Shiro review--using INI file for authorization testing

One, Shiro authorized

Authorization process:

Similar to the user's authentication process, Shrio in the user authorization, and finally to realm to obtain information.

Shiro three ways to authorize:

Shiro supports three different ways of authorizing:

• programmatic: by writing If/else Authorization code block completion:

Subject Subject = Securityutils.getsubject ();

if (subject.hasrole ("admin")) {

// have permission

} else {

// No Permissions

}

• Annotated: By the execution of the Java on the method, place the corresponding annotations to complete:

@RequiresRoles ("admin")

public void Hello () {

// have permission

}

• JSP/GSP Tags: in JSP/GSP the page is completed with the appropriate tags:

<shiro:hasrole name= "Admin" >

<! -have permission- >

</shiro:hasRole>

Two, code test Shrio authorization

First write the INI file:

#用户 [Users] #用户zhang的密码是123, this user has role1 and role2 two roles zhangsan=123,role1,role2# permissions [roles] #角色role1对资源user拥有create, Update Permissions role1=user:create,user:update# role role2 have Create, delete permissions on the resource user role2=user:create,user:delete# The role Role3 has create permission on the resource user role3=user:create

Permission identity Symbol rule: resource: Action: Instance (middle use half-width: delimited)

USER:CREATE:01 represents a create operation on a 01 instance of a user resource.

User:create: Represents a create operation on a user resource, which is equivalent to user:create:*, which is a create operation for all user resource instances.

For example, USER:*:01 represents all operations on user Resource Instance 01.

Authorization Test Code:

/** * Authorization Test * @author Liuhuichao * */public class Authorizationtest {//Role authorization, resource authorization @testpublic void Testauthorization () {//Create S Ecuritymanager Factory factory<securitymanager> factory=new inisecuritymanagerfactory ("Classpath: Shiro-permission.ini ");//Create Securitymanagersecuritymanager securitymanager=factory.getinstance ();// The SecurityManager is set to the system runtime environment, and spring is integrated to configure the SecurityManager into the spring container Securityutils.setsecuritymanager ( SecurityManager);//Create Subjectsubject subject=securityutils.getsubject ();//Perform certification Usernamepasswordtoken token=new Usernamepasswordtoken ("Zhangsan", "123"); try {subject.login (token);} catch (Authenticationexception e) { E.printstacktrace ();} SYSTEM.OUT.PRINTLN ("Authentication Status:" +subject.isauthenticated ());//authentication is performed after authorization//role-based authorization */boolean ishasrole=subject.hasrole (" Role1 "); SYSTEM.OUT.PRINTLN ("Whether there is role1 permission:" +ishasrole);//Determine if you have multiple roles, Boolean hasallroles=subject.hasallroles (Arrays.aslist (" Role1 "," Role2 ")); System.out.println ("has all roles ([Role1],[role2]):" +hasallroles);//Use the check method to authorize, if authorization does not pass, throws an exception try {Subject.checkRole ("Role12");} catch (Authorizationexception e) {System.out.println ("user does not have role12 role"); E.printstacktrace ();} /* resource-based authorization */boolean ispermitted=subject.ispermitted ("user:create:1"); SYSTEM.OUT.PRINTLN ("Whether there is user:create permission:" +ispermitted); Boolean Ispremittedall=subject.ispermittedall ("User:create" , "User:delete"); SYSTEM.OUT.PRINTLN ("Whether there is user:create,user:delete permission:" +ispermitted);//Use checktry {subject.checkpermission with no return value (" User:post ");} catch (Authorizationexception e) {System.out.println ("user does not have user:post permissions"); E.printstacktrace ();}}}

Note that only the user authentication code on the basis of the next plus OK, so that the simple user authentication + authorization.

Shiro review--using INI file for authorization testing