Apache Shiro知识点总览

1. 名词解释

2. 权限认证

3. 授权

4. ini文件配置

5. jsp标签授权

6. Shiro会话机制

7. 自定义Realm

8. 加密、解密

9. 特性

10. 与spring整合

名词解释

Subject：认证主体

Reaml：认证来源[jdbc、property、text、jndi]

权限认证

谁访问什么资源

权限：页面

角色：权限的集合

用户：subject

授权

为角色分配权限

例如：admin = user : *

ini文件配置

[main]

authc.loginUrl = /login

roles.unauthorizedUrl = /unauthorized

perms.unauthorizedUrl = /unauthorized.jsp

[users]

jack = 123,admin

[roles]

admin = user : *

[urls]

/login = anon

/admin = authc

/student = roles[teacher]

/teacher = perms["user:create"]

Url匹配规则

/admin        匹配/admin

/admin?      匹配/admin1

/admin*       匹配/admin123

/admin/**    匹配/admin/1/2/3

jsp标签授权

依赖

• shiro-web.jar

• <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

例如：

<shiro:guest>    Hi there!  Please

<a href="login.jsp">Login</a> or

<a href="signup.jsp">Signup</a> today!

</shiro:guest>

Shiro会话机制

Subject currentUser = SecurityUtils.getSubject();

Session session = currentUser.getSession();

session.setAttribute( "someKey", someValue);

getSession calls work in any application, even non-web applications.

自定义Realm

Most people choose to subclass the AuthorizingRealm abstract class instead of starting from scratch. This class implements common authentication and authorization workflow to save you time and effort.

加密、解密

例如：

new Md5Hash(data)

特性

• Web Support: Shiro’s web support APIs help easily secure web applications.

• Caching: Caching is a first-tier citizen in Apache Shiro’s API to ensure that security operations remain fast and efficient.

• Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.

• Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.

• “Run As”: A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.

• “Remember Me”: Remember users’ identities across sessions so they only need to log in when mandatory.

与spring整合

web.xml

<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->

<filter>

<filter-name>shiroFilter</filter-name>

<filter-class>

org.springframework.web.filter.DelegatingFilterProxy

</filter-class>

<init-param>

<param-name>targetFilterLifecycle</param-name>

<param-value>true</param-value>

</init-param>

</filter>...

<!-- Make sure any request you want accessible to Shiro is filtered. /* catches all --><!-- requests.  Usually this filter mapping is defined first (before all others) to --><!-- ensure that Shiro works in subsequent filters in the filter chain:             -->

<filter-mapping>

<filter-name>shiroFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

applicationContext.xml

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<property name="securityManager" ref="securityManager"/>

<property name="loginUrl" value="/login.jsp"/>

<property name="successUrl" value="/home.jsp"/>

<property name="unauthorizedUrl" value="/unauthorized.jsp"/>

<property name="filterChainDefinitions">

<value>

# some example chain definitions:

/admin/** = authc, roles[admin]

/docs/** = authc, perms[document:read]

/** = authc

# more URL-to-FilterChain definitions here

</value>

</property>

</bean>

<bean id="someFilter" class="..."/>

<bean id="anotherFilter" class="..."> ...

</bean>...

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="myRealm"/>

</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<bean id="myRealm" class="...">    ...

</bean>