1. Environment preparation
1. Shiro does not depend on a servlet container, so a plain Maven project is enough.
2. Add the dependencies:
```xml
<dependencies>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.9.0</version>
    </dependency>
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
    </dependency>
</dependencies>
```
shiro-core itself logs through slf4j-api, so add an SLF4J binding if you want to see Shiro's own log output; commons-logging on its own does not capture it.
2. INI file
Shiro reads its security data (accounts, roles, permissions) through a Realm, which can be backed by a database or, for small setups and tests, by an ini configuration file (shiro.ini).
1. Create the ini file
![](https://img-blog.csdnimg.cn/f0bf9834719e4d3da4e8872efb533f67.png)
3. Login authentication
1. Login authentication concept
(1) Identity verification: the user generally has to provide something that identifies them, such as a user ID, e-mail address or username, together with something that proves it, such as a password.
(2) In Shiro the user hands principals (identity) and credentials (proof) to Shiro, and the application authenticates the user with them.
(3) Principals: the identity, i.e. the identifying attributes of the subject. Any unique attribute qualifies, e.g. username or e-mail. A subject can have several principals but only one primary principal, usually the username, e-mail address or mobile phone number.
(4) Credentials: the proof, i.e. a secret value known only to the subject, such as a password or a digital certificate.
(5) The most common principal/credential combination is username/password.
2. Basic login authentication process
(1) Collect the user's identity/credentials, e.g. username/password.
(2) Call Subject.login. If it fails, the call throws an AuthenticationException (or a subclass such as UnknownAccountException or IncorrectCredentialsException), and the application reports an error message based on the exception; otherwise the login succeeded.
(3) Create a custom Realm class that extends org.apache.shiro.realm.AuthenticatingRealm and implement its doGetAuthenticationInfo() method.
![](https://img-blog.csdnimg.cn/c7202fb88baf4728b2284f06b054d2fa.png)
3. Login authentication example
Create a test class, obtain the Subject (the authentication object), and perform the login, as follows:
![](https://img-blog.csdnimg.cn/eaa7c4a90165475b93bacc5fda062fdd.png)
![](https://img-blog.csdnimg.cn/a6910193fa41477b92ed7e9f1f886582.png)
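The ini file from section 2 and the login flow from steps (1) and (2) above, as an added example that is not the page's own code. It builds the ini text in memory instead of reading shiro.ini from the classpath so that it runs as a single file; the accounts zhangsan/z3 and lisi/l4 are constructed sample data and the class name LoginDemo is an assumption. One practitioner detail is built in: UnknownAccountException and IncorrectCredentialsException are logged separately but reported to the user with the same text, so the login form cannot be used to enumerate valid usernames.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.env.BasicIniEnvironment;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class LoginDemo {

    // Constructed sample configuration; the same text could live in shiro.ini on the classpath.
    // [users]  username = password, role1, role2, ...
    // [roles]  role = permission1, permission2, ...
    private static final String SHIRO_INI =
            "[users]\n" +
            "zhangsan = z3, admin\n" +
            "lisi = l4, guest\n" +
            "[roles]\n" +
            "admin = *\n" +
            "guest = user:view\n";

    /** Builds a SecurityManager from the in-memory ini; a [users]/[roles] section yields an IniRealm. */
    public static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        return new BasicIniEnvironment(ini).getSecurityManager();
    }

    /**
     * Collects the credentials, calls Subject.login and maps the outcome to a message that is
     * safe to show the user. Unknown account and wrong password are distinguished in the log
     * only, never in the response.
     */
    public static String login(String username, char[] password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "login ok, principal=" + subject.getPrincipal();
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            System.err.println("login failed for '" + username + "': " + e.getClass().getSimpleName());
            return "invalid username or password";
        } catch (AuthenticationException e) {
            // LockedAccountException, ExcessiveAttemptsException, ...: also reported generically
            System.err.println("login failed for '" + username + "': " + e);
            return "login failed";
        } finally {
            token.clear(); // wipes the password array held by the token
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        System.out.println(login("nobody", "x".toCharArray()));
        System.out.println(login("zhangsan", "wrong".toCharArray()));
        System.out.println(login("zhangsan", "z3".toCharArray()));

        Subject subject = SecurityUtils.getSubject();
        System.out.println("authenticated: " + subject.isAuthenticated());
        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```

Running main() shows the two failed attempts producing identical user-facing text while stderr records the concrete exception type; the third attempt succeeds, and isAuthenticated() is true until logout() is called.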
4. Identity authentication process
(1) Subject.login(token) is called first; the Subject delegates the call to SecurityManager.
(2) SecurityManager owns the real authentication logic and delegates identity verification to Authenticator.
(3) Authenticator is the real authenticator and the core authentication entry point of the Shiro API; you can plug in your own implementation here.
(4) Authenticator may delegate to an AuthenticationStrategy for multi-Realm authentication; the default ModularRealmAuthenticator consults its AuthenticationStrategy whenever more than one Realm is configured.
(5) Authenticator passes the token to the Realm(s) and gets AuthenticationInfo back. If a Realm returns no info, or throws, authentication fails. Several Realms can be configured; they are consulted in the configured order and their results combined according to the strategy.
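Step (4) is where the security-relevant decision lives: with several Realms, the AuthenticationStrategy decides what "authenticated" means. The following added example (not from the page) wires two SimpleAccountRealm instances, constructed here as stand-ins for, say, a directory and a local user table, into a DefaultSecurityManager and runs the same logins under Shiro's default AtLeastOneSuccessfulStrategy and under AllSuccessfulStrategy. Realm names, accounts and the class name MultiRealmDemo are assumptions for the demo.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class MultiRealmDemo {

    /**
     * Two realms with constructed sample data: "alice" exists in both, with different
     * passwords; "bob" exists only in the second one.
     */
    public static DefaultSecurityManager build(AuthenticationStrategy strategy) {
        SimpleAccountRealm realmA = new SimpleAccountRealm("realmA");
        realmA.addAccount("alice", "secretA");

        SimpleAccountRealm realmB = new SimpleAccountRealm("realmB");
        realmB.addAccount("alice", "secretB");
        realmB.addAccount("bob", "secretB");

        // ModularRealmAuthenticator is Shiro's default Authenticator; the strategy decides how
        // the per-realm results are combined. Realms set on the SecurityManager are handed
        // on to the authenticator.
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);
        sm.setRealms(Arrays.<Realm>asList(realmA, realmB));
        return sm;
    }

    /** Runs Subject.login against the given SecurityManager and reports success or failure. */
    public static boolean tryLogin(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            // With several realms the strategy, not the realm, raises the final exception, so a
            // realm-specific IncorrectCredentialsException may surface as a plain AuthenticationException.
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager lenient = build(new AtLeastOneSuccessfulStrategy()); // Shiro's default
        DefaultSecurityManager strict = build(new AllSuccessfulStrategy());

        String[][] attempts = { {"alice", "secretA"}, {"alice", "secretB"}, {"bob", "secretB"}, {"alice", "nope"} };
        for (String[] a : attempts) {
            System.out.printf("%-6s %-8s atLeastOne=%-5s allSuccessful=%s%n",
                    a[0], a[1], tryLogin(lenient, a[0], a[1]), tryLogin(strict, a[0], a[1]));
        }
    }
}
```

Under the default strategy a match in any single realm is enough, so both of alice's passwords work and bob can log in; under AllSuccessfulStrategy every realm has to accept the token, so an account missing from one realm (bob) or with a non-matching password in one realm (alice) is rejected. The practical consequence: if a weak legacy realm sits next to a strong one under the default strategy, the weak realm's answer alone grants access.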
4. Role and authorization
1. Authorization concept
(1) Authorization, also called access control, decides who may access which resources in the application (viewing a page, editing data, performing an operation, and so on). The key objects in authorization are Subject, Resource, Permission and Role.
(2) Subject: the user accessing the application; in Shiro, Subject is the object that represents that user. A user may only access a resource after being authorized to do so.
(3) Resource: anything in the application a user can be granted access to: a URL or JSP page, a piece of data to view or edit, a business method, a printer, and so on. Access is allowed only after authorization.
(4) Permission: the atomic unit of the security policy. A permission states whether a user may perform a given operation on a given resource, e.g. view/add/modify/delete on the user list page (in practice this is mostly CRUD). A permission describes an operation on a resource, and whether it is allowed; it does not by itself say which user holds it.
(5) Shiro supports coarse-grained permissions (e.g. every operation of the user module) and fine-grained, instance-level permissions (e.g. operating on one particular user).
(6) Role: a named collection of permissions. Users are normally granted roles rather than individual permissions, which makes granting easier: project manager, technical director, CTO and development engineer are typical roles, each carrying a different set of permissions.
2. Authorization method
(1) Programmatic: write if/else blocks around the Subject's hasRole and isPermitted methods (or the check variants, which throw instead of returning false).
![](https://img-blog.csdnimg.cn/efd2956a1e7f4610a038a46f016366c7.png)
(2) Annotation-based: place the corresponding annotation (@RequiresRoles, @RequiresPermissions) on the Java method to be executed; if the caller lacks the role or permission the corresponding exception is thrown. This needs an AOP proxy around the method.
(3) JSP/GSP tags: use the corresponding tags on the JSP/GSP page.
3. Authorization process
(1) Subject.isPermitted*/hasRole* is called first; the call is delegated to SecurityManager, which in turn delegates to Authorizer.
(2) Authorizer is the real authorizer. For a string call such as isPermitted("user:view") it first converts the string into a Permission instance through the PermissionResolver (a WildcardPermission by default).
(3) Before deciding, it calls the corresponding Realm(s) to fetch the Subject's roles/permissions, so they can be matched against the requested ones.
(4) Authorizer checks whether the roles/permissions returned by the Realm imply the requested ones. With several Realms, ModularRealmAuthorizer loops over them; if any Realm satisfies the isPermitted*/hasRole* check the result is true, otherwise false, meaning authorization is denied.
![](https://img-blog.csdnimg.cn/a5f3859f72114b009549b60acf7d93b0.png)
4. Authorization instance
(1) Obtain the Subject's role information
(2) Check the Subject's permission information
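Steps (1) and (2) of the authorization instance, as an added example that is not the page's own code: an ini with two roles, programmatic role and permission checks, and a guarded method using checkPermission. It goes a little beyond the page by exercising the wildcard semantics of step (2) in the authorization process (a permission without an instance part implies every instance, but an instance-level grant does not imply the whole action). The accounts zhangsan/z3 (admin) and lisi/l4 (editor), the permission strings and the class name AuthzDemo are constructed for the example.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.env.BasicIniEnvironment;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class AuthzDemo {

    // Constructed sample configuration. Permissions use Shiro's wildcard format
    // "domain:action:instance"; a missing trailing part means "any".
    private static final String SHIRO_INI =
            "[users]\n" +
            "zhangsan = z3, admin\n" +
            "lisi = l4, editor\n" +
            "[roles]\n" +
            "admin = *\n" +
            "editor = user:view, user:update:*, user:delete:42\n";

    public static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        return new BasicIniEnvironment(ini).getSecurityManager();
    }

    /** Programmatic authorization: the hasRole and isPermitted family return booleans, nothing is thrown. */
    public static Map<String, Boolean> checks(Subject s) {
        Map<String, Boolean> r = new LinkedHashMap<>();
        r.put("hasRole(admin)", s.hasRole("admin"));
        r.put("hasAllRoles(admin,editor)", s.hasAllRoles(Arrays.asList("admin", "editor")));
        r.put("isPermitted(user:view)", s.isPermitted("user:view"));
        r.put("isPermitted(user:view:99)", s.isPermitted("user:view:99"));     // user:view implies every instance
        r.put("isPermitted(user:update:7)", s.isPermitted("user:update:7"));   // matched by user:update:*
        r.put("isPermitted(user:delete:42)", s.isPermitted("user:delete:42"));
        r.put("isPermitted(user:delete:7)", s.isPermitted("user:delete:7"));
        r.put("isPermitted(user:delete)", s.isPermitted("user:delete"));       // one instance does not imply the whole action
        return r;
    }

    /** The check variants throw AuthorizationException instead of returning false; use them to guard a method body. */
    public static String deleteUser(Subject s, String id) {
        try {
            s.checkPermission("user:delete:" + id);
            return "deleted user " + id;
        } catch (AuthorizationException e) {
            return "denied user:delete:" + id + " (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        String[][] accounts = { {"zhangsan", "z3"}, {"lisi", "l4"} };
        for (String[] a : accounts) {
            Subject s = SecurityUtils.getSubject();
            s.login(new UsernamePasswordToken(a[0], a[1]));
            System.out.println("== " + s.getPrincipal());
            checks(s).forEach((k, v) -> System.out.println("  " + k + " -> " + v));
            System.out.println("  " + deleteUser(s, "42"));
            System.out.println("  " + deleteUser(s, "7"));
            s.logout();
        }
    }
}
```

For zhangsan every permission check passes because the admin role holds "*", while hasAllRoles(admin, editor) is false since he only has admin. For lisi, user:view:99 and user:update:7 are granted through the implied and explicit wildcards, user:delete:42 is granted but user:delete:7 and the bare user:delete are not, so deleteUser succeeds for id 42 and is denied for id 7. When writing application code, prefer permission checks over role checks: roles change as the organisation changes, permissions describe what the code actually does.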
5. Shiro encryption
In real systems sensitive values such as user passwords must not be stored in the clear. Shiro bundles the common hash algorithms (MD5, SHA-1, SHA-256 and SHA-512, through SimpleHash and its subclasses) together with salting and iteration support, so hashing a password takes one line. Two caveats: what this tutorial calls "encryption" is one-way hashing (there is no key and no way back), and a bare MD5 of the password is not adequate for password storage: add a random per-user salt and an iteration count, or use a stronger algorithm.
1. Use Shiro for password encryption
![](https://img-blog.csdnimg.cn/9f05c26725d64531a9bf37c9f2e01f0c.png)
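Password hashing with Shiro's built-in classes, as an added example that is not the page's own code. It puts the plain Md5Hash next to a salted, iterated SimpleHash and next to DefaultPasswordService, which packs algorithm, iterations and salt into one self-describing string. The password 123456 and the class name PasswordHashDemo are constructed for the example.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {

    /** Plain MD5: fast, unsalted, identical for identical passwords, trivially looked up in precomputed tables. */
    public static String md5(String password) {
        return new Md5Hash(password).toHex();
    }

    /** Salted, iterated SHA-256 through SimpleHash: what a Realm should store, hash plus salt. */
    public static String saltedSha256(String password, ByteSource salt, int iterations) {
        return new SimpleHash("SHA-256", password, salt, iterations).toHex();
    }

    /** 16 bytes from a SecureRandom; one fresh salt per stored password. */
    public static ByteSource randomSalt() {
        return new SecureRandomNumberGenerator().nextBytes();
    }

    public static void main(String[] args) {
        String pw = "123456"; // constructed sample password

        // Same input, same MD5: two users with the same password share a hash.
        System.out.println("md5 user1       : " + md5(pw));
        System.out.println("md5 user2       : " + md5(pw));

        // With a per-user random salt the stored hashes differ even for identical passwords.
        ByteSource salt1 = randomSalt();
        ByteSource salt2 = randomSalt();
        int iterations = 1024;
        System.out.println("sha256 user1    : " + saltedSha256(pw, salt1, iterations) + " salt=" + salt1.toHex());
        System.out.println("sha256 user2    : " + saltedSha256(pw, salt2, iterations) + " salt=" + salt2.toHex());

        // DefaultPasswordService defaults to SHA-256 with 500,000 iterations and a random salt, and
        // encodes everything into a "$shiro1$..." string, so the matcher needs no extra configuration.
        DefaultPasswordService service = new DefaultPasswordService();
        String stored = service.encryptPassword(pw);
        System.out.println("passwordService : " + stored);
        System.out.println("match correct   : " + service.passwordsMatch(pw, stored));
        System.out.println("match wrong     : " + service.passwordsMatch("654321", stored));
    }
}
```

The DefaultPasswordService call takes a noticeable fraction of a second by design; that cost is what slows down offline guessing. If you hash with SimpleHash yourself, the Realm has to return the salt alongside the hash so that the credentials matcher can repeat the computation.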
6. Shiro custom login authentication
Shiro's default login authentication compares the submitted password with the stored credential as-is (SimpleCredentialsMatcher, i.e. plaintext). To authenticate against hashed passwords you need to customize login authentication with a custom Realm, paired with a HashedCredentialsMatcher that knows the algorithm and iteration count.
1. Customized login authentication
![](https://img-blog.csdnimg.cn/171476b12ccf49998c8ff52206c3d7ed.png)
2. Add configuration information in shiro.ini
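The custom Realm from step 1 and the shiro.ini wiring from step 2, as an added example that is not the page's own code. It extends AuthenticatingRealm as the page describes and keeps an in-memory map in place of a user table; the account zhangsan/z3, the class names HashedLoginDemo and HashedUserRealm, and the SHA-256/1024-iteration parameters are constructed for the example. The ini text is embedded as a string so the file runs on its own; in a project it would be the [main] section of shiro.ini, naming the realm by its fully qualified class name.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.env.BasicIniEnvironment;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedLoginDemo {

    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;

    /** One row of the constructed in-memory user table: salt and hex hash, never the password. */
    public static final class StoredUser {
        final ByteSource salt;
        final String hashHex;
        StoredUser(ByteSource salt, String hashHex) { this.salt = salt; this.hashHex = hashHex; }
    }

    /** Custom Realm: looks the user up and hands Shiro the stored hash together with its salt. */
    public static class HashedUserRealm extends AuthenticatingRealm {
        private final Map<String, StoredUser> users = new HashMap<>();

        public HashedUserRealm() {
            register("zhangsan", "z3"); // stand-in for a database row created at registration
        }

        public void register(String username, String plaintextPassword) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String hash = new SimpleHash(ALGORITHM, plaintextPassword, salt, ITERATIONS).toHex();
            users.put(username, new StoredUser(salt, hash));
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            StoredUser u = users.get(username);
            if (u == null) {
                return null; // Shiro raises UnknownAccountException for a null result
            }
            // The HashedCredentialsMatcher configured in the ini hashes the submitted password with
            // this salt and compares the result to hashHex; the realm never compares plaintext.
            return new SimpleAuthenticationInfo(username, u.hashHex, u.salt, getName());
        }
    }

    // The shiro.ini [main] section for the realm. The class name below is the nested class's
    // binary name; in a real project it would be e.g. com.example.HashedUserRealm.
    static final String SHIRO_INI =
            "[main]\n" +
            "credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher\n" +
            "credentialsMatcher.hashAlgorithmName = " + ALGORITHM + "\n" +
            "credentialsMatcher.hashIterations = " + ITERATIONS + "\n" +
            "credentialsMatcher.storedCredentialsHexEncoded = true\n" +
            "myRealm = HashedLoginDemo$HashedUserRealm\n" +
            "myRealm.credentialsMatcher = $credentialsMatcher\n" +
            "securityManager.realms = $myRealm\n";

    public static boolean login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            System.err.println(username + ": " + e.getClass().getSimpleName());
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(SHIRO_INI);
        SecurityUtils.setSecurityManager(new BasicIniEnvironment(ini).getSecurityManager());
        System.out.println("zhangsan / z3    -> " + login("zhangsan", "z3"));
        System.out.println("zhangsan / wrong -> " + login("zhangsan", "wrong"));
        System.out.println("nobody / z3      -> " + login("nobody", "z3"));
    }
}
```

The algorithm, iteration count and encoding in the matcher have to match exactly how the hashes were produced at registration time, otherwise every login fails; keep those three values in one place. The salt travels with the AuthenticationInfo (SimpleAuthenticationInfo implements SaltedAuthenticationInfo), which is why the realm, not the matcher, is responsible for loading it.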