分享知識-快樂自己:Shrio 案例Demo概述
阿新 • • 發佈:2018-12-16
本文章為模擬案例,如有需要進行稍微改造方可使用。(這裡使用的是 聚合工程)
1、ShiroParent :為父工程 用來統一版本號
2、ShrioDay01:為參考文件
3、ShrioDay02:執行模擬案例
4、點我下載原始碼:地址一為本章案例 地址二為真實整合案例
ShrioParent--POM:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation
目錄結構:
ShrioDay01 工程:
POM:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactId>ShiroParent</artifactId>
<groupId>com.gdbd</groupId>
<version>1.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>ShiroDay01</artifactId>
<name>ShiroDay01</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</dependency>
<!--shiro-all-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/log4j/log4j -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-api -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</dependency>
</dependencies>
<build>
<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.0.0</version>
</plugin>
<!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.20.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
Quickstart:
package com.gdbd;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Simple Quickstart application showing how to use Shiro's API.
*
* @since 0.9 RC2
*/
public class Quickstart {
private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);
public static void main(String[] args) {
// The easiest way to create a Shiro SecurityManager with configured
// realms, users, roles and permissions is to use the simple INI config.
// We'll do that by using a factory that can ingest a .ini file and
// return a SecurityManager instance:
// Use the shiro.ini file at the root of the classpath
// (file: and url: prefixes load from files and urls respectively):
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
// for this simple example quickstart, make the SecurityManager
// accessible as a JVM singleton. Most applications wouldn't do this
// and instead rely on their container configuration or web.xml for
// webapps. That is outside the scope of this simple quickstart, so
// we'll just do the bare minimum so you can continue to get a feel
// for things.
SecurityUtils.setSecurityManager(securityManager);
// Now that a simple Shiro environment is set up, let's see what you can do:
// get the currently executing user:
// 獲取當前的 Subject. 呼叫 SecurityUtils.getSubject();
Subject currentUser = SecurityUtils.getSubject();
// Do some stuff with a Session (no need for a web or EJB container!!!)
// 測試使用 Session
// 獲取 Session: Subject#getSession()
Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");
String value = (String) session.getAttribute("someKey");
if (value.equals("aValue")) {
log.info("************************ Retrieved the correct value! [" + value + "]");
}
// 調動 Subject 的 isAuthenticated()
// 測試當前的使用者是否已經被認證. 即是否已經登入.
if (!currentUser.isAuthenticated()) {
// 把使用者名稱和密碼封裝為 UsernamePasswordToken 物件
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
// rememberme
token.setRememberMe(true);
try {
// 執行登入.
currentUser.login(token);
}
// 若沒有指定的賬戶, 則 shiro 將會丟擲 UnknownAccountException 異常.
catch (UnknownAccountException uae) {
log.info("----> There is no user with username of " + token.getPrincipal());
return;
}
// 若賬戶存在, 但密碼不匹配, 則 shiro 會丟擲 IncorrectCredentialsException 異常。
catch (IncorrectCredentialsException ice) {
log.info("----> Password for account " + token.getPrincipal() + " was incorrect!");
return;
}
// 使用者被鎖定的異常 LockedAccountException
catch (LockedAccountException lae) {
log.info("The account for username " + token.getPrincipal() + " is locked. " +
"Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
// 所有認證時異常的父類.
catch (AuthenticationException ae) {
//unexpected condition? error?
}
}
//say who they are:
//print their identifying principal (in this case, a username):
log.info("----> User [" + currentUser.getPrincipal() + "] logged in successfully.");
//test a role:
// 測試是否有某一個角色. 呼叫 Subject 的 hasRole 方法.
if (currentUser.hasRole("schwartz")) {
log.info("----> May the Schwartz be with you!");
} else {
log.info("----> Hello, mere mortal.");
return;
}
//test a typed permission (not instance-level)
// 測試使用者是否具備某一個行為. 呼叫 Subject 的 isPermitted() 方法。
if (currentUser.isPermitted("lightsaber:weild")) {
log.info("----> You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
//a (very powerful) Instance Level permission:
// 測試使用者是否具備某一個行為.
if (currentUser.isPermitted("user:delete:zhangsan")) {
log.info("----> You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " +
"Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
//all done - log out!
