From 2cbdca091c0cdb4a24ed7af9466742a3b1d62731 Mon Sep 17 00:00:00 2001 From: wu xiangkai Date: Wed, 2 Nov 2022 10:48:09 +0800 Subject: [PATCH] =?UTF-8?q?=E6=97=A5=E5=B8=B8=E6=8F=90=E4=BA=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Apache Shiro Authentication.md | 31 +++++++ .../Apache Shiro/Apache Shiro QuickStart.md | 92 +++++++++++++++++++ spring/Apache Shiro/Apache Shiro.md | 17 ++++ 3 files changed, 140 insertions(+) create mode 100644 spring/Apache Shiro/Apache Shiro Authentication.md create mode 100644 spring/Apache Shiro/Apache Shiro QuickStart.md diff --git a/spring/Apache Shiro/Apache Shiro Authentication.md b/spring/Apache Shiro/Apache Shiro Authentication.md new file mode 100644 index 0000000..2ed8eee --- /dev/null +++ b/spring/Apache Shiro/Apache Shiro Authentication.md 
@@ -0,0 +1,31 @@ +# Apache Shiro Authentication +## Apache Shiro Authentication简介 +Authentication是一个对用户进行身份认证的过程,在认证过程中用户需要向应用提供用于证明用户的凭据。 +## Apache Authentication概念 +### subject +在应用的角度,subject即是一个用户 +### principals +主体,用于标识一个用户,可以是username、social security nubmer等 +### credentials +凭据,在用户认证过程中用于认证用户的身份,可以是密码、生物识别数据(如指纹、面容等) +### realms +专用于security的dao对象,用于和后端的datasource进行沟通。 +## Shiro Authentication过程 +### Shiro框架的Authentication过程 +1. 收集用户的principals和credentials +2. 向应用的认证系统提交用户的principals和credentials +3. 认证结束之后,根据认证结果允许访问、重试访问请求或者阻塞访问 +### 收集用户的principals和credentials +可以通过UsernamePasswordToken来存储用户提交的username和password,并可以调用UsernamePasswordToken.rememberMe方法来启用Shiro的“remember-me”功能。 +```java +//Example using most common scenario: +//String username and password. Acquire in +//system-specific manner (HTTP request, GUI, etc) +UsernamePasswordToken token = new UsernamePasswordToken( username, password ); + +//”Remember Me” built-in, just do this: +token.setRememberMe(true); +``` +### 将收集的principals和credentials提交给认证系统 +在收集完用户的principals和credentials之后,需要将其提交给应用的认证系统。 +在Shiro中,代表认证系统的是Realm,其从存放安全数据的datasource中获取数据,并且 \ No newline at end of file diff --git a/spring/Apache Shiro/Apache Shiro QuickStart.md b/spring/Apache Shiro/Apache Shiro QuickStart.md new file mode 100644 index 0000000..9dfe684 --- /dev/null +++ b/spring/Apache Shiro/Apache Shiro QuickStart.md 
@@ -0,0 +1,92 @@ +- [Apache Shiro Quick Start](#apache-shiro-quick-start) + - [Apache Shiro常用API](#apache-shiro常用api) + - [获取当前用户](#获取当前用户) + - [设置用户Session](#设置用户session) + - [通过用户名和密码对用户进行身份认证](#通过用户名和密码对用户进行身份认证) + - [对身份认证失败的情况进行异常处理](#对身份认证失败的情况进行异常处理) + - [对已经登录的用户进行role检验](#对已经登录的用户进行role检验) + - [检测某用户是否具有某项特定权限](#检测某用户是否具有某项特定权限) + - [在实例级别对用户的权限进行检测](#在实例级别对用户的权限进行检测) + - [用户登出](#用户登出) + +# Apache Shiro Quick Start +## Apache Shiro常用API +### 获取当前用户 +在任何环境中,都可以通过如下代码来获取当前执行的用户: +```java +Subject currentUser = SecurityUtils.getSubject(); +``` +### 设置用户Session +可以通过如下代码获取用户的Shiro Session,并可以向Session中设置属性和值,设置的值在用户会话期间内都可以使用。 +**Shiro Session在使用时并不要求当前位于HTTP环境下** +```java +Session session = currentUser.getSession(); +session.setAttribute( "someKey", "aValue" ); +``` +> 如果当前应用部署于Web环境下,那么Shiro Session默认会使用HttpSession,但是如果当前应用部署在非Web环境下时,Shiro Session会使用其Enterprise Session Management。 + +### 通过用户名和密码对用户进行身份认证 +通过如下代码,可以通过UsernamePasswordToken来对未认证的用户进行身份认证。 +```java +if ( !currentUser.isAuthenticated() ) { + //collect user principals and credentials in a gui specific manner + //such as username/password html form, X509 certificate, OpenID, etc. + //We'll use the username/password example here since it is the most common. + //(do you know what movie this is from? ;) + UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa"); + //this is all you have to do to support 'remember me' (no config - built in!): + token.setRememberMe(true); + currentUser.login(token); +} +``` +### 对身份认证失败的情况进行异常处理 +如果在身份认证的过程中失败,可以通过如下代码捕获认证失败抛出的异常,并对异常进行异常处理 +```java +try { + currentUser.login( token ); + //if no exception, that's it, we're done! +} catch ( UnknownAccountException uae ) { + //username wasn't in the system, show them an error message? +} catch ( IncorrectCredentialsException ice ) { + //password didn't match, try again? +} catch ( LockedAccountException lae ) { + //account for that username is locked - can't login. Show them a message? +} + ... 
more types exceptions to check if you want ... +} catch ( AuthenticationException ae ) { + //unexpected condition - error? +} +``` +### 对已经登录的用户进行role检验 +如果用户已经登录,如果要检测该用户是否被授予某role权限,可以通过如下代码进行检验 +```java +if ( currentUser.hasRole( "schwartz" ) ) { + log.info("May the Schwartz be with you!" ); +} else { + log.info( "Hello, mere mortal." ); +} +``` +### 检测某用户是否具有某项特定权限 +如果要对已经登录的用户执行检测,检测其是否被授予某项特定的前线,可以通过如下方式进行检测。 +```java +if ( currentUser.isPermitted( "lightsaber:wield" ) ) { + log.info("You may use a lightsaber ring. Use it wisely."); +} else { + log.info("Sorry, lightsaber rings are for schwartz masters only."); +} +``` +### 在实例级别对用户的权限进行检测 +在Shiro中,可以检测用户是否对某实例具有特定权限,通过如下代码: +```java +if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) { + log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. " + + "Here are the keys - have fun!"); +} else { + log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!"); +} +``` +### 用户登出 +如果已经登录的用户想要执行登出操作,可以通过如下代码进行登录: +```java +currentUser.logout(); +``` \ No newline at end of file diff --git a/spring/Apache Shiro/Apache Shiro.md b/spring/Apache Shiro/Apache Shiro.md index 95a5129..aa57a6c 100644 --- a/spring/Apache Shiro/Apache Shiro.md +++ b/spring/Apache Shiro/Apache Shiro.md @@ -1,3 +1,20 @@ +- [Apache Shiro](#apache-shiro) + - [Shiro简介](#shiro简介) + - [Shiro中常用的概念](#shiro中常用的概念) + - [Subject](#subject) + - [SecurityManager](#securitymanager) + - [realms](#realms) + - [Authentication](#authentication) + - [Authorization](#authorization) + - [Session Management](#session-management) + - [Shiro Session可在任何应用中使用](#shiro-session可在任何应用中使用) + - [Shiro加密](#shiro加密) + - [shiro hash](#shiro-hash) + - [Shiro Ciphers](#shiro-ciphers) + - [Shiro框架的Web支持](#shiro框架的web支持) + - [Web Session管理](#web-session管理) + - [Shiro Native Session](#shiro-native-session) + # Apache Shiro ## Shiro简介 Shiro是一个简单易用且功能强大的Java安全框架,用于实现认证、授权、加密、session管理等场景,并且Shiro可以被用于任何应用,包括命令行应用、移动应用、大型web应用或是企业应用。
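Review bot: In the `Apache Shiro Authentication.md` hunk the last section stops mid-sentence ("…从存放安全数据的datasource中获取数据,并且" followed by "No newline at end of file"), so the explanation of how the Realm handles the submitted principals and credentials is never finished; either complete the sentence or leave the "将收集的principals和credentials提交给认证系统" heading out until the text is ready. Two smaller fixes in the same hunk: "social security nubmer" should read "number", and the heading "## Apache Authentication概念" is missing "Shiro". Because the section advertises `token.setRememberMe(true)`, it would help readers to add one line saying that a remembered Subject is not an authenticated one: Shiro reports that state through `isRemembered()`, not `isAuthenticated()`, so operations that require proof of identity should still demand a fresh login rather than rely on the remember-me cookie.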
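Review bot: The exception-handling snippet in the `Apache Shiro QuickStart.md` hunk keeps the placeholder line `... more types exceptions to check if you want ...` inside the fenced `java` block, so the example does not compile as pasted; move that remark into the surrounding prose or a `//` comment. In the same snippet the comments propose different messages for `UnknownAccountException` ("username wasn't in the system, show them an error message?") and `IncorrectCredentialsException` ("password didn't match, try again?"); the document should state that the response shown to the user must be the same in both cases, otherwise the login form reveals which usernames exist, and that the distinction belongs in server-side logging only. Two wording errors further down: "### 用户登出" says "可以通过如下代码进行登录" where it means 登出 (logout), and "某项特定的前线" in the permission-check section should be "权限".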
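Review bot: The table of contents added to `Apache Shiro.md` mixes capitalisation in its entries ("realms" and "shiro hash" next to "Subject" and "Shiro Ciphers"); align each entry with the exact heading text it links to so the generated anchors (`#realms`, `#shiro-hash`) keep resolving if the headings are later edited. The headings themselves are outside this hunk, so the links cannot be verified from the diff; a note in the file on how the anchors are generated (or a mention of the TOC tool used) would let the next editor regenerate them rather than maintain the list by hand.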