Shiro study notes

Shiro's three core components: Subject, SecurityManager, Realms

Subject: the principal, representing the current "user". This user is not necessarily a person; anything that interacts with the application is a Subject. Every Subject is bound to a SecurityManager, and every interaction with a Subject is delegated to that SecurityManager, so the Subject can be thought of as a facade while the SecurityManager is the real executor.
SecurityManager: the security manager. All security-related interaction goes through it; it is the core of Shiro, it manages Subjects, and it provides the various security services.
Realm: the bridge (or connector) between Shiro and the application's security data. When a user logs in or is authorized, Shiro looks up the user and their permission information in the configured Realms. A Shiro configuration must contain at least one Realm, and may contain several.
A simple Shiro application:
① Application code authenticates and authorizes through the Subject, and the Subject in turn delegates to the SecurityManager.
② We need to inject a Realm into Shiro's SecurityManager, so that the SecurityManager can obtain the legitimate users and their permissions on which it bases its decisions.
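The flow just described (Realm injected into the SecurityManager, application code talking only to the Subject facade), as an added example that is not part of the original post. It runs stand-alone on the core Shiro jar: an in-memory SimpleAccountRealm with two constructed accounts stands in for the database-backed realm, and DefaultSecurityManager replaces the web variant. The account names and passwords are constructed sample data.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ShiroFlowDemo {

    // Constructed in-memory realm standing in for a database-backed Realm (assumption for this demo).
    static SimpleAccountRealm buildRealm() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addRole("admin");
        realm.addRole("user");
        realm.addAccount("alice", "alice-secret", "admin", "user"); // constructed sample accounts
        realm.addAccount("bob", "bob-secret", "user");
        return realm;
    }

    // One login attempt through the Subject; every outcome the SecurityManager can report is handled.
    static String tryLogin(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token); // Subject -> SecurityManager -> Realm.doGetAuthenticationInfo
            return "login ok for " + username;
        } catch (UnknownAccountException e) {
            return "unknown account: " + username;          // realm found no such user
        } catch (IncorrectCredentialsException e) {
            return "bad credentials for " + username;       // realm found the user, matcher rejected the password
        } catch (AuthenticationException e) {
            return "authentication failed: " + e.getClass().getSimpleName();
        } finally {
            token.clear(); // zero the password chars held by the token
        }
    }

    public static void main(String[] args) {
        // 1. The Realm is injected into the SecurityManager ...
        DefaultSecurityManager securityManager = new DefaultSecurityManager(buildRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // 2. ... and application code only ever talks to the Subject facade.
        Subject subject = SecurityUtils.getSubject();

        System.out.println(tryLogin(subject, "alice", "wrong"));        // bad credentials
        System.out.println(tryLogin(subject, "mallory", "x"));          // unknown account
        System.out.println(tryLogin(subject, "alice", "alice-secret")); // login ok

        // Authorization questions go the same way: Subject -> SecurityManager -> Realm.doGetAuthorizationInfo
        System.out.println("authenticated:  " + subject.isAuthenticated());
        System.out.println("principal:      " + subject.getPrincipal());
        System.out.println("hasRole(admin): " + subject.hasRole("admin"));
        System.out.println("hasRole(user):  " + subject.hasRole("user"));

        subject.logout(); // drops the session and the cached principals
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```

The three login attempts show why a realm should throw UnknownAccountException and let the CredentialsMatcher reject wrong passwords rather than comparing them itself: the caller can distinguish the cases in code, while the message shown to an end user should stay generic for both.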
Shiro configuration:
Custom Realm (implements authentication and authorization):

import java.util.HashSet;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;

public class OwnRealm extends AuthorizingRealm {

    // The project's MyBatis-Plus mappers (assumed; they are not shown on the page)
    @Autowired
    private UserDao userDao;
    @Autowired
    private RoleDao roleDao;

    // User authentication
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        String username = usernamePasswordToken.getUsername();
        // The submitted password is not compared here: the realm's CredentialsMatcher
        // checks it against the credentials returned below.
        QueryWrapper<User> qw = new QueryWrapper<>();
        qw.eq("userName", username);
        User user = userDao.selectOne(qw); // query the database with MyBatis-Plus
        if (user == null) {
            throw new UnknownAccountException("用户不存在");
        }
        // user.getPassWord() is the stored credential. The default SimpleCredentialsMatcher compares it
        // as plain text, so store a hash and configure a HashedCredentialsMatcher on this realm instead.
        return new SimpleAuthenticationInfo(user.getUserName(), user.getPassWord(), getName());
    }

    // User authorization
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // get the logged-in user name
        String userName = (String) principalCollection.getPrimaryPrincipal();
        HashSet<String> roles = new HashSet<String>();
        HashSet<String> permissions = new HashSet<String>();
        Role role = roleDao.queryRoleByUserName(userName);
        if (role == null) {
            return null;
        }
        if ("admin".equals(role.getRoleName())) {
            roles.add("admin");
            roles.add("user");
            permissions.add("add");
        }
        if ("user".equals(role.getRoleName())) {
            roles.add("user");
            permissions.add("delete");
        }
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        simpleAuthorizationInfo.setRoles(roles);
        simpleAuthorizationInfo.setStringPermissions(permissions);
        return simpleAuthorizationInfo;
    }
}
Spring configuration class (registers the Realm, the SecurityManager and the Shiro filter):

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager; // explicit import: not java.lang.SecurityManager
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    public Realm realm() {
        return new OwnRealm();
    }

    @Bean
    public SecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
        defaultWebSecurityManager.setRealm(realm);
        return defaultWebSecurityManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        shiroFilterFactoryBean.setLoginUrl("/");                    // login page redirect
        shiroFilterFactoryBean.setSuccessUrl("/success");           // redirect after a successful login
        shiroFilterFactoryBean.setUnauthorizedUrl("/noAuthorized"); // redirect when the roles/perms filters deny access
        // Filter-chain alternative to annotation-based checks (left commented out, as in the original).
        // Entries are matched in insertion order and the first match wins, so the map must be a
        // LinkedHashMap rather than a HashMap, and a catch-all entry such as "/**" must come last.
//        Map<String, String> chain = new LinkedHashMap<>();
//        chain.put("/login", "anon");                  // the login path needs no authentication
//        chain.put("/doLogin", "anon");
//        chain.put("/logout", "logout");               // the logout filter clears the user's session
//        chain.put("/admin/**", "authc,roles[admin]"); // admin/** requires an authenticated user with the admin role
//        shiroFilterFactoryBean.setFilterChainDefinitionMap(chain);
        return shiroFilterFactoryBean;
    }

    // The two beans below are needed only if authorization is done with annotations
    @Bean // enables the annotations (requires Spring AOP)
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        // CGLIB subclass proxies: annotated controller methods must be public and non-final
        defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
        return defaultAdvisorAutoProxyCreator;
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }
}
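An added example, not from the original post, of a Spring MVC controller that relies on the annotation-based checks the last two beans enable, using the same paths as the commented-out filter chain ("/doLogin", "/success", "/admin/**", "/logout") and the roles and permissions OwnRealm returns. The controller class, the "/admin/dashboard" and "/items" paths and the response strings are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller; the paths below are assumed except where they repeat the page's filter chain.
@RestController
public class DemoController {

    // "/doLogin" is marked anon in the filter chain: anyone may reach it and present credentials.
    @PostMapping("/doLogin")
    public String doLogin(@RequestParam String username, @RequestParam String password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token); // Subject -> SecurityManager -> OwnRealm.doGetAuthenticationInfo
            return "login ok: " + subject.getPrincipal();
        } catch (AuthenticationException e) {
            // One generic message for every failure: do not reveal whether the account or the password was wrong.
            return "login failed";
        } finally {
            token.clear(); // zero the password chars held by the token
        }
    }

    // "/success" is the successUrl: only an authenticated subject should see it.
    @RequiresAuthentication
    @GetMapping("/success")
    public String success() {
        return "hello " + SecurityUtils.getSubject().getPrincipal();
    }

    // Annotation equivalent of the "authc,roles[admin]" chain entry, enforced by the AOP advisor
    // through OwnRealm.doGetAuthorizationInfo.
    @RequiresRoles("admin")
    @GetMapping("/admin/dashboard")
    public String adminDashboard() {
        return "admin dashboard";
    }

    // Checked against the string permissions OwnRealm puts into SimpleAuthorizationInfo ("add" for admin).
    @RequiresPermissions("add")
    @PostMapping("/items")
    public String addItem() {
        return "item added";
    }

    @PostMapping("/logout")
    public String logout() {
        SecurityUtils.getSubject().logout();
        return "logged out";
    }

    // Annotation checks throw instead of redirecting to the unauthorizedUrl set on the
    // ShiroFilterFactoryBean (that URL applies only to the roles/perms filters), so without
    // this handler a denied request surfaces as a 500. Map it to 403 explicitly.
    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String unauthorized() {
        return "forbidden";
    }
}
```

UnauthenticatedException (thrown when an annotated method is hit without a login) also extends AuthorizationException, so the single handler covers both the "not logged in" and the "logged in but lacking the role or permission" cases.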