SecurityManager是Shiro的绝对核心,不同于java.lang.SecurityManager,每个应用程序都要有一个SecurityManager.

所以我们第一件事就是配置一个SecurityManager实例.

配置:

我们可以直接实例化SecurityManager类,Shiro的SecurityManger的实现有很多配置选项和内部组件.

可以通过文本类型的配置文件配置.Shiro提供了ini格式的配置文件.

相较于xml,ini更加易读,也无需太多依赖.

可以简单配置简单对象图,如SecurityManager.

    public static void main(String[] args) {

    log.info("My First Apache Shiro Application");

    //1.工厂模式,通过配置文件来构建工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); //2.通过工厂来得到SecurityManager的实例
SecurityManager securityManager = factory.getInstance(); //3.设置(2)中得到的实例为当前进程的SecurityManager
SecurityUtils.setSecurityManager(securityManager);
//4.根据(3)中的设置,getSubject()可以使用了.得到主题对象(或者称之为Shiro的'用户')
Subject currentUser = SecurityUtils.getSubject();
//5. Shiro的session不需要HTTP环境,但能提供其相似功能以及额外的优势
Session session = currentUser.getSession();
session.setAttribute( "someKey", "aValue" );

Shiro will automatically use its Enterprise Session Management by default.这意味着在任何层,任意开发环境,你可以在你的程序中得到相同的API.

这打开了新世界的大门: 一些程序需要session不再被迫使用HttpSession或者EJB Stateful Session Beans.

任何客户端数据都可以共享session数据.

===我们可以获得一个Subject以及他们的Session. 以上的Subject实例代表着当前用户.

note:谁是当前用户呢?

Well, they’re anonymous - that is, until they log in at least once. So, let’s do that:

if ( !currentUser.isAuthenticated() ) {
//collect user principals and credentials in a gui specific manner
//such as username/password html form, X509 certificate, OpenID, etc.
//We'll use the username/password example here since it is the most common.
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); //this is all you have to do to support 'remember me' (no config - built in!):
token.setRememberMe(true); currentUser.login(token);
}

以上是最简单的方法了.

但是登录失败了呢?可以捕捉一系列排序号的指定异常来精确诊断哪一步出问题了.

try {
currentUser.login( token );
//if no exception, that's it, we're done!
} catch ( UnknownAccountException uae ) {
//username wasn't in the system, show them an error message?
} catch ( IncorrectCredentialsException ice ) {
//password didn't match, try again?
} catch ( LockedAccountException lae ) {
//account for that username is locked - can't login. Show them a message?
}
... more types exceptions to check if you want ...
} catch ( AuthenticationException ae ) {
//unexpected condition - error?
}

更多异常参考:Authentication异常的详细信息

Handy Hint:

Security best practice is to give generic login failure messages to users because you do not want to aid an attacker trying to break into your system.

Ok, so by now, we have a logged in user. What else can we do?

Let’s say who they are:

//print their identifying principal (in this case, a username):
log.info( "User [" + currentUser.getPrincipal() + "] logged in successfully." );

We can also test to see if they have specific role or not:

if ( currentUser.hasRole( "schwartz" ) ) {
log.info("May the Schwartz be with you!" );
} else {
log.info( "Hello, mere mortal." );
}

We can also see if they have a permission to act on a certain type of entity:

if ( currentUser.isPermitted( "lightsaber:weild" ) ) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
}

Also, we can perform an extremely powerful instance-level permission check - the ability to see if the user has the ability to access a specific instance of a type:

if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) {
log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. " +
"Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}

Piece of cake, right?

Finally, when the user is done using the application, they can log out:

currentUser.logout(); //removes all identifying information and invalidates their session too.

[Shiro] tutorial 1 :SecurityManager and Subject的更多相关文章

  1. Shiro源码分析之Subject和SecurityManager

    Subject 毫无疑问,Subject是Shiro最重要的一个概念. “Subject”只是一个安全术语,意味着应用程序用户的特定于安全性的“视图”.Shiro Subject实例代表单个应用程序用 ...

