1. Authorization
1.1 What is authorization
Authorization is built from 4 elements (a widely used generic permission model):
Resource
  The various resources that require access control.
Permission
  The atomic element that a security policy controls; it is defined in terms of a resource and an action, and it sets the granularity of control.
Role
  A named collection of behaviors (permissions).
User (Principal)
  The subject; it is associated with roles, or directly with permissions.
In simple terms: once logged in to the system we are a "user"; a "user" can hold one or more "roles"; a "role" can carry many "permissions"; and these "permissions" describe the resources we may access. A "user" can also bypass "roles" and be assigned "permissions" directly, which likewise decides which "resources" that "user" can access.
1.2 Authorization modes
A. Programmatic
Role-based
Role check
API:
hasRole(String roleName)
hasRoles(List<String> roleNames)            (returns a boolean[] with one result per role)
hasAllRoles(Collection<String> roleNames)
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.hasRole("admin")) {
        ...
    } else {
        ...
    }
Role assertion
Failure throws an AuthorizationException
API:
checkRole(String roleName)
checkRoles(Collection<String> roleNames)
checkRoles(String... roleNames)
    Subject currentUser = SecurityUtils.getSubject();
    currentUser.checkRole("bankTeller");   // throws if the current subject lacks the role
    openBankAccount();
Permission-based
Permission check
Object-based permission check
Application scenario: explicit control, type-safe
API:
isPermitted(Permission p)
isPermitted(List<Permission> perms)          (returns a boolean[] with one result per permission)
isPermittedAll(Collection<Permission> perms)
    // PrinterPermission is an application-defined Permission implementation
    Permission printPermission = new PrinterPermission("HP", "print");
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.isPermitted(printPermission)) {
        ...
    } else {
        ...
    }
String-based permission check
Application scenario: lightweight, simple
API:
isPermitted(String perm)
isPermitted(String... perms)                 (returns a boolean[] with one result per permission)
isPermittedAll(String... perms)
    Subject currentUser = SecurityUtils.getSubject();
    if (currentUser.isPermitted("printer:print:HP")) {
        ...
    } else {
        ...
    }
Permission assertion
Failure throws an AuthorizationException
API:
checkPermission(Permission p)
checkPermission(String perm)
checkPermissions(Collection<Permission> perms)
checkPermissions(String... perms)
    Subject currentUser = SecurityUtils.getSubject();
    // AccountPermission is an application-defined Permission implementation
    Permission p = new AccountPermission("open");
    currentUser.checkPermission(p);   // throws if the current subject lacks the permission
    openBankAccount();
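As an added example (not code from the original page or from the Shiro project), the following hypothetical in-memory realm ties the four elements together: users hold roles, roles carry permissions, and one user also receives a permission directly, bypassing roles. It then exercises the role and permission checks and assertions listed above, including the exception thrown by a failed assertion. The user names, passwords, role names and permission strings are constructed sample data, and the DemoRealm class is an assumption for illustration.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical in-memory realm: user -> roles, role -> permissions, plus direct user permissions. */
public class DemoRealm extends AuthorizingRealm {

    // Constructed sample data (not from the original page).
    private static final Map<String, String> PASSWORDS = Map.of(
            "alice", "alice-pw",
            "bob", "bob-pw");
    private static final Map<String, Set<String>> USER_ROLES = Map.of(
            "alice", Set.of("admin", "bankTeller"),
            "bob", Set.of("bankTeller"));
    private static final Map<String, Set<String>> ROLE_PERMS = Map.of(
            "admin", Set.of("user:delete", "account:*"),
            "bankTeller", Set.of("account:open", "printer:print:HP"));
    // A permission granted to a user directly, without going through a role.
    private static final Map<String, Set<String>> USER_PERMS = Map.of(
            "bob", Set.of("report:view:daily"));

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String storedPassword = PASSWORDS.get(username);
        if (storedPassword == null) {
            throw new UnknownAccountException("no account named " + username);
        }
        // The realm's CredentialsMatcher (SimpleCredentialsMatcher by default) compares
        // the submitted password against the stored one.
        return new SimpleAuthenticationInfo(username, storedPassword, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        // user -> roles
        Set<String> roles = USER_ROLES.getOrDefault(username, Set.of());
        info.setRoles(new HashSet<>(roles));

        // roles -> permissions
        for (String role : roles) {
            info.addStringPermissions(ROLE_PERMS.getOrDefault(role, Set.of()));
        }

        // user -> permissions (direct assignment, bypassing roles)
        info.addStringPermissions(USER_PERMS.getOrDefault(username, Set.of()));
        return info;
    }

    public static void main(String[] args) {
        // Subject -> SecurityManager -> Authorizer -> Realm: the realm above is the last hop.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));

        Subject bob = SecurityUtils.getSubject();
        bob.login(new UsernamePasswordToken("bob", "bob-pw"));

        // Role checks
        System.out.println("hasRole(bankTeller)        = " + bob.hasRole("bankTeller"));
        System.out.println("hasRole(admin)             = " + bob.hasRole("admin"));

        // Permission checks: one granted through a role, one granted directly, one not granted
        System.out.println("isPermitted(account:open)       = " + bob.isPermitted("account:open"));
        System.out.println("isPermitted(report:view:daily)  = " + bob.isPermitted("report:view:daily"));
        System.out.println("isPermitted(user:delete)        = " + bob.isPermitted("user:delete"));

        // Assertions: a satisfied assertion returns normally, a failed one throws
        bob.checkPermission("account:open");
        try {
            bob.checkRole("admin");
        } catch (AuthorizationException e) {
            System.out.println("checkRole(admin) denied: " + e.getClass().getSimpleName());
        }

        bob.logout();
    }
}
```

Run it with shiro-core on the classpath (Java 9 or newer, for Map.of and Set.of). The failed assertion surfaces as UnauthorizedException, a subclass of the AuthorizationException named above, so catching the superclass covers both role and permission assertion failures.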
B. Annotations (Java annotations supplied by Shiro)
These annotations are only enforced when an AOP layer intercepts the annotated method (for example Shiro's Spring or AspectJ support); without it they are inert. Each annotation below is equivalent to the hand-written check that follows it.
@RequiresAuthentication
Requires the current subject to be authenticated; unauthenticated access to the resource throws an exception. The following code works the same:
    @RequiresAuthentication
    public void updateAccount(Account userAccount) {
        ...
    }

    public void updateAccount(Account userAccount) {
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            throw new AuthorizationException(...);
        }
        ...
    }
@RequiresGuest
Requires the current subject to be a guest (no known identity); a non-guest throws an exception. The following code works the same:
    @RequiresGuest
    public void signUp(User newUser) {
        ...
    }

    public void signUp(User newUser) {
        Subject currentUser = SecurityUtils.getSubject();
        PrincipalCollection principals = currentUser.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            // a known identity: not a guest
            throw new AuthorizationException(...);
        }
        ...
    }
@RequiresPermissions
Requires the current subject to hold the given permission. The following code works the same:
    @RequiresPermissions("account:create")
    public void createAccount(Account account) {
        ...
    }

    public void createAccount(Account account) {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isPermitted("account:create")) {
            throw new AuthorizationException(...);
        }
        ...
    }
@RequiresRoles
Requires the current subject to hold the given role. The following code works the same:
    @RequiresRoles("admin")
    public void deleteUser(User user) {
        ...
    }

    public void deleteUser(User user) {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.hasRole("admin")) {
            throw new AuthorizationException(...);
        }
        ...
    }
@RequiresUser
Requires the current subject to be a known user (a non-guest: authenticated in this session, or remembered from a previous one). The following code works the same:
    @RequiresUser
    public void updateAccount(Account account) {
        ...
    }

    public void updateAccount(Account account) {
        Subject currentUser = SecurityUtils.getSubject();
        PrincipalCollection principals = currentUser.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            // no known identity: a guest
            throw new AuthorizationException(...);
        }
        ...
    }
C. JSP/GSP tag libraries
Web-specific; not covered here.
2. Authorization structure
1. Call the Subject's isPermitted or hasRole method.
2. The Subject delegates to the SecurityManager (a facade).
3. The SecurityManager calls its Authorizer component.
4. The Authorizer queries the Realm(s), which load the role and permission data (for example from a database) and decide whether the subject is authorized.
Authorizer
Default implementation: ModularRealmAuthorizer
Iterates over multiple realms to authorize.
Strategy:
A realm that does not implement Authorizer is skipped.
For a realm that does implement Authorizer:
  for the hasRole/isPermitted checks, as soon as one realm grants, return true immediately (if no realm grants, the result is false);
  for the checkRole/checkPermission assertions, if no realm grants, an AuthorizationException (UnauthorizedException) is thrown.
PermissionResolver (permission resolver)
Parses a permission string into a Permission object; Shiro performs its checks on Permission objects internally.
Default: WildcardPermissionResolver (wildcard permission resolver).
A custom resolver can be plugged in.
RolePermissionResolver
Converts a role string into the Permission objects that the role grants.
A custom resolver can be plugged in.
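An added example (not from the original page or the Shiro project) of the two resolvers just described: it first shows how Permission objects produced by the default WildcardPermissionResolver match each other, including the case a practitioner most often gets wrong (a short grant such as "printer" implies every longer "printer:..." permission, never the reverse), and then plugs a custom RolePermissionResolver in front of that resolver. The TableRolePermissionResolver class, its role table and the permission strings are hypothetical, constructed for this illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;

public class ResolverDemo {

    /** Hypothetical RolePermissionResolver: one table maps a role name to permission strings. */
    static class TableRolePermissionResolver implements RolePermissionResolver {
        // Constructed sample data (not from the original page).
        private static final Map<String, List<String>> ROLE_TABLE = Map.of(
                "admin", List.of("account:*", "user:delete"),
                "bankTeller", List.of("account:open", "printer:print:HP"));

        // The default resolver turns each string into a WildcardPermission.
        private final PermissionResolver permissionResolver = new WildcardPermissionResolver();

        @Override
        public Collection<Permission> resolvePermissionsInRole(String roleString) {
            // An unknown role resolves to no permissions at all, never to a wildcard.
            return ROLE_TABLE.getOrDefault(roleString, List.of()).stream()
                    .map(permissionResolver::resolvePermission)
                    .collect(Collectors.toList());
        }
    }

    /** True if any permission the role grants implies the requested permission string. */
    static boolean roleImplies(RolePermissionResolver resolver, String role, String requested) {
        Permission wanted = new WildcardPermission(requested);
        for (Permission granted : resolver.resolvePermissionsInRole(role)) {
            if (granted.implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // WildcardPermission matching rules, as applied by the default resolver.
        WildcardPermission hp = new WildcardPermission("printer:print:HP");

        // "*" matches any value in that part; parts missing from the grant match everything.
        System.out.println("printer:*           implies printer:print:HP ? "
                + new WildcardPermission("printer:*").implies(hp));
        // A grant with fewer parts implies every longer permission beneath it.
        System.out.println("printer             implies printer:print:HP ? "
                + new WildcardPermission("printer").implies(hp));
        // The reverse is not true: a specific grant never implies a broader one.
        System.out.println("printer:print:HP    implies printer:print    ? "
                + hp.implies(new WildcardPermission("printer:print")));
        // A part may list several comma-separated sub-parts.
        System.out.println("printer:print,query implies printer:query    ? "
                + new WildcardPermission("printer:print,query").implies(new WildcardPermission("printer:query")));
        // Matching is case-insensitive unless the permission is built case-sensitive.
        System.out.println("PRINTER:PRINT:HP    implies printer:print:HP ? "
                + new WildcardPermission("PRINTER:PRINT:HP").implies(hp));

        // Role -> Permission objects through the custom RolePermissionResolver.
        RolePermissionResolver roles = new TableRolePermissionResolver();
        System.out.println("bankTeller may account:open  ? " + roleImplies(roles, "bankTeller", "account:open"));
        System.out.println("bankTeller may account:close ? " + roleImplies(roles, "bankTeller", "account:close"));
        System.out.println("admin      may account:close ? " + roleImplies(roles, "admin", "account:close"));
        System.out.println("guest      may account:open  ? " + roleImplies(roles, "guest", "account:open"));
    }
}
```

In a real deployment the resolver is not called by hand: an AuthorizingRealm is given it through setRolePermissionResolver, and the realm then only has to return role names from doGetAuthorizationInfo while the role-to-permission mapping lives in one place. Because of the "fewer parts implies more" rule, a coarse grant such as "account" is equivalent to "account:*:*" and should be handed out deliberately.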
[Shiro] Part 4: Apache Shiro Authorization