Authentication and authorization flow in the Shiro permission framework

Source: Internet
Author: User
Tags: aop
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>
        <property name="successUrl" value="/first"/>
        <property name="filters">
            <util:map>
                <entry key="authc" value-ref="formAuthenticationFilter"/>
            </util:map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                <!-- static resources do not need authentication -->
                /images/** = anon
                /js/** = anon
                /styles/** = anon
                <!-- everything else needs authentication -->
                /logout = logout
                /** = authc
            </value>
        </property>
    </bean>

First, look at the Shiro web filter chain configured above.

The authc filter is the form authentication filter (FormAuthenticationFilter). The login URL is /login: any request for a protected path that is not authenticated is redirected there. The success URL after login is /first. Note that filter chain definitions are matched top to bottom and the first match wins, so the anon entries for static resources must come before the catch-all /** = authc line, and /logout is handled by Shiro's built-in logout filter.

The /login URL renders login.jsp, which starts as follows:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <%@ page contentType="text/html; charset=UTF-8" %>
    <%@ include file="/WEB-INF/jsp/tag.jsp" %>

What the form filter does: when the login form is submitted back to the login URL (conditions: the request is a POST, and the form's action is "" or /login, so it posts to the same path; by default the filter reads the username, password and rememberMe request parameters), it is equivalent to:

    // what FormAuthenticationFilter does with the posted form
    UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
    Subject currentUser = SecurityUtils.getSubject();
    currentUser.login(token);

Shiro then dispatches the token to the realm's authentication method:

    /**
     * Authentication: look up the account for the submitted username and
     * return its stored credentials; the realm's credentials matcher does the comparison.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String userName = (String) token.getPrincipal();
        User user = userService.findByUsername(userName);
        if (user == null) {
            // no such account
            throw new UnknownAccountException();
        }
        if (user.getLocked()) {
            // account is locked
            throw new LockedAccountException();
        }
        // account found: return the stored hash and its salt as the AuthenticationInfo
        SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(
                userName,                                          // principal
                user.getPassword(),                                // stored (hashed) credentials
                ByteSource.Util.bytes(user.getCredentialsSalt()),  // salt used when hashing
                this.getName());                                   // realm name
        return simpleAuthenticationInfo;
    }

Note which SimpleAuthenticationInfo constructor is used here, because it determines how the credentials are matched:


    public SimpleAuthenticationInfo(Object principal, Object credentials, String realmName) {
        this.principals = new SimplePrincipalCollection(principal, realmName);
        this.credentials = credentials;
    }

With this three-argument constructor and the realm's default credentials matcher (SimpleCredentialsMatcher) nothing else is needed: there is no hash algorithm, no salt and no iteration count, and the submitted password is compared directly with the stored value. The realm bean then needs no credentialsMatcher property:

    <bean id="userRealm" class="com.lgy.web.shiro.UserRealm">
        <!-- credentials matcher not set: plain comparison -->
        <!-- <property name="credentialsMatcher" ref="credentialsMatcher"/> -->
    </bean>


    public SimpleAuthenticationInfo(Object principal, Object hashedCredentials, ByteSource credentialsSalt, String realmName) {
        this.principals = new SimplePrincipalCollection(principal, realmName);
        this.credentials = hashedCredentials;
        this.credentialsSalt = credentialsSalt;
    }

This four-argument form also carries the salt that was used when the password was hashed, which ties it to the helper that hashes passwords at registration:

    package com.lgy.service;

    import org.apache.shiro.crypto.RandomNumberGenerator;
    import org.apache.shiro.crypto.SecureRandomNumberGenerator;
    import org.apache.shiro.crypto.hash.SimpleHash;
    import org.apache.shiro.util.ByteSource;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.stereotype.Service;

    import com.lgy.model.User;

    @Service
    public class PasswordHelper {

        private RandomNumberGenerator randomNumberGenerator = new SecureRandomNumberGenerator();

        @Value("${password.algorithmName}")
        private String algorithmName;

        @Value("${password.hashIterations}")
        private int hashIterations;

        public void encryptPassword(User user) {
            // a fresh random salt per user, stored as hex alongside the hash
            user.setSalt(randomNumberGenerator.nextBytes().toHex());
            String newPassword = new SimpleHash(
                    algorithmName,                                     // hash algorithm
                    user.getPassword(),                                // plaintext password
                    ByteSource.Util.bytes(user.getCredentialsSalt()),  // salt: username + salt
                    hashIterations)                                    // iteration count
                    .toHex();
            user.setPassword(newPassword);
        }
    }

So the realm must be given a credentials matcher that knows the same algorithm and iteration count:

    <!-- Realm implementation -->
    <bean id="userRealm" class="com.lgy.web.shiro.UserRealm">
        <!-- credentials matcher -->
        <property name="credentialsMatcher" ref="credentialsMatcher"/>
    </bean>
    <!-- credentials matcher: re-hashes the submitted password and compares it with the stored hash -->
    <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <!-- algorithm name -->
        <property name="hashAlgorithmName" value="${password.algorithmName}"/>
        <!-- iteration count -->
        <property name="hashIterations" value="${password.hashIterations}"/>
    </bean>

Both properties must hold exactly the values PasswordHelper used, and the stored value must be hex, because HashedCredentialsMatcher's storedCredentialsHexEncoded defaults to true (matching SimpleHash.toHex()); any mismatch makes every login fail with IncorrectCredentialsException. If the credentials match, the filter redirects to the success URL, /first (or to the URL that was originally requested before the redirect to /login, if Shiro saved one). That completes authentication.
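The authentication flow described above, as an added example that is not part of the original article or the com.lgy project: registration-time hashing, the realm's doGetAuthenticationInfo using the four-argument SimpleAuthenticationInfo, and a HashedCredentialsMatcher, all in one program using only Shiro 1.x core (no Spring, no servlet container). HashedLoginDemo, Account, InMemoryUserRealm, register and tryLogin are names assumed for this example, the two users are constructed sample data, and SHA-256 with 1024 iterations stands in for the article's ${password.algorithmName} and ${password.hashIterations} properties.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.HashMap;
import java.util.Map;

// Added example (Shiro 1.x core, no Spring); names below are assumed, not the article's.
public class HashedLoginDemo {

    // Hash parameters: must be identical at registration and in the credentials matcher.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;

    // Stand-in for the article's User entity (assumed).
    static class Account {
        final String username, salt, passwordHash;
        final boolean locked;
        Account(String username, String salt, String passwordHash, boolean locked) {
            this.username = username; this.salt = salt;
            this.passwordHash = passwordHash; this.locked = locked;
        }
        // same convention as the article's User.getCredentialsSalt(): username + salt
        String credentialsSalt() { return username + salt; }
    }

    // Equivalent of PasswordHelper.encryptPassword: random salt, iterated hash stored as hex.
    static Account register(String username, String plaintext, boolean locked) {
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new SimpleHash(ALGORITHM, plaintext,
                ByteSource.Util.bytes(username + salt), ITERATIONS).toHex();
        return new Account(username, salt, hash, locked);
    }

    // In-memory realm (assumed) mirroring the article's UserRealm.
    static class InMemoryUserRealm extends AuthorizingRealm {
        private final Map<String, Account> users = new HashMap<>();
        void add(Account a) { users.put(a.username, a); }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            Account a = users.get(username);
            if (a == null) throw new UnknownAccountException("no account " + username);
            if (a.locked) throw new LockedAccountException("account locked: " + username);
            // four-argument form: stored hash plus salt, so the matcher re-hashes the submitted password
            return new SimpleAuthenticationInfo(username, a.passwordHash,
                    ByteSource.Util.bytes(a.credentialsSalt()), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(); // no roles needed for the login demo
        }
    }

    // What FormAuthenticationFilter does with the posted form, reduced to its outcome.
    static String tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            String who = String.valueOf(subject.getPrincipal());
            subject.logout();
            return "authenticated as " + who;
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (LockedAccountException e) {
            return "account locked";
        } catch (IncorrectCredentialsException e) {
            return "wrong password";
        }
    }

    public static void main(String[] args) {
        InMemoryUserRealm realm = new InMemoryUserRealm();
        realm.add(register("alice", "correct horse battery", false)); // constructed sample users
        realm.add(register("bob", "hunter2", true));

        // Equivalent of the credentialsMatcher bean. A different algorithm or iteration
        // count here than in register() makes every login fail as a wrong password.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true); // we stored toHex(); true is also the default
        realm.setCredentialsMatcher(matcher);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        System.out.println(tryLogin("alice", "correct horse battery"));
        System.out.println(tryLogin("alice", "nope"));
        System.out.println(tryLogin("carol", "x"));
        System.out.println(tryLogin("bob", "hunter2"));
    }
}
```

Compile and run against shiro-core 1.x (plus a logging binding). The four calls in main exercise the four outcomes the realm and matcher can produce: success, IncorrectCredentialsException raised by the matcher, and UnknownAccountException and LockedAccountException raised by the realm itself. Note that the salt comes from the stored account, never from the request, so a client cannot influence what the submitted password is hashed with.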

The authorization flow is as follows.

Shiro supports three ways of authorizing:

1. Programmatic: an if/else block around the check:

    Subject subject = SecurityUtils.getSubject();
    if (subject.hasRole("admin")) {
        // has the role
    } else {
        // does not have the role
    }

2. Annotation: an annotation on the Java method being executed:

    @RequiresRoles("admin")
    public void hello() {
        // has the role
    }

3. JSP/GSP tags: a tag on the JSP/GSP page:

    <shiro:hasRole name="admin">
        <!-- has the role -->
    </shiro:hasRole>

The programmatic form needs no explanation; the annotation and JSP tag forms are covered below.

To use the annotations on Spring MVC controllers, enable Shiro's annotation processing in the Spring MVC configuration file:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:util="http://www.springframework.org/schema/util"
           xmlns:aop="http://www.springframework.org/schema/aop"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
                               http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">

        <!-- CGLIB proxies, so annotated controller classes (not only interfaces) are intercepted -->
        <aop:config proxy-target-class="true"></aop:config>

        <!-- Shiro's Spring advisor that enforces @RequiresRoles / @RequiresPermissions -->
        <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
            <property name="securityManager" ref="securityManager"/>
        </bean>
    </beans>

In the controller:

    @RequiresPermissions("user:create")
    @RequestMapping(value = "/create", method = RequestMethod.GET)
    public String showCreateForm(Model model) {
        return "user/edit";
    }
Before this controller method runs, the annotation interceptor asks the realm for the subject's authorization info:

    /**
     * Authorization: load the roles and permission strings of the logged-in subject.
     * The primary principal is whatever doGetAuthenticationInfo returned, which above
     * is the username String, so it must not be cast to User.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.setRoles(userService.findRoles(username));
        authorizationInfo.setStringPermissions(userService.findPermissions(username));
        return authorizationInfo;
    }

The comparison then takes one of two forms:

1. Role-based authorization: @RequiresRoles("admin") checks the roles returned above.

2. Permission-string based authorization: @RequiresPermissions("user:create") checks the permission strings (wildcard permissions such as user:* also satisfy it).

If you use JSP tags for authorization:

Prerequisite: import the tag library with <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

In the page:

    <shiro:hasPermission name="user:update">
        ...
    </shiro:hasPermission>

    <shiro:hasRole name="">
        ...
    </shiro:hasRole>


Likewise when the page is rendered: each occurrence of such a tag invokes the realm's doGetAuthorizationInfo shown above, once per tag,

which is equivalent to calling, through Shiro's API:

    Subject subject = SecurityUtils.getSubject();
    subject.checkRole("");
    subject.checkPermission("");

(checkRole and checkPermission throw UnauthorizedException instead of returning false, which is how the annotations deny access.)


Shiro's JSP tags

Add to the JSP page:

    <%@ taglib uri="http://shiro.apache.org/tags" prefix="shiro" %>

Tag name and the condition under which the tag body is rendered:

<shiro:authenticated>  the subject authenticated during the current session (not merely remembered)

<shiro:notAuthenticated>  the subject has not authenticated during the current session

<shiro:guest>  the subject has no known identity: neither logged in nor remembered via rememberMe

<shiro:user>  the subject has a known identity, either from a login or from rememberMe

<shiro:hasAnyRoles name="abc,123">  the subject has role abc or role 123

<shiro:hasRole name="abc">  the subject has role abc

<shiro:lacksRole name="abc">  the subject does not have role abc

<shiro:hasPermission name="abc">  the subject is permitted abc

<shiro:lacksPermission name="abc">  the subject is not permitted abc

<shiro:principal/>  prints the subject's principal (identity name)

<shiro:principal property="username"/>  prints the named property of the principal object; this only works when the realm returned an object (such as User) as the principal, whereas the realm above returns the username String, for which the plain <shiro:principal/> form applies.

Each of these tags calls the realm's authorization method, so a page full of them costs one realm lookup per tag; configure an authorization cache (a CacheManager on the realm) to avoid that.
