• Shiro Framework Basics


    I. Introduction to the Shiro framework

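    Apache Shiro is a security framework for Java. Its internal architecture is as follows:

    The most important classes are introduced below:

    Subject: the entity that application code interacts with directly. It represents the current user, and that user is not necessarily a person. (For now, think of it as the user.)

    SecurityManager: manages all Subjects. It is the core of the whole Shiro framework, and it also interacts with the other components.

    Authenticator: responsible for authenticating the subject. (For now, think of it as deciding whether a login succeeds.)

    Authorizer: decides whether the subject has permission to perform a given operation. (For now, think of it as which permissions you hold after a successful login.)

    Realm: the security data source. Shiro obtains security data (such as users, roles and permissions) from a Realm in order to perform its checks. It usually has to be custom-written.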

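    II. Implementing authentication and authorization with Shiro

    The following demo uses a custom realm to explain authentication and authorization in Shiro.

    1. Add the jar dependencies to the Maven project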

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <groupId>com.imooc</groupId>
        <artifactId>shiro</artifactId>
        <version>1.0-SNAPSHOT</version>
    
        <dependencies>
    
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-core</artifactId>
                <version>1.4.0</version>
            </dependency>
    
            <dependency>
                <groupId>junit</groupId>
                <artifactId>junit</artifactId>
                <version>RELEASE</version>
            </dependency>
    
        </dependencies>
    
    </project>

    2. Custom Realm

    package realm;
    
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.crypto.hash.Md5Hash;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.apache.shiro.util.ByteSource;
    
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Set;
    
    public class CustomRealm extends AuthorizingRealm {
    
        HashMap<String,String> hashMap=new HashMap<String, String>();
        Set<String> set=new HashSet<String>();
    
        // Stores the account name and its password hashed with MD5 and a salt
        {
            hashMap.put("asdfgh","003dc55c5d91addfead4a4fa347c4f2d");
            // This can be ignored for now
            super.setName("abc");
        }
    
    
        // Fetch the required roles and permissions, then build and return a SimpleAuthorizationInfo object for the authorization check
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            String name= (String) principalCollection.getPrimaryPrincipal();
            Set<String> roles=getRoleByName(name);
            SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo();
            simpleAuthorizationInfo.setRoles(roles);
            return simpleAuthorizationInfo;
        }
    
    
        // Looks up the roles for an account (this demo returns "admin" for every name)
        private Set<String> getRoleByName(String name) {
            Set<String> set=new HashSet<String>();
            set.add("admin");
            return set;
        }
    
    
    
        // Fetch the stored password, then build and return a SimpleAuthenticationInfo object, which is compared against the UsernamePasswordToken during authentication
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            String name= (String) authenticationToken.getPrincipal();
            String password=getPasswordByname(name);
            if(password==null){
                return null;
            }
            SimpleAuthenticationInfo simpleAuthenticationInfo=new SimpleAuthenticationInfo(name,password,"abc");
            simpleAuthenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("asdfgh"));
            return simpleAuthenticationInfo;
        }
    
        private String getPasswordByname(String name) {
            String password=hashMap.get(name);
            return password;
        }
    
        
        // The hash 003dc55c5d91addfead4a4fa347c4f2d was produced here
        public static void main(String[] args){
            Md5Hash md5Hash=new Md5Hash("123456","asdfgh");
            System.out.println(md5Hash.toString());
        }
    }

    3. Test class

    package shirotest;
    
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
    import org.apache.shiro.mgt.DefaultSecurityManager;
    import org.apache.shiro.realm.text.IniRealm;
    import org.apache.shiro.subject.Subject;
    import org.junit.Test;
    import realm.CustomRealm;
    
    public class CustomRealmTest {
    
        @Test
        public void Test(){
    
            CustomRealm customRealm=new CustomRealm();
            // Build the SecurityManager environment
            DefaultSecurityManager defaultSecurityManager=new DefaultSecurityManager();
            // Set the custom Realm
            defaultSecurityManager.setRealm(customRealm);
    
            // Password hashing settings (must match how the stored hash was produced)
            HashedCredentialsMatcher hashedCredentialsMatcher=new HashedCredentialsMatcher();
            hashedCredentialsMatcher.setHashAlgorithmName("md5");
            hashedCredentialsMatcher.setHashIterations(1);
            customRealm.setCredentialsMatcher(hashedCredentialsMatcher);
    
            // The subject submits the authentication request
            SecurityUtils.setSecurityManager(defaultSecurityManager);
            Subject subject= SecurityUtils.getSubject();
    
            UsernamePasswordToken token=new UsernamePasswordToken("asdfgh","123456");
            subject.login(token);
            System.out.println("认证是否成功:"+subject.isAuthenticated());
    
            subject.checkRoles("admin");
        }
    }
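
    The demo realm salts with the account name and runs a single MD5 iteration. The following added example (not part of the original post or the linked demo) shows the same matcher mechanism with a random per-account salt and iterated SHA-256, and what the security manager reports for a wrong password and an unknown account. The class SaltedRealm, its register method and the ITERATIONS value are assumptions made for illustration.

    ```java
    import org.apache.shiro.authc.*;
    import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
    import org.apache.shiro.codec.Hex;
    import org.apache.shiro.crypto.SecureRandomNumberGenerator;
    import org.apache.shiro.crypto.hash.*;
    import org.apache.shiro.mgt.DefaultSecurityManager;
    import org.apache.shiro.realm.AuthenticatingRealm;
    import org.apache.shiro.util.ByteSource;
    import java.util.*;

    // Hypothetical realm (not from the demo): per-account random salt, iterated SHA-256.
    public class SaltedRealm extends AuthenticatingRealm {
        static final int ITERATIONS = 100000;  // assumed work factor; tune for your hardware
        private final Map<String, String[]> users = new HashMap<String, String[]>(); // name -> {saltHex, hashHex}
        public SaltedRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);  // must equal the count used in register()
            setCredentialsMatcher(matcher);
        }

        // Enrolment: draw a fresh random salt per account and store it next to the hash.
        public void register(String name, String password) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String hash = new SimpleHash(Sha256Hash.ALGORITHM_NAME, password, salt, ITERATIONS).toHex();
            users.put(name, new String[]{salt.toHex(), hash});
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String[] record = users.get((String) token.getPrincipal());
            if (record == null) return null;  // the authenticator reports this as UnknownAccountException
            ByteSource salt = ByteSource.Util.bytes(Hex.decode(record[0]));
            return new SimpleAuthenticationInfo(token.getPrincipal(), record[1], salt, getName());
        }

        public static void main(String[] args) {
            SaltedRealm realm = new SaltedRealm();
            realm.register("asdfgh", "123456");  // constructed sample account
            DefaultSecurityManager manager = new DefaultSecurityManager(realm);
            String[][] attempts = {{"asdfgh", "123456"}, {"asdfgh", "wrong"}, {"nobody", "123456"}};
            for (String[] a : attempts) {
                try {
                    manager.authenticate(new UsernamePasswordToken(a[0], a[1]));
                    System.out.println(a[0] + "/" + a[1] + ": authenticated");
                } catch (AuthenticationException e) {
                    System.out.println(a[0] + "/" + a[1] + ": rejected, " + e.getClass().getSimpleName());
                }
            }
        }
    }
    ```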

    That concludes this brief introduction to the Shiro framework. The demo is available at: https://github.com/professorxin/Java_Demo/tree/master/shiro

  • Original article: https://www.cnblogs.com/lzxin/p/9926401.html