Shiro-00-shiro 概览

RBAC

RBCA

RBCA zh_CN

Shiro

Apache Shiro 是一个强大且易于使用的 Java 安全框架，负责执行身份验证、授权、加密和会话管理。
通过 Shiro 的易于理解的 API，您可以快速而轻松地保护任何应用程序，从最小的移动应用到最大的 Web 和企业应用。
Shiro 提供了应用程序安全 API，用于执行以下方面：

• 身份验证 - 验证用户身份，通常称为用户“登录”
  
• 授权 - 访问控制
  
• 加密 - 保护或隐藏数据免受窥探
  
• 会话管理 - 每个用户的时限敏感状态
  

    Subject->SecurityManager:    SecurityManager->Realms:

shiro

shiro zh_CN

Hello world

• pom.xml
  

1. <dependencies>
2.     <dependency>
3.         <groupId>junit</groupId>
4.         <artifactId>junit</artifactId>
5.         <version>4.9</version>
6.     </dependency>
7.     <dependency>
8.         <groupId>commons-logging</groupId>
9.         <artifactId>commons-logging</artifactId>
10.         <version>1.1.3</version>
11.     </dependency>
12.     <dependency>
13.         <groupId>org.apache.shiro</groupId>
14.         <artifactId>shiro-core</artifactId>
15.         <version>1.2.2</version>
16.     </dependency>
17. </dependencies>

复制代码

• shiro.ini
  

create this file under the classpath.

1. [users]
2. ryo=123
3. wang=123

复制代码

• ShiroTest.java
  

1. @Test
2. public void testHelloworld() {
3.     Factory<SecurityManager> factory =
4.             new IniSecurityManagerFactory("classpath:shiro.ini");
6.     org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
7.     SecurityUtils.setSecurityManager(securityManager);
8.     Subject subject = SecurityUtils.getSubject();
9.     UsernamePasswordToken token = new UsernamePasswordToken("ryo", "123");
11.     try {
12.         subject.login(token);
13.     } catch (AuthenticationException e) {
14.         //login falied
15.     }
17.    assertEquals(true, subject.isAuthenticated());   //assert user has logined.
19.    //logout
20.    subject.logout();
21. }

复制代码

Realms

Realms（领域）充当 Shiro 与您的应用程序安全数据之间的“桥梁”或“连接器”。
当需要实际与安全相关的数据进行交互，例如从用户帐户执行身份验证（登录）和授权（访问控制）时，Shiro 会查找配置为应用程序的一个或多个领域中的许多信息。

• Realm.java
  

1. public interface Realm {
2.     String getName();   //返回一个唯一的Realm名字
4.     boolean supports(AuthenticationToken var1); //判断此Realm是否支持此Token
6.     AuthenticationInfo getAuthenticationInfo(AuthenticationToken var1) throws AuthenticationException;  //根据Token获取认证信息
7. }

复制代码

• MyRealm.java
  

1. public class MyRealm implements Realm {
2.     @Override
3.     public String getName() {
4.         return "firstRealm";
5.     }
7.     @Override
8.     public boolean supports(AuthenticationToken authenticationToken) {
9.         //仅支持UsernamePasswordToken类型的Token
10.         return authenticationToken instanceof UsernamePasswordToken;
11.     }
13.     @Override
14.     public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
15.         String username = (String) authenticationToken.getPrincipal();      //get username
16.         String password = new String((char[]) authenticationToken.getCredentials());    //get password
17.         if (!"ryo".equals(username)) {
18.             throw new UnknownAccountException();
19.         }
20.         if (!"123".equals(password)) {
21.             throw new IncorrectCredentialsException();
22.         }
24.         //如果身份认证验证成功，返回一个AuthenticationInfo实现；
25.         return new SimpleAuthenticationInfo(username, password, getName());
26.     }
27. }

复制代码

• shiro-realm.ini
  

create this file under the classpath.

1. #declear realm
2. firstRealm=com.ryo.shiro.MyRealm
3. #point the realms impls of securityManager
4. securityManager.realms=$firstRealm

复制代码

• test()
  

1. @Test
2. public void testRealm() {
3.     Factory<SecurityManager> factory =
4.             new IniSecurityManagerFactory("classpath:shiro-realm.ini");
5.     org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
6.     SecurityUtils.setSecurityManager(securityManager);
7.     Subject subject = SecurityUtils.getSubject();
8.     UsernamePasswordToken token = new UsernamePasswordToken("ryo", "123");
10.     try {
11.         subject.login(token);
12.     } catch (AuthenticationException e) {
13.     }
15.     assertEquals(true, subject.isAuthenticated());
17.     subject.logout();
18. }

