Shiro Learning (6): The Shiro framework's built-in filters (Filter) and data encryption

1. Shiro's core filters are defined in the enum class DefaultFilter. There are 11 in total; each enum name is the key used in the path configuration to select which interceptor handles a request.

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package org.apache.shiro.web.filter.mgt;

import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import org.apache.shiro.util.ClassUtils;
import org.apache.shiro.web.filter.authc.AnonymousFilter;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.filter.authc.UserFilter;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter;
import org.apache.shiro.web.filter.authz.PortFilter;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.filter.authz.SslFilter;
import org.apache.shiro.web.filter.session.NoSessionCreationFilter;

public enum DefaultFilter {
    anon(AnonymousFilter.class),
    authc(FormAuthenticationFilter.class),
    authcBasic(BasicHttpAuthenticationFilter.class),
    logout(LogoutFilter.class),
    noSessionCreation(NoSessionCreationFilter.class),
    perms(PermissionsAuthorizationFilter.class),
    port(PortFilter.class),
    rest(HttpMethodPermissionFilter.class),
    roles(RolesAuthorizationFilter.class),
    ssl(SslFilter.class),
    user(UserFilter.class);

    private final Class<? extends Filter> filterClass;

    private DefaultFilter(Class<? extends Filter> filterClass) {
        this.filterClass = filterClass;
    }

    public Filter newInstance() {
        return (Filter)ClassUtils.newInstance(this.filterClass);
    }

    public Class<? extends Filter> getFilterClass() {
        return this.filterClass;
    }

    public static Map<String, Filter> createInstanceMap(FilterConfig config) {
        Map<String, Filter> filters = new LinkedHashMap<>(values().length);

        for (DefaultFilter defaultFilter : values()) {
            Filter filter = defaultFilter.newInstance();
            if (config != null) {
                try {
                    filter.init(config);
                } catch (ServletException e) {
                    String msg = "Unable to correctly init default filter instance of type " + filter.getClass().getName();
                    throw new IllegalStateException(msg, e);
                }
            }

            // the enum name (anon, authc, ...) is the key used in filter chain definitions
            filters.put(defaultFilter.name(), filter);
        }

        return filters;
    }
}

Specific roles:

  • authc: org.apache.shiro.web.filter.authc.FormAuthenticationFilter
    • Login authentication is required to access the resource.
  • user: org.apache.shiro.web.filter.authc.UserFilter
    • User interceptor: requires that a user be present.
  • anon: org.apache.shiro.web.filter.authc.AnonymousFilter
    • Anonymous interceptor: the resource can be accessed by anonymous users (visitors) without logging in; usually used for static resources.
  • roles: org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
    • Role authorization interceptor: verifies whether the user has the given role.
    • Multiple parameters can be written, each naming a role required to pass, e.g. roles["admin,user"]; with multiple parameters the user must have every listed role to pass.
  • perms: org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
    • Permission authorization interceptor: verifies that the user has the given permission.
    • Multiple parameters can be written, each naming a permission required to pass, e.g. perms["user,admin"]; with multiple parameters the user must pass the check for every listed permission.
  • authcBasic: org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
    • HTTP Basic authentication interceptor.
  • logout: org.apache.shiro.web.filter.authc.LogoutFilter
    • Logout interceptor; after it runs, the request is redirected directly to the URL configured with shiroFilterFactoryBean.setLoginUrl().
  • port: org.apache.shiro.web.filter.authz.PortFilter
    • Port interceptor: passes only requests arriving on the configured port.
  • ssl: org.apache.shiro.web.filter.authz.SslFilter
    • SSL interceptor: passes only requests made over HTTPS.

2. Shiro Filter path configuration

  • Example paths: /admin/video, /user, /pub
  • Supported path wildcards: ?, *, **. Note that a ? or * match does not cross the directory separator "/".
  • ** matches everything beneath a path; a single * only prefix-matches within one path segment, so matching several path levels requires **.
  • URL permissions are resolved on a first-match-wins basis:
    • ? : matches exactly one character, e.g. /user? matches /user3 but not /user/
    • * : matches zero or more characters, e.g. /add* matches /addtest but not /user/1
    • ** : matches zero or more path segments, e.g. /user/** matches /user/xxx or /user/xxx/yyy
    • Example:
      /user/**=filter1
      /user/add=filter2
      A request for /user/add hits the filter1 interceptor.
  • Performance: wildcard string matching is more complex than exact string matching and therefore slower; the recommended approach is to use exact string matches.
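The first-match-wins resolution above, and the filter names from section 1, are easiest to see in code. The following Python block is an added example (Shiro itself is Java; this is not Shiro's own code): it models the behaviour of Shiro's Ant-style path matcher and filter chain resolver with ?, * and ** implemented as described, and adds a find_shadowed check that reports literal rules which can never fire because a broader pattern is listed before them. The chain definitions PAGE_EXAMPLE, MISORDERED and CORRECTED are constructed for this example; MISORDERED shows how the page's ordering pitfall turns into an unintended anonymous path when the shadowed rule is authc.

```python
"""Ant-style path matching and first-match-wins filter chain resolution,
modelled on how Shiro picks the filter chain for a request path.
Added example, not Shiro's code."""
import re


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style pattern into an anchored regular expression.

    ?  -> exactly one character other than '/'
    *  -> zero or more characters within one path segment (never crosses '/')
    ** -> zero or more whole path segments
    """
    regex = "^"
    for i, seg in enumerate(pattern.split("/")):
        sep = "/" if i > 0 else ""
        if seg == "**":
            # fold the separator into the optional group so /user/** also matches /user
            regex += f"(?:{sep}.*)?" if sep else ".*"
        else:
            regex += sep + "".join(
                "[^/]" if c == "?" else "[^/]*" if c == "*" else re.escape(c)
                for c in seg
            )
    return re.compile(regex + "$")


def ant_match(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).fullmatch(path) is not None


def resolve_chain(chain_definitions, path):
    """Return (pattern, filters) of the FIRST definition matching `path`.
    `chain_definitions` is an ordered list of (pattern, filter expression) pairs,
    like the lines of a Shiro [urls] section or a filterChainDefinitionMap."""
    for pattern, filters in chain_definitions:
        if ant_match(pattern, path):
            return pattern, filters
    return None, None


def find_shadowed(chain_definitions):
    """Report literal (wildcard-free) rules that can never fire because an earlier,
    broader pattern already matches their path. Returns (shadowed, shadowing) pairs.
    Overlap between two wildcard patterns is not decided here."""
    shadowed = []
    for j, (later, _) in enumerate(chain_definitions):
        if any(c in later for c in "?*"):
            continue
        for earlier, _ in chain_definitions[:j]:
            if ant_match(earlier, later):
                shadowed.append((later, earlier))
                break
    return shadowed


# Constructed from the page's example: the specific rule is listed AFTER the wildcard rule.
PAGE_EXAMPLE = [("/user/**", "filter1"), ("/user/add", "filter2")]

# Constructed misconfiguration with real filter names: the intent is that /user/profile
# requires login, but the broad anon rule listed first wins for every /user path.
MISORDERED = [("/user/**", "anon"), ("/user/profile", "authc")]
# Corrected: most specific rule first, catch-all last.
CORRECTED = [("/user/profile", "authc"), ("/user/**", "anon")]

if __name__ == "__main__":
    print(resolve_chain(PAGE_EXAMPLE, "/user/add"))    # ('/user/**', 'filter1')
    print(resolve_chain(MISORDERED, "/user/profile"))  # ('/user/**', 'anon')  login never enforced
    print(resolve_chain(CORRECTED, "/user/profile"))   # ('/user/profile', 'authc')
    print(find_shadowed(MISORDERED))                   # [('/user/profile', '/user/**')]
```

Running find_shadowed over a chain definition map at startup (or in a unit test) is a cheap way to catch the ordering mistake before deployment; the fix is always the same as in CORRECTED: list specific paths before the ** catch-all.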

3. Shiro data encryption and decryption

Credential security in Shiro is handled mainly by the CredentialsMatcher.

  • What is a hashing algorithm?
    • Usually just called a hash: a function that compresses a message A of any length into a message digest of fixed length, suitable for storing passwords; MD5 is an example.
  • What is a salt? (illustration: 667788 -> "aabbcc")
    • If the stored value is obtained directly by hashing the plaintext, the corresponding ciphertext is easily brute-forced. Normally an application-specific value such as the user id is mixed in, e.g. encrypted data = MD5(plaintext password + user ID), which makes cracking harder; multiple hashing rounds can also be used, such as applying MD5 several times.
  • Shiro's CredentialsMatcher verifies that the password is correct.
    • Source: AuthenticatingRealm -> assertCredentialsMatch()

      Usually a custom verification rule is defined:

      // ShiroConfig is an assumed name for the configuration class; only the @Bean method is from the page
      import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;

      @Configuration
      public class ShiroConfig {
          @Bean
          public HashedCredentialsMatcher hashedCredentialsMatcher() {
              HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
              // hash algorithm: use MD5
              hashedCredentialsMatcher.setHashAlgorithmName("md5");
              // number of hash iterations; hashing twice is equivalent to md5(md5("xxx"))
              hashedCredentialsMatcher.setHashIterations(2);
              return hashedCredentialsMatcher;
          }
      }
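To make the salt and iteration scheme of section 3 concrete, the following Python block is an added example (not Shiro's code) that reproduces the hashing performed by HashedCredentialsMatcher via SimpleHash, so a stored credential can be computed and checked outside the JVM. Assumptions: hashlib algorithm names ("md5"), the salt bytes are fed to the digest before the password, every further iteration digests the raw bytes of the previous digest (so two iterations is the md5(md5(...)) from the bean comment), and strings are UTF-8. The user id "1001" and password "123456" are constructed sample values.

```python
"""Reproduces the salted, iterated hashing that Shiro's HashedCredentialsMatcher
compares against. Added example, not Shiro's code."""
import hashlib
import hmac
from typing import Optional


def shiro_hash_bytes(algorithm: str, data: bytes, salt: Optional[bytes], iterations: int) -> bytes:
    """digest(salt || data), then re-digest the raw digest (iterations - 1) more times.
    Assumed to mirror SimpleHash; with iterations=2 and no salt this is md5(md5("xxx"))."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.new(algorithm)
    if salt:
        digest.update(salt)
    digest.update(data)
    hashed = digest.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(algorithm, hashed).digest()
    return hashed


def hash_password(password: str, salt: Optional[str], iterations: int = 2, algorithm: str = "md5") -> str:
    """Hex string to store for a user: the page's scheme MD5(user ID + plaintext password),
    applied `iterations` times, with the user id as the salt."""
    salt_bytes = salt.encode("utf-8") if salt is not None else None
    return shiro_hash_bytes(algorithm, password.encode("utf-8"), salt_bytes, iterations).hex()


def credentials_match(stored_hex: str, submitted_password: str, salt: Optional[str],
                      iterations: int = 2, algorithm: str = "md5") -> bool:
    """What HashedCredentialsMatcher.doCredentialsMatch does conceptually: hash the submitted
    password exactly as the stored credential was hashed, then compare. compare_digest keeps
    the comparison time independent of how many leading characters agree."""
    computed = hash_password(submitted_password, salt, iterations, algorithm)
    return hmac.compare_digest(computed, stored_hex.lower())


# Constructed sample user: the user id "1001" is the salt, as the page suggests.
USER_ID = "1001"
STORED = hash_password("123456", USER_ID, iterations=2)

if __name__ == "__main__":
    print("stored credential:", STORED)
    print(credentials_match(STORED, "123456", USER_ID))                # True
    print(credentials_match(STORED, "123457", USER_ID))                # False: wrong password
    print(credentials_match(STORED, "123456", "1002"))                 # False: another user's salt
    print(credentials_match(STORED, "123456", USER_ID, iterations=1))  # False: iteration count must match
```

The last two results are the practical point: the realm must hand the matcher the same salt (Shiro's HashedCredentialsMatcher takes it from a SaltedAuthenticationInfo, e.g. a SimpleAuthenticationInfo built with the salt as a ByteSource) and the bean's setHashIterations must equal the count used when the credential was stored, or every login fails. As a practitioner's caveat on the page's choice: MD5 with two iterations is very fast to compute, and a user id is a predictable salt, so an attacker who obtains the table can test candidates quickly; HashedCredentialsMatcher accepts other algorithm names and larger iteration counts, and a random per-user salt stored alongside the hash gives a stronger baseline within the same configuration.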


Origin www.cnblogs.com/enjoyjava/p/12089118.html