一、shiro框架简介
Apache Shiro是Java的一个安全框架。其内部架构如下:
下面来介绍下里面的几个重要类:
Subject:主体,应用代码直接交互的对象就是Subject。代表了当前用户,这个用户不一定表示人。(可以暂时理解为用户)
SecurityManager:安全管理器,它管理着所有的Subject。是整个shiro框架的核心,它还其它组件交互。
Authenticator:认证器,负责主体认证。(可以暂时理解为判断是否登陆成功)
Authorizer:授权器,用来决定主体是否有权限进行相应的操作。(可以暂时理解为登陆成功后你拥有哪些权限)
Realm:安全数据源,Shiro从Realm获取安全数据(如用户、角色、权限)从而进行验证。一般需要自定义的。
二、shiro框架认证和授权实现
下面介绍一个自定义realm的demo,来讲解shiro的认证和授权
1、maven项目添加jar包依赖
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.imooc</groupId> <artifactId>shiro</artifactId> <version>1.0-SNAPSHOT</version> <dependencies> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.4.0</version> </dependency> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>RELEASE</version> </dependency> </dependencies> </project>
2、自定义Realm
package realm; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.crypto.hash.Md5Hash; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.util.ByteSource; import java.util.HashMap; import java.util.HashSet; import java.util.Set; public class CustomRealm extends AuthorizingRealm { HashMap<String,String> hashMap=new HashMap<String, String>(); Set<String> set=new HashSet<String>(); //存储了账号和md5和盐值加密后的密码 { hashMap.put("asdfgh","003dc55c5d91addfead4a4fa347c4f2d"); //可以先忽略这个 super.setName("abc"); } //取出所需的角色和权限,构建simpleAuthorizationInfo对象返回,进行权限认证 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { String name= (String) principalCollection.getPrimaryPrincipal(); Set<String> roles=getRoleByName(name); SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo(); simpleAuthorizationInfo.setRoles(roles); return simpleAuthorizationInfo; } //存储了账号和对应的角色 private Set<String> getRoleByName(String name) { Set<String> set=new HashSet<String>(); set.add("admin"); return set; } //取出所需的密码,构建simpleAuthenticationInfo对象返回,与UsernamePasswordToken进行认证对比 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { String name= (String) authenticationToken.getPrincipal(); String password=getPasswordByname(name); if(password==null){ return null; } SimpleAuthenticationInfo simpleAuthenticationInfo=new SimpleAuthenticationInfo(name,password,"abc"); simpleAuthenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("asdfgh")); return simpleAuthenticationInfo; } private String getPasswordByname(String name) { String password=hashMap.get(name); return password; } //003dc55c5d91addfead4a4fa347c4f2d这个密码就是从这里的出来的 public static void main(String agrs[]){ Md5Hash md5Hash=new Md5Hash("123456","asdfgh"); System.out.println(md5Hash.toString()); } }
3、测试类
package shirotest; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.realm.text.IniRealm; import org.apache.shiro.subject.Subject; import org.junit.Test; import realm.CustomRealm; public class CustomRealmTest { @Test public void Test(){ CustomRealm customRealm=new CustomRealm(); //构件SercurityManager的环境 DefaultSecurityManager defaultSecurityManager=new DefaultSecurityManager(); //设置自定义的Realm defaultSecurityManager.setRealm(customRealm); //加密 HashedCredentialsMatcher hashedCredentialsMatcher=new HashedCredentialsMatcher(); hashedCredentialsMatcher.setHashAlgorithmName("md5"); hashedCredentialsMatcher.setHashIterations(1); customRealm.setCredentialsMatcher(hashedCredentialsMatcher); //主体提交认证请求 SecurityUtils.setSecurityManager(defaultSecurityManager); Subject subject= SecurityUtils.getSubject(); UsernamePasswordToken token=new UsernamePasswordToken("asdfgh","123456"); subject.login(token); System.out.println("认证是否成功:"+subject.isAuthenticated()); subject.checkRoles("admin"); } }
以上就是就shiro框架的简单介绍,该demo的地址:https://github.com/professorxin/Java_Demo/tree/master/shiro