应用Shiro到Web Application(基础)

于 2011-09-30 11:00:00 发布
阅读量61 收藏
点赞数
文章标签: web.xml java 开发工具
本文介绍Shiro权限管理系统的基础知识,包括认证、授权、加密及RBAC等概念,并演示了如何在webapplication中集成Shiro,从创建项目到配置过滤器等步骤。

一、简介

如果你正想学习权限方面的知识,或者正打算把Shiro作为权限组件集成到自己的web application中,或许正在为Shiro如何实现CAPTCHA(验证码)功能而伤透脑筋。那么,本文正是为你准备的。本文简单介绍权限方面的基础知识并以实际例子,带你进入Shiro的世界。

二、权限基础

a)<wbr><wbr><wbr> 认证(你是谁?)<br> 判断你(被认证者)是谁的过程。通常被认证者提供用户名和密码。<br><br> 常见的认证包含如下几种<br> 匿名认证:允许访问资源,不做任何类型的安全检查。<br> 表单认证:访问资源之前,需要提交包含用户名和密码的表单。这是web application最常用的认证方式。这个过程一般会接合Session,只在第一次(新会话)访问资源时提交认证表单。<br> 基本HTTP认证:基于RFC 2617的一种认证方式。<br> 用户认证:Filter that allows access to resources if the accessor is a known user, which is defined as having a known principal. This means that any user who is authenticated or remembered via a 'remember me' feature will be allowed access from this filter.<br><br> b)<wbr><wbr><wbr> 授权(你可以做什么?)<br> 判断被认证者(你)是否能做什么操作的过程。<br> 端口授权:必须通过指定的某个端口才能访问资源。<br> Permission授权:Filter that allows access if the current user has the permissions specified by the mapped value, or denies access if the user does not have all of the permissions specified.<br> Role授权:Filter that allows access if the current user has the roles specified by the mapped value, or denies access if the user does not have all of the roles specified.<br><br> perms <wbr><wbr><wbr> org.apache.shiro.web.filter.authz.PermissionsAuthorization<wbr>Filter<br> port <wbr><wbr><wbr> org.apache.shiro.web.filter.authz.PortFilter<br> roles <wbr><wbr><wbr> org.apache.shiro.web.filter.authz.RolesAuthorizationFilter<wbr><br> ssl <wbr><wbr><wbr> org.apache.shiro.web.filter.authz.SslFilter<br><br> c)<wbr><wbr><wbr> 加密<br> 使用技术手段(如:MD5、SHA等)把待加密的数据变为密文(如:信息摘要等)过程。<br><br> d)<wbr><wbr><wbr> RBAC<br> 基于角色的访问控制(Role-Based Access Control)。<br> e)<wbr><wbr><wbr> Realm<br> data access object for an application’s security components (users,roles, permissions)<br><br> f)<wbr><wbr><wbr> Permission<br> 最小粒度的授权,不与用户关联。<br> 例如:导出报表、查看id号为“PO20090008”的采购单、创建FAQ。<br> g)<wbr><wbr><wbr> Role<br> Permission的集合。<br></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