  2. shiro错误No SecurityManager accessible to the calling code

    Shire在Web.xml中shiroFilter的Mapping配置错误 org.apache.shiro.UnavailableSecurityManagerException: No Secur ...

  3. shiro实战系列(十)之Subject

    毫无疑问,在 Apache Shiro 中最重要的概念就是 Subject.'Subject'仅仅是一个安全术语,是指应用程序用户的特定 安全的“视图”.一个 Shiro Subject 实例代表了一 ...

  4. Shiro的认证原理(Subject#login的背后故事)

    登录操作一般都是我们触发的: Subject subject = SecurityUtils.getSubject(); AuthenticationToken authenticationToken ...

  5. Shiro遇到的SecurityManager红色警告

    问题如图 需要添加一个导入 import org.apache.shiro.mgt.SecurityManager; 这样就不会报错了

  6. SpringBoot2整合Shiro报错 UnavailableSecurityManagerException: No SecurityManager accessible to the calling code 【已解决】

    SpringBoot集成Shiro报错 UnavailableSecurityManagerException: No SecurityManager accessible to the callin ...

  7. Apache Shiro系列教程之二:十分钟上手Shiro

    在本教程中,我们会写一个简单的.仅仅输出一些内容命令行程序,从而对Shiro有一个大体的感觉. 一.准备工作 本教程需要Java1.5+,并且我们用Maven生成项目,当然Maven不是必须的,你也可 ...

  8. Apache Shiro Architecture--官方文档

    原文地址:http://shiro.apache.org/architecture.html Apache Shiro's design goals are to simplify applicati ...

  9. shiro入门实例,基于ini配置

    基于ini或者关系数据库的,其实都是一样的,重要的是思想. # ==================================================================== ...

随机推荐

  1. .net如何引用该命名空间

    一.在.Net中如何引用该命名空间 (1)System.Windows.Threading 该命名空间在程序集WindowsBase(WindowsBase.dll)下 (2)System.Windo ...

  2. HDU 2196树形DP(2个方向)

    HDU 2196 [题目链接]HDU 2196 [题目类型]树形DP(2个方向) &题意: 题意是求树中每个点到所有叶子节点的距离的最大值是多少. &题解: 2次dfs,先把子树的最大 ...

  3. kafka安装教程

    今天需要在新机器上安装一个kafka集群,其实kafka我已经装了十个不止了,但是没有一个是为生产考虑的,因此比较汗颜,今天好好地把kafka的安装以及配置梳理一下: 1,kafka版本选取: 现在我 ...

  4. redis 简单的注册

    首页写一个页面 <form method="post" action="hreg.php"> Name:<input type="t ...

  5. delphi 判断端口(Port)是否被占用(转载)

    function IsPortUsed(aPort: Integer): Boolean; var _vSock: TSocket; _vWSAData: TWSAData; _vAddrIn: TS ...

  6. pthread_cond_wait虚假唤醒

    pthread_cond_wait中的while()不仅仅在等待条件变量前检查条件cond_is_false是否成立,实际上在等待条件变量后也检查条件cond_is_false是否成立.在多线程等待的 ...

  7. python基础_格式化输出(%用法和format用法)

      目录 %用法 format用法 %用法 1.整数的输出 %o —— oct 八进制%d —— dec 十进制%x —— hex 十六进制 1 >>> print('%o' % 2 ...

  8. 神经机器翻译 - NEURAL MACHINE TRANSLATION BY JOINTLY LEARNING TO ALIGN AND TRANSLATE

    论文:NEURAL MACHINE TRANSLATION BY JOINTLY LEARNING TO ALIGN AND TRANSLATE 综述 背景及问题 背景: 翻译: 翻译模型学习条件分布 ...

  9. 【Django视图与网址进阶004】

    一.在网页上做加减法 1. 采用 /add/?a=4&b=5 这样GET方法进行 django-admin.py startproject zqxt_views cd zqxt_views p ...

  10. Android系统应用Mms之短信会话列表加载流程一

    1. ConversationList短息会话列表界面 1. 开始进行加载 ConversationList: protected void onStart(){ ... // 进行异步查询 star ...