Authenticator: the authenticator, manages login and logout
Authorizer: the authorizer, decides which permissions a subject has
Session Manager: manages sessions
Session DAO: create/read/update/delete of sessions
Cache Manager: manages caching
Realms: the bridge between Shiro and the data source; authentication info, permission data and role data are all obtained through realms
1. Shiro authentication
Create SecurityManager -> subject submits an authentication request -> SecurityManager authenticates -> Authenticator authenticates -> Realms verify the credentials
Classes involved:
SimpleAccountRealm
DefaultSecurityManager
SecurityUtils
UsernamePasswordToken
Wrong username: UnknownAccountException (account not found)
Wrong password: IncorrectCredentialsException (credentials do not match)
subject.login(token);
subject.isAuthenticated();
2. Shiro authorization
Create SecurityManager -> subject requests authorization -> SecurityManager authorizes -> Authorizer authorizes -> Realm fetches the role and permission data
subject.checkRoles("admin", "user1");
3. Realm
Built-in realms: IniRealm, JdbcRealm
IniRealm iniRealm = new IniRealm("classpath:user.ini");
subject.checkPermission("user:delete");
Contents of user.ini (section names are lowercase: [users] and [roles]):
[users]
Mark=123456,admin
[roles]
admin=user:delete,user:update
DruidDataSource druidDataSource = new DruidDataSource();
druidDataSource.setUrl("jdbc:mysql://localhost:3306/test");
druidDataSource.setUsername("root");
druidDataSource.setPassword("root");
JdbcRealm jdbcRealm = new JdbcRealm();
jdbcRealm.setDataSource(druidDataSource); // pass the data source created above
jdbcRealm.setPermissionsLookupEnabled(true); // off by default; needed for checkPermission to query roles_permissions
Default queries used by JdbcRealm (so the default table and column names must match):
select password from users where username = ?
select password, password_salt from users where username = ?
select role_name from user_roles where username = ?
select permission from roles_permissions where role_name = ?
users table: id, username, password
user_roles table: id, username, role_name (e.g. Mark -> admin)
roles_permissions table: id, role_name, permission
Overriding the JdbcRealm queries for your own table names:
String sql = "select password from test_user where user_name = ?";
jdbcRealm.setAuthenticationQuery(sql);
String roleSql = "select role_name from test_user_role where user_name = ?";
jdbcRealm.setUserRolesQuery(roleSql);
Custom authorization: add a CustomRealm class that extends the abstract AuthorizingRealm class and implements its abstract methods (here collections stand in for data fetched from the database/cache)
SimpleAuthorizationInfo: authorization info (roles and permissions)
SimpleAuthenticationInfo: authentication info (principal and stored credentials)
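Added example, not code from the original notes: a CustomRealm that extends AuthorizingRealm, with in-memory maps standing in for the users, user_roles and roles_permissions tables, and a main that runs the login, role and permission checks from the sections above. The map contents are constructed sample data matching user.ini.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;

public class CustomRealm extends AuthorizingRealm {
    // Constructed in-memory stand-ins for the users / user_roles / roles_permissions tables
    private static final Map<String, String> USERS = new HashMap<>();
    private static final Map<String, Set<String>> USER_ROLES = new HashMap<>();
    private static final Map<String, Set<String>> ROLE_PERMS = new HashMap<>();
    static {
        USERS.put("Mark", "123456");
        USER_ROLES.put("Mark", new HashSet<>(Arrays.asList("admin")));
        ROLE_PERMS.put("admin", new HashSet<>(Arrays.asList("user:delete", "user:update")));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String storedPassword = USERS.get(username);
        if (storedPassword == null) {
            return null; // Shiro turns a null result into UnknownAccountException
        }
        // The realm's CredentialsMatcher compares the submitted password; a mismatch becomes IncorrectCredentialsException
        return new SimpleAuthenticationInfo(username, storedPassword, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Set<String> roles = USER_ROLES.getOrDefault(username, Collections.emptySet());
        info.setRoles(roles); // roles come from user_roles
        for (String role : roles) { // permissions come from roles_permissions, one lookup per role
            info.addStringPermissions(ROLE_PERMS.getOrDefault(role, Collections.emptySet()));
        }
        return info;
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(new CustomRealm());
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("Mark", "123456")); // wrong password -> IncorrectCredentialsException
        subject.checkRole("admin");
        subject.checkPermission("user:delete"); // "user:create" would throw UnauthorizedException
    }
}
```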