三、Shiro特点

简单
功能强大
能独立运行,不依赖其它框架或容器
包含了认证、授权、Session管理、加密
易于扩展

四、web application 集成Shiro

接下来,按照如下步骤开始我们的Shiro之旅:
a)<wbr><wbr><wbr> 数据模型<br><br><a href="http://photo.blog.sina.com.cn/showpic.html#blogid=76a8f8780100r2c9&amp;url=http://s2.sinaimg.cn/orignal/76a8f878g76cb0669a9a1" target="_blank"><img title="应用Shiro到Web&lt;wbr&gt;Application(基础)" name="image_operate_66181306143586290" alt="应用Shiro到Web&lt;wbr&gt;Application(基础)" src="http://s2.sinaimg.cn/middle/76a8f878g76cb0669a9a1&amp;690" width="664" height="140"></a><br><br><br> 用户账号Account,可以简单的理解为用户。<br> 一个账号可以拥有多个角色(Role)。<br> 一个角色包含了多个权限(Permission)。<br><wbr><br><br> b)<wbr><wbr><wbr> 创建工程,新建实体,添加与Shiro相关的Jar包<br> 如果你正在全用Eclipse:<br> File--New--Other--Web--Dynamic Web Project<br><br> 在 /WEB-INFO/lib/目录下添加如下Jar包<br><br><a href="http://photo.blog.sina.com.cn/showpic.html#blogid=76a8f8780100r2c9&amp;url=http://s4.sinaimg.cn/orignal/76a8f878ga3ee4322ebc3" target="_blank"></a><img src="http://hi.youkuaiyun.com/attachment/201109/30/3638307_1317353580bBf2.jpg" alt=""><br><br><br><wbr><br> 相关Jar包,你可以在http://incubator.apache.org/shiro/download.html<br> c)<wbr><wbr><wbr> 配置web.xml,添加过滤器<br></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr> &lt;filter&gt;</wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> &lt;filter-name&gt;ShiroFilter&lt;/filter-name&gt;</wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> &lt;filter-class&gt;org.apache.shiro.web.servlet.IniShiroFilter&lt;/filter-class&gt;</wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr> &lt;/filter&gt;</wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr> &lt;filter-mapping&gt;</wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> &lt;filter-name&gt;ShiroFilter&lt;/filter-name&gt;</wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

<wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> &lt;url-pattern&gt; / *&lt;/url-pattern&gt;</wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

</filter-mapping>


d)<wbr><wbr><wbr> INI配置<br> [main]<br> #SHA256加密<br> sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher<wbr><br><br> #realm<br> myRealm = com.wearereading.example.shiro.MyShiroRealm<br> myRealm.credentialsMatcher = $sha256Matcher<br><br> #缓存<br> myRealm.authorizationCachingEnab<wbr>led = true<br> cache=org.apache.shiro.cache.ehcache.EhCacheManager<br> myRealm.cacheManager=$cache<br><br> [filters]<br> shiro.loginUrl = /login.jsp<br> #authc=org.apache.shiro.web.filter.authc.FormAuthenticationFilter<wbr><br> authc.successUrl =/background.jsp<br> perms.unauthorizedUrl =/401.jsp<br><br> [urls]<br> /login.jsp=authc<br> /logout.jsp=anon<br> /about.jsp=anon<br> /background.jsp=authc<br><br> /faq/test.jsp=authc<br> /faq/list.jsp=authc,perms["faq:list"]<br> /faq/view.jsp=authc,perms["faq:view"]<br><br> 位置:<br> 配置参数可以写在web.xml文件中,也可以单独文件形式存放在本地类根路径、文件系统以及网络环境中。<br> Shiro INI Inline Config 和External Config<br><br> public class MyShiroRealm extends AuthorizingRealm{<br><br><wbr><wbr><wbr><br><wbr><wbr><wbr> protected AuthorizationInfo doGetAuthorizationInfo(<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> PrincipalCollection principals) {<br><wbr><wbr><wbr><wbr><wbr><wbr> String username = (String) principals.fromRealm(<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> getName()).iterator().next();<br><wbr><wbr><wbr><wbr><wbr><wbr><br><wbr><wbr><wbr><wbr><wbr><wbr> if( username != null ){<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> AccountManager accountManager = new AccountManagerImpl();<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> Collection&lt;Role&gt; myRoles = accountManager.getRoles( username );<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> if( myRoles != null ){<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> for( Role each:myRoles ){<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> info.addRole(each.getName());<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> info.addStringPermissions( each.getPermissionsAsString() );<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> }<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> return info;<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> }<br><wbr><wbr><wbr><wbr><wbr><wbr> }<br><wbr><wbr><wbr><wbr><wbr><wbr><br><wbr><wbr><wbr><wbr><wbr><wbr> return null;<br><wbr><wbr><wbr> }<br><br><wbr><wbr><wbr><br><wbr><wbr><wbr> protected AuthenticationInfo doGetAuthenticationInfo(<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr> AuthenticationToken authcToken ) throws AuthenticationException {<br><wbr><wbr><wbr><wbr><wbr><wbr> UsernamePasswordToken token = (UsernamePasswordToken) authcToken;<br><wbr><wbr><wbr><wbr><wbr><wbr> String accountName = token.getUsername();<br><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><wbr><br><wbr><wbr><wbr><wbr><wbr><wbr> //用户名密码验证<br><wbr><wbr><wbr><wbr><wbr><wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

iteye_3224
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值