
The method of integrating shiro by spring

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces the method of integrating Shiro with Spring. Many people have questions about this in their daily work, so the editor consulted various materials and sorted out a simple, practical procedure. I hope it helps answer your doubts about integrating Shiro with Spring. Please follow along.

* principal: the subject's identifying attribute (who the user is)
* credentials: the proof that backs the principal (for example, a password)

PS: the integration involves a large amount of configuration, so I will post the code directly.

Configuration

(1) Configure the filter in the servlet engine (web.xml)

Shiro implements access control through filters, so we configure a filter:

```xml
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Because Shiro is integrated with Spring, we need the class DelegatingFilterProxy.

As the name suggests, this is a proxy class that stands in for a filter (does that sound like a tongue twister?).

It proxies a Spring-managed bean that implements the Filter interface. The name of the target bean can be declared in an init-param, and it refers to the name of that bean in the Spring context.

Usually we just let the filter-name tell Spring which bean to use, so the filter-name directly identifies the bean in the Spring context.

(2) applicationContext.xml

1. Configure shiroFilter

Make sure the bean id is consistent with the filter-name declared in web.xml.

2. Configure the filter chain (URL access control rules)

Rules for access control:

| Filter abbreviation | Function | Corresponding Java class |
| --- | --- | --- |
| anon | accessible without authentication | org.apache.shiro.web.filter.authc.AnonymousFilter |
| authc | accessible after authentication | org.apache.shiro.web.filter.authc.FormAuthenticationFilter |
| perms | requires specific permissions to access | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter |
| roles | requires specific roles to access | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter |
| user | requires a known user to access | org.apache.shiro.web.filter.authc.UserFilter |

3. shiroFilter also requires a securityManager

4. Information post-processor

5. The code

```
/login.html* = anon
/user_login.action* = anon
/validatecode.jsp = anon
/css/** = anon
/js/** = anon
/images/** = anon
/** = authc
```

II: Coarse-grained authentication and authorization

```java
Subject subject = SecurityUtils.getSubject();
AuthenticationToken token = new UsernamePasswordToken(model.getUsername(), model.getPassword());
subject.login(token);
```

(1) Authentication

1. Execution process (this process is a little complicated and requires some patience)

When we execute subject.login(token), Subject is an interface, so the call actually goes to the login(token) method of its implementation class DelegatingSubject, which internally executes Subject subject = securityManager.login(this, token); you can see that the token has been handed to the securityManager.

SecurityManager is also an interface; the call actually goes to the login(subject, token) method of its implementation class DefaultSecurityManager. Inside this method, the authenticate(token) method of its parent class AuthenticatingSecurityManager is called, which in turn calls authenticator.authenticate(token).

Authenticator is also an interface; the call goes to authenticate(token) in the implementation class AbstractAuthenticator, which calls the abstract method doAuthenticate(token). That method is implemented by the subclass ModularRealmAuthenticator, which internally calls doSingleRealmAuthentication(realms.iterator().next(), authenticationToken), which in turn calls realm.getAuthenticationInfo(token).

Realm is an interface; the call goes to getAuthenticationInfo(token) in the class AuthenticatingRealm. In this method, the abstract method doGetAuthenticationInfo(token) is called. At this point, the doGetAuthenticationInfo(token) method in our custom implementation class MyRealm is finally invoked.

So after this series of hand-offs, the token we receive is the UsernamePasswordToken we created ourselves, and we can safely cast it. From this token we can get the user name and password back, query the database by user name to check whether the user exists, and return null if it does not. If it does exist, we return the user, the user's password and our custom realm name together.

The follow-up code is also quite complicated and I cannot reproduce it all here, but the idea can be inferred. Because the realm is the bridge between Shiro and the database, it does not make the decision itself: when we return the user's password, the securityManager compares the password we return with the password entered by the user and makes the decision.

2. Brief description of the process

1. The username and password are encapsulated into a token and passed to the securityManager through the subject's login(token) method.

2. The securityManager calls the realm to query whether the user exists by user name; the realm returns the user's password if it does, and null if it does not.

3. The securityManager compares the password returned by the realm with the password actually entered by the user.
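Shiro performs the comparison in step 3 through the CredentialsMatcher attached to the realm. The realm in this article returns user.getPassword() as-is, which means the stored value must be the cleartext password. As an added example (not code from the article), the same realm can return a salted hash and let a HashedCredentialsMatcher hash the submitted password the same way before comparing; this assumes Shiro 1.x, the article's User and UserService, and a hypothetical getSalt() accessor on User.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Added example, not the article's code. Assumes the article's User has getPassword()
// (now holding a hex SHA-256 hash) plus an assumed getSalt() accessor, and UserService.
public class HashedRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 1024;
    private final UserService userService;

    public HashedRealm(UserService userService) {
        this.userService = userService;
        // Shiro compares credentials through this matcher, so the realm can return
        // the stored hash instead of a cleartext password.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = userService.findByUserName(username);
        if (user == null) {
            return null; // null means unknown account; Shiro then fails the login
        }
        // The salt travels with the info so the matcher hashes the submitted password identically.
        return new SimpleAuthenticationInfo(user, user.getPassword(),
                ByteSource.Util.bytes(user.getSalt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null; // authorization is covered in section II of the article
    }

    // What to store at registration time: hex(SHA-256 iterated ITERATIONS times over password + salt).
    public static String hashForStorage(String password, String salt) {
        return new Sha256Hash(password, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }
}
```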

3. MyRealm code

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class CustomRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Authorization is filled in later (section II)
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // The token is the UsernamePasswordToken created at login, so the cast is safe
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        User user = userService.findByUserName(usernamePasswordToken.getUsername());
        if (user == null) {
            return null; // unknown user: Shiro fails the login
        }
        // principal, stored credentials, realm name
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}
```

(II): Authorization

Authentication and authorization differ somewhat, but both need to return information.

Authentication returns authentication information, an AuthenticationInfo.

Authorization, of course, returns authorization information, an AuthorizationInfo.

The implementation is also very simple: look up the user's roles and permissions respectively, and add each of them to the information object.

Here is the code.

```java
import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class CustomRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;
    @Autowired
    private RoleService roleService;
    @Autowired
    private PermissionService permissionService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // The primary principal is the User object returned from doGetAuthenticationInfo
        // (same object as SecurityUtils.getSubject().getPrincipal() in the original)
        User user = (User) principals.getPrimaryPrincipal();
        List<Role> roles = roleService.findByUserId(user.getId());
        for (Role role : roles) {
            authorizationInfo.addRole(role.getKeyword());
        }
        List<Permission> permissions = permissionService.findByUserId(user.getId());
        for (Permission permission : permissions) {
            authorizationInfo.addStringPermission(permission.getKeyword());
        }
        return authorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        User user = userService.findByUserName(usernamePasswordToken.getUsername());
        if (user == null) {
            return null; // unknown user: Shiro fails the login
        }
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}
```

III: Fine-grained

How fine-grained (method-level) permission control works: a custom annotation is added to the method, describing the permission the method requires; a proxy object is created for the target business object; reflection is used to read the annotation on the proxied method and obtain the required permission; and a check is made whether the currently logged-in user holds that permission.

ApplicationContext.xml

Note: the configuration here is the traditional Spring AOP configuration, so we need to pay attention to how it is implemented. Normally, with no special handling, Spring uses the JDK dynamic proxy, which is an interface-based proxy. Here we need to use the cglib proxy instead (for how the different proxy types affect reading annotations, see the separate notes on proxies, annotations, interfaces and implementation classes).

At the same time, the proxy mode of transaction management needs to be changed to cglib.

Of course, if you add the annotations directly to the interface, you can still use the JDK dynamic proxy.
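As an added example (not the article's applicationContext.xml, which is not reproduced here), the same wiring written as Spring Java config: the shiroFilter bean named to match web.xml, the filter chain from section (2), the lifecycle post-processor, and the annotation advisor with cglib proxies forced so annotations on implementation classes are read. It assumes Shiro 1.x with shiro-spring on the classpath and the article's CustomRealm registered as a Spring bean.

```java
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
// Added example, not the article's config. Assumes Shiro 1.x + shiro-spring and the article's CustomRealm bean.
@Configuration
public class ShiroConfig {
    // Bean name must match <filter-name> in web.xml: DelegatingFilterProxy looks it up by name.
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login.html");
        // Definitions are matched top to bottom, first match wins, so the catch-all "/** = authc" stays last.
        factory.setFilterChainDefinitions(
                "/login.html* = anon\n/user_login.action* = anon\n/validatecode.jsp = anon\n"
              + "/css/** = anon\n/js/** = anon\n/images/** = anon\n/** = authc\n");
        return factory;
    }
    @Bean
    public SecurityManager securityManager(Realm customRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(customRealm);
        return manager;
    }
    // Gives Shiro beans their init()/destroy() lifecycle callbacks (the post-processor step).
    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
    // proxyTargetClass=true forces cglib subclass proxies so annotations on the implementation class are seen.
    @Bean
    public static DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator;
    }
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}
```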

The annotations explained:

* @RequiresAuthentication: verifies that the user has logged in.
* @RequiresUser: verifies that the user is known. "User" has two meanings here: successfully logged in (subject.isAuthenticated() == true), or recognised through remember-me (subject.isRemembered() == true).
* @RequiresGuest: verifies that this is a guest request, the opposite of @RequiresUser; in other words, subject.getPrincipal() == null.
* @RequiresRoles: for example, @RequiresRoles("aRoleName") means the method can only be executed if the subject has the aRoleName role; otherwise an exception is thrown.
* @RequiresPermissions: for example, @RequiresPermissions("file:read", "write:a.txt") requires the subject to hold both the file:read and write:a.txt permissions to execute the method; otherwise an AuthorizationException is thrown.

This concludes the study of "the method of integrating Shiro with Spring". I hope it has resolved your doubts. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning related topics, please continue to follow the website; the editor will keep bringing you more practical articles!
