[Shiro] tutorial 1 :SecurityManager and Subject

时间:2021-03-27 10:00:59

  SecurityManager是Shiro的绝对核心,不同于java.lang.SecurityManager,每个应用程序都要有一个SecurityManager.

所以我们第一件事就是配置一个SecurityManager实例.

配置:

我们可以直接实例化SecurityManager类,Shiro的SecurityManger的实现有很多配置选项和内部组件.

可以通过文本类型的配置文件配置.Shiro提供了ini格式的配置文件.

相较于xml,ini更加易读,也无需太多依赖.

可以简单配置简单对象图,如SecurityManager.

    public static void main(String[] args) {

    log.info("My First Apache Shiro Application");

    //1.工厂模式,通过配置文件来构建工厂

    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");

    //2.通过工厂来得到SecurityManager的实例

    SecurityManager securityManager = factory.getInstance();

    //3.设置(2)中得到的实例为当前进程的SecurityManager

    SecurityUtils.setSecurityManager(securityManager);

    //4.根据(3)中的设置,getSubject()可以使用了.得到主题对象(或者称之为Shiro的'用户')

    Subject currentUser = SecurityUtils.getSubject();

    //5. Shiro的session不需要HTTP环境,但能提供其相似功能以及额外的优势

    Session session = currentUser.getSession();

    session.setAttribute( "someKey", "aValue" );

Shiro will automatically use its Enterprise Session Management by default.这意味着在任何层,任意开发环境,你可以在你的程序中得到相同的API.

这打开了新世界的大门: 一些程序需要session不再*使用HttpSession或者EJB Stateful Session Beans.

任何客户端数据都可以共享session数据.

===我们可以获得一个Subject以及他们的Session. 以上的Subject实例代表着当前用户.

note:谁是当前用户呢?

Well, they’re anonymous - that is, until they log in at least once. So, let’s do that:

if ( !currentUser.isAuthenticated() ) {

    //collect user principals and credentials in a gui specific manner

    //such as username/password html form, X509 certificate, OpenID, etc.

    //We'll use the username/password example here since it is the most common.

    UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");

    //this is all you have to do to support 'remember me' (no config - built in!):

    token.setRememberMe(true);

    currentUser.login(token);

}

以上是最简单的方法了.

但是登录失败了呢?可以捕捉一系列排序号的指定异常来精确诊断哪一步出问题了.

try {

    currentUser.login( token );

    //if no exception, that's it, we're done!

} catch ( UnknownAccountException uae ) {

    //username wasn't in the system, show them an error message?

} catch ( IncorrectCredentialsException ice ) {

    //password didn't match, try again?

} catch ( LockedAccountException lae ) {

    //account for that username is locked - can't login.  Show them a message?

}

    ... more types exceptions to check if you want ...

} catch ( AuthenticationException ae ) {

    //unexpected condition - error?

}

更多异常参考:Authentication异常的详细信息

Handy Hint:

Security best practice is to give generic login failure messages to users because you do not want to aid an attacker trying to break into your system.

Ok, so by now, we have a logged in user. What else can we do?

Let’s say who they are:

//print their identifying principal (in this case, a username):

log.info( "User [" + currentUser.getPrincipal() + "] logged in successfully." );

We can also test to see if they have specific role or not:

if ( currentUser.hasRole( "schwartz" ) ) {

    log.info("May the Schwartz be with you!" );

} else {

    log.info( "Hello, mere mortal." );

}

We can also see if they have a permission to act on a certain type of entity:

if ( currentUser.isPermitted( "lightsaber:weild" ) ) {

    log.info("You may use a lightsaber ring.  Use it wisely.");

} else {

    log.info("Sorry, lightsaber rings are for schwartz masters only.");

}

Also, we can perform an extremely powerful instance-level permission check - the ability to see if the user has the ability to access a specific instance of a type:

if ( currentUser.isPermitted( "winnebago:drive:eagle5" ) ) {

    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'.  " +

                "Here are the keys - have fun!");

} else {

    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");

}

Piece of cake, right?

Finally, when the user is done using the application, they can log out:

currentUser.logout(); //removes all identifying information and invalidates their session too.

[Shiro] tutorial 1 :SecurityManager and Subject的更多相关文章

  1. Shiro源码分析之Subject和SecurityManager

    Subject 毫无疑问,Subject是Shiro最重要的一个概念. “Subject”只是一个安全术语,意味着应用程序用户的特定于安全性的“视图”.Shiro Subject实例代表单个应用程序用 ...

