Shiro permission framework and integration with Spring

Source: Internet
Author: User
Tags: cas, java, web, apache camel

This article is reposted from: http://www.php100.com/html/itnews/it/2013/0206/12039.html


Apache Shiro is a powerful, easy-to-integrate open source permission framework that provides authentication, authorization, cryptography, session management and other functions. Authentication and authorization are the core of access control. Simply put, "authentication" proves who you are; a WEB application typically does this by submitting a user name and password through a form. "Authorization" decides whether an authenticated user is allowed to access a protected resource. Many articles have already enumerated Shiro's features and advantages, so they are not repeated here; this article focuses on how Shiro implements authentication and authorization in a WEB application, and how to achieve single sign-on.

User rights model

Before lifting the veil on Shiro, we need to understand the user rights model. The user rights model discussed in this article is the data model used to represent user information and user rights information, that is, to answer "who you are" and "which protected resources you can access". To obtain a flexible user rights data model, user information is usually represented by one entity and user rights information by two entities. User information is represented by LoginAccount; the simplest user information may contain only two properties, the user name (loginName) and the password. A real application may also record whether the user is disabled, whether the account has expired, and so on. User rights information is represented by Role and Permission, which form a many-to-many relationship. A Permission can be understood as an operation on a resource, and a Role can simply be understood as a set of Permissions. User information and Role also form a many-to-many relationship: the same user can have multiple roles, and a role can be owned by more than one user.

Figure 1. User rights model

Authentication and authorization

Resources protected by Shiro go through Shiro's authentication and authorization process. You can protect URLs with Shiro by following the "Integration with Spring" section. When a user accesses a URL protected by Shiro, such as http://host/security/action.do, Shiro first checks whether the user has been authenticated; if not, the user is redirected to the login page, otherwise the authorization check runs. The authentication process obtains the user name and password through a Realm. Usually we implement a JDBC Realm, in which case the information needed to authenticate the user is fetched from the database; if a cache is configured, the user information is first looked up in the cache. After authentication passes, Shiro performs the authorization check, which also obtains the user's rights information through the Realm. The rights information Shiro requires is a Role or a Permission, either one or both, depending on the configuration of the protected resource. If the user's rights information does not include the Role or Permission Shiro requires, authorization fails. Only when authorization passes can the protected URL be accessed; otherwise the user is redirected to the unauthorized page.

Shiro Realm

The description of Shiro's authentication and authorization process mentions the Realm. A Realm can be understood as the DAO that reads user information, roles and permissions. Since most WEB applications use a relational database, implementing a JDBC Realm is common practice; the implementation of a CAS Realm and other Realms follows later.

Listing 1. Implementing your own JDBC Realm

import java.util.Collection;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyShiroRealm extends AuthorizingRealm {

    // Business interface for loading user information and user rights information
    private BusinessManager businessManager;

    // Obtain authorization information (permissions) for an authenticated principal
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
        String username = (String) principals.fromRealm(
                getName()).iterator().next();

        if (username != null) {
            // Query the user's permission information
            Collection<String> pers = businessManager.queryPermissions(username);
            if (pers != null && !pers.isEmpty()) {
                SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
                for (String each : pers)
                    info.addStringPermission(each);

                return info;
            }
        }

        return null;
    }

    // Obtain authentication information (stored credentials) for the submitted token
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        // User name received through the login form
        String username = token.getUsername();

        if (username != null && !"".equals(username)) {
            LoginAccount account = businessManager.get(username);

            if (account != null) {
                // Shiro's CredentialsMatcher compares the submitted password with the stored one
                return new SimpleAuthenticationInfo(
                        account.getLoginName(), account.getPassword(), getName());
            }
        }

        return null;
    }
}

Code description: BusinessManager represents the business class that loads user information and user rights information from the database. In practice it depends on the design of the user rights model and the choice of persistence framework, so no sample code is given here. The doGetAuthenticationInfo method fetches the user information; in terms of the user rights model, it loads the LoginAccount entity, and ultimately we must provide Shiro with an AuthenticationInfo object. The doGetAuthorizationInfo method fetches the user's rights information. The code shows how to load the user's Permissions; loading the user's Roles works the same way. The rights information provided to Shiro is returned as an AuthorizationInfo object.
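To make the authentication-then-authorization flow described in the "Authentication and authorization" section concrete, here is an added stand-alone example that is not code from the original article: a realm in the shape of Listing 1, backed by constructed in-memory maps that stand in for BusinessManager, and configured with a HashedCredentialsMatcher so that the realm hands Shiro a stored SHA-256 hash rather than a plaintext password. ShiroFlowDemo, DemoRealm, the user alice and the permission strings are assumptions.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShiroFlowDemo {
    // Constructed in-memory stand-in for the article's BusinessManager (hypothetical data):
    // the stored credential is a SHA-256 hex hash, never the plaintext password
    static final Map<String, String> HASHES =
            Collections.singletonMap("alice", new Sha256Hash("secret").toHex());
    static final Map<String, Set<String>> PERMS =
            Collections.singletonMap("alice", Collections.singleton("report:read"));
    static class DemoRealm extends AuthorizingRealm {
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String user = (String) t.getPrincipal();
            String hash = HASHES.get(user);            // unknown user -> null -> login fails
            return hash == null ? null : new SimpleAuthenticationInfo(user, hash, getName());
        }
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermissions(
                    PERMS.getOrDefault((String) p.getPrimaryPrincipal(), Collections.emptySet()));
            return info;
        }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        // The matcher hashes the submitted password and compares it with the stored hex hash
        realm.setCredentialsMatcher(new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));   // authentication fails
        } catch (AuthenticationException e) {
            System.out.println("wrong password rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "secret"));      // authentication succeeds
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("report:read   : " + subject.isPermitted("report:read"));    // granted
        System.out.println("report:delete : " + subject.isPermitted("report:delete"));  // not granted
        subject.logout();
    }
}
```

It needs shiro-core (1.2 or later) and slf4j on the classpath; running main shows the rejected login first, then the two permission checks against the authenticated subject.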

Why choose Shiro?

Someone might ask: "I've been using Spring, and the application already uses Spring Security as its security component, so why Shiro?" It is undeniable that Spring Security is also an excellent security component. The purpose of this article is not to make you choose Shiro and abandon Spring Security. To compare the two objectively and briefly: Simplicity: Shiro is simpler and easier to understand than Spring Security. Flexibility: Shiro can run in any application environment, such as Web, EJB, IoC or Google App Engine, without depending on those environments, whereas Spring Security can only be integrated with Spring. Pluggability: Shiro's clean API and design patterns make it easy to integrate with many other frameworks and applications; Shiro integrates seamlessly with third-party frameworks such as Spring, Grails, Wicket, Tapestry, Mule, Apache Camel and Vaadin. Spring Security appears to be playing catch-up in this respect.

Integration with Spring

Spring is widely used in Java WEB application development; compared with EJB, Spring can be said to be the mainstream. Shiro itself provides good support for Spring, making it easy to integrate Shiro into a Spring application.

With the user rights data model described above and our own Realm implemented, we can begin to integrate Shiro into the application.

Installing Shiro

Installing Shiro is very simple: download shiro-all-1.2.0.jar and shiro-cas-1.2.0.jar (needed for single sign-on) from the Shiro website, and download slf4j-api-1.6.1.jar, the logging component Shiro depends on, from the slf4j site. The Spring-related JAR packages are not enumerated here. These JAR packages need to be placed in the web project's /WEB-INF/lib/ directory. After that, all that remains is configuration.

Configuring the filter

First, configure the filter so that requests for resources pass through Shiro's filter chain; this is similar to using any other servlet filter.

XML

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>
