首先什么是shiro?

shiro是apache下面的一个开源项目,下面是其网站上对其的一段说明:

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

弱弱的翻译一下:apache shiro是一个强大且易于使用的java安全框架,使用它可以进行

1:认证

2:鉴权

3:加密

4:会话管理

通过shiro简单易懂的api,可以简单快速的为任何应用程序提供安全保护。


什么是认证?

认证就是登陆一个系统之前,认证就是系统通过用户的输入去辨别登陆的用户是谁,认证过程中,用户需要提供一些输入让系统辨别且信任你。

The Shiro framework is designed to make authentication as clean and intuitive as possible while providing a rich set of features. Below is a highlight of the Shiro authentication features.

shiro框架在提供丰富功能的同时提供了直观简单的使用方式,下面是shiro提供的几种认证功能。

  • Subject Based - Almost everything you do in Shiro is based on the currently executing user, called a Subject. And you can easily retrieve the Subject anywhere in your code. This makes it easier for you to understand and work with Shiro in your applications.

           Subjecet-在shiro中几乎所有的操作都是基于当前指定的用户,也称为subject,在代码的任何位置都可以轻易的访问到subject,这使在你的项目中使用shiro变得更易于理解

  • Single Method call - The authentication process is a single method call. Needing only one method call keeps the API simple and your application code clean, saving you time and effort.

     单个方法调用-认证过程仅仅是一个方法的调用,这让你应用的代码更加简洁,给你节省了时间

  • Rich Exception Hierarchy - Shiro offers a rich exception hierarchy to offered detailed explanations for why a login failed. The hierarchy can help you more easily diagnose code bugs or customer services issues related to authentication. In addition, the richness can help you create more complex authentication functionality if needed.

    丰富的异常体系-shiro提供了丰富的异常以便于更加详细的了解登陆失败的原因,这些异常让我们方便定位以及修改bug

  • ‘Remember Me’ built in - Standard in the Shiro API is the ability to remember your users if they return to your application. You can offer a better user experience to your them with minimal development effort

    remember me功能内置的支持:shiro中remember me功能的api可以给你应用更好的用户体验。

  • Pluggable data sources - Shiro uses pluggable data access objects (DAOs), called Realms, to connect to security data sources like LDAP and Active Directory. To help you avoid building and maintaining integrations yourself, Shiro provides out-of-the-box realms for popular data sources like LDAP, Active Directory, Kerberos, and JDBC. If needed, you can also create your own realms to support specific functionality not included in the basic realms.

      可 插拔的数据源-shiro使用被称为Reamls的可插拔的数据连接对象来连接你的数据源,例如:LDAP,避免你自己去构建以及维护这些交 互,shiro内置提供了几种常用的数据源接入机制,如果有必要,你可以自己创建特殊的Reaml来提供基础Reamls所不支持的功能。

  • Login with one or more realms - Using Shiro, you can easily authenticate a user against one or more realms and return one unified view of their identity. In addition, you can customize the authentication process with Shiro’s notion of an authentication strategy. The strategies can be setup in configuration files so changes don’t require source code modifications– reducing complexity and maintenance effort.

      通过一个或者多个realms进行登录认证-使用shiro可以轻易的认证一个用户并提供一个统一的试图,此外我们还可以定制化认   证的策略,我们可以在配置文件中进行配置而不必修改代码。



什么是鉴权?

鉴权也被成为权限控制,判断是否有权限访问某个资源,shiro对鉴权提供的支持:

  • Checks based on roles or permissions - Since the complexity of authorization differs greatly between applications, Shiro is designed to be flexible, supporting both role-based security and permission-based security based on your projects needs.

提供基于角色和权限的方式进行鉴权


  • Powerful and intuitive permission syntax - As an option, Shiro provides an out-of-the-box permission syntax, called Wildcard Permissions, that help you model the fine grained access policies your application may have. By using Shiro’s Wildcard Permissions you get an easy-to-process and human readable syntax. Moreoever, you don’t have to go through the time-consuming effort and complexity of creating your own method for representing your access policies.

