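1. Introduction
If you want to learn about permissions, or are about to integrate Shiro into your own web application as its permission component, or are racking your brains over how to implement a CAPTCHA with Shiro, then this article is for you. It briefly introduces the fundamentals of permissions and, through practical examples, takes you into the world of Shiro.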
2. Permission Basics
a) Authentication (who are you?)
The process of determining who you (the party being authenticated) are. The party being authenticated usually supplies a username and password.

Common kinds of authentication include the following:
Anonymous authentication: access to the resource is allowed without any kind of security check.
Form authentication: before accessing a resource, a form containing the username and password must be submitted. This is the most common authentication method for web applications. The process is usually combined with a Session, so that the authentication form is submitted only on the first access to a resource (a new session).
Basic HTTP authentication: an authentication method based on RFC 2617.
User authentication: Filter that allows access to resources if the accessor is a known user, which is defined as having a known principal. This means that any user who is authenticated or remembered via a 'remember me' feature will be allowed access from this filter.

b) Authorization (what can you do?)
The process of determining whether the authenticated party (you) may perform a given operation.
Port authorization: the resource can only be accessed through a specified port.
Permission authorization: Filter that allows access if the current user has the permissions specified by the mapped value, or denies access if the user does not have all of the permissions specified.
Role authorization: Filter that allows access if the current user has the roles specified by the mapped value, or denies access if the user does not have all of the roles specified.

perms    org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port     org.apache.shiro.web.filter.authz.PortFilter
roles    org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl      org.apache.shiro.web.filter.authz.SslFilter

c) Encryption
The process of using technical means (e.g. MD5, SHA) to turn the data to be encrypted into ciphertext (e.g. a message digest).

d) RBAC
Role-Based Access Control.

e) Realm
Data access object for an application's security components (users, roles, permissions).

f) Permission
The smallest unit of authorization; it is not associated with users.
Examples: export a report, view the purchase order with id "PO20090008", create an FAQ.

g) Role
A set of Permissions.
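3. Shiro Features
Simple
Powerful
Runs standalone, without depending on other frameworks or containers
Includes authentication, authorization, session management and encryption
Easy to extend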
4. Integrating Shiro into a Web Application
Next, follow the steps below to start our Shiro journey:
a) Data model

[Figure: data model]

A user account (Account) can simply be thought of as a user.
An account can have multiple roles (Role).
A role contains multiple permissions (Permission).

b) Create the project, create the entities, and add the Shiro-related JARs
If you are using Eclipse:
File > New > Other > Web > Dynamic Web Project

Add the following JARs to the /WEB-INF/lib/ directory:

[Figure: list of required JAR files]

The related JARs are available at http://incubator.apache.org/shiro/download.html

c) Configure web.xml and add the filter
    <!-- Register the Shiro filter -->
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    </filter>
    <!-- Route every request through the Shiro filter -->
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

d) INI configuration

    [main]
    # SHA-256 hashing of credentials
    sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher

    # realm
    myRealm = com.wearereading.example.shiro.MyShiroRealm
    myRealm.credentialsMatcher = $sha256Matcher

    # cache
    myRealm.authorizationCachingEnabled = true
    cache = org.apache.shiro.cache.ehcache.EhCacheManager
    myRealm.cacheManager = $cache

    [filters]
    shiro.loginUrl = /login.jsp
    #authc=org.apache.shiro.web.filter.authc.FormAuthenticationFilter
    authc.successUrl = /background.jsp
    perms.unauthorizedUrl = /401.jsp

    [urls]
    /login.jsp=authc
    /logout.jsp=anon
    /about.jsp=anon
    /background.jsp=authc

    /faq/test.jsp=authc
    /faq/list.jsp=authc,perms["faq:list"]
    /faq/view.jsp=authc,perms["faq:view"]

Location:
The configuration parameters can be written in web.xml, or stored as a separate file on the local classpath root, in the file system, or on the network.
Shiro INI Inline Config and External Config

    import java.util.Collection;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class MyShiroRealm extends AuthorizingRealm {

        // Authorization: load the roles and permissions of the logged-in account
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(
                PrincipalCollection principals) {
            String username = (String) principals.fromRealm(
                    getName()).iterator().next();

            if (username != null) {
                AccountManager accountManager = new AccountManagerImpl();
                Collection<Role> myRoles = accountManager.getRoles(username);
                if (myRoles != null) {
                    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
                    for (Role each : myRoles) {
                        // A role contributes its name and all of its permissions
                        info.addRole(each.getName());
                        info.addStringPermissions(each.getPermissionsAsString());
                    }

                    return info;
                }
            }

            return null;
        }

        // Authentication: look up the account named in the submitted token
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(
                AuthenticationToken authcToken) throws AuthenticationException {
            UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
            String accountName = token.getUsername();

            // Username/password verification
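
Added example (not code from the original post or from the Shiro project): a self-contained realm showing what doGetAuthenticationInfo has to hand back to a hashed-credentials matcher, and how the `faq:list` / `faq:view` permission checks from the [urls] section resolve afterwards. It uses HashedCredentialsMatcher with a per-user salt and an iteration count, where the Sha256CredentialsMatcher configured above performs a single SHA-256 iteration by default. It assumes Shiro 1.2 or later on the classpath; the class name SaltedRealmDemo, the account alice, its password, the role name and the iteration count are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

public class SaltedRealmDemo extends AuthorizingRealm {
    static final int ITERATIONS = 100_000; // assumed work factor, not from the page
    // Constructed stand-in for the account table: one user with a random salt and hex hash.
    final ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
    final String storedHex = new Sha256Hash("s3cret-demo", salt, ITERATIONS).toHex();

    SaltedRealmDemo() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS); // must equal the count used when the hash was stored
        setCredentialsMatcher(m);        // stored credentials are hex-encoded (the default)
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String name = ((UsernamePasswordToken) token).getUsername();
        if (!"alice".equals(name)) return null; // unknown account: Shiro rejects the login
        // Return the STORED hash and salt; the matcher hashes the submitted password and compares.
        return new SimpleAuthenticationInfo(name, storedHex, salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("faq-reader");           // constructed role
        info.addStringPermission("faq:list"); // faq:view is deliberately not granted
        return info;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new SaltedRealmDemo()));
        Subject s = SecurityUtils.getSubject();
        try {
            s.login(new UsernamePasswordToken("alice", "wrong-password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
        s.login(new UsernamePasswordToken("alice", "s3cret-demo"));
        System.out.println("faq:list=" + s.isPermitted("faq:list") + " faq:view=" + s.isPermitted("faq:view"));
    }
}
```

The equivalent INI wiring is a `HashedCredentialsMatcher` bean in [main] with `hashAlgorithmName = SHA-256` and `hashIterations` set, assigned to `myRealm.credentialsMatcher`.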