Shiro (1)-Introduction

Source: Internet
Author: User

Introduction

Apache Shiro is a powerful and easy-to-use Java security framework that provides developers with an intuitive and comprehensive solution for authentication, authorization, encryption, and session management.

In practice it covers every aspect of application security management.

Shiro Functions

What can Apache Shiro do?

Supports authentication against one or more data sources (LDAP, JDBC, Kerberos, etc.).

Performs authorization, including role-based and fine-grained permission control.

Enhanced cache support.

Supports web and non-web environments, and can be used for single sign-on (SSO) or clustered, distributed sessions.

Main functions: authentication, authorization, session management and encryption.

Download and use

1. Ensure that JDK 1.5+ and Maven 2.2+ are installed on the system.

2. Go to the Shiro homepage to download Shiro.

3. Extract

unzip shiro-root-1.1.0-source-release.zip

4. Go to the Quickstart directory.

cd shiro-root-1.1.0/samples/quickstart

5. Run Quickstart.

 mvn compile exec:java

Once it runs, walk through Quickstart.java, which exercises the API step by step. For example:

Quickstart.java

    // get the currently executing user:
    Subject currentUser = SecurityUtils.getSubject();

Using SecurityUtils.getSubject(), we obtain the currently executing Subject, Shiro's view of the current user.

Once you have the Subject, you can get its session.

    // Do some stuff with a Session (no need for a web or EJB container!!!)
    Session session = currentUser.getSession();
    session.setAttribute("someKey", "aValue");
    String value = (String) session.getAttribute("someKey");
    if (value.equals("aValue")) {
        log.info("Retrieved the correct value! [" + value + "]");
    }

In a web application this is the HTTP session; in a non-web environment Shiro provides an equivalent session of its own.

When deployed in a web application, the session is backed by HttpSession by default. In enterprise applications you can use the same session API across multiple applications regardless of deployment environment, and share session data with any client technology.

Next, determine the logon information.

    // let's login the current user so we can check against roles and permissions:
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
        token.setRememberMe(true);
        try {
            currentUser.login(token);
        } catch (UnknownAccountException uae) {
            log.info("There is no user with username of " + token.getPrincipal());
        } catch (IncorrectCredentialsException ice) {
            log.info("Password for account " + token.getPrincipal() + " was incorrect!");
        } catch (LockedAccountException lae) {
            log.info("The account for username " + token.getPrincipal() + " is locked.  " +
                    "Please contact your administrator to unlock it.");
        }
        // ... catch more exceptions here (maybe custom ones specific to your application?)
        catch (AuthenticationException ae) {
            //unexpected condition?  error?
        }
    }

If the credentials are correct, execution continues past the try block. If they are not, each failure is handled by its own catch block.

For example, an unknown username, an incorrect password, and a locked account each raise a distinct exception, and you can also catch custom exceptions specific to your application.

If the logon is successful, what can be done next?

Report who the current user is:

    //say who they are:
    //print their identifying principal (in this case, a username):
    log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");

Test whether the user has a given role:

    //test a role:
    if (currentUser.hasRole("schwartz")) {
        log.info("May the Schwartz be with you!");
    } else {
        log.info("Hello, mere mortal.");
    }

Then test whether the user has a specific permission:

    //test a typed permission (not instance-level)
    if (currentUser.isPermitted("lightsaber:weild")) {
        log.info("You may use a lightsaber ring.  Use it wisely.");
    } else {
        log.info("Sorry, lightsaber rings are for schwartz masters only.");
    }

Then verify a very powerful instance-level permission.

    //a (very powerful) Instance Level permission:
    if (currentUser.isPermitted("winnebago:drive:eagle5")) {
        log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
                "Here are the keys - have fun!");
    } else {
        log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
    }

Finally, use the program to log out:

    //all done - log out!
    currentUser.logout();
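The steps above, assembled into one runnable class as an added example (this is my code, not the article's or the Shiro project's own). The quickstart reads its users and roles from a shiro.ini file that this page does not show, so the INI below is constructed: the username "lonestarr"/"vespa", the role "schwartz" and the permission strings come from the page, but mapping both permissions onto that one role is an assumption. It goes beyond the page's checks in three places: it shows that the wildcard grant lightsaber:* implies the quickstart's lightsaber:weild while the instance-level grant winnebago:drive:eagle5 does not extend to another winnebago, it uses the fail-closed checkPermission variant, and it shows what logout does to the session. The login helper also collapses the quickstart's separate "no such user" and "password incorrect" messages into one caller-facing message, since distinct messages let a caller learn which usernames exist; the specific cause still goes to the server log. It needs shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class QuickstartWalkthrough {

    // Constructed in-memory equivalent of shiro.ini. Format: [users] name = password, role...
    // and [roles] role = permission, ... (the role-to-permission mapping is an assumption).
    private static final String INI =
        "[users]\n" +
        "lonestarr = vespa, schwartz\n" +
        "[roles]\n" +
        "schwartz = lightsaber:*, winnebago:drive:eagle5\n";

    /** Builds a SecurityManager from the INI text and registers it for SecurityUtils. */
    static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);
    }

    /** Returns true on success. Unknown account and wrong password get the same
     *  caller-facing message; the exact cause is only written to the server log. */
    static boolean login(Subject subject, String user, String pass) {
        UsernamePasswordToken token = new UsernamePasswordToken(user, pass);
        try {
            subject.login(token);
            return true;
        } catch (UnknownAccountException e) {
            System.out.println("Login failed: invalid username or password.");
            System.err.println("auth failure for '" + user + "': unknown account");
        } catch (IncorrectCredentialsException e) {
            System.out.println("Login failed: invalid username or password.");
            System.err.println("auth failure for '" + user + "': bad credentials");
        } catch (LockedAccountException e) {
            System.out.println("Login failed: account is locked.");
        } catch (AuthenticationException e) {
            System.out.println("Login failed.");
            System.err.println("unexpected auth error for '" + user + "': " + e);
        } finally {
            token.clear(); // drop the password characters from the token
        }
        return false;
    }

    public static void main(String[] args) {
        bootstrap();
        Subject currentUser = SecurityUtils.getSubject();

        // Session works without a web container; the attribute lives until logout.
        Session session = currentUser.getSession();
        session.setAttribute("someKey", "aValue");

        login(currentUser, "lonestarr", "wrong");   // IncorrectCredentialsException path
        login(currentUser, "nobody", "whatever");   // UnknownAccountException path, same message
        if (!login(currentUser, "lonestarr", "vespa")) return;

        System.out.println("User [" + currentUser.getPrincipal() + "] logged in");
        System.out.println("hasRole(schwartz)          = " + currentUser.hasRole("schwartz"));
        // lightsaber:* covers every action on lightsaber, including the quickstart's check
        System.out.println("lightsaber:weild           = " + currentUser.isPermitted("lightsaber:weild"));
        // instance-level grant: exactly the eagle5 winnebago, no other instance
        System.out.println("winnebago:drive:eagle5     = " + currentUser.isPermitted("winnebago:drive:eagle5"));
        System.out.println("winnebago:drive:spaceball1 = " + currentUser.isPermitted("winnebago:drive:spaceball1"));

        // Fail-closed variant: throws instead of returning false, so a forgotten
        // else-branch cannot silently let the action through.
        try {
            currentUser.checkPermission("winnebago:drive:spaceball1");
            System.out.println("unreachable: permission should have been refused");
        } catch (AuthorizationException e) {
            System.out.println("checkPermission refused: " + e.getClass().getSimpleName());
        }

        currentUser.logout();
        System.out.println("authenticated after logout = " + currentUser.isAuthenticated());
        // logout() stops the old session; a fresh one no longer carries the attribute
        System.out.println("someKey after logout       = " + currentUser.getSession().getAttribute("someKey"));
    }
}
```

Compile and run it with shiro-core (and an SLF4J binding) on the classpath, for example through a Maven project that depends on org.apache.shiro:shiro-core. The two failed logins print the same line on stdout while stderr records the real cause; the permission lines show true for lightsaber:weild and winnebago:drive:eagle5 and false for winnebago:drive:spaceball1.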
