
Shiro Quick Start

Date: 2024-05-18 15:41:44

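  1. What is Shiro

    Apache Shiro is a security (permissions) framework for Java. With Shiro it is very easy to develop good-enough applications, and it can be used in both JavaSE and JavaEE environments. Shiro handles authentication, authorization, cryptography, session management, web integration, caching, and more.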

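  2. Supported features

    • Authentication: identity verification/login; verifies that the user really holds the claimed identity

    • Authorization: permission checking; verifies whether an authenticated user holds a given permission, that is, whether the user may perform a given operation. For example, checking whether a user has a certain role, or, at a finer granularity, whether a user has a certain permission on a certain resource

    • Session Management: once a user logs in, that is one session, and until the user logs out all of the user's information lives in the session; the session can be in a plain JavaSE environment or in a web environment

    • Cryptography: protects data, for example by storing passwords in the database encrypted rather than in plaintext

    • Web Support: Shiro can be integrated into a web environment very easily

    • Caching: for example, after a user logs in, the user's information and roles/permissions do not have to be looked up on every request, which improves efficiency

    • Concurrency: Shiro supports concurrent verification in multithreaded applications; for example, when one thread starts another, the permissions are propagated to it automatically

    • Testing: provides testing support

    • "Run As": allows a user to assume the identity of another user (if they allow it) for access

    • Remember Me: a very common feature; after logging in once, the user does not need to log in again on the next visit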

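  3. Shiro architecture

    • Subject: the object that application code interacts with directly is the Subject, so the Subject is the core of Shiro's external API. A Subject represents the current "user", which is not necessarily a person; anything that interacts with the application is a Subject, such as a web crawler or a bot. Every interaction with a Subject is delegated to the SecurityManager; the Subject is really a facade, and the SecurityManager is what actually does the work

    • SecurityManager: the security manager. Every security-related operation goes through the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with Shiro's other components; its role is comparable to that of DispatcherServlet in SpringMVC

    • Realm: Shiro obtains security data (users, roles, permissions) from a Realm. When the SecurityManager needs to verify a user's identity, it fetches the corresponding user from the Realm and compares to decide whether the identity is valid; it also fetches the user's roles/permissions from the Realm to verify whether the user may perform an operation. A Realm can be thought of as a DataSource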

  4. Quick practice

    • Import the dependencies
    <dependencies>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.5.3</version>
        </dependency>
    
        <!-- configure logging -->
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
            <version>1.7.26</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-log4j12</artifactId>
            <version>1.7.26</version>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
    </dependencies>
    
    • Configuration file: logging configuration
    log4j.rootLogger=INFO, stdout
    
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
    
    # General Apache libraries
    log4j.logger.org.apache=WARN
    
    # Spring
    log4j.logger.org.springframework=WARN
    
    # Default Shiro logging
    log4j.logger.org.apache.shiro=INFO
    
    # Disable verbose logging
    log4j.logger.org.apache.shiro.util.ThreadContext=WARN
    log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN
    
    • Import the shiro.ini file from the official site
    [users]
    # user 'root' with password 'secret' and the 'admin' role
    root = secret, admin
    # user 'guest' with the password 'guest' and the 'guest' role
    guest = guest, guest
    # user 'presidentskroob' with password '12345' ("That's the same combination on
    # my luggage!!!" ;)), and role 'president'
    presidentskroob = 12345, president
    # user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
    darkhelmet = ludicrousspeed, darklord, schwartz
    # user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
    lonestarr = vespa, goodguy, schwartz
    
    # -----------------------------------------------------------------------------
    # Roles with assigned permissions
    # 
    # Each line conforms to the format defined in the
    # org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
    # -----------------------------------------------------------------------------
    [roles]
    # 'admin' role has all permissions, indicated by the wildcard '*'
    admin = *
    # The 'schwartz' role can do anything (*) with any lightsaber:
    schwartz = lightsaber:*
    # The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
    # license plate 'eagle5' (instance specific id)
    goodguy = winnebago:drive:eagle5
    
    • Main class: Quickstart
    /*
     * Licensed to the Apache Software Foundation (ASF) under one
     * or more contributor license agreements.  See the NOTICE file
     * distributed with this work for additional information
     * regarding copyright ownership.  The ASF licenses this file
     * to you under the Apache License, Version 2.0 (the
     * "License"); you may not use this file except in compliance
     * with the License.  You may obtain a copy of the License at
     *
     *     http://www.apache.org/licenses/LICENSE-2.0
     *
     * Unless required by applicable law or agreed to in writing,
     * software distributed under the License is distributed on an
     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     * KIND, either express or implied.  See the License for the
     * specific language governing permissions and limitations
     * under the License.
     */
    
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.*;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.session.Session;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.Factory;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    
    
    /**
     * Simple Quickstart application showing how to use Shiro's API.
     * A simple introduction to using the Shiro API.
     *
     * @since 0.9 RC2
     */
    public class Quickstart {
    
        private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);
    
    
        public static void main(String[] args) {
    
            // The easiest way to create a Shiro SecurityManager with configured
            // realms, users, roles and permissions is to use the simple INI config.
            // We'll do that by using a factory that can ingest a .ini file and
            // return a SecurityManager instance:
    
            // Use the shiro.ini file at the root of the classpath
            // (file: and url: prefixes load from files and urls respectively):
            // Read the configuration file:
            Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
            SecurityManager securityManager = factory.getInstance();
    
            // for this simple example quickstart, make the SecurityManager
            // accessible as a JVM singleton.  Most applications wouldn't do this
            // and instead rely on their container configuration or web.xml for
            // webapps.  That is outside the scope of this simple quickstart, so
            // we'll just do the bare minimum so you can continue to get a feel
            // for things.
            SecurityUtils.setSecurityManager(securityManager);
    
            // Now that a simple Shiro environment is set up, let's see what you can do:
    
            // get the currently executing user:
            // Get the current user object (Subject)
            Subject currentUser = SecurityUtils.getSubject();
    
            // Do some stuff with a Session (no need for a web or EJB container!!!)
            // Get the Shiro Session from the current user; values can be stored and read without a web container
            Session session = currentUser.getSession();
            session.setAttribute("someKey", "aValue");
            String value = (String) session.getAttribute("someKey");
            if (value.equals("aValue")) {
                log.info("Retrieved the correct value! [" + value + "]");
            }
    
            // let's login the current user so we can check against roles and permissions:
            // Check whether the current user is already authenticated
            if (!currentUser.isAuthenticated()) {
                // Authentication token
                UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
                // Enable Remember Me
                token.setRememberMe(true);
                try {
                    // Perform the login
                    currentUser.login(token);
                } catch (UnknownAccountException uae) {
                    log.info("There is no user with username of " + token.getPrincipal());
                } catch (IncorrectCredentialsException ice) {
                    log.info("Password for account " + token.getPrincipal() + " was incorrect!");
                } catch (LockedAccountException lae) {
                    log.info("The account for username " + token.getPrincipal() + " is locked.  " +
                            "Please contact your administrator to unlock it.");
                }
                // ... catch more exceptions here (maybe custom ones specific to your application?
                catch (AuthenticationException ae) {
                    //unexpected condition?  error?
                }
            }
    
            //say who they are:
            //print their identifying principal (in this case, a username):
            log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
    
            //test a role:
            // Check a role
            if (currentUser.hasRole("schwartz")) {
                log.info("May the Schwartz be with you!");
            } else {
                log.info("Hello, mere mortal.");
            }
    
            //test a typed permission (not instance-level)
            // Coarse-grained
            if (currentUser.isPermitted("lightsaber:wield")) {
                log.info("You may use a lightsaber ring.  Use it wisely.");
            } else {
                log.info("Sorry, lightsaber rings are for schwartz masters only.");
            }
    
            //a (very powerful) Instance Level permission:
            // Fine-grained
            if (currentUser.isPermitted("winnebago:drive:eagle5")) {
                log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                        "Here are the keys - have fun!");
            } else {
                log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
            }
    
            //all done - log out!
            // Log out
            currentUser.logout();
    
            // Done
            System.exit(0);
        }
    }
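
The shiro.ini above keeps every password in plaintext, and the Quickstart logs a successful login even when login() threw an exception. The following added example (not part of the original post or of the Apache Shiro samples) stores the same lonestarr account as a salted hash and uses a login helper that reports failure; the class name HashedLoginExample and the helper tryLogin are illustrative names, and an in-memory SimpleAccountRealm is assumed in place of shiro.ini.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Added example; HashedLoginExample and tryLogin are hypothetical names.
public class HashedLoginExample {

    // Returns true only when the login really succeeded; a failed
    // attempt never falls through to the "logged in" path.
    static boolean tryLogin(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            // Parent of UnknownAccountException, IncorrectCredentialsException,
            // LockedAccountException and the other login failures.
            return false;
        }
    }

    public static void main(String[] args) {
        // Salted, iterated hash rendered in Shiro's own text format ("$shiro1$...").
        DefaultPasswordService passwords = new DefaultPasswordService();
        String stored = passwords.encryptPassword("vespa"); // sample password from shiro.ini

        // In-memory realm that holds the hash instead of the plaintext password.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("lonestarr", stored, "goodguy", "schwartz");

        // Make the realm verify submitted passwords against the stored hash.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwords);
        realm.setCredentialsMatcher(matcher);

        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        System.out.println("stored value is hashed:    " + stored.startsWith("$shiro1$"));
        System.out.println("wrong password accepted:   " + tryLogin("lonestarr", "12345"));
        System.out.println("correct password accepted: " + tryLogin("lonestarr", "vespa"));
        SecurityUtils.getSubject().logout();
    }
}
```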
    

From: https://www.cnblogs.com/hytip/p/18199382
