文章目录
一、RBAC介绍
1.1 RBAC简介
1.2 权限管理
二、 用户认证
三、用户授权
四、权限模型
五、Shiro介绍
六、认证流程
6.1 创建springboot工程并导入依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.3</version>
</dependency>
6.2 在resources目录下创建shiro.ini文件,IEDA需要安装*.ini并重启方可生效
#对用户的配置
[users]
#对用户的用户名和密码的配置
jack=123
tom=456
6.3 创建认证测试类
package com.qf.authentication;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;
public class AuthenticationDemo {
// 用户登陆和退出
@Test
public void testLoginAndLogout() {
// 创建securityManager工厂,通过ini配置文件创建securityManager工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory(
"classpath:shiro.ini");
// 创建SecurityManager
SecurityManager securityManager = factory.getInstance();
// 将securityManager设置当前的运行环境中
SecurityUtils.setSecurityManager(securityManager);
// 从SecurityUtils里边创建一个subject
Subject subject = SecurityUtils.getSubject();
// 在认证提交前准备token(令牌)
// 这里的账号和密码 将来是由用户输入进去
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");
// 执行认证提交
subject.login(token);
// 是否认证通过
boolean isAuthenticated = subject.isAuthenticated();
System.out.println("是否认证通过:" + isAuthenticated);
// 退出操作
subject.logout();
// 是否认证通过
isAuthenticated = subject.isAuthenticated();
System.out.println("是否认证通过:" + isAuthenticated);
}
}
6.4 执行流程
6.5 总结
七、使用realm认证
7.1 创建自定义realm
package com.qf.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class realmDemo extends AuthorizingRealm {
private String realmName = "realmDemo";
//认证
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken
authenticationToken) throws AuthenticationException {
//从token中取出用户信息
//用户名,身份信息
String principal = (String)authenticationToken.getPrincipal();
System.out.println(principal);
//密码,凭证
Object credentials = authenticationToken.getCredentials();
//类型转化
String password = new String((char[]) credentials);
System.out.println(password);
if("jack".equals(principal) && "123".equals(password)){
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(principal,password,realmName);
return simpleAuthenticationInfo;
}
return null;
}
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
}
7.2 在resource目录下创建shiro-realm.ini(注意:realm路径别配置错了)
[main]
#自定义realm
realmDemo=com.qf.realm.realmDemo
#将realm设置到securityManager
securityManager.realms=$realmDemo
7.3 在AuthenticationDemo类中添加方法进行测试
// 自定义realm
@Test
public void testRealmDemo() {
// 创建securityManager工厂,通过ini配置文件创建securityManager工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory(
"classpath:shiro-realm.ini");
// 创建SecurityManager
SecurityManager securityManager = factory.getInstance();
// 将securityManager设置当前的运行环境中
SecurityUtils.setSecurityManager(securityManager);
// 从SecurityUtils里边创建一个subject
Subject subject = SecurityUtils.getSubject();
// 在认证提交前准备token(令牌)
// 这里的账号和密码 将来是由用户输入进去
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");
try {
// 执行认证提交
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
}
// 是否认证通过
boolean isAuthenticated = subject.isAuthenticated();
System.out.println("是否认证通过:" + isAuthenticated);
}
八、MD5加密
8.1.创建MD5Demo测试类,进行测试
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
public class MD5Demo {
public static void main(String[] args) {
// 原始 密码
String password = "123";
// 盐
String salt = "abcde";
// 散列次数
int hashIterations = 2;
// 上边散列1次:7bc6c31880aeda581aa34e218af25753
// 上边散列2次:6585096f3f6735025449cfb351c8cff9
// 第一种方式
// 构造方法中:
// 第一个参数:明文,原始密码
// 第二个参数:盐,通过使用随机数
// 第三个参数:散列的次数,比如散列两次,相当 于md5(md5(''))
Md5Hash md5Hash = new Md5Hash(password, salt, hashIterations);
String password_md5 = md5Hash.toString();
System.out.println(password_md5);
// 第二种方式
// 第一个参数:散列算法
SimpleHash simpleHash = new SimpleHash("md5", password, salt,
hashIterations);
System.out.println(simpleHash.toString());
}
}
8.2在AuthenticationDemo类中添加方法进行测试
//测试MD5
@Test
public void testMD5() {
// 创建securityManager工厂,通过ini配置文件创建securityManager工厂
Factory<SecurityManager> factory =
new IniSecurityManagerFactory("classpath:shiro-realm-md5.ini");
// 创建SecurityManager
SecurityManager securityManager = factory.getInstance();
// 将securityManager设置当前的运行环境中
SecurityUtils.setSecurityManager(securityManager);
// 从SecurityUtils里边创建一个subject
Subject subject = SecurityUtils.getSubject();
// 在认证提交前准备token(令牌)
// 这里的账号和密码 将来是由用户输入进去
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");
try {
// 执行认证提交
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
}
// 是否认证通过
boolean isAuthenticated = subject.isAuthenticated();
System.out.println("是否认证通过:" + isAuthenticated);
}
8.3创建shiro-realm-md5.ini
[main]
#自定义realm
realmDemo=com.qf.realm.realmDemoMD5
#将realm设置到securityManager
securityManager.realms=$realmDemo
8.4创建realmMD5
package com.qf.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class realmDemoMD5 extends AuthorizingRealm {
private String realmName = "realmDemoMD5";
//认证
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//用户名
String principal = (String)authenticationToken.getPrincipal();
//System.out.println(principal);
