1. shiro default comes realm and common usage
- realm effect: Shiro Safety Data from the Realm
- The default comes realm: idae view the realm of inheritance, there is a default realm and implement a custom inherited
- Two concepts
- principal: main label, there can be multiple, but needs to have a unique, common user name, phone number, email, etc.
- credential: credential, it is the general password
- So in general we say principal + credential on account + password
- Development, often custom realm, that is integrated AuthorizingRealm, rewrite AuthorizingRealm method of getAuthorizationInfo
2. Shiro built-ini realm operation
Creating shiro.ini configuration file in the resource directory springboot resources, the contents will be copied into the following
. 1 [Users]
2 # = format name password, role1, role2, .. Rolen
. 3 Jack = 456, User
. 4 xdclass = 123, the root, ADMIN
. 5 # format = Role permission1, permission2 ... permissionN can use wildcards
6 # permissions the following configured user for all video: find, video: buy, if you need to configure video all operations crud the user = video: *
7 [the roles]
8 user = video: the Find, video: Buy
9 # the following defines the visitor role has All rights merchandise modules inquiries, purchase rights and the comments module
10 visitor = Good: the Find, Good: Buy, the comment: *
11 # 'ADMIN' Role has All the permissions, Indicated by at the wildcard '*'
12 ADMIN = *
xdclass = 123, root, admin represents, xdclass the user password 123, having a root and admin two roles,
user = video:find,video:buy 表示,普通用户角色具有视频的查看,购买权限,
admin = * 表示admin角色具有所有的权限
测试代码:
1 package net.xdclass.xdclassshiro;
2
3 import org.apache.shiro.SecurityUtils;
4 import org.apache.shiro.authc.UsernamePasswordToken;
5 import org.apache.shiro.config.IniSecurityManagerFactory;
6 import org.apache.shiro.mgt.DefaultSecurityManager;
7 import org.apache.shiro.mgt.SecurityManager;
8 import org.apache.shiro.realm.SimpleAccountRealm;
9 import org.apache.shiro.subject.Subject;
10 import org.apache.shiro.util.Factory;
11 import org.junit.Before;
12 import org.junit.Test;
13
14 /**
15 * iniRealm操作
16 */
17 public class QuicksStratTest5_2 {
18
19 @Test
20 public void testAuthentication() {
21 //通过配置文件创建SecurityManager工厂
22 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
23 // 获取SecurityManager实例
24 SecurityManager securityManager = factory.getInstance();
25 //设置当前上下文
26 SecurityUtils.setSecurityManager(securityManager);
27
28 //获取当前subject(application应用的user)
29 Subject subject = SecurityUtils.getSubject();
30 // 模拟用户输入
31 UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken("jack","456");
32 //
33 subject.login(usernamePasswordToken);
34 System.out.println("认证结果(是否已授权):" + subject.isAuthenticated()); //认证结果(是否已授权):true
35 //最终调用的是org.apache.shiro.authz.ModularRealmAuthorizer.hasRole方法
36 System.out.println("是否有对应的角色:" + subject.hasRole("root")); //是否有对应的角色:false
37 //获取登录 账号
38 System.out.println("getPrincipal():" + subject.getPrincipal()); //getPrincipal():jack
39 //校验角色,没有返回值,校验不通过,直接跑出异常
40 subject.checkRole("user");
41 // user jack有video的find权限,执行通过
42 subject.checkPermission("video:find");
43 // 是否有video:find权限:true
44 System.out.println("是否有video:find权限:" + subject.isPermitted("video:find"));
45 // 是否有video:delete权限:false
46 System.out.println("是否有video:delete权限:" + subject.isPermitted("video:delete"));
47 //user jack没有video的删除权限,执行会报错:org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [video:delete]
48 subject.checkPermission("video:delete");
49 // subject.logout();
50 // System.out.println("logout后认证结果:" + subject.isAuthenticated());
51 }
52
53 @Test
54 public void testAuthentication2() {
55 //通过配置文件创建SecurityManager工厂
56 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
57 // 获取SecurityManager实例
58 SecurityManager securityManager = factory.getInstance();
59 //设置当前上下文
60 SecurityUtils.setSecurityManager(securityManager);
61 //获取当前subject(application应用的user)
62 Subject subject = SecurityUtils.getSubject();
63 // 模拟用户输入
64 UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken("xdclass","123");
65 subject.login(usernamePasswordToken);
66 System.out.println("认证结果(是否已授权):" + subject.isAuthenticated()); // 认证结果(是否已授权):true
67 //最终调用的是org.apache.shiro.authz.ModularRealmAuthorizer.hasRole方法
68 System.out.println("是否有admin角色:" + subject.hasRole("admin")); //是否有admin角色:true
69 System.out.println("是否有root角色:" + subject.hasRole("root")); //是否有root角色:true
70 //获取登录 账号
71 System.out.println("getPrincipal():" + subject.getPrincipal()); //getPrincipal():xdclass
72 // admin角色具有所有权限
73 subject.checkPermission("video:find");
74 // 是否有video:find权限:true
75 System.out.println("是否有video:find权限:" + subject.isPermitted("video:find")); //是否有video:find权限:true
76 // 是否有video:delete权限:true
77 System.out.println("是否有video:delete权限:" + subject.isPermitted("video:delete")); // 是否有video:find权限:true
78 // 结果为true,如果subject.checkPermission校验不通过,则抛出异常
79 subject.checkPermission("video:delete");
80 }
81 }