  2. shiro错误No SecurityManager accessible to the calling code

    Shire在Web.xml中shiroFilter的Mapping配置错误 org.apache.shiro.UnavailableSecurityManagerException: No Secur ...

  3. shiro实战系列&lpar;十&rpar;之Subject

    毫无疑问,在 Apache Shiro 中最重要的概念就是 Subject.'Subject'仅仅是一个安全术语,是指应用程序用户的特定 安全的“视图”.一个 Shiro Subject 实例代表了一 ...

  4. Shiro的认证原理(Subject&num;login的背后故事)

    登录操作一般都是我们触发的: Subject subject = SecurityUtils.getSubject(); AuthenticationToken authenticationToken ...

  5. Shiro遇到的SecurityManager红色警告

    问题如图 需要添加一个导入 import org.apache.shiro.mgt.SecurityManager; 这样就不会报错了

  6. SpringBoot2整合Shiro报错 UnavailableSecurityManagerException&colon; No SecurityManager accessible to the calling code 【已解决】

    SpringBoot集成Shiro报错 UnavailableSecurityManagerException: No SecurityManager accessible to the callin ...

  7. Apache Shiro系列教程之二:十分钟上手Shiro

    在本教程中,我们会写一个简单的.仅仅输出一些内容命令行程序,从而对Shiro有一个大体的感觉. 一.准备工作 本教程需要Java1.5+,并且我们用Maven生成项目,当然Maven不是必须的,你也可 ...

  8. Apache Shiro Architecture--官方文档

    原文地址:http://shiro.apache.org/architecture.html Apache Shiro's design goals are to simplify applicati ...

  9. shiro入门实例,基于ini配置

    基于ini或者关系数据库的,其实都是一样的,重要的是思想. # ==================================================================== ...

随机推荐

  1. Linux强制访问控制机制模块分析之mls&lowbar;type&period;h

    2.4.2 mls_type.h 2.4.2.1文件描述 对于mls_type.h文件,其完整文件名为security/selinux/ss/mls_types.h,该文件定义了MLS策略使用的类型. ...

  2. jprofiler安装与使用

    1: 修改/etc/profile 增加以下内容: JPROFILER_HOME=/opt/jprofiler9/bin/linux-x64export LD_LIBRARY_PATH=$LD_LIB ...

  3. 一致性Hash算法及使用场景

    一.问题产生背景      在使用分布式对数据进行存储时,经常会碰到需要新增节点来满足业务快速增长的需求.然而在新增节点时,如果处理不善会导致所有的数据重新分片,这对于某些系统来说可能是灾难性的. 那 ...

  4. python 多线程 paramiko实现批量命令输入输出

    远程批量执行命令 实现多线程执行 速度快 实现多并发登录 #-*- coding: utf-8 -*- #!/usr/bin/python import paramiko import threadi ...

  5. jQuery Mobile Slider 禁用点击事件

    阿子原创,转载请注明出处. 在使用jQuery Mobile Slider时,发现在页面上下拖动时,很容易不小心触发Slider的点击事件,从而造成误操作.为此需要禁用Slider的点击事件. 官方A ...

  6. SDP(1):ScalikeJDBC-基本操作介绍

    简单来说:JDBC是一种开放标准的跨编程语言.跨数据库类型编程API.各类型数据库产品厂商都会按它的标准要求来提供针对自身产品的JDBC驱动程序.最主要的这是一套成熟的工具,在编程人员中使用很普及.既 ...

  7. SpringMVC之GET请求参数中文乱码

    server.xml 文件中的编码过滤器设置是针对POST请求的,tomacat对GET和POST请求处理方式是不同的,要处理针对GET请求的编码问题,则需要改tomcat,conf目录下的serve ...

  8. js术语扫盲贴:XHR、RegExp、call-apply、prototype

    (1) XHR:xml httprequestXHR注入:XHR 注入技术是通过XMLHttpRest来获取javascript的.但与eval不同的是,该机制是通过创建一个script的DOM元素, ...

  9. socketserver和socket的补充&lpar;验证客户端合法性&rpar;

    一.socket的补充 1.参数 socket.socket(family=AF_INET,type=SOCK_STREAM,proto=0,fileno=None) 参数说明: family 地址系 ...

  10. flume实现kafka到文件测试用例

    kafka 到 file at2.sources =st2 at2.channels = ct2 at2.sinks = kt2 # For each one of the sources, the ...

相关文章