现在使用shiro作为权限认证已经越来越多,并且最近打算使用jeesite进行一个公司内部cms系统的系统的开发,结果发现很多坑,其框架就是使用shiro作为认证授权框架。所以打算对shiro进行学习。
从官网直接说明,shiro的核心和功能点分别是:认证、授权、会话管理、加密;web支持、缓存、并发、测试、记住我(jeesite也使用了该功能),其介绍如下:
Shiro targets what the Shiro development team calls “the four cornerstones of application security” - Authentication, Authorization, Session Management, and Cryptography:
Authentication: Sometimes referred to as ‘login’, this is the act of proving a user is who they say they are.
Authorization: The process of access control, i.e. determining ‘who’ has access to ‘what’.
Session Management: Managing user-specific sessions, even in non-web or EJB applications.
Cryptography: Keeping data secure using cryptographic algorithms while still being easy to use.
There are also additional features to support and reinforce these concerns in different application environments, especially:
Web Support: Shiro’s web support APIs help easily secure web applications.
Caching: Caching is a first-tier citizen in Apache Shiro’s API to ensure that security operations remain fast and efficient.
Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.
Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.
“Run As”: A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.
“Remember Me”: Remember users’ identities across sessions so they only need to log in when mandatory.
首先进行demo的搭建:
1、创建maven项目,并在其官网copy shiro的和slf4j的依赖,并配置slf4j的配置文件信息:
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-core -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.25</version>
<scope>test</scope>
</dependency>
2、创建key、value的shiro ini 配置文件于 src/main/resources目录下,[users] 存储用户信息,项目中一般该信息存储于数据库中。
3、登录的用户信息
package demo.netty_lihongmin.controller;
import org.apache.catalina.security.SecurityUtil;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroMain {
public static void main(String[] args) {
//读取配置文件,初始化工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:");
//获取SecurityManager实例
SecurityManager instance = factory.getInstance();
//把实例绑定到工具类
SecurityUtils.setSecurityManager(instance);
//得到当前执行的用户
Subject subject = SecurityUtils.getSubject();
// 创建token令牌的用户信息(一般为前端登陆的用户名和密码信息)
UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");
try {
subject.login(token);
System.out.println("用户登陆成功!!!");
} catch (Exception e) {
// TODO: handle exception
e.printStackTrace();
}
subject.logout();
}
}
