安全验证框架shiro(三)
主要还是对shiro在web项目使用的一下简要说明与实例。
首先看该项目配置相关的信息,使用的idea,创建maven项目,并在pom.xml中加入如下依赖:
<!-- slf4j作为日志框架配合logback,jcl-over-slf4j相当于把jcl(common-logging)转接由slf4j实现 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.21</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.21</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.1.7</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
<version>1.4</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.41</version>
</dependency>
<!-- Shiro dependencies: -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
<!-- servlet -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
</dependency>
<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>同时web.xml配置如下:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<display-name>shiro-simple-web</display-name>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>/WEB-INF/shiro.ini</param-value>
</context-param>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
<!--<init-param>-->
<!--<param-name>configPath</param-name>-->
<!--<param-value>/WEB-INF/shiro.ini</param-value>-->
<!--</init-param>-->
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
</web-app>由于没有借助spring等工具,shiro相关的配置通过shrio.ini完成:
[main]
#form提交的地址必须是authc.loginUrl相同
authc.loginUrl = /login.jsp
authc.successUrl= /pages/index.html
roles.unauthorizedUrl = nonrole.jsp
perms.unauthorizedUrl = nunperm.jsp
#securityManager=org.apache.shiro.mgt.DefaultWebSecurityManager
dataSource=org.apache.commons.dbcp.BasicDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://127.0.0.1:3306/shiro
dataSource.username=root
dataSource.password=123456
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource=$dataSource
myRealm=com.sucl.shiro.realm.MyRealm
securityManager.realms=$jdbcRealm
#多realm
#覆盖默认的securityManager
#securityManager=org.apache.shiro.mgt.DefaultSecurityManager
#authenticator
#authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
#authenticationStrategy=org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
#authenticator.authenticationStrategy=$authenticationStrategy
#securityManager.authenticator=$authenticator
#authorizer
#authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
#permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolver
#authorizer.permissionResolver=$permissionResolver
#securityManager.authorizer=$authorizer
[urls]
/login.jsp = authc
/index.jsp = authc
/logout = logout
/static/** = anon
/pages/** = authc
/** = authc之前是通过定义login页面,提交请求到指定路径,然后通过Subject.login(token)完成。今天直接通过authc完成自动登录。
对于shiro作为轻量级的安全框架主要是其内部将负责的认证、鉴权都已完成,我们需要做的仅定义认证鉴权相关的逻辑关系。站在开发者的角度,shiro的整个处理过程包含以下几点:
- 创建token,一般通过form表单提交配置authc,即FormAuthenticationFilter,创建UsernamePasswordToken
- 由Subject.login(Token)进行登录认证,其实是有SecurityManager完成
- 最终调用Realm对应的doGetAuthenticationInfo方法,构建SimpleAuthenticationInfo对象,此对象有两个参数principal、credentials,第一个对象在鉴权时用到,认证时shiro只会验证credentials
- 调用Realm对应的doGetAuthorizationInfo方法,通过上一步的principal的后去对应的角色、权限信息,并封装到SimpleAuthorizationInfo即可
对与我们,若果需要扩展,比如多表登录,同表多字段登录,就可以对其中的的几个关键对象进行扩展,token、principal、SimpleAuthenticationInfo、SimpleAuthorizationInfo,具体做法下次和springmvc整合提供。
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