强大且直观的权限规则,shiro提供通配符进行权限的校验,使用通配符规则可读性较高

  • Multiple enforcement options – Authorization checks in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP Taglibs. Shiro’s goal is to give you the choice to use the option you think are best based on your preferences and project needs.

多种鉴权方式可选,可以使用jdk1.5中的注解,aop或者jsp标签

  • Strong caching support - Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. For authorization, caching is crucial for performance in larger environments or with more complex policies using back-end security data sources.

高效的缓存支持

  • Supports any data model - Shiro can support any data model for access control– it doesn’t force a model on you. Your realm implementation ultimately decides how your permissions and roles are grouped together and whether to return a “yes” or a “no” answer to Shiro. This feature allows you to architect your application in the manner you chose and Shiro will bend to support you.

支持任何类型的数据模型



再来看看shiro几个关键的概念:

Subject:Subject我们在上面说过,Subject一般来说代表当前登录的用户,我们可以在自己的代码中很容易的获取到Subject对象

 
  1. Subject currentUser = SecurityUtils.getSubject();  

获得Subject对象之后我们可以通过Subject对象进行授权检查。

 
  1. AuthenticationToken token = new UsernamePasswordToken(username, password);  
  2. Subject.isPermitted()/checkRoles()  
  3. Subject.login(token)//登录操作  
  4. Subject.logout()//退出登录操作  

SecurityManager:Subject 代表某一个用户,而SecurityManager就是对这些Subject进行管理的对象,在web项目中使用shiro的时候,我们通常在xml文件 中配置好SecurityManager对象,然后就不会跟它打太多的交道,而仅仅是访问Subject的api.

 
  1. //这里我们使用spring和shiro进行集成  
  2. <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
  3.         <property name="realm" ref="shiroDbRealm" />  
  4.         <property name="cacheManager" ref="shiroEhcacheManager" />  
  5. </bean>  


Realms:shiro中使用Realms这个概念表示与数据进行交互的那一层,封装了数据源连接的细节,我们可以实现不同的realms来连接不同的数据源,通过realms读取用户数据用于认证和鉴权。




下面我们使用shiro和spring集成,对web项目进行控制,shiro与spring的集成灰常的简单。

在已经配置好的spring项目中,我们在xml中加入:

 
  1. <filter>  
  2.     <filter-name>shiroFilter</filter-name>  
  3.     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
  4.     <init-param>  
  5.         <param-name>targetFilterLifecycle</param-name>  
  6.         <param-value>true</param-value>  
  7.     </init-param>  
  8. </filter>  
  9. <filter-mapping>  
  10.     <filter-name>shiroFilter</filter-name>  
  11.     <url-pattern>/*</url-pattern>  
  12. </filter-mapping>  

这 个时候我们可能想DelegatingFilterProxy是个什么东东,难道这个就是shiro的入口么?但是通过查看这个类是位于spring- web这个jar包中的,根本就不属于shiro的一部分,那么也不可能是shiro的入口,我们跟进去发现这个类继承了抽象类 GenericFilterBean,而GenericFilterBean实现了Filter接口,应用程序启动的时候应该会调用 GenericFilterBean.init()方法:该方法设置了filter的配置,另外调用了方法initFilterBean(),这个方法在 子类中进行实现。

DelegatingFilterProxy类中对initFilterBean方法进行了实现:

 
  1. @Override  
  2.     protected void initFilterBean() throws ServletException {  
  3.         synchronized (this.delegateMonitor) {  
  4.             if (this.delegate == null) {  
  5.                 // If no target bean name specified, use filter name.  
  6.                 if (this.targetBeanName == null) {  
  7.                     this.targetBeanName = getFilterName();  
  8.                 }  
  9.                 // Fetch Spring root application context and initialize the delegate early,  
  10.                 // if possible. If the root application context will be started after this  
  11.                 // filter proxy, we'll have to resort to lazy initialization.  
  12.                 WebApplicationContext wac = findWebApplicationContext();  
  13.                 if (wac != null) {  
  14.                     this.delegate = initDelegate(wac);  
  15.                 }  
  16.             }  
  17.         }  
  18.     }  