// 執行登出. 呼叫 Subject 的 Logout() 方法.
System.out.println("---->" + currentUser.isAuthenticated());
currentUser.logout();
System.out.println("---->" + currentUser.isAuthenticated());
System.exit(0);
}
}
log4j.properties:
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
# General Apache libraries
log4j.logger.org.apache=WARN
# Spring
log4j.logger.org.springframework=WARN
# Default Shiro logging
log4j.logger.org.apache.shiro=TRACE
# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN
shiro.ini
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# =============================================================================
# Quickstart INI Realm configuration
#
# For those that might not understand the references in this file, the
# definitions are all based on the classic Mel Brooks' film "Spaceballs". ;)
# =============================================================================
# -----------------------------------------------------------------------------
# Users and their assigned roles
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setUserDefinitions JavaDoc
# -----------------------------------------------------------------------------
[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz
# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'delete' (action) the user (type) with
# license plate 'zhangsan' (instance specific id)
goodguy = user:delete:zhangsan
ShrioDay02 工程:
POM:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactId>ShiroParent</artifactId>
<groupId>com.gdbd</groupId>
<version>1.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>ShiroDay02</artifactId>
<packaging>war</packaging>
<name>ShiroDay02 Maven Webapp</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<!-- 單元測試 -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
<!--shiro-all-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
</dependency>
<!-- 新增shrio-web支援 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
</dependency>
<!-- 新增shrio-spring支援 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-ehcache -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
</dependency>
<!-- 日誌處理 -->
<!-- https://mvnrepository.com/artifact/log4j/log4j -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-api -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-log4j12 -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</dependency>
<!-- Spring -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
</dependency>
<!-- Mybatis -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
</dependency>
<!-- JSP相關 -->
<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jsp-api</artifactId>
<scope>provided</scope>
</dependency>
<!-- MySql -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- 連線池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
</dependency>
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
</dependency>
</dependencies>
<build>
<finalName>ShiroDay02</finalName>
<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.0.0</version>
</plugin>
<!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.7.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.20.1</version>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.0</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
ShiroController:
package com.gdbd.controller;
import com.gdbd.service.ShiroService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import javax.servlet.http.HttpSession;
/**
* @author asus
*/
@Controller
@RequestMapping("/shiro")
public class ShiroController {
@Autowired
private ShiroService shiroService;
/***
* 測試存在 Session中的值 是否可以在service中獲取到
* @param session
* @return
*/
@RequestMapping("/testAnnotation")
public String testAnnotation(HttpSession session) {
session.setAttribute("key", "HttpServletSession:存入的值");
shiroService.show();
return "redirect:/list.jsp";
}
/***
* 登陸程式碼
* @param userName
* @param passWord
* @return
*/
@RequestMapping("/login")
public String login(@RequestParam("userName") String userName,
@RequestParam("passWord") String passWord) {
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isAuthenticated()) {
// 把使用者名稱和密碼封裝為 UsernamePasswordToken 物件
UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
System.out.println("1.token.hashCode()" + token.hashCode());
// rememberme 記住我
token.setRememberMe(true);
try {
// 執行登入.