复制代码

multi-realm

• define another realm SecondRealm.java
  

1. public class SecondRealm implements Realm {
2.     public String getName() {
3.         return "secondRealm";
4.     }
6.     public boolean supports(AuthenticationToken authenticationToken) {
7.         return authenticationToken instanceof UsernamePasswordToken;
8.     }
10.     public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
11.         String username = (String) authenticationToken.getPrincipal();
12.         String password = new String((char[]) authenticationToken.getCredentials());
13.         if (!"wang".equals(username)) {
14.             throw new UnknownAccountException();
15.         }
16.         if (!"123".equals(password)) {
17.             throw new IncorrectCredentialsException();
18.         }
19.         return new SimpleAuthenticationInfo(username, password, getName());
20.     }
21. }

复制代码

• define shiro-multi-realm.ini
  

1. [main]
2. #define
3. firstRealm=com.ryo.shiro.FirstRealm
4. secondRealm=com.ryo.shiro.SecondRealm
5. #use
6. securityManager.realms=$firstRealm,$secondRealm

复制代码

• test()
  

1. @Test
2. public void testMultiRealm() {
3.     Factory<SecurityManager> factory =
4.             new IniSecurityManagerFactory("classpath:shiro-multi-realm.ini");
6.     org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
7.     SecurityUtils.setSecurityManager(securityManager);
9.     Subject subject = SecurityUtils.getSubject();
10.     UsernamePasswordToken token = new UsernamePasswordToken("wang", "123");
12.     try {
13.         subject.login(token);
14.     } catch (AuthenticationException e) {
15.         e.printStackTrace();
16.     }
18.     Assert.assertEquals(true, subject.isAuthenticated());
20.     subject.logout();
21. }

复制代码

Notice
The realm worked only after you used it.
JDBC Realm

• Add jars info your pom.xml, here I user MySQL and druid datasource for test.
  

1. <dependency>
2.     <groupId>mysql</groupId>
3.     <artifactId>mysql-connector-java</artifactId>
4.     <version>5.1.25</version>
5. </dependency>
6. <dependency>
7.     <groupId>com.alibaba</groupId>
8.     <artifactId>druid</artifactId>
9.     <version>0.2.23</version>
10. </dependency>

复制代码

• Here are some sql to init database.
  

1. DROP DATABASE IF EXISTS shiro;
2. CREATE DATABASE shiro;
3. USE shiro;
5. CREATE TABLE users (
6.   id            BIGINT AUTO_INCREMENT,
7.   username      VARCHAR(100),
8.   password      VARCHAR(100),
9.   password_salt VARCHAR(100),
10.   CONSTRAINT pk_users PRIMARY KEY (id)
11. )
12.   CHARSET = utf8
13.   ENGINE = InnoDB;
14. CREATE UNIQUE INDEX idx_users_username ON users (username);
16. CREATE TABLE user_roles (
17.   id        BIGINT AUTO_INCREMENT,
18.   username  VARCHAR(100),
19.   role_name VARCHAR(100),
20.   CONSTRAINT pk_user_roles PRIMARY KEY (id)
21. )
22.   CHARSET = utf8
23.   ENGINE = InnoDB;
24. CREATE UNIQUE INDEX idx_user_roles ON user_roles (username, role_name);
26. CREATE TABLE roles_permissions (
27.   id         BIGINT AUTO_INCREMENT,
28.   role_name  VARCHAR(100),
29.   permission VARCHAR(100),
30.   CONSTRAINT pk_roles_permissions PRIMARY KEY (id)
31. )
32.   CHARSET = utf8
33.   ENGINE = InnoDB;
34. CREATE UNIQUE INDEX idx_roles_permissions ON roles_permissions (role_name, permission);
36. INSERT INTO users (username, password) VALUES ('wang', '123');
37. INSERT INTO users (username, password) VALUES ('ryo', '123');

复制代码

• shiro-jdbc-realm.ini
  

1. [main]
2. jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
3. dataSource=com.alibaba.druid.pool.DruidDataSource
4. dataSource.driverClassName=com.mysql.jdbc.Driver
5. dataSource.url=jdbc:mysql://localhost:3307/shiro
6. dataSource.username=root
7. dataSource.password=${youOwnSQLPassword}
8. jdbcRealm.dataSource=$dataSource
9. securityManager.realms=$jdbcRealm
12. ;1、varName=className    auto create an instance of class.
13. ;2、varName.property=val         auto call the set()
14. ;3、$varname             reference an object define before;

复制代码

• test()
  

