Apache Shiro 10-minute tour!

Source: Internet
Author: User

What follows is a simple introduction to and understanding of Shiro; if you want to learn more in depth, please refer to my column:

Http://blog.csdn.net/column/details/study-shiro.html?&page=1

Preface

Welcome to the Apache Shiro 10-minute tour!

Hopefully this short, quick example will give you a good understanding of how to use Shiro in your application. You should be able to get through it in 10 minutes.

Overview

What is Apache Shiro?

Apache Shiro is a powerful, easy-to-use Java security framework that provides developers with an intuitive and comprehensive solution for authentication, authorization, encryption, and session management.

In practice, Shiro's primary job is to manage all the security-related concerns of an application, while supporting as many alternative implementations as possible. Shiro is built on sound interface-driven design and object-oriented principles, so almost every behavior can be customized. The default implementations Shiro provides let it do the same things other security frameworks do, but that alone is not what we have been striving for!

So what can Apache Shiro do?

Quite a lot. But that is not covered in this quick guide; if you want to know, go here and find your answer. And if you still want to know when and why Shiro was created, go and read Shiro's history and mission.

OK, now let's actually do something.

Note: Shiro can run in any environment, from the simplest command-line application up to large enterprise and clustered applications. In this quick guide, however, we use the simplest possible main method to give you a feel for the Shiro API.

Download

    1. Make sure JDK 1.5+ and Maven 2.2+ are installed.
    2. Go here to download the latest released source code. In this example we use the 1.1.0 release.
    3. Extract the source code.
    4. Go to the quickstart folder:

      cd shiro-root-1.1.0/samples/quickstart

    5. Run the quickstart:

      mvn compile exec:java

The log output printed during the run tells you what is going on, and then the program exits. You can find the source code at samples/quickstart/src/main/java/Quickstart.java; feel free to modify it, just remember to run mvn compile exec:java again after making changes.

Quickstart.java

Quickstart.java contains everything we have just mentioned (authentication, authorization, and so on), and this simple example makes it easy to familiarize yourself with the Shiro API. So let's take the code in Quickstart.java apart piece by piece so that the role of each part is easy to understand. In almost any environment, you obtain the current user like this:

Subject currentUser = SecurityUtils.getSubject();

With SecurityUtils.getSubject() you get the current Subject. A Subject is the security-specific view of whoever is using the application; although it might feel more natural to just call it a "user", it actually means more than that. Every application has its own notion of users and its own frameworks, and we don't want to confuse them, and "subject" is a recognized term in the security field. OK, let's continue.

In a standalone application, calling getSubject() returns a Subject representing the user in that particular place in the application; when running on a server (such as a web app), getSubject returns the Subject bound to the current thread or request. Now that you have the Subject object, what can you do with it?

If you want to store or retrieve other data for the user's current session in the app, you can get the Session object:

Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");

This Session object is specific to Shiro; it is very similar to the HttpSession we use so often, but it also provides extra things. The biggest difference from HttpSession is that the Shiro Session does not depend on an HTTP environment (in other words, it can be used in a non-HTTP container).

If Shiro is deployed in a web application, this Session is backed by the HttpSession. In a non-web environment, however, such as this quickstart example, Shiro uses its built-in Enterprise Session Management by default. This means the same API is used in every tier of the application without regard to the deployment environment, which opens up a whole new world for the application: session objects no longer depend on HttpSession or EJB stateful session beans, and any client technology can share session data.

Now you can get the current subject and its session object. So how do we verify things like roles and permissions?

It is simple: the checks are made through the Subject object we obtained. The Subject represents the current user, but who is the current user? Right now, an anonymous user. In other words, you must log in before the current user is anyone in particular. No problem, you can handle that like so:

    if (!currentUser.isAuthenticated()) {
        // collect user principals and credentials in a GUI specific manner
        // such as username/password HTML form, X509 certificate, OpenID, etc.
        // We'll use the username/password example here since it is the most common.
        // (do you know what movie this is from? ;)
        UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
        // this is all you have to do to support 'remember me' (no config - built in!):
        token.setRememberMe(true);
        currentUser.login(token);
    }


That's it, it's that easy!

How do you deal with a failed login? Different kinds of failure can be handled by catching the various exceptions Shiro throws, depending on the type of exception:


You can catch the various exceptions Shiro provides, or throw your own custom exceptions to handle situations Shiro has not considered. For more information, see the AuthenticationException JavaDoc.

Tip: The safest thing to do is to tell the user only that the login failed; that way you never help an attacker break into your system!

OK, now that you have a login user, what else can we do?

For example, find out who they are:


You can also determine whether the user has permission to act on a particular type of entity:


Of course, you can also perform powerful instance-level permission checks, which let you determine whether the user has permission to access one particular instance of a type:


It's a piece of cake, right?

Finally, when the user is done, you can log them out of the app.

currentUser.logout(); // removes all identifying information and invalidates their session too
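As an added, complete example (not the page's or the Shiro project's own code) covering the login-failure handling, the role and permission checks, and the logout described above; it assumes a constructed in-memory configuration standing in for the quickstart's shiro.ini, and the names ShiroTourExample, buildSecurityManager and login are assumptions:

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroTourExample {
    // Constructed in-memory stand-in for shiro.ini (not the quickstart's own file):
    // [users] holds "name = password, role..."; [roles] holds "role = permission...".
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("lonestarr", "vespa, goodguy, schwartz");
        Ini.Section roles = ini.addSection("roles");
        roles.put("schwartz", "lightsaber:*");           // wildcard: any lightsaber action
        roles.put("goodguy", "winnebago:drive:eagle5");  // instance-level: only eagle5
        return new IniSecurityManagerFactory(ini).getInstance();
    }
    // Logs in if needed; returns true on success. Each failure type is logged
    // server-side, but the user only ever sees a generic "login failed".
    static boolean login(Subject subject, String user, String pass) {
        if (subject.isAuthenticated()) return true;
        UsernamePasswordToken token = new UsernamePasswordToken(user, pass);
        token.setRememberMe(true);
        try {
            subject.login(token);
            return true;
        } catch (UnknownAccountException e) {
            System.err.println("log: no account named " + user);
        } catch (IncorrectCredentialsException e) {
            System.err.println("log: wrong password for " + user);
        } catch (AuthenticationException e) {   // locked, too many attempts, custom...
            System.err.println("log: " + e.getClass().getSimpleName() + " for " + user);
        }
        System.out.println("login failed");     // all the user gets to see
        return false;
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();
        login(currentUser, "lonestarr", "nope");   // logged as wrong password, user sees "login failed"
        login(currentUser, "lonestarr", "vespa");  // succeeds; principal is now "lonestarr"
        System.out.println(currentUser.getPrincipal() + " has role schwartz: " + currentUser.hasRole("schwartz"));
        System.out.println("lightsaber:wield permitted: " + currentUser.isPermitted("lightsaber:wield"));
        System.out.println("winnebago:drive:other permitted: " + currentUser.isPermitted("winnebago:drive:other"));
        currentUser.logout();   // drops identity and invalidates the session
    }
}
```

Run it with the Shiro core jar (and slf4j) on the classpath; the wildcard permission and the instance-level one give different answers for the two isPermitted calls, which is the difference the text draws between type-level and instance-level checks.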

That is the core of developing applications with Apache Shiro. Of course, Shiro packs a lot of complex machinery inside, but for now it really is that simple.

You may be wondering who is responsible for looking up the user information (user name, password, roles, permissions, and so on) during login, and who performs the security checks at runtime. That is up to you: you decide by configuring one or more Realms, implementations of Shiro's Realm interface, in Shiro.

Configuration depends heavily on your runtime environment, for example whether Shiro is used in a standalone, web, Spring or JEE-container-based application, or some combination. How to configure it is beyond the scope of the quickstart sample, whose main purpose is to familiarize you with the Shiro APIs and concepts.

If you want to learn more about Shiro, look at the Authentication Guide and the Authorization Guide. You can also read the other documentation (especially the Reference Manual), where you can find answers to all your questions.

The above is a simple introduction to and understanding of Shiro; if you want to learn more in depth, please refer to my column:

Http://blog.csdn.net/column/details/study-shiro.html?&page=1

This article draws on: http://www.cnblogs.com/ibook360/archive/2011/10/27/2226522.html

Copyright notice: If you feel I have done a good job, I hope you can move your mouse and keyboard to give me a like or leave me a comment; I would be grateful! Reprinting is welcome; I only hope that when you reprint, you add the original address. Thank you.