System.out.println("-----執行登陸-----");
currentUser.login(token);
}
// 所有認證時異常的父類.
catch (AuthenticationException ae) {
System.out.println("登陸失敗" + ae.getMessage());
}
}
return "redirect:/list.jsp";
}
/***
* 登出清理快取
* @return
*/
@RequestMapping("/exit")
public String exit()
{
Subject currentUser = SecurityUtils.getSubject();
currentUser.logout();
return "login";
}
}
FilterChainDefinitionMapBuilder:
package com.gdbd.facktroy;
import java.util.LinkedHashMap;
/**
* 通過例項工廠方法的方式 實現是否有許可權訪問方法
* @author asus
*/
public class FilterChainDefinitionMapBuilder {
/***
* 從資料庫表中初始化資源和許可權
* @return
*/
public LinkedHashMap<String, String> buildFilterChainDefinitionMap() {
LinkedHashMap<String, String> map = new LinkedHashMap<>();
map.put("/login.jsp", "anon");
map.put("/shiro/login", "anon");
/***
* 登出(快取很嚴重【例如:成功登陸一次,再去登陸頁面輸入錯誤密碼同樣可以登入,
* 不會再走相關 Realm 認證:所以需要先登出】)
*/
map.put("/shiro/logout", "logout");
//必須通過 登陸認證和具備匹配許可權可以訪問
map.put("/user.jsp", "authc,roles[user]");
map.put("/admin.jsp", "authc,roles[admin]");
//通過記住我的功能,可以訪問 list
map.put("/list.jsp", "user");
map.put("/**", "authc");
return map;
}
}
ShiroRealm:
package com.gdbd.realms;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.HashSet;
import java.util.Set;
/**
* 第一道 加密的方式 MD5
* @author asus
* 1):單一實現認證:AuthenticatingRealm
* 2):授權+認證 :AuthorizingRealm
*/
public class ShiroRealm extends AuthorizingRealm {
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
throws AuthenticationException {
System.out.println("[SecondRealm--one]==doGetAuthenticationInfo");
System.out.println("doGetAuthenticationInfo" + token);
System.out.println("2.token.hashCode()" + token.hashCode());
//1、把AuthenticationToken 轉換為 UsernamePasswordToken
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
//2、從 UsernamePasswordToken 中獲取 username
String username = upToken.getUsername();
String password =new String( upToken.getPassword());
System.out.println("======username:=======" + username + "======username:=======" + password);
//3、使用資料庫方法,從資料庫中查詢 username 對應的使用者記錄
System.out.println("從資料庫中獲取 username:" + username + "所對應的使用者資訊");
//4、若使用者不存在,則可以丟擲 UnknownAccountException 異常
if ("unknown".equals(username)) {
throw new UnknownAccountException("使用者不存在");
}
//5、根據使用者資訊的情況,決定是否需要丟擲其他的 AuthenticationException 異常
if ("monster".equals(username)) {
throw new LockedAccountException("使用者被鎖定!!!");
}
//6、根據使用者的情況 來構建 AuthenticationInfo 物件並返回
/***
* 通常使用的實現類為:SimpleAuthenticationInfo
* 1):principal:認證的實體資訊,可以是 username,
* 也可以是資料表對應的使用者的實體類物件。
* 2):credentials:密碼
* 3):realmName:當前 realm 物件的name 呼叫父類的getName() 方法即可
*/
Object principal =username;
//資料庫查詢出來的密碼 123456--加密1024次:fc1709d0a95a6be30bc5926fdb7f22f4
//簡單模擬不同使用者登陸
Object credentials = "";
if ("admin".equals(username)) {
credentials = "038bdaf98f2037b31f1e75b5b4c9b26e";
} else {
credentials = "098d2c478e9c11555ce2823231e02ec1";
}
String realmName = this.getName();
System.out.println("============"+realmName+"===============");
SimpleAuthenticationInfo info = null;
// info = new SimpleAuthenticationInfo(principal, credentials, realmName);
// 使用鹽值加密:防止兩個人的密碼一樣導致加密後的金鑰也一致性,所以要加點鹽
ByteSource credentialsSalt = ByteSource.Util.bytes(username);
info = new SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName);
return info;
}
/**
* 內部實現加密模擬測試
* @param args
*/
public static void main(String[] args) {
String hashAlgorithmName = "MD5";
Object credentials = "123456";
Object salt = ByteSource.Util.bytes("user");
int hashIterations = 1024;
Object result = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
System.out.println(result);
}
