Shiro Study Notes

生来就可爱ヽ(ⅴ<●) posted on 2019-11-27 13:05:27
1 Running the quickstart sample
Steps: unzip the source release
unzip shiro-root-1.4.1-source-release.zip

Enter the quickstart sample directory
cd shiro-root-1.4.1/samples/quickstart

Run it
mvn compile exec:java

Concepts: Subject and Session. Get the current Subject, check whether it is logged in, and if not, log it in through the Subject with a token.
A Subject is "the user", but it is deliberately not called that; this is standard terminology in the security field, because a subject may be a person or a process/daemon. The advantage of Shiro's Session is that it does not require a web container; the same API works in any environment.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// the currently executing user (a SecurityManager must already be configured)
Subject currentUser = SecurityUtils.getSubject();

// works with or without a web container
Session session = currentUser.getSession();
session.setAttribute( "someKey", "aValue" );
if ( !currentUser.isAuthenticated() ) {
    //collect user principals and credentials in a gui specific manner
    //such as username/password html form, X509 certificate, OpenID, etc.
    //We'll use the username/password example here since it is the most common.
    //(do you know what movie this is from? ;)
    UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
    //this is all you have to do to support 'remember me' (no config - built in!):
    token.setRememberMe(true);
    currentUser.login(token);
}
If login fails, login() throws one of these exceptions. Catch the specific subclasses first; AuthenticationException is their common superclass and must be the last catch, otherwise the specific catches are unreachable. (All of them live in org.apache.shiro.authc.)
try {
    currentUser.login( token );
    //if no exception, that's it, we're done!
} catch ( UnknownAccountException uae ) {
    //username wasn't in the system, show them an error message?
} catch ( IncorrectCredentialsException ice ) {
    //password didn't match, try again?
} catch ( LockedAccountException lae ) {
    //account for that username is locked - can't login.  Show them a message?
    //... more exception types to check if you want ...
} catch ( AuthenticationException ae ) {
    //unexpected condition - error?
}
Caveat: telling the end user whether the account or the password was wrong lets an attacker enumerate valid usernames. Log the specific exception server-side and show one generic "invalid username or password" message.

Getting the principal (the identifying attribute of the account, here the username) and checking roles and permissions:

log.info( "User [" + currentUser.getPrincipal() + "] logged in successfully." );

if ( currentUser.hasRole( "schwartz" ) ) {
    log.info("May the Schwartz be with you!" );
} else {
    log.info( "Hello, mere mortal." );
}

Example of checking access to a specific type of resource (a "type:action" permission string):
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
    log.info("You may use a lightsaber ring.  Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
Logging the user out
currentUser.logout();

2 The flow in detail
1) Authentication. rememberMe only remembers the user's identity. There are two concepts: principals and credentials. Principals identify the subject (here the username); credentials are the secret that proves the identity (here the password).

UsernamePasswordToken token = new UsernamePasswordToken(username, password);

//"Remember Me" built-in: 
token.setRememberMe(true);

2) Log in: currentUser.login(token).
3) Handle the exceptions, exactly as in the code above. Handling each failure type separately is what lets the application react, for example to repeated wrong passwords against one account (someone guessing), rather than treating every failure the same way.
4) "Remembered" and "authenticated" are mutually exclusive states. Remember-me only recalls who the user was (from an earlier session, via a cookie); authenticated means the identity was proven by a successful login in the current session.
Remember-me is not good enough for sensitive operations: a bookstore can use it to show recommendations, but checkout must force a fresh login (check isAuthenticated(), not merely whether a principal is present).
After logout, redirect to a new page so the browser processes the cookie deletion, because the rememberMe cookie has to be cleared as well.
The authentication flow is these four steps, and it is backed by the Realm(s).
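Putting the four steps together as one standalone program. This is an added example, not code from the Shiro quickstart; the users, roles and passwords in the in-memory Ini are made up. It logs in against an IniRealm, collapses "unknown account" and "wrong password" into one user-facing message so failed logins cannot be used to enumerate usernames, gates the sensitive operation on isAuthenticated(), and logs out.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class LoginFlowExample {

    // Constructed in-memory equivalent of shiro.ini (the accounts are made up for
    // this example). Line format: user = password, role1, role2 ...
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("lonestarr", "vespa, schwartz");
        users.put("darkhelmet", "ludicrousspeed");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("schwartz", "lightsaber:*");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Steps 1-3: build the token, log in, and map every failure to ONE message for
    // the end user while the specific cause goes to the server-side log.
    // Returns the user-facing message, or null on success.
    static String login(Subject subject, String username, char[] password, boolean rememberMe) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        try {
            subject.login(token);
            return null;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Deliberately the same message for both: a distinct message would
            // let an attacker confirm which usernames exist.
            System.err.println("audit: login failed for '" + username + "': " + e.getClass().getSimpleName());
            return "Invalid username or password.";
        } catch (LockedAccountException e) {
            System.err.println("audit: locked account '" + username + "'");
            return "This account is locked.";
        } catch (AuthenticationException e) {   // superclass: must be caught last
            System.err.println("audit: unexpected authentication failure: " + e);
            return "Login failed.";
        } finally {
            token.clear();                      // wipe the password chars from the token
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        System.out.println(login(currentUser, "lonestarr", "wrong".toCharArray(), true)); // Invalid username or password.
        System.out.println(login(currentUser, "nobody", "vespa".toCharArray(), true));    // same message: no enumeration
        System.out.println(login(currentUser, "lonestarr", "vespa".toCharArray(), true)); // null

        // Step 4: right after a successful login the subject is authenticated, not merely remembered.
        System.out.println("authenticated=" + currentUser.isAuthenticated()
                + " remembered=" + currentUser.isRemembered());

        // Gate sensitive operations on isAuthenticated(), never on getPrincipal() != null:
        // a remembered-only subject has a principal but has not proven its identity this session.
        if (currentUser.isAuthenticated() && currentUser.isPermitted("lightsaber:wield")) {
            System.out.println("checkout allowed for " + currentUser.getPrincipal());
        }

        currentUser.logout();   // in a web app follow this with a redirect so the cookie deletion takes effect
        System.out.println("after logout authenticated=" + currentUser.isAuthenticated());
    }
}
```

Run with shiro-core on the classpath. The passwords sit in clear text in the Ini only for the demo; a real realm should be given a HashedCredentialsMatcher (salted, iterated hashes) so the stored credentials are never the raw secret.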


Multi-realm authentication (the Authenticator):
With a single realm the outcome is simply that realm's verdict. With several realms an AuthenticationStrategy decides how the individual results are combined, for example: all realms must succeed; at least one must succeed (every realm is consulted and their account data merged); or the first realm that succeeds wins and the later ones are ignored.
Configuration example (shiro.ini, [main] section) for plugging in a custom Authenticator:
[main]
...
authenticator = com.foo.bar.CustomAuthenticator

securityManager.authenticator = $authenticator

The three strategies shipped with Shiro (package org.apache.shiro.authc.pam):
AtLeastOneSuccessfulStrategy - the default; the login succeeds if one or more realms succeed, and the account data of every realm that succeeded is merged
FirstSuccessfulStrategy - only the account data of the first realm that succeeds is used; realms after it are ignored
AllSuccessfulStrategy - every configured realm must succeed, otherwise the login fails

Strategy configuration:
[main]
...
authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy

securityManager.authenticator.authenticationStrategy = $authcStrategy

Realms are consulted in the order in which they are configured (or the order given to securityManager.realms when set explicitly), see:
http://shiro.apache.org/authentication.html
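The same three strategies wired programmatically, as an added example (not Shiro's own code; the two realms and their users are made up). "alice" exists only in realmA and "bob" in both, so the output shows which strategy accepts whom and whose account data ends up in the Subject:

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;

public class MultiRealmStrategyExample {

    // Builds an in-memory realm from "user = password, roles..." lines.
    // Constructed data: realm names and users are made up for this example.
    static Realm realm(String name, String... userLines) {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        for (String line : userLines) {
            String[] kv = line.split("=", 2);
            users.put(kv[0].trim(), kv[1].trim());
        }
        IniRealm r = new IniRealm();
        r.setName(name);   // set before init(): accounts are tagged with the realm name when loaded
        r.setIni(ini);
        r.init();
        return r;
    }

    // Programmatic equivalent of:
    //   securityManager.authenticator.authenticationStrategy = $authcStrategy
    // The order of the realms here is the order in which they are consulted.
    static DefaultSecurityManager build(AuthenticationStrategy strategy, Realm... realms) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);
        sm.setRealms(Arrays.asList(realms));
        return sm;
    }

    // Logs in under the given strategy and reports which realms contributed principals.
    static String tryLogin(AuthenticationStrategy strategy, String user, String password) {
        DefaultSecurityManager sm = build(strategy,
                realm("realmA", "alice = secretA", "bob = secretB"),
                realm("realmB", "bob = secretB"));
        // Build the Subject against this manager explicitly rather than via SecurityUtils,
        // so every call gets a fresh Subject bound to its own SecurityManager.
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            String realms = subject.getPrincipals().getRealmNames().toString();
            subject.logout();
            return "ok via " + realms;
        } catch (AuthenticationException e) {
            return "FAILED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // alice is known to realmA only
        System.out.println(tryLogin(new AtLeastOneSuccessfulStrategy(), "alice", "secretA")); // ok via [realmA]
        System.out.println(tryLogin(new FirstSuccessfulStrategy(),      "alice", "secretA")); // ok via [realmA]
        System.out.println(tryLogin(new AllSuccessfulStrategy(),        "alice", "secretA")); // FAILED: UnknownAccountException
        // bob is known to both realms
        System.out.println(tryLogin(new AtLeastOneSuccessfulStrategy(), "bob", "secretB"));   // ok via [realmA, realmB]
        System.out.println(tryLogin(new FirstSuccessfulStrategy(),      "bob", "secretB"));   // ok via [realmA]
        System.out.println(tryLogin(new AllSuccessfulStrategy(),        "bob", "secretB"));   // ok via [realmA, realmB]
    }
}
```

AllSuccessfulStrategy is the strict choice when every realm is meant to vouch for the user (an account missing from any one realm is a failure); FirstSuccessfulStrategy is the one to pick when the realms are alternatives and you do not want the later realms' roles and permissions merged into the Subject.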
3) Authorization
http://shiro.apache.org/authorization.html#Authorization-ObjectbasedPermissionChecks
The Subject API offers the checks in several combinations: has/is (hasRole, isPermitted) return a boolean, whereas check (checkRole, checkPermission) throws an AuthorizationException, which is the form to use when the code should fail closed; role-based vs permission-based; permissions given as strings ("account:create") or as Permission objects; and single checks vs the all/any variants (hasAllRoles, isPermittedAll).
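An added example (not from the Shiro docs; the account data is made up) that runs through those combinations against one logged-in Subject, using wildcard permission strings of the form domain:action:instance, including the implied matches a "*" part grants:

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;

public class AuthorizationChecksExample {

    // Constructed account data (made up for this example): alice has the role
    // "operator", which grants two instance-level wildcard permissions.
    static Subject loggedInUser() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("alice", "pw, operator");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("operator", "printer:print:*, printer:query:lp7200");
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        Subject s = new Subject.Builder(sm).buildSubject();
        s.login(new UsernamePasswordToken("alice", "pw"));
        return s;
    }

    public static void main(String[] args) {
        Subject alice = loggedInUser();

        // role checks: boolean "has", single vs all
        System.out.println(alice.hasRole("operator"));                               // true
        System.out.println(alice.hasAllRoles(Arrays.asList("operator", "admin")));   // false

        // permission checks, string form ("domain:action:instance"); "*" matches any value of that part
        System.out.println(alice.isPermitted("printer:print:lp7200"));   // true  (implied by printer:print:*)
        System.out.println(alice.isPermitted("printer:query:lp7200"));   // true  (granted explicitly)
        System.out.println(alice.isPermitted("printer:query:lp1"));      // false (only lp7200 was granted)
        System.out.println(alice.isPermitted("printer:manage"));         // false

        // object form: the Permission instance is built by the caller
        System.out.println(alice.isPermitted(new WildcardPermission("printer:print")));   // true

        // all-or-nothing variant
        System.out.println(alice.isPermittedAll("printer:print:lp7200", "printer:query:lp7200")); // true

        // check* throws instead of returning false: the caller cannot forget to test the result
        try {
            alice.checkPermission("printer:manage");
            System.out.println("this line is not reached");
        } catch (AuthorizationException e) {
            System.out.println("denied: " + e.getMessage());
        }

        alice.logout();
    }
}
```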
4) Annotation versions
@RequiresPermissions("account:create")
@RequiresRoles("administrator")
Caveat: these annotations are enforced only when the annotated method is invoked through an AOP proxy (Shiro's Spring, AspectJ or Guice integration); a direct call on the object bypasses them entirely.

 

 
