Demystifying Shiro (Part 1)

Before getting to Shiro, we first introduce RBAC.

RBAC description:

RBAC (Role-Based Access Control) associates permissions with roles; a user obtains the permissions of a role by being made a member of that role. This greatly simplifies permission administration. The two levels are managed independently: permissions are granted to roles, and roles are granted to users, which makes the design clear and easy to manage.

The RBAC model has three basic components: users, roles and permissions.

RBAC grants permissions to roles and roles to users, so that users and permissions are logically separated and access control is applied indirectly. This greatly simplifies permission management. Before going further, a few terms:

User: each user has a unique identifier (UID) and can be granted different roles.

Role: different roles have different permissions.

Permission: the right to access a resource.

User-Role mapping: the relationship between users and roles.

Role-Permission mapping: the relationship between roles and permissions.

(Permission management consists of two parts: user authentication and user authorization.)

Any system with users generally has permission management. Permission management controls user access to the system so that, following the security rules, users can only access the resources they have been authorized for.

User authentication:

Key objects:

subject: the actor, usually understood as a user (it may also be a program), that wants to access system resources; the system needs to authenticate the subject.

principal: identity information. A subject usually has several pieces of identifying information, but one of them is the primary identity (primary principal).

credential: proof of identity, which can be a password, a certificate, a fingerprint and so on.

Summary: during authentication the subject must provide identity (principal) and credential information.

User authorization:

User authorization, simply put, is access control: after a user passes authentication, the system controls which resources the user may access, and the user must hold the corresponding permission before accessing a resource.

User authorization process:

Key objects

Authorization can be understood as the process of deciding: who performs what operation (how) on which resource (what/which).

who: the subject, that is, the subject that has passed authentication and is now under access control.

what (which): the resource. The subject must have permission on a resource before it may access it. Examples of resources: the system user list page, the product edit menu, the information of the product with id 001.

Resources are divided into resource types and resource instances.

The system's user information is a resource type, analogous to a Java class.

The user with id 001 in the system is a resource instance, analogous to a Java object created with new.

how: permission. A permission is defined against a resource; a subject that holds the permission may access the resource. How the resource is accessed or operated on is what the permission defines. Examples of permissions: add user, edit user, delete product.

Introduction to Shiro

Shiro is an open-source Apache framework for permission management. It implements user authentication and user authorization, is powerful yet simple and flexible, is not tied to any framework or container, and can run stand-alone.

Spring has Spring Security (formerly Acegi), a permission framework that is convenient to use but too tightly coupled to Spring.

Shiro architecture

Getting started with Shiro

1. Create a Spring Boot project and import the dependencies

Adding the Shiro dependencies to the project is all that is needed to use the functionality Shiro provides. shiro-core is the core package and is required; shiro-web integrates with the web layer, shiro-spring integrates with Spring, and shiro-ehcache provides caching.

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-ehcache</artifactId>
    <version>1.2.3</version>
</dependency>

2. Create shiro.ini under the resources directory (IDEA needs the *.ini plugin installed and a restart before the file is recognised)

# user configuration
[users]
# username = password for each user
jack=123
tom=456

3. Create a test class

package com.wn.authentication;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;

public class AuthenticationDemo {

    // User login and logout
    @Test
    public void testLoginAndLogout() {

        // Create the SecurityManager factory from the ini configuration file
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(
                "classpath:shiro.ini");

        // Create the SecurityManager
        SecurityManager securityManager = factory.getInstance();

        // Bind the SecurityManager to the current runtime environment
        SecurityUtils.setSecurityManager(securityManager);

        // Obtain a Subject from SecurityUtils
        Subject subject = SecurityUtils.getSubject();

        // Prepare the token before submitting for authentication;
        // in a real application the username and password come from user input
        UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");

        try {
            // Submit for authentication
            subject.login(token);
        } catch (AuthenticationException e) {
            // Authentication failed (unknown account, wrong password, ...)
            e.printStackTrace();
        }

        // Has authentication succeeded?
        boolean isAuthenticated = subject.isAuthenticated();

        System.out.println("是否认证通过:" + isAuthenticated);

        // Log out
        subject.logout();

        // Check again after logout
        isAuthenticated = subject.isAuthenticated();

        System.out.println("是否认证通过:" + isAuthenticated);

    }
}

Screenshot (not reproduced here): the second check is made after logout.

Using a Realm:

1. Create a custom Realm

package com.wn.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class realmDemo extends AuthorizingRealm {

    private String realmName = "realmDemo";

    // Authentication
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        // Take the user information out of the token
        // Username: the identity (principal)
        String principal = (String) authenticationToken.getPrincipal();
        System.out.println(principal);
        // Password: the credential
        Object credentials = authenticationToken.getCredentials();
        // Type conversion: UsernamePasswordToken stores the password as a char[]
        String password = new String((char[]) credentials);
        System.out.println(password);

        if ("jack".equals(principal) && "123".equals(password)) {

            SimpleAuthenticationInfo simpleAuthenticationInfo =
                    new SimpleAuthenticationInfo(principal, password, realmName);

            return simpleAuthenticationInfo;
        }

        // No match: returning null makes Shiro treat the account as unknown
        return null;
    }

    // Authorization (not implemented yet)
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }
}

2. Create shiro-realm.ini under the resources directory (note: make sure the realm class path is configured correctly; it must match the package of the realm class above)

[main]
# custom realm
realmDemo=com.wn.realm.realmDemo
# register the realm with the securityManager
securityManager.realms=$realmDemo

3. Add a method to the AuthenticationDemo class to test it

    // User login and logout using the custom Realm
    @Test
    public void testRealm() {

        // Create the SecurityManager factory from the ini configuration file
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(
                "classpath:shiro-realm.ini");

        // Create the SecurityManager
        SecurityManager securityManager = factory.getInstance();

        // Bind the SecurityManager to the current runtime environment
        SecurityUtils.setSecurityManager(securityManager);

        // Obtain a Subject from SecurityUtils
        Subject subject = SecurityUtils.getSubject();

        // Prepare the token before submitting for authentication;
        // in a real application the username and password come from user input
        UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");

        try {
            // Submit for authentication
            subject.login(token);
        } catch (AuthenticationException e) {
            // Authentication failed (unknown account, wrong password, ...)
            e.printStackTrace();
        }

        // Has authentication succeeded?
        boolean isAuthenticated = subject.isAuthenticated();

        System.out.println("是否认证通过:" + isAuthenticated);

        // Log out
        subject.logout();

        // Check again after logout
        isAuthenticated = subject.isAuthenticated();

        System.out.println("是否认证通过:" + isAuthenticated);

    }
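To show how the RBAC components from the start of the post (user-role mapping, role-permission mapping) map onto Shiro's realm API, here is an added example that is not from the original post. It fills in the doGetAuthorizationInfo that realmDemo leaves as null and checks roles and permissions through the Subject; the class name RbacRealmDemo and the in-memory tables are constructed for the example, and it assumes shiro-core 1.4.0 on the classpath and Java 9+ for Map.of/Set.of.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
// Hypothetical realm implementing the post's RBAC model: user -> roles -> permissions.
public class RbacRealmDemo extends AuthorizingRealm {
    // Constructed sample data; a real realm would load these tables from a database.
    private static final Map<String, String> PASSWORDS = Map.of("jack", "123", "tom", "456");
    private static final Map<String, Set<String>> USER_ROLES =          // user-role mapping
            Map.of("jack", Set.of("admin"), "tom", Set.of("user"));
    private static final Map<String, Set<String>> ROLE_PERMS = Map.of( // role-permission mapping
            "admin", Set.of("user:add", "user:edit", "product:delete"),
            "user", Set.of("product:view"));
    // Authentication: hand back the stored credential and let the realm's
    // CredentialsMatcher compare it, instead of comparing the password inside the realm.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String stored = PASSWORDS.get(token.getPrincipal());
        if (stored == null) return null; // unknown account: Shiro raises UnknownAccountException
        return new SimpleAuthenticationInfo(token.getPrincipal(), stored, getName());
    }
    // Authorization: resolve the user's roles, then the permissions of each role.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String role : USER_ROLES.getOrDefault(user, Set.of())) {
            info.addRole(role);
            info.addStringPermissions(ROLE_PERMS.getOrDefault(role, Set.of()));
        }
        return info;
    }
    public static void main(String[] args) {
        Subject subject = new Subject.Builder(new DefaultSecurityManager(new RbacRealmDemo())).buildSubject();
        subject.login(new UsernamePasswordToken("tom", "456")); // throws AuthenticationException on failure
        System.out.println("tom has role admin? " + subject.hasRole("admin"));
        System.out.println("tom may view products? " + subject.isPermitted("product:view"));
        System.out.println("tom may add users? " + subject.isPermitted("user:add"));
        subject.logout();
    }
}
```

Because the realm returns the stored credential rather than comparing it, a hashed-password scheme can later be introduced by swapping the realm's CredentialsMatcher without touching the lookup code.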

Source: www.cnblogs.com/anonymityning/p/11986563.html