Authentication and authorization procedures in the Shiro permission Framework _ Permission Framework

</pre><pre name= "code" class= "HTML" ><bean id= "Shirofilter" Org.apache.shiro.spring.web.ShiroFilterFactoryBean ">
        <property name=" SecurityManager "ref=" SecurityManager "/> <property name= loginurl" value= "/login"/> <property name= " 
        successUrl" Value= "/first"/>
        <property name= "Filters" >
            <util:map>
                <entry key= "AUTHC" value-ref= "Formauthenticationfilter"/>
            </util:map>
        </property>
        <property name= " Filterchaindefinitions ">
            <value>
            	<!--do not need to authenticate static resources-->
            	/images/** = anon
            	/js/** = Anon
            	/styles/** = Anon
            	<!--all URLs need to be authenticated-->
                /logout = logout/**
                = authc
            </value >
        </property>
    </bean>

First look at the Web filter filter in Shiro:

The default authentication filter filters filter is the form filter, the default login URL is/login (as long as no certification will jump to the/login path), the secondary login success URL is/first.

The default login URL jumps to the page is login.jsp as follows:

<! DOCTYPE HTML PUBLIC "-//w3c//dtd HTML 4.01 transitional//en" > <%@ page contenttype= "text/html; Charset=utf-8 "%> <%@ include file="/web-inf/jsp/tag.jsp "%>  

The feature of the form filter is that as long as the form is submitted (condition: 1.post 2.action path is "") it is equivalent to:


Subject CurrentUser = Securityutils.getsubject ();
 
Currentuser.login (token);
 

 

He will automatically authenticate to the method in real:


/**
	 * Identity certificate
	/@Override
	protected AuthenticationInfo dogetauthenticationinfo (Authenticationtoken Token) throws Authenticationexception {
		string userName = (string) token.getprincipal ();
		User user = Userservice.findbyusername (userName);
		
		if (user = = null) {
			//Throw no exception
			throw new Unknownaccountexception ();//No account found
		}
		if (user.getlocked ()) {
			//Throw user locked exception
			throw new Lockedaccountexception ()///account lockout
		}
		//If query to return authentication information AuthenticationInfo
		simpleauthenticationinfo simpleauthenticationinfo = new Simpleauthenticationinfo (UserName, User.getpassword () , ByteSource.Util.bytes (User.getcredentialssalt ()),
				this.getname ());

		return simpleauthenticationinfo;
	}
 

It is worth noting that the constructor of this method is Simpleauthenticationinfo, because it determines the way credentials are certified:

1.


   Public Simpleauthenticationinfo (object principal, object credentials, String realmname) {
        this.principals = new Simpleprincipalcollection (Principal, realmname);
        This.credentials = credentials;
    }
 

The constructor corresponding to the default class, nothing needs to input, no encryption algorithm, no iterative times, directly through the user name and password for the verification can be.


<bean id= "Userrealm" class= "Com.lgy.web.shiro.UserRealm" >
    	<!--set up certification voucher-->
    	<!--<property Name= "Credentialsmatcher" ref= "Credentialsmatcher"/>-->
    </bean>
 

 

 

2.


  Public Simpleauthenticationinfo (object principal, Object Hashedcredentials, Bytesource Credentialssalt, String Realmname) {
        this.principals = new Simpleprincipalcollection (principal, realmname);
        This.credentials = hashedcredentials;
        This.credentialssalt = Credentialssalt;
    }
 

This is related to your encrypted password salt:


Package com.lgy.service;
Import Org.apache.shiro.crypto.RandomNumberGenerator;
Import Org.apache.shiro.crypto.SecureRandomNumberGenerator;
Import Org.apache.shiro.crypto.hash.SimpleHash;
Import Org.apache.shiro.util.ByteSource;
Import Org.springframework.beans.factory.annotation.Value;

Import Org.springframework.stereotype.Service;
	
Import Com.lgy.model.User; @Service public class Passwordhelper {private RandomNumberGenerator randomnumbergenerator = new Securerandomnumbergen

    Erator ();
    @Value ("${password.algorithmname}") Private String algorithmname;

    @Value ("${password.hashiterations}") private int hashiterations;

        public void Encryptpassword (user user) {User.setsalt (Randomnumbergenerator.nextbytes (). Tohex ());      String newpassword = new Simplehash (Algorithmname,//Encryption Algorithm User.getpassword (),
          Password ByteSource.Util.bytes (User.getcredentialssalt ()),//salt username + salt      Hashiterations//Iteration count). Tohex ();
    User.setpassword (NewPassword);
 }
}
 

So you need to set up voucher information:


<!--Realm Implement-->
    <bean id= "Userrealm" class= "Com.lgy.web.shiro.UserRealm" >
    	<!--set up certification voucher device >
    	<property name= "Credentialsmatcher" ref= "Credentialsmatcher"/>
    </bean>
     
    <!--certification voucher -->
    <bean id= "Credentialsmatcher" class= "Org.apache.shiro.authc.credential.HashedCredentialsMatcher" >
    	<!--algorithm name-->
    	<property name= "Hashalgorithmname" value= "${password.algorithmname}"/>
    	<!--iteration number-->
    	<property name= "hashiterations" value= "${password.hashiterations}"/>
    </bean >   
 

If the certification passes, it will jump to the setting of the secondary login success URL is/first. This is the end of the identity certificate.