/***
* 用於授權的方法
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("[doGetAuthorizationInfo:==進入授權管理]");
//1、從PrincipalCollection 中來獲取登入使用者的資訊
Object primaryPrincipal = principalCollection.getPrimaryPrincipal();
System.out.println("授權管理方法:當前登入名為:"+primaryPrincipal);
//2、利用登陸的使用者的資訊用來獲取當前使用者的角色或許可權(可能需要查詢資料庫)
/***
* 無論是哪一個使用者,預設都有檢視 user 的許可權,
* 如果是admin使用者登入,在追加user許可權
*/
Set<String> set = new HashSet<String>();
set.add("user");
if ("admin".equals(primaryPrincipal)) {
set.add("admin");
}
//3、建立 SimpleAuthorizationInfo ,並設定其 reles 屬性
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(set);
//4、返回 SimpleAuthenticationInfo 物件。
return info;
}
}
SecondRealm:
package com.gdbd.realms;
import org.apache.shiro.authc.*;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;
/**
* 第二道處理方式 SHA1 加密的方式 進行了雙重密碼認證
* @author asus
*/
public class SecondRealm extends AuthenticatingRealm {
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
throws AuthenticationException {
System.out.println("[SecondRealm--Tow]==doGetAuthenticationInfo");
System.out.println("doGetAuthenticationInfo" + token);
System.out.println("2.token.hashCode()" + token.hashCode());
//1、把AuthenticationToken 轉換為 UsernamePasswordToken
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
//2、從 UsernamePasswordToken 中獲取 username
String username = upToken.getUsername();
String password = (upToken.getPassword()).toString();
System.out.println("======username:=======" + username + "======username:=======" + password);
//3、使用資料庫方法,從資料庫中查詢 username 對應的使用者記錄
System.out.println("從資料庫中獲取 username:" + username + "所對應的使用者資訊");
//4、若使用者不存在,則可以丟擲 UnknownAccountException 異常
if ("unknown".equals(username)) {
throw new UnknownAccountException("使用者不存在");
}
//5、根據使用者資訊的情況,決定是否需要丟擲其他的 AuthenticationException 異常
if ("monster".equals(username)) {
throw new LockedAccountException("使用者被鎖定!!!");
}
//6、根據使用者的情況 來構建 AuthenticationInfo 物件並返回
/***
* 通常使用的實現類為:SimpleAuthenticationInfo
* 1):principal:認證的實體資訊,可以是 username,
* 也可以是資料表對應的使用者的實體類物件。
* 2):credentials:密碼
* 3):realmName:當前 realm 物件的name 呼叫父類的getName() 方法即可
*/
Object principal = username;
//資料庫查詢出來的密碼 123456--加密1024次:fc1709d0a95a6be30bc5926fdb7f22f4
Object credentials = "";
if ("admin".equals(username)) {
credentials = "ce2f6417c7e1d32c1d81a797ee0b499f87c5de06";
} else {
credentials = "073d4c3ae812935f23cb3f2a71943f49e082a718";
}
String realmName = this.getName();
SimpleAuthenticationInfo info = null;
// info = new SimpleAuthenticationInfo(principal, credentials, realmName);
// 使用鹽值加密:防止兩個人的密碼一樣導致加密後的金鑰也一致性,所以要加點鹽
ByteSource credentialsSalt = ByteSource.Util.bytes(username);
info = new SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName);
return info;
}
/***
* 內部測試加密方式
* @param args
*/
public static void main(String[] args) {
String hashAlgorithmName = "SHA1";
Object credentials = "123456";
Object salt = ByteSource.Util.bytes("admin");
int hashIterations = 1024;
Object result = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
System.out.println(result);
}
}
SystemLogoutFilter:(其中一種登出方式 過濾器)
package com.gdbd.realms;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* 登出
* @author asus
*/
public class SystemLogoutFilter extends LogoutFilter {
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
//在這裡執行退出系統前需要清空的資料
Subject subject = getSubject(request, response);
String redirectUrl = getRedirectUrl(request, response, subject);
try {
subject.logout();
} catch (SessionException ise) {
ise.printStackTrace();
}
issueRedirect(request, response, redirectUrl);
return false;
}
}
TestRealm:(可直接省略....)
