[Shiro] tutorial 1 :SecurityManager and Subject

　　SecurityManager是Shiro的绝对核心,不同于java.lang.SecurityManager,每个应用程序都要有一个SecurityManager.

所以我们第一件事就是配置一个SecurityManager实例.

配置:

我们可以直接实例化SecurityManager类,Shiro的SecurityManger的实现有很多配置选项和内部组件.

可以通过文本类型的配置文件配置.Shiro提供了ini格式的配置文件.

相较于xml,ini更加易读,也无需太多依赖.

可以简单配置简单对象图,如SecurityManager.

    public static void main(String[] args) {

    log.info("My First Apache Shiro Application");

    //1.工厂模式,通过配置文件来构建工厂
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");

    //2.通过工厂来得到SecurityManager的实例
    SecurityManager securityManager = factory.getInstance();

    //3.设置(2)中得到的实例为当前进程的SecurityManager
    SecurityUtils.setSecurityManager(securityManager);
    //4.根据(3)中的设置,getSubject()可以使用了.得到主题对象(或者称之为Shiro的'用户')
    Subject currentUser = SecurityUtils.getSubject();
    //5. Shiro的session不需要HTTP环境,但能提供其相似功能以及额外的优势
    Session session = currentUser.getSession();
    session.setAttribute( "someKey", "aValue" );

Shiro will automatically use its Enterprise Session Management by default.这意味着在任何层,任意开发环境,你可以在你的程序中得到相同的API.

这打开了新世界的大门: 一些程序需要session不再被迫使用HttpSession或者EJB Stateful Session Beans.

任何客户端数据都可以共享session数据.

===我们可以获得一个Subject以及他们的Session. 以上的Subject实例代表着当前用户.

note:谁是当前用户呢?

Well, they’re anonymous - that is, until they log in at least once. So, let’s do that:

if ( !currentUser.isAuthenticated() ) {
    //collect user principals and credentials in a gui specific manner
    //such as username/password html form, X509 certificate, OpenID, etc.
    //We'll use the username/password example here since it is the most common.
    UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");

    //this is all you have to do to support 'remember me' (no config - built in!):
    token.setRememberMe(true);

    currentUser.login(token);
}

以上是最简单的方法了.

但是登录失败了呢?可以捕捉一系列排序号的指定异常来精确诊断哪一步出问题了.

try {
    currentUser.login( token );
    //if no exception, that's it, we're done!
} catch ( UnknownAccountException uae ) {
    //username wasn't in the system, show them an error message?
} catch ( IncorrectCredentialsException ice ) {
    //password didn't match, try again?
} catch ( LockedAccountException lae ) {
    //account for that username is locked - can't login.  Show them a message?
}
    ... more types exceptions to check if you want ...
} catch ( AuthenticationException ae ) {
    //unexpected condition - error?
}

更多异常参考:Authentication异常的详细信息

Handy Hint:

Security best practice is to give generic login failure messages to users because you do not want to aid an attacker trying to break into your system.

Ok, so by now, we have a logged in user. What else can we do?

Let’s say who they are:

//print their identifying principal (in this case, a username):
log.info( "User [" + currentUser.getPrincipal() + "] logged in successfully." );

We can also test to see if they have specific role or not:

if ( currentUser.hasRole( "schwartz" ) ) {
    log.info("May the Schwartz be with you!" );
} else {
    log.info( "Hello, mere mortal." );
}

We can also see if they have a permission to act on a certain type of entity:

if ( currentUser.isPermitted( "lightsaber:weild" ) ) {
    log.info("You may use a lightsaber ring.  Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}

Also, we can perform an extremely powerful instance-level permission check - the ability to see if the user has the ability to access a specific instance of a type:

if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) {
    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'.  " +
                "Here are the keys - have fun!");
} else {
    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}

Piece of cake, right?

Finally, when the user is done using the application, they can log out:

currentUser.logout(); //removes all identifying information and invalidates their session too.