The first day learning Shiro

Shiro is a powerful, easy-to-use security framework (covering authentication and authorization). It is simpler than Spring Security, does not depend on any container, and can be integrated with many frameworks.

The core of Shiro is the security manager (SecurityManager), which mainly consists of four modules:

1. Authentication: the authentication module is mainly used to verify the subject's identity and credentials; a subject here includes, but is not limited to, a user.

2. Authorization: the authorization module queries the database for the user's roles and permissions and caches them, so that later permission checks on the user's resource operations can use them;

3. Session management: the session manager, which manages the sessions of the subject's requests;

4. Cryptography: encryption, mainly of credentials (it is one-way, which is why a subject who forgets the password can only create a new password).

Shiro also supports web applications, a caching mechanism, concurrency, unit testing, and so on.

 

Because today I studied the authentication module, today I will briefly talk about the authentication module.

Steps are as follows:

1. Create a Java project;

2. Import the Shiro-related jar packages:

commons-beanutils-1.9.3.jar
commons-logging-1.2.jar
jcl-over-slf4j-1.7.12.jar
log4j-1.2.16.jar
shiro-all-1.4.1.jar
slf4j-api-1.7.25.jar
slf4j-log4j12-1.6.4.jar

3. Create the Shiro data file (an .ini file is used here to provide the data, simulating a database)

4. Write the code flow

The first two steps are omitted here; if you do not know how to create a project and import the packages, please look it up on Baidu yourself.

The following is the test file shiro.ini:

[users]
zhangsan=11111

Here [users] is the section that stores the subjects' identities and credentials. Below it, zhangsan is the identity and 11111 is the credential (the password). Here we supply fixed data; in a practical application the data should be queried from a database, but this is only a first simple test.

Then write authentication code:

package test;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class TestAuthencation {

    // Log output
    private final static Logger logger = LoggerFactory.getLogger(TestAuthencation.class);

    public static void main(String[] args) {
        // 1. Create the SecurityManager factory (reads the configuration file)
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        // 2. Create the SecurityManager instance
        SecurityManager securityManager = factory.getInstance();
        // 3. Set the SecurityManager in SecurityUtils
        SecurityUtils.setSecurityManager(securityManager);
        // 4. Get the Subject instance through SecurityUtils
        Subject subject = SecurityUtils.getSubject();
        try {
            // 5. Build the token from the user name and password
            //    (shiro.ini above defines 11111, so "1111" does not match it)
            UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "1111");
            // 6. Call subject.login() to authenticate the user token
            subject.login(token);
            // 7. Check whether the login succeeded
            if (subject.isAuthenticated()) {
                System.out.println("successful landing");
            }
        } catch (AuthenticationException e) {
            // TODO Auto-generated catch block
            logger.error("user name or password wrong!");
        }
    }
}

From the code above you can see Shiro's complete authentication flow. The subject.login(token) call goes into Shiro's AuthenticatingRealm, which queries the user's authentication data. We can also customize the realm: create a new realm class that extends AuthenticatingRealm or AuthorizingRealm, then implement the authentication and authorization methods to write your own authentication logic.

Exceptions can occur during authentication, so we need to catch them and log them to troubleshoot errors. The common exceptions are the AuthenticationException used in the code above and its subclasses, such as UnknownAccountException (wrong user name) and IncorrectCredentialsException (wrong user credentials). Note that the messages shown for these exceptions need to be vague, like "user name or password wrong" in the code above. When the user-name exception occurs, do not tell the user directly that the user name is wrong: that lets people know exactly whether the user name or the password was wrong and gives unscrupulous people something to take advantage of. Although there is also an exception for too many login attempts, try to avoid outputting explicit hints!
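The two points above (a custom realm, and one vague message for every authentication failure) as an added example; it is not code from the original post. GenericLoginDemo, MapRealm and login() are hypothetical names, and the in-memory map is a constructed stand-in for the database query.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class GenericLoginDemo {
    private static final Logger logger = LoggerFactory.getLogger(GenericLoginDemo.class);
    static final String GENERIC = "user name or password wrong!";

    // Hypothetical custom realm: the map stands in for the database lookup.
    static class MapRealm extends AuthenticatingRealm {
        private final Map<String, String> users;
        MapRealm(Map<String, String> users) { this.users = users; }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String name = ((UsernamePasswordToken) token).getUsername();
            String stored = users.get(name);
            if (stored == null) throw new UnknownAccountException("no account: " + name);
            // The realm's credentials matcher compares this with the token's password.
            return new SimpleAuthenticationInfo(name, stored, getName());
        }
    }

    // Returns the text shown to the user; the precise cause goes only to the log.
    static String login(Subject subject, String user, String password) {
        String safeUser = user.replaceAll("[\\r\\n]", "_"); // keep log lines intact
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return "successful landing";
        } catch (AuthenticationException e) {
            // Unknown user, wrong password, too many attempts: same reply for all.
            logger.warn("login failed for '{}': {}", safeUser, e.getClass().getSimpleName());
            return GENERIC;
        }
    }

    public static void main(String[] args) {
        // Constructed sample account, the same pair as in shiro.ini above.
        MapRealm realm = new MapRealm(Collections.singletonMap("zhangsan", "11111"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        System.out.println(login(subject, "nobody", "11111"));   // unknown user
        System.out.println(login(subject, "zhangsan", "1111"));  // wrong password
        System.out.println(login(subject, "zhangsan", "11111")); // correct password
    }
}
```

The first two calls print the same text, while the log records UnknownAccountException for one and IncorrectCredentialsException for the other.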

Authentication process summary:

1. First, read the .ini file to create the security manager factory (Factory);

2. The factory then generates the SecurityManager instance;

3. Set the security manager instance into SecurityUtils;

4. Get the Subject through SecurityUtils;

5. Generate the user token with UsernamePasswordToken (by passing the user's identity and credentials);

6. Call subject.login(token) to authenticate the user information;

7. Use the subject.isAuthenticated() method to determine whether the user verification succeeded;

8. Catch the exceptions that verification can raise, and log a reasonable message.

The above is the authentication part of Shiro that I learned today. After I finish studying it, I will continue to update with the authorization module to share what I have gained from studying. If you have anything to add or share, you are welcome to do so in the comments area!


Origin www.cnblogs.com/wujianwu/p/11241395.html