Permission management: simple use of Shiro
Article Directory
- Permission management: simple use of Shiro
- Permission management
- 1. What is permission management
- 2. What is authentication
- 3. The username and password authentication process
- 4. Key objects
- 5. What is the authorization process
- 6. The basic permission model
- 7. The generic permission model
- 8. Generic permission management frameworks on the market today
- Simple use of Shiro
Permission management
1. What is permission management
Permission management belongs to the field of security management; simply put, it is access control over users.
2. What is authentication
The process of determining whether a user is a legitimate user of the system is called authentication.
The most common form is simple authentication by username and password: if your username and password exist in the database, you are a legitimate user; otherwise you are not.
3. The username and password authentication process
4. Key objects
- Subject: the subject
- The user accessing the system, a program, or whatever is being authenticated in the process above: all of these are subjects
- Simply put, whoever is being authenticated is the subject
- Principal: identity
- The identity of the subject during the authentication above; an identity must be unique
- Uniqueness: phone number, username, e-mail address
- Simply put, the identifying information you bring to authentication is the principal
- Credential: credential information
- Password, security information (token)
5. What is the authorization process
6. The basic permission model
What is a permission model?
Simply put, a model is a routine. The routine here: when we build a project and users with different identities (roles) use the system, and those different identities need different access rights to the data, the structure we set up to handle this is the permission model.
Mall project: platform, buyers and sellers ====> roles
Users with different identities have different access rights
A role is in fact a set of permissions
Resource: the official explanation: everything a computer can recognise (pictures, text, files, and so on) is a resource
The resource referred to in project development: all the buttons, pictures, text, hyperlinks, ... on a page
7. The generic permission model
7.1. What fields do the tables contain
User table
    user id, username, ....
Role table
    role id, role name, role description
User-role table
    user id, role id
Permission/resource table
    permission/resource id, permission name, permission description, type (per|res), resName, resPath, code of the display area
Role-permission table
    role id, permission id
8. Generic permission management frameworks on the market today
Shiro, Spring Security, OAuth2
Spring Security: this framework has a dependency on Spring
OAuth2: third-party login, public platforms
Shiro: this framework has the advantage of having no framework dependency; it can be used on any platform
Simple use of Shiro
9. What is Shiro
Simply put, Shiro is a framework responsible for authorization and authentication
- Apache Shiro provides authentication, authorization, cryptography and session management. It hides the complex problems and offers a clear, intuitive API so that developers can easily write the security code of their own applications. It does so without depending on any third-party framework, container or service, while still being able to integrate with those environments, so it can be used anywhere.
- Shiro focuses on what the Shiro development team calls the "four cornerstones of security": authentication, authorization, session management and cryptography:
- Authentication: identifying the user. Sometimes thought of as "login", it is the act by which a user proves who they are.
- Authorization: the access control process, i.e. deciding what the authenticated "who" may access ("what").
- Session management: managing user sessions, even in environments without a web or EJB container; managing the time-related state of a user.
- Cryptography: using cryptographic algorithms to keep data secure and prevent it from being snooped on.
10. What Shiro can do
Authentication, authorization, cache management, session management, the rememberMe function, login, logout, ...
11. What is Shiro's overall architecture
11.1. Common terms in Shiro
- Subject: the logged-in user (or a user program); whoever is being authenticated is the subject
- Principal: the username (user information may also be encapsulated in it)
- Credential: the password
- Token: the token (username + password packaged together), the object used for authentication
- The token does not stand alone; it ties together the steps before and after it
- SecurityManager: the security manager (as soon as you use the Shiro framework this object is indispensable)
- Authenticator: the authenticator (mainly does user authentication; simply put, it tells you when it is time to verify the identity of a login)
- Authorizer: the authorizer (simply put, it is used to authorize users)
- Realm: the object that interacts with the database during user authentication and authorization (what it does there is take the data packaged in the token, query the database, and then use the data it retrieves for authentication and authorization)
12. First Shiro hello world program
12.1. Import the package
    <!-- import the shiro package -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-all</artifactId>
        <version>1.3.2</version>
    </dependency>
12.2. Create a file in resources to simulate the database
shiro.ini -> it must be a file ending in .ini, and in IDEA it must be set to be read as a properties file, otherwise it does not take effect
    [users]
    kongming=123
    dan=456
12.3. Write test code to complete user authentication
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;
    import org.junit.Test;

    /**
     * Test that Shiro works normally
     */
    @Test
    public void shiro1() {
        // obtain the security manager factory
        IniSecurityManagerFactory iniSecurityManagerFactory = new IniSecurityManagerFactory("classpath:shiro.ini");
        // obtain the security manager through the security manager factory
        SecurityManager securityManager = iniSecurityManagerFactory.createInstance();
        // set the security manager into the runtime environment
        SecurityUtils.setSecurityManager(securityManager);
        // obtain the subject of the current operation
        Subject subject = SecurityUtils.getSubject();
        // the username and password here would come from the front end; they are assigned directly to simulate test data
        // create the token from the username and password
        UsernamePasswordToken token = new UsernamePasswordToken("kongming", "123");
        // pass the token in for verification
        subject.login(token);
        // print the user's authentication state
        System.out.println("User authentication state: " + subject.isAuthenticated());
        // user logout
        subject.logout();
        // print the user's authentication state again
        System.out.println("User authentication state: " + subject.isAuthenticated());
    }
    /*
    Authentication succeeds: prints ---> true false
    Authentication fails: throws an exception: org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - kongming, rememberMe=false] did not match the expected credentials.
    */
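The hello world above only checks a password and lets the exception escape. As an added example that is not part of the original article, the same IniSecurityManagerFactory is driven from an Ini object built in code (so no shiro.ini on the classpath is needed) and extended with a [roles] section, which is how Shiro's built-in INI realm expresses the model of sections 6 and 7: a role is a set of permission strings. The failure case quoted in the comment above is caught and mapped to an outcome code. The users, roles, permission strings and the class name ShiroRoleDemo are constructed for this example.

```java
// Added example, not code from the article: Shiro INI configuration built in
// code, with users, roles and wildcard permission strings (all constructed data).
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroRoleDemo {

    // [users]: name = password, role...   [roles]: role = permission...
    // Permission strings use Shiro's wildcard form "domain:action".
    private static final String INI =
            "[users]\n" +
            "kongming = 123, seller\n" +
            "dan = 456, buyer\n" +
            "[roles]\n" +
            "seller = product:create, product:edit, order:view\n" +
            "buyer = order:view, order:create\n";

    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(INI);                                   // parse the INI text above
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /**
     * Maps Shiro's authentication exceptions to an outcome code for logging.
     * The message shown to the end user should not distinguish "unknown-account"
     * from "bad-credentials", otherwise the login form reveals which usernames exist.
     */
    static String login(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return "ok";
        } catch (UnknownAccountException e) {
            return "unknown-account";      // realm returned no account for the username
        } catch (IncorrectCredentialsException e) {
            return "bad-credentials";      // the exception quoted in the article
        } catch (AuthenticationException e) {
            return "failed";               // locked, expired, ...
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        System.out.println(login(subject, "nobody", "123"));        // unknown-account
        System.out.println(login(subject, "kongming", "wrong"));    // bad-credentials
        System.out.println(login(subject, "kongming", "123"));      // ok

        // Authorization questions are answered from the [roles] section:
        System.out.println(subject.hasRole("seller"));              // true
        System.out.println(subject.isPermitted("product:edit"));    // true
        System.out.println(subject.isPermitted("order:create"));    // false, buyer-only
        subject.logout();
        System.out.println(subject.isAuthenticated());              // false
    }
}
```

The [roles] section is the role-permission table of section 7 in INI form, and the trailing role names on each [users] line are the user-role table. Passwords stay in clear text here exactly as in the article's shiro.ini, which is acceptable only for a local experiment.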
13. Implementing a custom realm
13.1. Import dependencies
java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
    /*
    The reason for this error is a missing logging dependency; the log4j and commons-logging dependencies need to be imported
    */
    <!-- log4j -->
    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.17</version>
    </dependency>
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
    </dependency>
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
        <version>1.18.10</version>
    </dependency>
13.2. Create entity classes
    package com.fu.shiro.pojo;

    import lombok.AllArgsConstructor;
    import lombok.Data;
    import lombok.NoArgsConstructor;

    // Lombok generates getters, setters and both constructors
    @Data
    @AllArgsConstructor
    @NoArgsConstructor
    public class User {
        private String username;
        private String password;
    }
13.3. Custom realm
UserRealm.java
    package com.fu.shiro.realm;

    import com.fu.shiro.pojo.User;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class UserRealm extends AuthorizingRealm {
        @Override
        public String getName() {
            return "UserRealm";
        }

        /**
         * Authentication
         * @param authenticationToken the token
         * @return the authentication info
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            // 1. get the username from the token
            String username = (String) authenticationToken.getPrincipal();
            // 2. query the user information from the database by username
            // User user = userService.getUserByName(username);
            // if the user is not found, return null directly; simulated here: if (null == user)
            if (!username.equals("kongming")) {
                return null;
            }
            // simulate the user information having been found
            User user = new User("kongming", "123");
            // 3. return the authentication info object
            return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
        }

        /**
         * Authorization (not implemented yet; only authentication is tested here)
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            return null;
        }
    }
13.4. Writing the configuration
shiro-realm.ini: specify the custom realm implementation class
    [main]
    customRealm=com.fu.shiro.realm.UserRealm
    securityManager.realms=$customRealm
13.5. Test
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;
    import org.junit.Test;

    /**
     * Test: complete authentication using the custom realm
     */
    @Test
    public void shiro2() {
        // obtain the security manager factory
        IniSecurityManagerFactory iniSecurityManagerFactory = new IniSecurityManagerFactory("classpath:shiro-realm.ini");
        // obtain the security manager through the security manager factory
        SecurityManager securityManager = iniSecurityManagerFactory.createInstance();
        // set the security manager into the runtime environment
        SecurityUtils.setSecurityManager(securityManager);
        // obtain the subject of the current operation
        Subject subject = SecurityUtils.getSubject();
        // the username and password here would come from the front end; they are assigned directly to simulate test data
        // create the token from the username and password
        UsernamePasswordToken token = new UsernamePasswordToken("kongming", "123");
        // pass the token in for verification
        subject.login(token);
        // print the user's authentication state
        System.out.println("User authentication state: " + subject.isAuthenticated());
        // user logout
        subject.logout();
        // print the user's authentication state again
        System.out.println("User authentication state: " + subject.isAuthenticated());
    }
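The UserRealm above hands Shiro the clear-text password "123" and leaves doGetAuthorizationInfo returning null. The realm below is an added example, not code from the article, showing the two things a realm backed by real data needs on top of that: the stored credential is a salted SHA-256 hash that Shiro's HashedCredentialsMatcher compares, so the clear-text password is never kept, and authorization is answered from in-memory maps standing in for the user, user_role and role_permission tables of section 7. The class name HashedUserRealm, the user rows, the iteration count and the role and permission strings are all constructed for the example.

```java
// Added example, not code from the article: a custom realm with salted,
// iterated SHA-256 credentials and table-backed authorization (constructed data).
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import java.util.*;

public class HashedUserRealm extends AuthorizingRealm {
    static final int ITERATIONS = 10000;   // constructed value; tune for your hardware

    /** One row of the user table: username, hex hash, per-user salt. */
    static final class UserRow {
        final String username, passwordHash; final ByteSource salt;
        UserRow(String u, String h, ByteSource s) { username = u; passwordHash = h; salt = s; }
    }

    private final Map<String, UserRow> users = new HashMap<>();               // user table
    private final Map<String, Set<String>> userRoles = new HashMap<>();       // user_role table
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // role_permission table

    public HashedUserRealm() {
        setName("HashedUserRealm");
        // The matcher re-hashes the submitted password with the stored salt and
        // iteration count, then compares it with the stored hex hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
        // constructed rows; a real application loads them from the tables
        addUser("kongming", "123", "seller");
        addUser("dan", "456", "buyer");
        rolePermissions.put("seller", new HashSet<>(Arrays.asList("product:create", "product:edit", "order:view")));
        rolePermissions.put("buyer", new HashSet<>(Arrays.asList("order:view", "order:create")));
    }

    /** Registration: fresh random salt, hash the password, store only the hash. */
    void addUser(String username, String plaintext, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hash = new Sha256Hash(plaintext, salt, ITERATIONS).toHex();
        users.put(username, new UserRow(username, hash, salt));
        userRoles.put(username, new HashSet<>(Arrays.asList(roles)));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        UserRow row = users.get(username);
        if (row == null) return null;   // Shiro raises UnknownAccountException for null
        // Hand back hash + salt; the matcher does the comparison, never this code.
        return new SimpleAuthenticationInfo(row.username, row.passwordHash, row.salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String role : userRoles.getOrDefault(username, Collections.emptySet())) {
            info.addRole(role);                                                            // user_role join
            info.addStringPermissions(rolePermissions.getOrDefault(role, Collections.emptySet())); // role_permission join
        }
        return info;
    }

    public static void main(String[] args) {
        // single-realm security manager, the programmatic equivalent of shiro-realm.ini
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedUserRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("kongming", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected: wrong password");
        }
        subject.login(new UsernamePasswordToken("kongming", "123"));
        System.out.println(subject.isAuthenticated());            // true
        System.out.println(subject.hasRole("seller"));            // true
        System.out.println(subject.isPermitted("product:edit"));  // true
        System.out.println(subject.isPermitted("order:create"));  // false
        subject.logout();
    }
}
```

With the article's shiro-realm.ini the same class can be wired by pointing customRealm at it instead of com.fu.shiro.realm.UserRealm; the main method only replaces that file with a DefaultSecurityManager so the example runs on its own.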