1. @Test
2. public void testJDBCRealm() {
3.     Factory<org.apache.shiro.mgt.SecurityManager> factory =
4.             new IniSecurityManagerFactory("classpath:shiro-jdbc-realm.ini");
6.     org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
7.     SecurityUtils.setSecurityManager(securityManager);
9.     Subject subject = SecurityUtils.getSubject();
10.     UsernamePasswordToken token = new UsernamePasswordToken("ryo", "123");
12.     try {
13.         subject.login(token);
14.     } catch (AuthenticationException e) {
15.         e.printStackTrace();
16.     }
18.     Assert.assertEquals(true, subject.isAuthenticated());
20.     subject.logout();
21. }

复制代码

Authenticator

• 在单领域应用程序中，ModularRealmAuthenticator 将直接调用单个领域。
  
• 如果您希望使用自定义的 Authenticator 实现配置 SecurityManager，您可以在 shiro.ini 中进行配置，例如：
  

1. [main]
2. authenticator = com.foo.bar.CustomAuthenticator
4. securityManager.authenticator = $authenticator

复制代码

SecurityManager.java

1. public interface SecurityManager extends Authenticator, Authorizer, SessionManager {
2. }

复制代码

Authenticator.java

1. public interface Authenticator {
2.     AuthenticationInfo authenticate(AuthenticationToken var1) throws AuthenticationException;
3. }

复制代码

AuthenticationStrategy

当为应用程序配置了两个或更多领域时，ModularRealmAuthenticator 依赖于内部的 AuthenticationStrategy 组件来确定身份验证尝试成功或失败的条件。
        AuthenticationStrategy 类        描述                AtLeastOneSuccessfulStrategy        如果一个或多个领域成功验证，则将考虑整体尝试成功。如果没有一个验证成功，则尝试失败。                FirstSuccessfulStrategy        仅使用从第一个成功验证的领域返回的信息。所有后续领域将被忽略。如果没有一个验证成功，则尝试失败。                AllSuccessfulStrategy        所有配置的领域必须成功验证才能考虑整体尝试成功。如果有任何一个验证不成功，则尝试失败。    1、这里定义了三个用于测试的领域：

• FirstRealm    ryo/123  成功，返回 ryo/123
  
• SecondRealm   wang/123 成功，返回 wang/123
  
• ThirdRealm    ryo/123 成功，返回 ryo@gmail.com/123
  

2、shiro-authenticator-all-success.ini
ModularRealmAuthenticator 默认使用 AtLeastOneSuccessfulStrategy 实现，因为这是最常用的策略。
但是，如果需要，您可以配置不同的策略。

1. [main]
2. #point out securityManager's authenticator  
3. authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator  
4. securityManager.authenticator=$authenticator  
5.   
6. #Point out securityManager.authenticator's authenticationStrategy  
7. allSuccessfulStrategy=org.apache.shiro.authc.pam.AllSuccessfulStrategy  
8. securityManager.authenticator.authenticationStrategy=$allSuccessfulStrategy  
10. #Define and use realms
11. firstRealm=com.ryo.shiro.FirstRealm
12. secondRealm=com.ryo.shiro.SecondRealm
13. thirdRealm=com.ryo.shiro.ThirdRealm
14. securityManager.realms=$firstRealm,$thirdRealm

复制代码

3、AuthenticatorTest.java

1. @Test
2. public void testAllSuccessfulStrategyWithSuccess() {
3.     Subject subject = getSubjectByPath("classpath:shiro-authenticator-all-success.ini");
5.     UsernamePasswordToken token = new UsernamePasswordToken("ryo", "123");
6.     subject.login(token);
8.     PrincipalCollection principalCollection = subject.getPrincipals();
9.     assertEquals("ryo,ryo@gmail.com", principalCollection.toString());
10. }
12. private Subject getSubjectByPath(String configFilePath) {
13.     Factory<SecurityManager> factory = new IniSecurityManagerFactory(configFilePath);
15.     SecurityManager securityManager = factory.getInstance();
16.     SecurityUtils.setSecurityManager(securityManager);
17.     return SecurityUtils.getSubject();
18. }

复制代码

提示
如果您想自己创建自己的 AuthenticationStrategy 实现，您可以使用 org.apache.shiro.authc.pam.AbstractAuthenticationStrategy 作为起点。

• OnlyOneAuthenticatorStrategy.java
  

[code]public class OnlyOneAuthenticatorStrategy extends AbstractAuthenticationStrategy {    //Simply returns the aggregate argument without modification.    @Override    public AuthenticationInfo beforeAllAttempts(Collection