package com.gdbd.realms;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
/**
* 測試
* @author asus
*/
public class TestRealm extends AuthorizingRealm {
/***
* 用於授權的方法
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
/***
* 用於認證的方法
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
return null;
}
}
ShiroService:(驗證註解方式 。設定是否有許可權訪問該方法)
package com.gdbd.service;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.session.Session;
import java.util.Date;
/**
* 註解實現是否有訪問許可權
* @author asus
*/
public class ShiroService {
/***
* Shiro 註解方式實現是需要注意的是:
* 在開發的過程中,往往會在 Seivice 中宣告異 Transactional 處於事務管理就(即變成了一個代理物件)
* 如果再寫一個 Shiro 許可權的註解會發生異常(型別轉換錯誤)
* ----------------------
* 使用 SecurityUtils.getSubject().getSession() 可以獲取到 HttpServletSession 中的值
*/
@RequiresRoles({"admin"})
public void show() {
Session session = SecurityUtils.getSubject().getSession();
System.out.println("使用 Shiro 中的Session 訪問HttpServletSession的值為:" + session.getAttribute("key"));
System.out.println("Shiro 許可權註解測試方法:" + new Date());
}
}
ehcache.xml:
<ehcache>
<!-- Sets the path to the directory where cache .data files are created.
If the path is a Java System Property it is replaced by
its value in the running VM.
The following properties are translated:
user.home - User's home directory
user.dir - User's current working directory
java.io.tmpdir - Default temp file path -->
<diskStore path="java.io.tmpdir"/>
<!--授權的時候進行快取策略-->
<cache name="authorizationCache"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="0"
overflowToDisk="false"
statistics="true">
</cache>
<!--認證的時候進行快取策略-->
<cache name="authenticationCache"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="0"
overflowToDisk="false"
statistics="true">
</cache>
<cache name="shiro-activeSessionCache"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="0"
overflowToDisk="false"
statistics="true">
</cache>
<!--Default Cache configuration. These will applied to caches programmatically created through
the CacheManager.
The following attributes are required for defaultCache:
maxInMemory - Sets the maximum number of objects that will be created in memory
eternal - Sets whether elements are eternal. If eternal, timeouts are ignored and the element
is never expired.
timeToIdleSeconds - Sets the time to idle for an element before it expires. Is only used
if the element is not eternal. Idle time is now - last accessed time
timeToLiveSeconds - Sets the time to live for an element before it expires. Is only used
if the element is not eternal. TTL is now - creation time
overflowToDisk - Sets whether elements can overflow to disk when the in-memory cache
has reached the maxInMemory limit.
-->
<defaultCache
maxElementsInMemory="10000"
eternal="false"
timeToIdleSeconds="120"
timeToLiveSeconds="120"
overflowToDisk="true"
/>
<!--Predefined caches. Add your cache configuration settings here.
If you do not have a configuration for your cache a WARNING will be issued when the
CacheManager starts
The following attributes are required for defaultCache:
name - Sets the name of the cache. This is used to identify the cache. It must be unique.
maxInMemory - Sets the maximum number of objects that will be created in memory
eternal - Sets whether elements are eternal. If eternal, timeouts are ignored and the element
is never expired.
timeToIdleSeconds - Sets the time to idle for an element before it expires. Is only used
if the element is not eternal. Idle time is now - last accessed time
timeToLiveSeconds - Sets the time to l