In the common case of a plain username and password login, authentication works as long as the default authentication filter is configured correctly, as follows:
1. Configuring login authentication in the configuration file

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="http://casserver/login?service=http://casclient/shiro-cas"/>
        <property name="successUrl" value="/welcome.do"/>
        <property name="unauthorizedUrl" value="/403.do"/>
        <property name="filterChainDefinitions">
            <value>
                /logout.do* = anon
                /casTicketError.do* = anon
                # permission configuration example
                /security/account/view.do = authc, perms[security_account_view]
                /** = authc
            </value>
        </property>
    </bean>
The filters named in this configuration (anon, authc, perms) are not defined anywhere in it: they are Shiro's built-in default filters, listed below.

Shiro built-in filter chain:

    Filter name | Class
    anon        | org.apache.shiro.web.filter.authc.AnonymousFilter
    authc       | org.apache.shiro.web.filter.authc.FormAuthenticationFilter
    authcBasic  | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
    perms       | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
    port        | org.apache.shiro.web.filter.authz.PortFilter
    rest        | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
    roles       | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
    ssl         | org.apache.shiro.web.filter.authz.SslFilter
    user        | org.apache.shiro.web.filter.authc.UserFilter
When a URL matching one of these entries is accessed, the corresponding filter runs and performs its check.
For example, FormAuthenticationFilter extends the abstract class AuthenticatingFilter, which defines the following method:
    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
        AuthenticationToken token = createToken(request, response);
        if (token == null) {
            String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " +
                    "must be created in order to execute a login attempt.";
            throw new IllegalStateException(msg);
        }
        try {
            Subject subject = getSubject(request, response);
            subject.login(token);
            return onLoginSuccess(token, subject, request, response);
        } catch (AuthenticationException e) {
            return onLoginFailure(token, e, request, response);
        }
    }
When a request is routed through FormAuthenticationFilter for authentication or permission filtering, the filter first enters this method: it creates the token, obtains the Subject and calls its login method. As the code shows, on success FormAuthenticationFilter's onLoginSuccess method runs; on failure its onLoginFailure method runs.
Every request for a new URL that requires authentication is passed through this filter.
For example, a request to /login is filtered here, and on success the project's overridden onLoginSuccess method issues the redirect:
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        // login successful, remove the captcha from the session
        Session session = subject.getSession();
        session.removeAttribute(CAPTCHA_SESSION);
        // trigger execution of the authentication method
        securityManager.isSessionUserAdminRole();
        if (redirectToSavedRequest) {
            return super.onLoginSuccess(token, subject, request, response);
        } else {
            WebUtils.issueRedirect(request, response, getSuccessUrl());
            return false;
        }
    }
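The snippet above removes the captcha only after a successful login. As an added example (not code from the page or from the project it describes), the following custom FormAuthenticationFilter shows where the captcha gets checked, before createToken and subject.login are reached, and how the failure hook can avoid telling the client which of Shiro's AuthenticationException subclasses was thrown. The class name CaptchaFormAuthenticationFilter, the attribute name CAPTCHA_SESSION and the parameter name CAPTCHA_PARAM are assumptions; the Shiro methods it overrides or calls (onAccessDenied, isLoginRequest, isLoginSubmission, getFailureKeyAttribute, onLoginFailure, WebUtils.getCleanParam) are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical filter (not from the page). Registered under the name "authc" in
// ShiroFilterFactoryBean's "filters" map, it replaces the built-in form filter
// for every "... = authc" entry in filterChainDefinitions.
public class CaptchaFormAuthenticationFilter extends FormAuthenticationFilter {

    private static final Logger log = LoggerFactory.getLogger(CaptchaFormAuthenticationFilter.class);

    // Session attribute holding the expected captcha answer (assumed name).
    public static final String CAPTCHA_SESSION = "captcha";
    // Request parameter carrying the user's answer (assumed name).
    private static final String CAPTCHA_PARAM = "captcha";

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // Only a POST to the login URL is a login submission; the parent class
        // handles every other case (render the login view, or redirect to loginUrl).
        if (isLoginRequest(request, response) && isLoginSubmission(request, response)
                && !captchaMatches(request, response)) {
            // Reject before createToken()/subject.login(): the realm is never asked,
            // so a wrong captcha costs no password check and no lockout counter.
            request.setAttribute(getFailureKeyAttribute(), "captcha");
            return true;   // let the login view render again with the error
        }
        // Valid submission: the parent now runs executeLogin(request, response)
        return super.onAccessDenied(request, response);
    }

    private boolean captchaMatches(ServletRequest request, ServletResponse response) {
        Session session = getSubject(request, response).getSession(false);
        Object expected = session == null ? null : session.getAttribute(CAPTCHA_SESSION);
        String given = WebUtils.getCleanParam(request, CAPTCHA_PARAM);
        if (session != null) {
            session.removeAttribute(CAPTCHA_SESSION);   // single use: drop it whatever the outcome
        }
        if (expected == null || given == null) {
            return false;
        }
        // constant-time comparison of the two answers
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     given.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // The inherited hook stores e.getClass().getName() in the request, which lets
        // the view distinguish UnknownAccountException from IncorrectCredentialsException
        // (i.e. whether the username exists). Keep that detail in the server log only.
        log.warn("login failed for principal '{}' from {}: {}",
                 token.getPrincipal(), request.getRemoteHost(), e.getClass().getSimpleName());
        request.setAttribute(getFailureKeyAttribute(), "login");
        return true;   // render the login view again
    }
}
```

Because the captcha is consumed inside captchaMatches, an onLoginSuccess override like the one above no longer needs to remove it, but doing so again is harmless.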
Another way to perform authentication:
Instead of configuring /login = authc, the token can be created and the login executed inside the controller method that handles /login:

    // in a controller the Subject is obtained from SecurityUtils rather than the filter's getSubject(request, response)
    Subject subject = SecurityUtils.getSubject();
    subject.login(token);

The outcome is then checked with subject.isAuthenticated().
Internally, subject.login(token) goes to the AuthorizingRealm for authentication and returns the authentication result. Multiple realms can also be configured.
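The controller-side variant just described, written out as an added example (not code from the page or its project). It assumes Spring MVC, a filter chain entry "/login.do = anon" so that no Shiro filter handles the login, and a view named "login"; the controller class and the request parameter names are hypothetical, while SecurityUtils.getSubject, UsernamePasswordToken, Subject.login, Subject.isAuthenticated and AuthenticationException are Shiro's own API.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical controller (not from the page). Assumes "/login.do = anon" in
// filterChainDefinitions, so this method, not a Shiro filter, performs the login.
@Controller
public class LoginController {

    private static final Logger log = LoggerFactory.getLogger(LoginController.class);

    @RequestMapping(value = "/login.do", method = RequestMethod.POST)
    public String login(@RequestParam("username") String username,
                        @RequestParam("password") String password,
                        @RequestParam(value = "rememberMe", defaultValue = "false") boolean rememberMe,
                        Model model) {
        // The Shiro servlet filter has already bound a Subject to this request thread.
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            return "redirect:/welcome.do";           // already logged in, nothing to do
        }

        UsernamePasswordToken token =
                new UsernamePasswordToken(username, password.toCharArray(), rememberMe);
        try {
            subject.login(token);                    // same call the filter makes; goes to the realm(s)
        } catch (AuthenticationException e) {
            // UnknownAccountException, IncorrectCredentialsException and LockedAccountException
            // are all subclasses: log which one it was, show the client one message.
            log.warn("login failed for '{}': {}", username, e.getClass().getSimpleName());
            model.addAttribute("error", "Invalid username or password");
            return "login";
        } finally {
            token.clear();                           // zero the password chars
        }

        // subject.isAuthenticated() is true from here on for this session.
        return "redirect:/welcome.do";
    }
}
```

The check the page describes, subject.isAuthenticated(), is what every later request against a "/** = authc" entry relies on, so the redirect target (/welcome.do here, matching the successUrl in the configuration above) is reached through the filter chain as an authenticated subject.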
    public class RolesAuthorizationFilter extends AuthorizationFilter {

        //TODO - complete JavaDoc

        @SuppressWarnings({"unchecked"})
        public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
                throws IOException {
            Subject subject = getSubject(request, response);
            String[] rolesArray = (String[]) mappedValue;

            if (rolesArray == null || rolesArray.length == 0) {
                //no roles specified, so nothing to check - allow access.
                return true;
            }

            Set<String> roles = CollectionUtils.asSet(rolesArray);
            return subject.hasAllRoles(roles);
        }
    }
When roles[sad] is configured in the filter chain, this isAccessAllowed method is called; as the code shows, "sad" is converted into the roles set, and the filter then checks whether the current user holds that role.
Executing hasAllRoles eventually calls the AuthorizingRealm to perform the authorization check and returns the authorization result. Here too, multiple realms can be configured.
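Both Subject.login(token) and Subject.hasAllRoles(roles) end in the realm, so an added example of an AuthorizingRealm (not code from the page or its project) shows where each call lands. DemoRealm, its two constructed accounts, their salts and the role names are assumptions; the Shiro classes used (AuthorizingRealm, HashedCredentialsMatcher, Sha256Hash, SimpleAuthenticationInfo, SimpleAuthorizationInfo, DefaultSecurityManager) are real. The main method runs with shiro-core alone, without a servlet container.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.CollectionUtils;

// Hypothetical realm (not from the page) backed by a constructed in-memory table.
public class DemoRealm extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 100_000;

    private static final class Account {
        final String salt;
        final String passwordHash;   // hex SHA-256, salted and iterated
        final Set<String> roles;
        Account(String salt, String passwordHash, Set<String> roles) {
            this.salt = salt; this.passwordHash = passwordHash; this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();

    public DemoRealm() {
        // The matcher, not the realm, compares credentials: it re-hashes the
        // submitted password with the stored salt and iteration count.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);

        // Constructed sample accounts; salts would be random per user in practice.
        addAccount("alice", "correct horse", "salt-a1", CollectionUtils.asSet("admin", "sad"));
        addAccount("bob",   "battery staple", "salt-b2", CollectionUtils.asSet("sad"));
    }

    private void addAccount(String username, String password, String salt, Set<String> roles) {
        String hash = new Sha256Hash(password, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(salt, hash, roles));
    }

    // Reached from subject.login(token) through the SecurityManager's Authenticator.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = accounts.get(username);
        if (account == null) {
            throw new UnknownAccountException("no account named " + username);
        }
        // Return the stored hash and salt; Shiro then runs the CredentialsMatcher.
        return new SimpleAuthenticationInfo(username, account.passwordHash,
                ByteSource.Util.bytes(account.salt), getName());
    }

    // Reached from subject.hasAllRoles(...), hasRole(...) and isPermitted(...);
    // the result is cached per principal when a CacheManager is configured.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Account account = accounts.get(username);
        if (account != null) {
            info.addRoles(account.roles);
        }
        return info;
    }

    // Stand-alone run without a servlet container.
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "battery staple"));
        // The same checks that "roles[sad]" and "roles[sad,admin]" in
        // filterChainDefinitions make through RolesAuthorizationFilter:
        System.out.println("sad only:  " + subject.hasAllRoles(CollectionUtils.asSet("sad")));
        System.out.println("sad+admin: " + subject.hasAllRoles(CollectionUtils.asSet("sad", "admin")));
        subject.logout();
    }
}
```

Two points worth keeping in mind when writing the chain definitions: hasAllRoles requires every listed role, so roles[sad,admin] admits only users holding both (bob, with "sad" alone, is refused), and the early return in isAccessAllowed means an entry whose bracket list is empty allows access without consulting the realm at all.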