

# Shiro

## Core concepts: Subject, SecurityManager, and Realms

### Subject

#### Subject is a security term that basically means "the currently executing user"

##### Acquiring the Subject

```java
import org.apache.shiro.subject.Subject;
import org.apache.shiro.SecurityUtils;
// ……
Subject currentUser = SecurityUtils.getSubject();
```

##### Once you have the Subject, about 90% of what Shiro offers can be done through it, for example:

- login
- logout
- access their session
- execute authorization checks
### SecurityManager

The SecurityManager manages security operations for all users.

How do we set up a SecurityManager?

In a web application we usually declare a Shiro Servlet Filter in web.xml, and that filter creates the SecurityManager instance. The SecurityManager is normally a singleton; its default implementation is a plain POJO, and it can be configured in any of the following ways:

- normal Java code
- Spring XML
- YAML
- .properties
- .ini files

###### INI files are the most common choice, because INI is easy to read, simple to use, and requires very few dependencies. For example:

#### 1. Configuring Shiro with an INI file

```ini
[main]
cm = org.apache.shiro.authc.credential.HashedCredentialsMatcher
cm.hashAlgorithm = SHA-512
cm.hashIterations = 1024
# Base64 encoding (less text):
cm.storedCredentialsHexEncoded = false
iniRealm.credentialsMatcher = $cm

[users]
jdoe = TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJpcyByZWFzb2
asmith = IHNpbmd1bGFyIHBhc3Npb24gZnJvbS文件ciBhbXNoZWG5vdCB
```

##### Reading the INI file

###### 1). The main section configures the SecurityManager object. Two objects are set up here, cm and iniRealm; the cm object is given a few parameters and is then assigned to the iniRealm object.

###### 2). The users section declares static user accounts.

#### 2. Loading the INI configuration from a Java class

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.Factory;

//1. Load the INI configuration (typed Factory, so getInstance() returns a SecurityManager)
Factory<SecurityManager> factory =
    new IniSecurityManagerFactory("classpath:shiro.ini");

//2. Create the SecurityManager
SecurityManager securityManager = factory.getInstance();

//3. Make it accessible
SecurityUtils.setSecurityManager(securityManager);
```

##### Walkthrough of the code

###### 1) Load the INI configuration file

###### 2) Create the SecurityManager instance

###### 3) Make the SecurityManager instance accessible to the application
    
### Realms

A Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data.

It mediates between user account data (security-related data) on one side and login (authentication) and access control (authorization) on the other.

Shiro provides several security data sources out of the box:

- LDAP
- relational databases: JDBC
- text configuration sources: INI, properties files
- and more

## Authentication

1. Obtain the user's login name (principals) and password (credentials).
2. Submit the information obtained in the previous step to the system.
3. If it matches what the system expects, the user is authenticated; otherwise the user is not.

User login

```java
//1. Acquire submitted principals and credentials:
AuthenticationToken token =
    new UsernamePasswordToken(username, password);
//2. Get the current Subject:
Subject currentUser = SecurityUtils.getSubject();
//3. Login:
currentUser.login(token);
```

Handling failure

```java
//3. Login:
try {
    currentUser.login(token);
} catch (IncorrectCredentialsException ice) {
    // …
} catch (LockedAccountException lae) {
    // …
} // … other specific AuthenticationException subclasses
catch (AuthenticationException ae) {
    // …
}
```

## Authorization

Authorization is essentially access control - controlling what your users can access in your application
Authorization controls which resources and web pages of the application a user may access.
The Subject API lets us perform role and permission checks very simply (see the Subject API and Permission documentation). For example:

```java
if ( subject.hasRole("administrator") ) {
    //show the 'Create User' button
} else {
    //grey-out the button?
}
……
if ( subject.isPermitted("user:create") ) {
    //show the 'Create User' button
} else {
    //grey-out the button?
}
……
if ( subject.isPermitted("user:delete:jsmith") ) {
    //delete the 'jsmith' user
} else {
    //don't delete 'jsmith'
}
```

## Session Management

Shiro enables a Session programming paradigm for any application - from small daemon standalone applications to the largest clustered web applications.
Shiro’s architecture allows for pluggable Session data stores, and it is container independent.

Example

```java
Session session = subject.getSession();            // create the session if none exists
Session session = subject.getSession(boolean create); // or only return an existing one
session.setAttribute("key", someValue);             // store data in the session
Date start = session.getStartTimestamp();
Date timestamp = session.getLastAccessTime();
session.setTimeout(millis);
```
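The login flow with failure handling, the role/permission checks and the session access from the three sections above, combined into one runnable program. This is an added example, not code from the original post or from the Shiro project; it assumes Shiro 1.x on the classpath and builds the INI text inline (the users, passwords and roles are invented for the demo) instead of reading a classpath:shiro.ini file, using the same HashedCredentialsMatcher settings as the INI shown earlier.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

public class ShiroQuickstartDemo {
    // Constructed INI (demo accounts, not from the post): stored credentials are SHA-512,
    // 1024 iterations, Base64, so they line up with the [main] matcher settings.
    private static String buildIni() {
        String jdoe = new Sha512Hash("secret", null, 1024).toBase64();
        String asmith = new Sha512Hash("password", null, 1024).toBase64();
        return "[main]\ncm = org.apache.shiro.authc.credential.HashedCredentialsMatcher\n"
             + "cm.hashAlgorithm = SHA-512\ncm.hashIterations = 1024\n"
             + "cm.storedCredentialsHexEncoded = false\niniRealm.credentialsMatcher = $cm\n"
             + "[users]\njdoe = " + jdoe + ", admin\nasmith = " + asmith + ", staff\n"
             + "[roles]\nadmin = *\nstaff = user:create, user:delete:jsmith\n";
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(buildIni());                       // parse the INI text instead of a file
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
        SecurityUtils.setSecurityManager(factory.getInstance());

        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(new UsernamePasswordToken("asmith", "password"));
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // One generic message for both cases, so callers cannot probe which usernames exist.
            System.out.println("Login failed: invalid username or password");
            return;
        } catch (LockedAccountException e) {
            System.out.println("Login failed: account is locked");
            return;
        } catch (AuthenticationException e) {       // any other authentication failure
            System.out.println("Login failed: " + e.getMessage());
            return;
        }
        System.out.println("Logged in as " + currentUser.getPrincipal());
        currentUser.getSession().setAttribute("lastAction", "login");
        System.out.println("admin role?      " + currentUser.hasRole("admin"));
        System.out.println("user:create?     " + currentUser.isPermitted("user:create"));
        System.out.println("user:delete:bob? " + currentUser.isPermitted("user:delete:bob"));
        currentUser.logout();                       // invalidates the session as well
    }
}
```

With asmith logged in, the three checks print false, true and false: the staff role grants user:create and user:delete:jsmith only, so deleting any other user is refused.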

## Cryptography

### Web Support

Shiro ships with a robust web support module to help secure web applications. Refer to the Shiro Web documentation.

#### ShiroFilter in web.xml

#### URL-Specific Filter Chains

Shiro supports security-specific filter rules through its innovative URL filter chaining capability.
Shiro supports an inventive form of per-URL security filtering, for example:

```ini
[urls]
/assets/** = anon
/user/signup = anon
/user/** = user
/rpc/rest/** = perms[rpc:invoke], authc
/** = authc
```

The left side is a URL path relative to the web application; the right side is the filter chain applied to it.

#### JSP Tag Library

#### Web Session Management

1. Default Http Sessions
Shiro defaults its session infrastructure to use the existing Servlet Container sessions that we’re all used to.
2. Shiro’s Native Sessions in the Web Tier

Last updated: 2017-08-13 22:28:24