//密码
Object credentials = authenticationToken.getCredentials();
String password = new String((char[]) credentials);
System.out.println(password);
Md5Hash md5Hash = new Md5Hash(password, "abcde", 2);
String password_md5 = md5Hash.toString();
System.out.println(password_md5);
//从数据库查出来的密码
String dbpassword = "6585096f3f6735025449cfb351c8cff9";
if("jack".equals(principal) &&password_md5.equals(dbpassword)){
SimpleAuthenticationInfo
simpleAuthenticationInfo = new SimpleAuthenticationInfo(principal,password,realmName);
return simpleAuthenticationInfo;
}
return null;
}
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
}
九、授权流程
9.1创建shiro-permission.ini(shiro-permission.ini里边的内容相当于在数据库)
#用户
[users]
#用户jack的密码是123,此用户具有role1和role2两个角色
jack=123,role1,role2
tom=456,role2
#权限
[roles]
#角色role1对资源user拥有create、update权限
role1=user:create,user:update
#角色role2对资源user拥有create、delete权限
role2=user:create,user:delete
#角色role3对资源user拥有create权限
role3=user:create
9.2创建AuthorizationDemo
package com.qf.authorization;
import java.util.Arrays;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;
public class AuthorizationDemo {
// 角色授权、资源授权测试
@Test
public void testAuthorization() {
// 创建SecurityManager工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory(
"classpath:shiro-permission.ini");
// 创建SecurityManager
SecurityManager securityManager = factory.getInstance();
// 将SecurityManager设置到系统运行环境,和spring后将SecurityManager配置spring容器中,一般单例管理
SecurityUtils.setSecurityManager(securityManager);
// 创建subject
Subject subject = SecurityUtils.getSubject();
// 创建token令牌
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123");
//认证
subject.login(token);
//是否认证成功
boolean authenticated = subject.isAuthenticated();
System.out.println("是否认证成功:"+authenticated);
//--------认证通过之后进行授权----------
//基于角色的授权
//单个角色判断
boolean role1 = subject.hasRole("role1");
System.out.println("role1:"+role1);
//多个角色判断
boolean allRoles = subject.hasAllRoles(Arrays.asList("role1", "role2"));
System.out.println("role1 + role2:"+allRoles);
//subject.checkRole("role3");//检查是否有当前角色
//基于资源的授权
//单个权限判断
boolean permitted = subject.isPermitted("user:create");
System.out.println("user:create:"+permitted);
//多个权限判断
boolean permittedAll = subject.isPermittedAll("user:create", "user:update");
System.out.println("user:create + user:update:"+permittedAll);
//subject.checkPermissions("user:query", "user:add");
}
}
十、使用realm授权
10.1修改之前realmDemo.java中的doGetAuthorizationInfo方法
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// 从 principals获取主身份信息
// 将getPrimaryPrincipal方法返回值转为真实身份类型(在上边的doGetAuthenticationInfo认证通过填充到SimpleAuthenticationInfo中身份类型)
String primaryPrincipal = (String)principalCollection.getPrimaryPrincipal();
System.out.println("primaryPrincipal:"+primaryPrincipal);
// 根据身份信息获取权限信息
// 连接数据库...
// 模拟从数据库获取到数据
//把数据库中查到的角色放进集合中
ArrayList<String> roles = new ArrayList<>();
roles.add("role1");
roles.add("role2");
//把数据库中查到的资源放进集合中
HashSet<String> permissions = new HashSet<>();
permissions.add("user:add");
permissions.add("user:update");
//查到权限数据,返回授权信息(包括以上的角色或者资源)
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
//通过角色授权
//simpleAuthorizationInfo.addRoles(roles);
//通过资源授权
simpleAuthorizationInfo.addStringPermissions(permissions);
return simpleAuthorizationInfo;
}
10.2创建shiro-realm.ini文件,配置自定义的realm,将realm设置到securityManager中,因为之前已经配置过,该步骤可以省略
10.3在AuthorizationDemo中添加方法进行测试
//授权
@Test
public void testAuthorization(){
//准备环境
IniSecurityManagerFactory iniSecurityManagerFactory =
new IniSecurityManagerFactory("classpath:shiro-realm.ini");
SecurityManager securityManager = iniSecurityManagerFactory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
//获取主体
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("jack","123");
//认证
subject.login(token);
//是否认证成功
boolean authenticated = subject.isAuthenticated();
System.out.println("是否认证成功:"+authenticated);
//--------认证通过之后进行授权----------
//单个角色判断
boolean role1 = subject.hasRole("role1");
System.out.println("role1:"+role1);
//多个角色判断
boolean allRoles = subject.hasAllRoles(Arrays.asList("role1", "role2"));
System.out.println("role1 + role2:"+allRoles);
//subject.checkRole("role3");//检查是否有当前角色
//-------判断权限--------
//单个权限判断
boolean permitted = subject.isPermitted("user:create");
System.out.println("user:create:"+permitted);
//多个权限判断
boolean permittedAll = subject.isPermittedAll("user:create", "user:update");
System.out.println("user:create + user:update:"+permittedAll);
//subject.checkPermissions("user:query", "user:add");
}
10.4 授权流程
1、对subject进行授权,调用方法isPermitted("permission串")
2、SecurityManager执行授权,通过ModularRealmAuthorizer执行授权
3、ModularRealmAuthorizer执行realm(自定义的Realm)从数据库查询权限数据,调用realm的doGetAuthorizationInfo授权方法
4、realm从数据库查询权限数据,返回ModularRealmAuthorizer
5、ModularRealmAuthorizer调用PermissionResolver进行权限串比对
6、如果比对后,isPermitted中"permission串"在realm查询到权限数据中,说明用户访问permission串有权限,否则 没有权限,抛出异常。