Notes on the paper "Implementation of rights management based on SpringBoot + Shiro"

I. Basic information

  • Title: Implementation of rights management based on SpringBoot + Shiro

  • Source: Chengdu University of Information Engineering and Science University, Chengdu, 610100

  • Keywords: Shiro framework; SpringBoot framework; rights management

II. Research

  1. Overview of Shiro
    • Apache Shiro is a comprehensive security framework with many features. It provides a clean and intuitive API that handles authentication, authorization, session management and enterprise encryption. Shiro is easy to use and understand while also being very powerful: it can authenticate users to verify their identity, and it performs access control, determining whether a user is assigned a certain security role and whether the user is allowed to perform an operation.
    • Shiro's Session feature gives the application a session programming paradigm that is independent of any container, so the Session API can be used in any environment, even without a Web or EJB container. Shiro can also react to events during authentication, access control or the lifetime of a session.
    • Apache Shiro's architecture has three main concepts: Subject, SecurityManager and Realms. Subject is a fairly abstract concept. A Subject is usually understood as any "user" that can interact with the application, but it may also be a third-party program; any "thing" that interacts with the system can be treated as a Subject. In Shiro, login, logout, permission checks, Session access and so on are all done through the Subject. The SecurityManager is the heart of Shiro and its most crucial component: all concrete security operations are controlled by the SecurityManager, which manages every Subject, and every operation on a Subject goes through the SecurityManager. Realms act as the "bridge" or "connector" between Shiro and the application's security data, and are used for user authentication and authorization. A Realm is essentially a security-specific DAO: it encapsulates the details of connecting to the data source and makes the data Shiro needs available. When configuring Shiro, you must specify at least one Realm to use for authentication and authorization. The SecurityManager can be configured with multiple Realms, but it needs at least one.
    1. Pom configuration file
      <!-- Integrate Shiro -->
      <dependency>
          <groupId>org.apache.shiro</groupId>
          <artifactId>shiro-spring</artifactId>
          <version>1.4.0</version>
      </dependency>
    2. Custom Realm
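    import java.util.Set;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.IncorrectCredentialsException;
    import org.apache.shiro.authc.LockedAccountException;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Component;

    // UserServiceImpl and UserInforMation are the project's own classes (not shown in the notes).
    @Component
    public class MyShiroUserRealm extends AuthorizingRealm {
        @Autowired
        UserServiceImpl userService;

        /**
         * Used for authorization.
         *
         * @param principals the principals of the authenticated subject
         * @return authorization information
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            UserInforMation userInfo = (UserInforMation) principals.getPrimaryPrincipal();
            // The user's permission list
            Set<String> userPermsSet = userService.getUserPermissions(userInfo);
            SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
            authorizationInfo.setStringPermissions(userPermsSet);
            return authorizationInfo;
        }

        /**
         * Used for authentication.
         *
         * @param token the submitted authentication token
         * @return authentication information
         * @throws AuthenticationException if the account is unknown, the password is wrong or the account is deactivated
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            // Read the submitted user name and password
            String userNameInput = (String) token.getPrincipal();
            String passwordInput = new String((char[]) token.getCredentials());
            // Look up the user record
            UserInforMation user = userService.findId(userNameInput);
            // User does not exist
            if (user == null) {
                throw new UnknownAccountException("用户账号不存在! ");
            }
            // Wrong password. This compares the submitted password with the stored value
            // directly, so it only works when user.getPassword() holds the password in plain text.
            if (!passwordInput.equals(user.getPassword())) {
                throw new IncorrectCredentialsException("账号用户名或者密码错误! ");
            }
            // Account has been deactivated (state "0")
            if (user.getState().equals("0")) {
                throw new LockedAccountException("账户已被注销! ");
            }
            System.out.println("用户登陆成功! ");
            // Shiro's CredentialsMatcher compares the token against these stored credentials again after this method returns
            SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), user.getName());
            return info;
        }
    }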
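The realm above compares the submitted password with the stored value itself, which only works with plain-text passwords. The following is an added example, not code from the paper or the original notes: a realm that stores a salted hash and leaves the comparison to Shiro's built-in `HashedCredentialsMatcher`. The class name `HashedRealmDemo`, the user `alice`, the sample password, the `user:view` permission and the iteration count are all constructed for illustration; it assumes `shiro-core` 1.x on the classpath and leaves out the account-state check.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo extends AuthorizingRealm {
    static final int ITERATIONS = 100_000; // assumed work factor, tune for your hardware
    // Constructed sample record: the store keeps salt + hex hash, never the password itself.
    final ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
    final String storedHash = new Sha256Hash("s3cret-sample", salt, ITERATIONS).toHex();

    HashedRealmDemo() {
        // Tell Shiro how stored credentials were produced (hex-encoded is the matcher's default).
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String name = (String) token.getPrincipal();
        if (!"alice".equals(name)) throw new UnknownAccountException();
        // No comparison here: the matcher hashes the submitted password with this salt and compares.
        return new SimpleAuthenticationInfo(name, storedHash, salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission("user:view"); // constructed permission string
        return info;
    }

    static boolean tryLogin(Subject s, String user, String pw) {
        try { s.login(new UsernamePasswordToken(user, pw)); return true; }
        catch (AuthenticationException e) { return false; }
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new HashedRealmDemo());
        Subject subject = new Subject.Builder(sm).buildSubject();
        // Wrong password is rejected, the right one is accepted, then the permission check passes.
        System.out.println(tryLogin(subject, "alice", "wrong") + " "
                + tryLogin(subject, "alice", "s3cret-sample") + " " + subject.isPermitted("user:view"));
    }
}
```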

III. Conclusions

  • Using the Shiro security framework in a SpringBoot project gives the project secure access control along with user authentication, authorization, session management and other functions. Any program that needs security controls can hand them over to Shiro. Shiro is simple and easy to use, and together with SpringBoot it allows quick and easy development, cutting down the large amount of repetitive code otherwise written for a project's security controls.

IV. References

  • [1] Wang Shan Wen. Implementation of rights management based on SpringBoot + Shiro [J]. Computer Programming Skills and Maintenance, 2019, (9): 160-161, 173.

Origin www.cnblogs.com/clamye/p/12045432.html