如果没有设置targetBeanName属性,那么就使用过滤器的名字作为beanName

 
  1. <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  
  2.         <property name="securityManager" ref="securityManager" />  
  3.         <property name="loginUrl" value="/login" />  
  4.         <property name="successUrl" value="/management/index" />  
  5.         <property name="filters">  
  6.             <map>  
  7.                 <!-- <entry key="authc" value-ref="baseFormAuthenticationFilter"/> -->  
  8.                 <!-- 是否启用验证码检验 -->  
  9.                 <entry key="authc" value-ref="captchaFormAuthenticationFilter" />  
  10.                 <entry key="user" value-ref="dWZUserFilter" />  
  11.             </map>  
  12.         </property>  
  13.         <property name="filterChainDefinitions">  
  14.             <value>  
  15.                 /Captcha.jpg = anon  
  16.                 /styles/** = anon  
  17.                 /login/timeout = anon  
  18.                 /login = authc  
  19.                 /logout = logout  
  20.                 /** = user  
  21.             </value>  
  22.         </property>  
  23.     </bean>  

我们在web.xml中配置的过滤器名称是shiroFilter,然后我们在spring的配置文件中以该名字配置一个bean

 
  1.     <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
  2.         <property name="realm" ref="shiroDbRealm" />  
  3.                  <!--  缓存用户的授权信息  -->  
  4.                 <property name="cacheManager" ref="shiroEhcacheManager" />  
  5.         </bean>  
  6.         <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">  
  7.                  <property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache-shiro.xml" />  
  8.         </bean>  
  9.         <bean id="shiroDbRealm" class="com.mbb.ShiroDbRealm" depends-on="userDAO, userRoleDAO, moduleDAO, organizationRoleDAO,captchaService">  
  10.           
  11.         </bean>  

ShiroDbRealm是我们自定义实现的realms用于查询用户数据。

 
    1. public class ShiroDbRealm extends AuthorizingRealm {  
    2.         //实现用户的认证  
    3.         protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {  
    4.              User user = userService.get(authcToken.getUsername());  
    5.              ShiroUser shiroUser = new ShiroUser(user.getId(), user.getUsername(), user);  
    6. <pre code_snippet_id="239402" snippet_file_name="blog_20140316_8_5493693" name="code" class="html">             return new SimpleAuthenticationInfo(shiroUser, user.getPassword(),ByteSource.Util.bytes(salt), getName());  
    7. </pre> }<br>  
    8. //实现用户的鉴权<br>  
    9. protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {<br>  
    10. Collection<?collection = principals.fromRealm(getName());<br>  
    11.         if (CollectionUtils.isEmpty(collection)) {<br>  
    12.             return null;<br>  
    13.         }<br>  
    14.         ShiroUser shiroUser = (ShiroUser) collection.iterator().next();<br>  
    15.         <br>  
    16.         List<UserRoleuserRoles = userRoleService.find(shiroUser.getId());<br>  
    17.         List<OrganizationRoleorganizationRoles = organizationRoleService<br>  
    18.                 .find(shiroUser.getUser().getOrganization().getId());<br>  
    19.         <br>  
    20.         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();<br>  
    21.         info.addStringPermissions(makePermissions(userRoles, organizationRoles, shiroUser));<br>  
    22.         <br>  
    23.         return info;<br>  
    24. }<br>  
    25. }  
    26. <pre></pre>  
    27. <p></p>  
    28. <pre></pre>  
    29. <br>  
    30. <br>  
    31. <p></p>  
    32. <p><br>  
    33. </p>  
    34. <br>  
    35. <p></p>  
    36. <ul style="">  
    37. <br>  
    38. </ul>  
    39. <br>  
    40. <p></p