Learning Shiro in depth - [Part: Getting Started]

Getting started:

Running directly from a main method: https://blog.csdn.net/a907691592/article/details/80559904

Using configuration files: https://blog.csdn.net/qq_26525215/article/details/78059488

Understanding the source:

Shiro password comparison source code: https://blog.csdn.net/acmman/article/details/78446008

Shiro + Spring + Spring MVC + MyBatis integration: https://blog.csdn.net/u012031380/article/details/68921883

Important Shiro concepts: https://www.cnblogs.com/Java3y/p/8615275.html

How Shiro works:

1.

Authentication is implemented with the FormAuthenticationFilter filter, which works as follows:

When the user is not authenticated, the request goes to loginUrl for authentication, and the user's identity and password are submitted to loginUrl.

FormAuthenticationFilter intercepts the request and takes the username and password from it (the two parameter names are configurable).

FormAuthenticationFilter calls the realm, passing a token (username and password).

During authentication, the realm queries the user information by username (stored in Activeuser, which includes userid, usercode, username, menus).

If the user cannot be found, the realm returns null, and FormAuthenticationFilter sets a parameter (recording the exception information) in the request scope.

2.

When a controller method is called, because the method is annotated with @RequiresPermissions("item:query"), Shiro calls the realm to get the permission information from the database and checks whether "item:query" is in the permission data. If it is not, access is denied; if it is, the call is authorized.

When a JSP page is rendered and the page contains <shiro:hasPermission name="item:update">, Shiro calls the realm to get the permission information from the database and checks whether item:update is in the permission data. If it is not, access is denied; if it is, the content is authorized.

Problem: every time an annotation or a JSP authorization tag is encountered, the realm method is called to query the database. A cache is needed to solve this problem.

3.

Shiro provides caching for both authentication information and authorization information. Caching of authentication information is off by default; caching of authorization information is on by default. Authorization information is the main thing to cache, because of the amount of authorization data.

User authentication.

The first time the user is authorized: the realm is called to query the database.

The second time the user is authorized: the realm is not called to query the database; the authorization information (permission identifiers) is taken directly from the cache.

If the user exits normally, the cache is automatically cleared.

If the user exits abnormally, the cache is automatically cleared.

If a user's permissions are modified and the user has not exited the system, the modified permissions do not take effect immediately.

This requires manual programming:

After modifying permissions, call the realm's clearCache method to clear the cache.

In normal development, the code below should be placed in the service and called from there.

In the service, after modifying permissions, call the realm's method.

In the realm, define the clearCached method:
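The code for this step is not present on this page. The following is an added example, not the original author's code: it shows a revoked permission still being honoured from the authorization cache until the realm evicts that user's entry. The class name CustomRealm, the in-memory permissionTable, the user zhangsan and the clearCached(String) signature are assumptions, and shiro-core must be on the classpath.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

// Hypothetical realm; an in-memory map stands in for the permission tables.
public class CustomRealm extends AuthorizingRealm {
    // Constructed sample data: username -> permission identifiers.
    final Map<String, Set<String>> permissionTable = new HashMap<>();

    public CustomRealm() {
        setName("customRealm");
        setCacheManager(new MemoryConstrainedCacheManager()); // caching needs a cache manager
        permissionTable.put("zhangsan", new HashSet<>(Arrays.asList("item:query", "item:update")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        if (!permissionTable.containsKey(username)) return null; // user not found
        return new SimpleAuthenticationInfo(username, "constructed-password", getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Reached only on a cache miss; this is the "query the database" step.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(permissionTable.get((String) principals.getPrimaryPrincipal()));
        return info;
    }

    // Evict the cached entries of the user whose permissions were modified.
    public void clearCached(String username) {
        clearCache(new SimplePrincipalCollection(username, getName()));
    }

    public static void main(String[] args) {
        CustomRealm realm = new CustomRealm();
        PrincipalCollection user = new SimplePrincipalCollection("zhangsan", realm.getName());
        System.out.println("first check:  " + realm.isPermitted(user, "item:update")); // loads the cache
        realm.permissionTable.get("zhangsan").remove("item:update");                   // permission revoked
        System.out.println("after revoke: " + realm.isPermitted(user, "item:update")); // answered from cache
        realm.clearCached("zhangsan");                                                 // service-layer step
        System.out.println("after clear:  " + realm.isPermitted(user, "item:update")); // realm queried again
    }
}
```

The eviction has to target the principals of the user whose permissions changed; clearing with the current subject's principals only evicts the caller's own entry. The default cache key is the PrincipalCollection itself, so a principal object other than a String needs equals and hashCode for the eviction to find the entry.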

Origin www.cnblogs.com/lirenhe/p/10375991.html