decide what that person may do in the project. Suppose there are two people: an administrator who has full CRUD functionality, and an ordinary user who may only view records and may neither add nor delete them. Put that under Shiro's control and exactly this effect can be achieved.

The official Apache Shiro website lists the features the framework contains.

Let us look at what each module means.

Authentication: sometimes also called "login", this is the act of proving that a user is who they say they are.

Authorization: the access control process, which decides "who" is allowed to access "what". It answers security questions such as "is this user allowed to edit this account?", "is this user allowed to view this page?", "is this user allowed to use this button?". These are all decisions about what the user may access, so each one is an authorization check.

Cryptography: the practice of hiding information, or transforming it so that it is unreadable, to protect it from prying eyes so that nobody else can read it. Shiro focuses on two core elements of cryptography: ciphers, which encrypt data using symmetric or public/private keys, and hashes (also called message digests), which irreversibly transform data such as passwords.

The main objective of Shiro's cryptography support is to make this traditionally very complex area easy to use while still providing powerful cryptographic functions.

Session Management: a session is the bucket of user data carried along for the time a user is interacting with your application. Traditionally sessions were reserved for web or EJB environments; no longer. Shiro supports sessions in any application environment and also offers many other features to help you manage them.

Web Support: Shiro's web API makes it easy to protect web applications, which is where Shiro is most often used.

Caching: caching is a first-class citizen in Apache Shiro, keeping security operations fast and efficient.

Concurrency: Shiro's concurrency features support multi-threaded applications.

Testing: test support helps you write unit and integration tests to make sure your code is as secure as you expect.

"Run As": lets a user assume the identity of another user, which is sometimes very useful in administration scripts.

Remember Me: remembers the user's identity across sessions, so they only need to sign in when it is mandatory. Note that a remembered identity is not an authenticated one: Shiro distinguishes isRemembered() from isAuthenticated(), and operations that require proof of identity (such as the authc filter) insist on the latter.

Shiro core

Shiro has three core components: Subject, SecurityManager and Realms.

Subject: a Subject is essentially a security-specific "view" of the currently executing user. The word "user" usually means a person, but a Subject can also represent a third-party service, a daemon account, a cron job, or anything else that is currently interacting with the software.

Every Subject instance is bound to (and must be bound to) a SecurityManager. When you interact with a Subject, those calls become interactions with the SecurityManager behind it. Think of the Subject as a facade and the SecurityManager as the real executor.

SecurityManager: the security manager. All security-related operations go through it, and it manages every Subject; it is the heart of the Shiro architecture, acting as an "umbrella" that coordinates the internal security components into one object graph.

Realms: a Realm is where Shiro obtains its security data (users, roles, permissions). When the SecurityManager authenticates a user, it fetches the matching account from the Realm and compares it with the submitted credentials to decide whether the identity is legitimate; when it authorizes, it fetches the user's roles and permissions from the Realm to verify that the operation is allowed. A Realm can be thought of as a DataSource for security data.

When configuring Shiro you must specify at least one Realm for authentication and/or authorization. A SecurityManager may be configured with multiple Realms, but at least one is required.
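The three components and the administrator/viewer scenario from earlier can be exercised without a database or a web container. The program below is an added example written for this article (not code from the original post or from the Shiro project); it assumes Shiro 1.x on the classpath and uses a constructed IniRealm with two accounts, two roles and wildcard permissions so that the Subject, SecurityManager and Realm interaction is visible end to end.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroCoreDemo {

    /**
     * The Realm: security data constructed for this demo (in a real project it comes from a database).
     * [users]  username = password, role1, role2 ...
     * [roles]  roleName = perm1, perm2 ...
     * IniRealm stores these passwords in cleartext and its default matcher compares them as such,
     * which is acceptable only for a demo.
     */
    static IniRealm demoRealm() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("admin", "admin-secret, administrator");
        users.put("bob", "bob-secret, viewer");
        Ini.Section roles = ini.addSection("roles");
        roles.put("administrator", "courier:*");   // wildcard: list, add, delete, ... on couriers
        roles.put("viewer", "courier:list");       // read-only
        return new IniRealm(ini);
    }

    /** Logs in as the given account and prints what the Subject may do. */
    static void describe(String username, String password) {
        Subject subject = SecurityUtils.getSubject();      // facade bound to the SecurityManager
        subject.login(new UsernamePasswordToken(username, password)); // Subject -> SecurityManager -> Realm
        System.out.printf("%s: viewer=%b administrator=%b list=%b add=%b delete=%b%n",
                username,
                subject.hasRole("viewer"),
                subject.hasRole("administrator"),
                subject.isPermitted("courier:list"),
                subject.isPermitted("courier:add"),
                subject.isPermitted("courier:delete"));
        try {
            subject.checkPermission("courier:delete");   // throws instead of returning false
            System.out.println(username + " may delete couriers");
        } catch (UnauthorizedException e) {
            System.out.println(username + " may not delete couriers: " + e.getMessage());
        }
        subject.logout();
    }

    public static void main(String[] args) {
        // One SecurityManager with one Realm; every Subject created afterwards is bound to it.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(demoRealm()));
        describe("admin", "admin-secret");
        describe("bob", "bob-secret");
    }
}
```

The string permissions use Shiro's "domain:action" wildcard syntax: "courier:*" implies "courier:list", "courier:add" and "courier:delete", while "courier:list" implies only itself. Prefer isPermitted over hasRole in application code; roles change as the organisation changes, permissions describe what the code actually protects.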

Let us look at how Shiro controls permissions through a simple login.

First a diagram, then some simple code.

The figure shows the role and permission design used by Shiro.

The next figure illustrates the specific login flow.

Let me explain this figure.

1. Login: the username and password are handed to the Subject; the Subject calls its own login method and passes them to the SecurityManager; the SecurityManager passes them to the authentication method of the Realm written by the developer; the Realm looks the user up in the database by username and, if the user exists, returns the authentication info. Once the credentials check succeeds, the SecurityManager stores the authenticated identity in the session.

```java
/*
 * Parameter 1: the login identity (principal)
 * Parameter 2: the correct (stored) credentials that the submitted password is compared against
 * Parameter 3: the name of the realm producing this info (getName(), which Shiro uses to key principals by realm)
 */
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), getName());
```

 

2. The SecurityManager automatically checks whether the submitted password matches the correct one. Concretely, it is the Realm's CredentialsMatcher that does the comparison; with the default SimpleCredentialsMatcher this is a direct comparison, so the value returned as parameter 2 must be in the same form as the submitted password, which means cleartext passwords in the database unless a hashing matcher is configured.

 

3. Accessing a category-3 resource (a page). In this article resources are grouped into three categories: category 1 is open to anyone (login itself), category 2 requires an authenticated user, and category 3 requires a specific permission. The filter asks the SecurityManager whether the user holds permission xxx; the SecurityManager takes the authenticated identity out of the session and hands it to the Realm; the Realm determines which permissions the user holds, packages them into the authorization info and returns it to the SecurityManager; the SecurityManager returns the decision to the filter.

 

4. Accessing a category-3 resource that goes through a service (for example "add", which from the filter's point of view is only a category-2 resource because the filter merely requires login). When the method is executed, the Spring AOP before-advice fires because the service method carries the annotation @RequiresPermissions("courier:list"). The authorization advice asks the SecurityManager whether the user holds permission xxx; the SecurityManager takes the authenticated identity out of the session and hands it to the Realm; the Realm determines the user's permissions, packages them into the authorization info and returns it; the SecurityManager returns the decision to the advice.

Put simply: a request to /userAction_login first reaches the permission filter shiroFilter, which decides which category the resource belongs to.

Login is a category-1 resource, so it is passed straight through to userAction. userAction calls the login method of the Subject object (the Subject is the entry point object: it has a login method, a logout method and a method to get the current subject), passing the username and password.

The Subject object calls securityManager.login. The SecurityManager cannot itself judge whether the username and password are correct, so it needs

the Realm, the authenticator/authorizer written by the developer, which checks whether the username exists and what permissions it holds. When it is done it returns the AuthenticationInfo object to the SecurityManager; if the credentials match, the SecurityManager stores the authenticated identity in the session (proof that the login happened).

A custom Realm can be defined as follows:

```java
import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

// User, Role, Permission, UserDao, RoleService and PermissionService are the project's own classes.
@Service("MyRealm")
public class MyRealm extends AuthorizingRealm { // AuthorizingRealm implements the Realm interface

    @Autowired
    private UserDao ud;
    @Autowired
    private RoleService rs;
    @Autowired
    private PermissionService ps;

    // Authorization: called when a role or permission check is made, not at login
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal(); // the principal stored at login
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        List<Role> roles = rs.findByUser(user);
        if (roles != null && !roles.isEmpty()) {
            for (Role role : roles) {
                info.addRole(role.getKeyword());
            }
        }
        List<Permission> permissions = ps.findByUser(user);
        if (permissions != null && !permissions.isEmpty()) {
            for (Permission permission : permissions) {
                info.addStringPermission(permission.getKeyword()); // e.g. "courier:list"
            }
        }
        return info;
    }

    // Authentication: called by the SecurityManager during subject.login()
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) t;
        String username = token.getUsername();
        User user = ud.findByUsername(username);
        if (user != null) {
            /*
             * Parameter 1: the login identity (principal)
             * Parameter 2: the correct (stored) credentials; the CredentialsMatcher compares
             *              the submitted password against this value
             * Parameter 3: this realm's name (getName(), which Shiro uses to key principals by realm)
             */
            SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), getName());
            // ActionContext.getContext().getSession().put("loginUser", user);
            return info;
        } else {
            return null; // Shiro raises UnknownAccountException for a null result
        }
    }
}
```
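The Realm above returns user.getPassword() as the stored credentials, so the comparison in step 2 is whatever the configured CredentialsMatcher does; with Shiro's default SimpleCredentialsMatcher that is a direct comparison, which only works if the database holds the cleartext password. The program below is an added example written for this article (not the original author's code and not part of the Shiro project); it assumes Shiro 1.x, replaces the UserDao with a constructed in-memory table, and shows the same Realm shape storing a salted, iterated SHA-256 hash and wiring a HashedCredentialsMatcher so that the stored value is never the password itself.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo {

    static final int HASH_ITERATIONS = 1024;

    /** Hypothetical stored account row: username, salted hash (hex) and the salt; no cleartext password. */
    static final class Account {
        final String username;
        final String passwordHashHex;
        final ByteSource salt;

        Account(String username, String passwordHashHex, ByteSource salt) {
            this.username = username;
            this.passwordHashHex = passwordHashHex;
            this.salt = salt;
        }
    }

    /** Stand-in for the page's UserDao: an in-memory table constructed for this demo. */
    static final Map<String, Account> USERS = new HashMap<>();

    /** What a registration path should do: fresh random salt, iterated SHA-256, store hash and salt only. */
    static void register(String username, String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        USERS.put(username, new Account(username, hashHex, salt));
    }

    /** Same shape as the page's MyRealm, but the credentials it returns are a salted hash. */
    static final class HashedRealm extends AuthorizingRealm {

        HashedRealm() {
            // The matcher re-hashes the submitted password with the stored salt and iteration count
            // and compares the result to the stored hash; algorithm and iterations must match register().
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = ((UsernamePasswordToken) token).getUsername();
            Account account = USERS.get(username);
            if (account == null) {
                return null; // Shiro reports this as UnknownAccountException
            }
            // principal, stored hash, the salt that produced it, and this realm's name
            return new SimpleAuthenticationInfo(account.username, account.passwordHashHex,
                    account.salt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermission("courier:list"); // every demo account may list couriers
            return info;
        }
    }

    /** Attempts a login and reports whether Shiro accepted the credentials. */
    static boolean tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) { // wrong password, unknown account, ...
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm()));
        register("alice", "correct horse battery staple");
        System.out.println("right password: " + tryLogin("alice", "correct horse battery staple"));
        System.out.println("wrong password: " + tryLogin("alice", "wrong"));
        System.out.println("unknown user:   " + tryLogin("nobody", "anything"));
    }
}
```

Only the first login succeeds. The realm never sees or stores the cleartext password after registration; the SecurityManager still "compares the passwords" as step 2 describes, but through the matcher, which re-derives the hash from the submitted password and the stored salt. Whatever hashing scheme is chosen, the registration code and the matcher must agree on algorithm, salt handling, iteration count and encoding, otherwise every login fails.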

After login, accessing a page resource (a category-3 resource, which requires a permission):

the shiroFilter (already configured with which resources are category 1 and which are category 3)

asks the SecurityManager whether the user holds permission xxx (the SecurityManager cannot decide this by itself); the SecurityManager takes the authenticated identity that was saved in the session at login

and hands it to the Realm for judgement (the Realm's authentication method was called at login; now its authorization method is called). The Realm queries the database for the user's permissions and returns the authorization info to the SecurityManager.

The SecurityManager uses the Realm's authorization info to decide whether permission xxx is held and notifies the shiroFilter of the result; if the permission is missing, the shiroFilter redirects to the unauthorized page.

This is really just a simple design of the Shiro framework. It may have some small flaws since it is only a test; judge for yourselves.
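The resource categories used in the flow above correspond directly to the shiroFilter's filter chain (anon for category 1, authc for category 2, perms[...] for category 3) and to the @RequiresPermissions advice on service methods. The Spring Java configuration below is an added example written for this article (not from the original post or the Shiro project); it assumes Shiro 1.x with shiro-spring, the MyRealm bean from the page, and hypothetical URLs and a hypothetical CourierService, and it wires both the URL-level filter and the annotation-level AOP check.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.stereotype.Service;

@Configuration
public class ShiroConfig {

    /** The SecurityManager for a web application, backed by the page's MyRealm bean. */
    @Bean
    public DefaultWebSecurityManager securityManager(MyRealm myRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm);
        return manager;
    }

    /** The shiroFilter: URL patterns are matched top to bottom, first match wins. */
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login.jsp");              // where authc sends unauthenticated users
        factory.setUnauthorizedUrl("/unauthorized.jsp"); // where perms sends users lacking the permission

        Map<String, String> chain = new LinkedHashMap<>(); // insertion order matters
        chain.put("/login.jsp", "anon");                   // category 1: anyone
        chain.put("/userAction_login", "anon");            // category 1: the login action itself
        chain.put("/courier/list", "authc, perms[courier:list]"); // category 3: needs a permission
        chain.put("/courier/add", "authc");                // category 2 for the filter; the service checks the permission
        chain.put("/**", "authc");                         // everything else: at least logged in
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }

    /** Lets Spring call Shiro beans' init/destroy methods. */
    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    /** Creates proxies so the advisor below can intercept annotated service methods. */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true); // CGLIB, so classes without interfaces are proxied too
        return creator;
    }

    /** The "permission advice" from the flow: enforces @RequiresPermissions and friends before the method runs. */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
            DefaultWebSecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}

/** Hypothetical service; the annotation is what the advisor enforces, independent of the URL filter. */
@Service
class CourierService {

    @RequiresPermissions("courier:list")
    public List<String> list() {
        return List.of("courier-1", "courier-2"); // constructed data
    }

    @RequiresPermissions("courier:add")
    public void add(String name) {
        // persist the new courier; only reached if the current Subject holds courier:add
    }
}
```

A request to /courier/add passes the filter as soon as the user is logged in, but CourierService.add still throws an UnauthorizedException for a Subject without "courier:add", which is exactly the two-layer check described in step 4. Keep the "/**" entry last: an earlier catch-all would shadow every more specific rule, and a resource not listed at all would be served without any check if the catch-all were missing.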

Summary

Shiro is a full-featured framework that is also easy to use. To sum up, the three core components:

1. Subject
2. SecurityManager
3. Realms

Shiro is powerful, simple and flexible. As an Apache project it is reliable, it is not tied to any framework or container, and it can run standalone.

So, do you understand this permission control framework now? If you have ideas, let's discuss them together.



Origin www.cnblogs.com/justdojava/p/11206219.html