Glossary
Subject: the authentication subject (the current user)
Realm: the source of authentication data [jdbc, property, text, jndi]
Authorization
Who may access which resource
Permission: a page (a resource)
Role: a set of permissions
User: the Subject
Granting
Assign permissions to roles
For example: admin = user : *
INI file configuration
[main]
authc.loginUrl = /login
roles.unauthorizedUrl = /unauthorized
perms.unauthorizedUrl = /unauthorized.jsp
[users]
jack = 123,admin
[roles]
admin = user : *
[urls]
/login = anon
/admin = authc
/student = roles[teacher]
/teacher = perms["user:create"]
URL matching rules
/admin matches /admin
/admin? matches /admin1
/admin* matches /admin123
/admin/** matches /admin/1/2/3
JSP tag authorization
Dependency
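Added example (not from these notes): a small Java program that runs the four patterns above, plus a few constructed edge-case paths, through org.apache.shiro.util.AntPathMatcher, the matcher Shiro uses for the [urls] section and for Spring filter chain definitions. The class name UrlPatternDemo and the list of sample paths are my own.

```java
import org.apache.shiro.util.AntPathMatcher;

// Added example: prints which request paths each [urls] pattern matches,
// using Shiro's own AntPathMatcher rather than a hand-written matcher.
public class UrlPatternDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // The four patterns from the notes
    private static final String[] PATTERNS = {"/admin", "/admin?", "/admin*", "/admin/**"};

    // Constructed request paths: the documented matches plus edge cases.
    // Rules: '?' = exactly one character, '*' = any run of characters that
    // stays inside one path segment, '**' = any number of segments (including none)
    private static final String[] PATHS = {
        "/admin", "/admin/", "/admin1", "/admin12", "/admin123", "/admin/1", "/admin/1/2/3"
    };

    // Same call the filter chain resolver makes for each declared pattern
    public static boolean matches(String pattern, String path) {
        return MATCHER.matches(pattern, path);
    }

    public static void main(String[] args) {
        System.out.printf("%-12s", "pattern");
        for (String p : PATHS) {
            System.out.printf("%-14s", p);
        }
        System.out.println();
        for (String pattern : PATTERNS) {
            System.out.printf("%-12s", pattern);
            for (String path : PATHS) {
                System.out.printf("%-14s", matches(pattern, path) ? "match" : "-");
            }
            System.out.println();
        }
    }
}
```

Two things to keep in mind when writing a chain: at the matcher level `/admin` and `/admin/` are different paths, and `/admin*` never crosses a `/`, so a subtree is protected with `/admin/**` (which also covers `/admin` itself). The chain resolver takes the first declared definition that matches, in declaration order, so specific patterns go before a final catch-all such as `/** = authc`.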
shiro-web.jar
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
For example:
<shiro:guest> Hi there! Please
<a href="login.jsp">Login</a> or
<a href="signup.jsp">Signup</a> today!
</shiro:guest>
Shiro session mechanism
Subject currentUser = SecurityUtils.getSubject();
Session session = currentUser.getSession();
session.setAttribute( "someKey", someValue);
getSession calls work in any application, even non-web applications.
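Added example (not from these notes) that ties the INI [users]/[roles] sections, the authentication and authorization checks, and the session API above together in one runnable program outside a servlet container. It builds the Ini object in code (only [users] and [roles]; the web-only filter settings and [urls] are omitted because there is no web filter here) and uses the classic IniSecurityManagerFactory from the Shiro quickstart. The class name IniQuickstart is my own; the permission string is written as `user:*` without spaces.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Added example: INI-backed SecurityManager, login, role/permission checks, session use.
public class IniQuickstart {

    // Constructed INI equivalent of the [users] and [roles] sections in the notes
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "jack", "123,admin");
        ini.setSectionProperty("roles", "admin", "user:*");
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        // Authentication: who is this? A failed login throws; report it generically
        // so the caller cannot tell an unknown user from a wrong password
        try {
            currentUser.login(new UsernamePasswordToken("jack", "123"));
        } catch (AuthenticationException e) {
            System.out.println("login failed");
            return;
        }
        System.out.println("principal: " + currentUser.getPrincipal());

        // Authorization: a role is a set of permissions; admin = user:* covers every user:<action>
        System.out.println("hasRole(admin): " + currentUser.hasRole("admin"));
        System.out.println("isPermitted(user:create): " + currentUser.isPermitted("user:create"));
        System.out.println("isPermitted(order:read): " + currentUser.isPermitted("order:read"));
        // checkPermission throws AuthorizationException instead of returning false;
        // use it at a boundary where denial must stop execution
        currentUser.checkPermission("user:delete");

        // Session: the same API works with or without a web container
        Session session = currentUser.getSession();
        session.setAttribute("someKey", "someValue");
        session.setTimeout(15 * 60 * 1000L); // idle timeout in milliseconds
        System.out.println("session " + session.getId() + " someKey=" + session.getAttribute("someKey"));

        // logout also stops the session, so its attributes are not reused by the next login
        currentUser.logout();
        System.out.println("authenticated after logout: " + currentUser.isAuthenticated());
    }
}
```

The `[users]` line stores the password in cleartext, which is acceptable for a throwaway quickstart but not for a deployed realm; the custom Realm example further down shows the hashed alternative.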
Custom Realm
Most people choose to subclass the AuthorizingRealm abstract class instead of starting from scratch. This class implements common authentication and authorization workflow to save you time and effort.
Encryption and decryption
For example:
new Md5Hash(data)
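Added example (not from these notes) covering the two preceding sections together: a custom Realm that subclasses AuthorizingRealm, as the note recommends, and stores only hashed credentials. The notes show Md5Hash; this example uses Sha256Hash with a random per-user salt and an iteration count, which is what HashedCredentialsMatcher is designed to verify, because an unsalted, single-round MD5 of a password is recovered quickly from precomputed tables. The class names HashedRealmDemo, HashedRealm and Account, the in-memory USERS map and the sample account are all my own constructions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Added example: AuthorizingRealm subclass backed by salted, iterated SHA-256 hashes.
public class HashedRealmDemo {

    static final int ITERATIONS = 100_000;

    // Stand-in for a users table (constructed): what a real realm would read from JDBC
    static final class Account {
        final String hashHex;
        final String saltHex;
        final String role;
        Account(String hashHex, String saltHex, String role) {
            this.hashHex = hashHex;
            this.saltHex = saltHex;
            this.role = role;
        }
    }
    static final Map<String, Account> USERS = new HashMap<>();

    // Registration stores a fresh random salt and the iterated hash, never the password
    static void register(String username, String password, String role) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        String hashHex = new Sha256Hash(password, salt, ITERATIONS).toHex();
        USERS.put(username, new Account(hashHex, salt.toHex(), role));
    }

    // Hypothetical realm name; the structure is the usual AuthorizingRealm subclass
    public static class HashedRealm extends AuthorizingRealm {
        public HashedRealm() {
            // The matcher re-hashes the submitted password with the stored salt and
            // iteration count and compares it with the stored hex digest
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override // authentication: return the stored hash and salt for this principal
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            Account acct = USERS.get(username);
            if (acct == null) {
                throw new UnknownAccountException("no account for " + username);
            }
            return new SimpleAuthenticationInfo(username, acct.hashHex,
                    ByteSource.Util.bytes(Hex.decode(acct.saltHex)), getName());
        }

        @Override // authorization: a role is a set of permissions; admin = user:*
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Account acct = USERS.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(Collections.singleton(acct.role));
            if ("admin".equals(acct.role)) {
                info.addStringPermission("user:*");
            }
            return info;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm()));
        register("jack", "123", "admin");
        System.out.println("stored for jack: " + USERS.get("jack").hashHex);

        Subject jack = SecurityUtils.getSubject();
        jack.login(new UsernamePasswordToken("jack", "123"));
        System.out.println("user:create permitted: " + jack.isPermitted("user:create"));
        jack.logout();

        try {
            jack.login(new UsernamePasswordToken("jack", "wrong"));
        } catch (AuthenticationException e) {
            // Unknown account and wrong password both surface as AuthenticationException;
            // show the same generic message to the user for either case
            System.out.println("login rejected");
        }
    }
}
```

The salt is stored next to the hash, which is fine: its job is to make each user's hash unique so one precomputed table cannot attack the whole table at once; the iteration count is what slows each guess down.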
Features
Integration with Spring
<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>...
<!-- Make sure any request you want accessible to Shiro is filtered. /* catches all -->
<!-- requests. Usually this filter mapping is defined first (before all others) to -->
<!-- ensure that Shiro works in subsequent filters in the filter chain: -->
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login.jsp"/>
<property name="successUrl" value="/home.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
# some example chain definitions:
/admin/** = authc, roles[admin]
/docs/** = authc, perms[document:read]
/** = authc
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
<bean id="someFilter" class="..."/>
<bean id="anotherFilter" class="..."> ...
</bean>...
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<bean id="myRealm" class="..."> ...
</bean>
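Added example (not from these notes or the Shiro project): the same applicationContext.xml beans above written as a Spring Java configuration, for projects that no longer use XML. The @Bean method name shiroFilter must stay exactly that, because the DelegatingFilterProxy in web.xml looks the bean up by the filter-name. The realm class is elided ("...") in the notes, so this example stands in an IniRealm built from a constructed Ini; the class name ShiroConfig is my own.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.config.Ini;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example: Java-config equivalent of the XML bean definitions above.
@Configuration
public class ShiroConfig {

    // Stand-in for the elided realm class: an IniRealm over a constructed Ini
    @Bean
    public Realm myRealm() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "jack", "123,admin");
        ini.setSectionProperty("roles", "admin", "user:*");
        return new IniRealm(ini);
    }

    // <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    @Bean
    public DefaultWebSecurityManager securityManager(Realm myRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(myRealm);
        return securityManager;
    }

    // <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    // The bean name "shiroFilter" is what web.xml's DelegatingFilterProxy resolves
    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login.jsp");
        factory.setSuccessUrl("/home.jsp");
        factory.setUnauthorizedUrl("/unauthorized.jsp");

        // LinkedHashMap keeps declaration order, which is the match order:
        // the first matching pattern wins, so the catch-all /** goes last
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/admin/**", "authc, roles[admin]");
        chains.put("/docs/**", "authc, perms[document:read]");
        chains.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }

    // <bean id="lifecycleBeanPostProcessor" .../>; static so it is created before other beans
    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}
```

Using a plain HashMap for the chain definitions would lose the ordering guarantee and could let `/**` shadow the more specific entries, so a LinkedHashMap (or the String form used in the XML) is the safe choice.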