1. Shiro authorization
Authorization process:
As with user authentication, when Shiro authorizes a user it ultimately goes to the Realm to obtain the authorization information.
Three ways to authorize in Shiro:
Shiro supports three different ways of authorizing:
- Programmatic: done by writing if/else authorization code blocks:
    Subject subject = SecurityUtils.getSubject();
    if (subject.hasRole("admin")) {
        // have permission
    } else {
        // no permission
    }
- Annotation-based: done by placing the corresponding annotation on the Java method to be executed:
    @RequiresRoles("admin")
    public void hello() {
        // have permission
    }
- JSP/GSP tags: done in the JSP/GSP page with the appropriate tags:
    <shiro:hasRole name="admin">
    <!-- have permission -->
    </shiro:hasRole>
2. Testing Shiro authorization in code
First write the INI file:
    # Users
    [users]
    # The password of user zhangsan is 123; this user has two roles, role1 and role2
    zhangsan=123,role1,role2
    # Permissions
    [roles]
    # Role role1 has create and update permissions on the resource user
    role1=user:create,user:update
    # Role role2 has create and delete permissions on the resource user
    role2=user:create,user:delete
    # Role role3 has create permission on the resource user
    role3=user:create
Permission identifier rule: resource:action:instance (the parts are separated by half-width colons).
user:create:01 represents the create operation on instance 01 of the user resource.
user:create represents the create operation on the user resource; it is equivalent to user:create:*, that is, the create operation on all instances of the user resource.
user:*:01 represents all operations on instance 01 of the user resource.
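The identifier rules above can be checked directly with Shiro's own WildcardPermission class. The following is an added example, not code from the original post; it assumes shiro-core is on the classpath, and the class name PermissionRuleDemo and its helper methods are illustrative. It also covers a case the rule implies but does not spell out: a grant limited to instance 01 does not satisfy a check for user:create on all instances.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.shiro.authz.permission.WildcardPermission;
// Added example: class and method names are illustrative, not from the page.
public class PermissionRuleDemo {
    // Grants copied from the [roles] section of the INI file.
    static final Map<String, List<String>> ROLE_GRANTS = new LinkedHashMap<>();
    static {
        ROLE_GRANTS.put("role1", Arrays.asList("user:create", "user:update"));
        ROLE_GRANTS.put("role2", Arrays.asList("user:create", "user:delete"));
        ROLE_GRANTS.put("role3", Arrays.asList("user:create"));
    }

    // Does a single granted permission string cover the requested one?
    static boolean implies(String grant, String requested) {
        return new WildcardPermission(grant).implies(new WildcardPermission(requested));
    }

    // A role allows a request if any one of its grants implies it.
    static boolean roleAllows(String role, String requested) {
        for (String grant : ROLE_GRANTS.getOrDefault(role, Collections.<String>emptyList())) {
            if (implies(grant, requested)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Per role: an instance-level create, a delete on all instances, an ungranted action.
        for (String role : ROLE_GRANTS.keySet()) {
            for (String req : Arrays.asList("user:create:01", "user:delete", "user:post")) {
                System.out.println(role + " / " + req + " = " + roleAllows(role, req));
            }
        }
        // The identifier rules themselves: grant on the left, request on the right.
        String[][] pairs = {
            {"user:create", "user:create:01"}, {"user:create:*", "user:create"},
            {"user:create:01", "user:create"}, {"user:*:01", "user:delete:01"},
            {"user:*:01", "user:delete:02"},
        };
        for (String[] p : pairs) {
            System.out.println(p[0] + " implies " + p[1] + " = " + implies(p[0], p[1]));
        }
    }
}
```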
Authorization Test Code:
    import java.util.Arrays;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationException;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.Factory;
    import org.junit.Test;

    /**
     * Authorization test
     * @author Liuhuichao
     */
    public class AuthorizationTest {

        // Role authorization, resource authorization
        @Test
        public void testAuthorization() {
            // Create the SecurityManager factory
            Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-permission.ini");
            // Create the SecurityManager
            SecurityManager securityManager = factory.getInstance();
            // Set the SecurityManager into the runtime environment; when integrating with Spring,
            // the SecurityManager is configured in the Spring container instead
            SecurityUtils.setSecurityManager(securityManager);
            // Create the Subject
            Subject subject = SecurityUtils.getSubject();
            // Perform authentication
            UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");
            try {
                subject.login(token);
            } catch (AuthenticationException e) {
                e.printStackTrace();
            }
            System.out.println("Authentication Status:" + subject.isAuthenticated());
            // Authorization is performed after authentication has passed

            /* Role-based authorization */
            boolean isHasRole = subject.hasRole("role1");
            System.out.println("Whether there is role1 permission:" + isHasRole);
            // Determine whether the subject has multiple roles
            boolean hasAllRoles = subject.hasAllRoles(Arrays.asList("role1", "role2"));
            System.out.println("has all roles ([role1],[role2]):" + hasAllRoles);
            // Use the check method to authorize; if authorization does not pass, an exception is thrown
            try {
                subject.checkRole("role12");
            } catch (AuthorizationException e) {
                System.out.println("user does not have role12 role");
                e.printStackTrace();
            }

            /* Resource-based authorization */
            boolean isPermitted = subject.isPermitted("user:create:1");
            System.out.println("Whether there is user:create permission:" + isPermitted);
            boolean isPermittedAll = subject.isPermittedAll("user:create", "user:delete");
            // Print the result of the isPermittedAll check (the original printed isPermitted here)
            System.out.println("Whether there is user:create,user:delete permission:" + isPermittedAll);
            // Use the check method, which has no return value
            try {
                subject.checkPermission("user:post");
            } catch (AuthorizationException e) {
                System.out.println("user does not have user:post permissions");
                e.printStackTrace();
            }
        }
    }
Note that the authorization code is simply added on top of the user authentication code; together they give a simple user authentication + authorization flow.
Shiro review--using INI file for authorization testing