The authorization process is as follows:

There are three ways of Shiro authorization


Shiro supports three ways of authorizing:

1 Programming: Complete by writing If/else Authorization code block:

Subject Subject =securityutils.getsubject ();

if (Subject.hasrole ("admin")) {

have permission

} else {

No permissions

}

2 annotation: By placing the corresponding annotation on the executed Java method:

@RequiresRoles ("admin")

public void Hello () {

have permission

}

3.JSP/GSP Tags: on the jsp/gsp page through the corresponding label to complete:

<shiro:hasrolename= "Admin" >

<!-has permission->

</shiro:hasRole>

Programming not to mention, focus on the annotation and JSP tag way:

If you use the SPRINGMVC annotation test, you need to configure note initiation in the SPRINGMVC configuration file:


<?xml version= "1.0" encoding= "UTF-8"?> <beans xmlns=
"Http://www.springframework.org/schema/beans"
       xmlns:util= "Http://www.springframework.org/schema/util"
       xmlns:aop= "http://www.springframework.org/ SCHEMA/AOP "
       xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance "
       xsi:schemalocation="
       http:// Www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http:// Www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http:// WWW.SPRINGFRAMEWORK.ORG/SCHEMA/AOP http://www.springframework.org/schema/aop/spring-aop.xsd ">

    <AOP: Config proxy-target-class= "true" ></aop:config>
    <bean class= " Org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor ">
        <property name=" SecurityManager "ref=" SecurityManager "/>
    </bean>
</beans>
 

In the controller:


    @RequiresPermissions ("User:create")
    @RequestMapping (value = "/create", method = Requestmethod.get)
    public String Showcreateform (model model) {
        //...
        return "User/edit";
    }
When entering into this controller, you will first enter the realm:


/**
	 * Authorized certification
	/@Override
	protected Authorizationinfo dogetauthorizationinfo (principalcollection Principals) {
		User user = (user) principals.getprimaryprincipal ();
		Simpleauthorizationinfo authorizationinfo = new Simpleauthorizationinfo ();
        Authorizationinfo.setroles (Userservice.findroles (User.getusername ()));
        Authorizationinfo.setstringpermissions (Userservice.findpermissions (User.getusername ()));
		return authorizationinfo;
	}
 

The permissions comparison may have the following 2:

@RequiresPermissions ("User:create")
@RequiresRoles ("admin")

1. Role-based authentication

2. Authentication based on the permission code



If you are using JSP tags for authentication:

Condition: Need to import <% @taglib prefix= "Shiro" uri= "Http://shiro.apache.org/tags"%>

In the page

<shiro:haspermission name= "User:update" >

......
</shiro:hasPermission>

<shiro:hasrole name= "" >

......
</shiro:hasRole>



Ditto to enter the page, if such a label appears, each occurrence will invoke realm:


/**
	 * Authorized certification
	/@Override
	protected Authorizationinfo dogetauthorizationinfo (principalcollection Principals) {
		User user = (user) principals.getprimaryprincipal ();
		Simpleauthorizationinfo authorizationinfo = new Simpleauthorizationinfo ();
        Authorizationinfo.setroles (Userservice.findroles (User.getusername ()));
        Authorizationinfo.setstringpermissions (Userservice.findpermissions (User.getusername ()));
		return authorizationinfo;
	}
 

 

 
Equivalent to what they call in the Shiro:

Subject Subject = Securityutils.getsubject ();
Subject.checkrole ("");
Subject.checkpermission ("");



*

JSP tags for Shiro



JSP page Add:

<%@ tagliburi= "Http://shiro.apache.org/tags" prefix= "Shiro"%>


Label name

Label criteria (all display label contents)

<shiro:authenticated>

After logging in

<shiro:notAuthenticated>

is not in the logon state

<shiro:guest>

When the user is not rememberme

<shiro:user>

When the user is RememberMe

<shiro:hasanyroles name= "abc,123" >

In the case of an ABC or 123 role

<shiro:hasrole name= "abc" >

have role ABC

<shiro:lacksrole name= "abc" >

No role ABC

<shiro:haspermission name= "abc" >

have permission resources ABC

<shiro:lackspermission name= "abc" >

No ABC permissions Resource

<shiro:principal>

Show user identity name

<shiro:principalproperty= "username"/> Displays the value of the property in the user's identity. Of course, every time you do this, you may waste a bad performance, and you need to configure caching.