Shiro notes

Author: rockjh | Published 2017-08-28 17:41

    How Shiro loads its configuration

    1: Load an INI file with user/password entries (a [users] section; each line is username=password)

    [users]
    zhang=123
    wang=123
    

    2: Load an INI file with a single realm (these lines go in the [main] section)

    #declare a realm
    myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
    #set the realms used by securityManager
    securityManager.realms=$myRealm1
    

    3: Load an INI file with multiple realms (the realms are consulted in the order listed)

    #declare the realms
    myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
    myRealm2=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm2
    #set the realms used by securityManager
    securityManager.realms=$myRealm1,$myRealm2
    

    4: Authenticate users through a JdbcRealm. Every `bean.property=value` line in [main] is applied to the named bean by calling its setter (Shiro's INI builder works by reflection), so the dataSource settings below are injected into the DruidDataSource and `jdbcRealm.dataSource=$dataSource` wires the realm to it. By default JdbcRealm looks passwords up with `select password from users where username = ?`, so the table layout or the query must match.

    jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
    dataSource=com.alibaba.druid.pool.DruidDataSource
    dataSource.driverClassName=com.mysql.jdbc.Driver
    dataSource.url=jdbc:mysql://localhost:3306/shiro
    dataSource.username=root
    #dataSource.password=
    jdbcRealm.dataSource=$dataSource
    securityManager.realms=$jdbcRealm
    
    #set the authenticator used by securityManager
    authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
    securityManager.authenticator=$authenticator
    #set the authenticationStrategy of securityManager.authenticator
    #FirstSuccessfulStrategy: one realm succeeding is enough; only the first successful realm's authentication info is returned, later realms are ignored
    #AtLeastOneSuccessfulStrategy: one realm succeeding is enough; the authentication info of every successful realm is merged and returned (ModularRealmAuthenticator's default)
    #AllSuccessfulStrategy: every realm must succeed; the merged authentication info of all realms is returned
    allSuccessfulStrategy=org.apache.shiro.authc.pam.AllSuccessfulStrategy
    securityManager.authenticator.authenticationStrategy=$allSuccessfulStrategy
    

    Note: you can write your own authenticationStrategy by extending the abstract class AbstractAuthenticationStrategy (override beforeAllAttempts/beforeAttempt/afterAttempt/afterAllAttempts as needed).
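
As an added example (not code from the original post and not a class shipped with Shiro), here is a custom strategy built on AbstractAuthenticationStrategy. It keeps the merging behaviour of AtLeastOneSuccessfulStrategy but additionally demands that one specific realm, identified by its bean name, contributed principals, so a second-factor realm cannot be bypassed by a password-only realm succeeding on its own. The package and class names, the realm name `mfaRealm`, and the assumption that each realm builds its result with `new SimpleAuthenticationInfo(principal, credentials, getName())` (so its principals are keyed by realm name) are mine.

```java
package com.example.shiro; // hypothetical package, not part of Shiro

import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Like AtLeastOneSuccessfulStrategy (the inherited afterAttempt() merges every
 * successful realm's info and ignores realms that failed or threw), but the
 * aggregate is only accepted if the realm named requiredRealmName is among the
 * realms that contributed principals.
 *
 * The class holds no per-login state: ModularRealmAuthenticator shares one
 * strategy instance across all threads, so everything is derived from the
 * aggregate that is passed in.
 */
public class RequiredRealmStrategy extends AbstractAuthenticationStrategy {

    private String requiredRealmName;

    /** Setter so the INI ReflectionBuilder can inject the name. */
    public void setRequiredRealmName(String requiredRealmName) {
        this.requiredRealmName = requiredRealmName;
    }

    public String getRequiredRealmName() {
        return requiredRealmName;
    }

    @Override
    public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate)
            throws AuthenticationException {
        if (requiredRealmName == null) {
            throw new IllegalStateException("requiredRealmName is not configured");
        }
        PrincipalCollection principals = aggregate == null ? null : aggregate.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            // same outcome as AtLeastOneSuccessfulStrategy: no realm vouched for this token
            throw new AuthenticationException("Authentication token of type [" + token.getClass()
                    + "] could not be authenticated by any configured realm.");
        }
        // SimpleAuthenticationInfo.merge() keeps principals keyed by the realm that produced them,
        // provided each realm built its info with new SimpleAuthenticationInfo(principal, creds, getName()).
        Set<String> realmNames = principals.getRealmNames();
        if (realmNames == null || !realmNames.contains(requiredRealmName)) {
            // A realm that threw (e.g. database down) contributed nothing, so it fails this check as well.
            throw new AuthenticationException("Required realm [" + requiredRealmName
                    + "] did not authenticate the token; realms that did: " + realmNames);
        }
        return aggregate;
    }
}
```

Wire it in [main] the same way the post wires allSuccessfulStrategy: `requiredRealmStrategy=com.example.shiro.RequiredRealmStrategy`, `requiredRealmStrategy.requiredRealmName=mfaRealm`, `securityManager.authenticator.authenticationStrategy=$requiredRealmStrategy`. The bean name doubles as the realm name because Shiro's INI builder calls setName() on every Nameable bean it creates. One caveat: ModularRealmAuthenticator only consults the strategy when more than one realm is configured; with a single realm it authenticates against that realm directly.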

    Authorization

    1: INI format for roles and permissions. Use hasRole/hasAllRoles to test whether the user has one role or all of a set of roles, and isPermitted/isPermittedAll to test one permission or all of a set of permissions.

    [users]
    zhang=123,role1,role2
    wang=123,role1
    [roles]
    #Permission string wildcards: ":" separates resource/action/instance; "," separates several actions (or instances) inside one part; "*" means any resource/action/instance.
    #A missing trailing part is treated as a wildcard: user:view is equivalent to user:view:*, which can be read as prefix matching.
    #Caveat: the INI parser also splits a role's value on ",", so a permission string that itself contains a comma must be double-quoted, otherwise it is read as several separate permissions.
    role1=user:create,user:update
    role2=user:create,user:delete
    #role3 is equivalent to role4
    role3=system:user:create,system:user:update,system:user:delete,system:user:view
    role4="system:user:create,update,delete,view"
    #role5 is equivalent to role6
    role5=system:user:*
    role6=system:user
    #view permission on instance 1 of resource user; an instance is one specific record
    role7=system:user:view:1
    role8="system:user:update,delete:1"
    role9=system:user:auth:*
    #every action on every instance of resource user
    role10=system:user:*:*
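
The wildcard rules above, exercised against a SecurityManager built by IniSecurityManagerFactory from an INI string. This is an added example, not code from the original post; the INI text is constructed for it (the same users as the post, with role definitions chosen to show one rule each), and PermissionSemanticsDemo, login, expect and implies are names of mine. It also shows the comma pitfall by defining the same `system:user:update,delete:1` value once quoted and once unquoted.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.LifecycleUtils;

public class PermissionSemanticsDemo {

    // Constructed INI text (same users as the post; roles chosen to show one rule each).
    static final String INI =
            "[users]\n"
          + "zhang=123,role1,role2\n"
          + "wang=123,role3\n"
          + "[roles]\n"
          // no instance part: equivalent to system:user:view:*
          + "role1=system:user:view\n"
          // quoted: ONE permission with two actions, limited to instance 1
          + "role2=\"system:user:update,delete:1\"\n"
          // unquoted: the INI parser splits on the comma into TWO permissions,
          // system:user:update and delete:1 (a permission on a resource called "delete")
          + "role3=system:user:update,delete:1\n";

    static Subject login(SecurityManager sm, String user, String password) {
        SecurityUtils.setSecurityManager(sm);
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new AssertionError(what + ": expected " + expected + " but was " + actual);
        }
    }

    // WildcardPermission is what WildcardPermissionResolver turns each string into.
    static boolean implies(String granted, String requested) {
        return new WildcardPermission(granted).implies(new WildcardPermission(requested));
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        try {
            Subject zhang = login(sm, "zhang", "123");
            expect(true,  zhang.isPermitted("system:user:view:42"),  "role1 covers every instance");
            expect(true,  zhang.isPermitted("system:user:delete:1"), "role2 grants delete on instance 1");
            expect(false, zhang.isPermitted("system:user:delete:2"), "role2 stops at instance 1");
            zhang.logout();

            Subject wang = login(sm, "wang", "123");
            expect(true,  wang.isPermitted("system:user:update:7"), "first half of the split value survived");
            expect(false, wang.isPermitted("system:user:delete:1"), "the comma acted as a separator, not as part of the permission");
            wang.logout();

            // The same rules evaluated directly on WildcardPermission objects.
            expect(true,  implies("system:user:*:*", "system:user:auth:1"), "* in every trailing part");
            expect(true,  implies("system:user:view:*", "system:user:view"), "trailing * matches a shorter request");
            expect(false, implies("system:user:view:1", "system:user:view"), "one instance does not cover the whole resource");
            System.out.println("all permission checks behaved as expected");
        } finally {
            LifecycleUtils.destroy(sm); // stops the session validation thread so the JVM can exit
        }
    }
}
```

The wang case is the one to remember when reviewing INI files: an unquoted comma silently turns "update or delete on instance 1" into "update on every instance", plus an unrelated permission on a resource named "delete".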
    

    2: Replacing the classes that evaluate permissions, via the following INI configuration

    [main]
    #authorizer (ModularRealmAuthorizer is Shiro's default; it is declared explicitly here so that its resolvers can be set)
    authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
    #permissionResolver: turns a permission string into a Permission object; the default is WildcardPermissionResolver (commented out), replaced here by the tutorial's resolver
    #permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolver
    permissionResolver=com.github.zhangkaitao.shiro.chapter3.permission.BitAndWildPermissionResolver
    authorizer.permissionResolver=$permissionResolver
    #rolePermissionResolver: resolves a role name to the permissions it carries
    rolePermissionResolver=com.github.zhangkaitao.shiro.chapter3.permission.MyRolePermissionResolver
    authorizer.rolePermissionResolver=$rolePermissionResolver
    
    securityManager.authorizer=$authorizer
    
    #The custom realm must be declared after securityManager.authorizer has been set (setRealms passes the realms to the authorizer, which in turn gives each realm its permissionResolver and rolePermissionResolver)
    realm=com.github.zhangkaitao.shiro.chapter3.realm.MyRealm
    securityManager.realms=$realm
    

    Configuration

    1: No INI file, pure Java code

    import java.util.Arrays;
    
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
    import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
    import org.apache.shiro.authz.ModularRealmAuthorizer;
    import org.apache.shiro.authz.permission.WildcardPermissionResolver;
    import org.apache.shiro.mgt.DefaultSecurityManager;
    import org.apache.shiro.realm.Realm;
    import org.apache.shiro.realm.jdbc.JdbcRealm;
    import org.apache.shiro.subject.Subject;
    import com.alibaba.druid.pool.DruidDataSource;
    
    DefaultSecurityManager securityManager = new DefaultSecurityManager();
    
    //authenticator: which realms must succeed (here: at least one)
    ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
    authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
    securityManager.setAuthenticator(authenticator);
    //authorizer: how permission strings are interpreted (wildcard syntax)
    ModularRealmAuthorizer authorizer = new ModularRealmAuthorizer();
    authorizer.setPermissionResolver(new WildcardPermissionResolver());
    securityManager.setAuthorizer(authorizer);
    //realm backed by JDBC (demo settings only: root with an empty password)
    DruidDataSource ds = new DruidDataSource();
    ds.setDriverClassName("com.mysql.jdbc.Driver");
    ds.setUrl("jdbc:mysql://localhost:3306/shiro");
    ds.setUsername("root");
    ds.setPassword("");
    JdbcRealm jdbcRealm = new JdbcRealm();
    jdbcRealm.setDataSource(ds);
    jdbcRealm.setPermissionsLookupEnabled(true); //also load permissions per role, not only roles per user
    securityManager.setRealms(Arrays.asList((Realm) jdbcRealm)); //set realms last, after authenticator/authorizer
    //register the SecurityManager with SecurityUtils so it is available globally
    SecurityUtils.setSecurityManager(securityManager);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
    subject.login(token); //throws AuthenticationException on failure
    

    2: INI configuration

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.Factory;
    
    //SecurityManager is written fully qualified to avoid the clash with java.lang.SecurityManager
    Factory<org.apache.shiro.mgt.SecurityManager> factory =
            new IniSecurityManagerFactory("classpath:shiro-config.ini");
    org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
    //register the SecurityManager with SecurityUtils so it is available globally
    SecurityUtils.setSecurityManager(securityManager);
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
    subject.login(token);
    
    #shiro-config.ini
    [main]
    #override the default securityManager
    #securityManager=org.apache.shiro.mgt.DefaultSecurityManager
    
    #authenticator
    authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
    authenticationStrategy=org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
    authenticator.authenticationStrategy=$authenticationStrategy
    securityManager.authenticator=$authenticator
    
    #authorizer
    authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
    permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolver
    authorizer.permissionResolver=$permissionResolver
    securityManager.authorizer=$authorizer
    
    #realm
    dataSource=com.alibaba.druid.pool.DruidDataSource
    dataSource.driverClassName=com.mysql.jdbc.Driver
    dataSource.url=jdbc:mysql://localhost:3306/shiro
    dataSource.username=root
    #dataSource.password=
    
    jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
    jdbcRealm.dataSource=$dataSource
    jdbcRealm.permissionsLookupEnabled=true
    securityManager.realms=$jdbcRealm
    
    

    Encryption and decryption: to be completed (password handling)

    Realms in detail: to be done after reading the source code

    Web integration: to be revisited after reading Spring's web source

    Filters (interceptors): Spring's are preferable, they are not complicated and easy to follow

    1: The user filter lets a request through as long as the user has logged in at some point, i.e. isRemembered()==true or isAuthenticated()==true; a remember-me identity is enough
    2: The authc filter requires that the user logged in through Subject.login() in this session, i.e. isAuthenticated()==true; a remember-me identity is not enough, so use it for sensitive operations

    Session management

    1: Session manager: SessionManager
    2: Session listener: SessionListener
    3: Session storage/persistence: SessionDAO, with CachingSessionDAO for a cache-backed DAO
    4: Session validation: SessionValidationScheduler (periodically expires timed-out sessions)
    5: sessionFactory is the factory that creates sessions

    Caching

    1: Cache, CacheManager, CacheManagerAware
    2: Realm caching: CachingRealm implements CacheManagerAware
    3: Suggestion: drop Shiro's own cache and implement your own, or use Spring's cache through SpringCacheManagerWrapper (not a Shiro class; it is the wrapper from the com.github.zhangkaitao tutorial code used throughout these notes)

    Spring integration

    1: Spring integration is essentially the earlier INI configuration rewritten as bean definitions; compare it with the INI: each `x.y=$z` line becomes a property injection on a bean, and the final bean is still securityManager
    2: In Spring, role and permission checks can be done with annotations such as @RequiresRoles("admin"), because Spring provides the AOP that intercepts the call. If the subject lacks the role an UnauthorizedException is thrown (an UnauthenticatedException if nobody is logged in at all), which you can catch with Spring's @ExceptionHandler
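
The annotation check and its exception handling, as an added example that is not code from the original post or from Shiro or Spring themselves. It assumes shiro-spring and spring-webmvc on the classpath and a `securityManager` bean already defined (the bean the INI configuration above was translated into); the package, class names and URL paths are mine. Both halves matter: without the two AOP beans the annotations are silently ignored, and without the handler a missing role surfaces as a 500.

```java
package com.example.web; // hypothetical package

import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/** AOP wiring: the advisor reads @Requires* annotations, the proxy creator applies it to beans. */
@Configuration
class ShiroAopConfig {

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager); // the securityManager bean from the Spring config
        return advisor;
    }

    @Bean
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true); // CGLIB proxies, so controllers without interfaces are covered too
        return creator;
    }
}

@RestController
class AdminController {

    @RequiresRoles("admin")
    @GetMapping("/admin/users")
    public String listUsers() {
        return "user list";
    }

    // permission strings use the same wildcard syntax as the [roles] section
    @RequiresPermissions("system:user:delete")
    @GetMapping("/admin/users/delete")
    public String deleteUser() {
        return "deleted";
    }
}

/** Maps Shiro's authorization exceptions to HTTP status codes instead of a 500 page. */
@ControllerAdvice
class AuthzExceptionHandler {

    /** Nobody is logged in: Shiro throws this before it even looks at the role. */
    @ExceptionHandler(UnauthenticatedException.class)
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    @ResponseBody
    public String notLoggedIn(UnauthenticatedException e) {
        return "login required";
    }

    /** Logged in, but missing the role or permission. */
    @ExceptionHandler(UnauthorizedException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    @ResponseBody
    public String forbidden(UnauthorizedException e) {
        return "access denied"; // do not echo e.getMessage(): it names the missing role or permission
    }
}
```

Both exceptions extend AuthorizationException, so a single handler for the parent type would also work, but distinguishing 401 from 403 tells the client whether to log in or to give up.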

    SSL: to be filled in after more study

    SSO: combine with zheng

    OAuth2: read up on it later

    Allow only one concurrent login per user

    1: Implement a KickoutSessionControlFilter

    Granting and switching identity (Subject.runAs)

    Captcha: build a slide-to-fit style captcha

    Distributed sessions behind nginx, centralised permission management


          Article link: https://www.haomeiwen.com/subject/dqvgdxtx.html