
How to configure the security framework Shiro

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces how to configure the security framework Shiro. Many people have questions about configuring Shiro in day-to-day work, so the editor consulted various materials and put together a simple, easy-to-use approach. I hope it helps answer those questions. Follow along with the editor below.

Shiro is a very simple security framework, whereas the comparable Spring Security is much more complex. Although Spring Boot integrates Spring Security, we chose Shiro.

Shiro official website: http://shiro.apache.org/

Brief introduction of principle

What the security framework needs to deal with:

You must have permission to access a protected page. If you are not logged in, you are automatically redirected to the login page; if you are logged in but lack the permission, you are told that you do not have permission.

When logging in, you need to verify the password and user status (locked users cannot log in), and obtain the user's permission information to determine whether the user has the right to access the page.

On the page, you should be able to determine whether the user has access to a page in order to control whether the function is displayed.

Shiro uses a Servlet Filter to protect the pages being accessed; the page paths to protect are configured through the shiroFilterChainDefinitionMap described below.

An AuthorizingRealm supplies the user's password and permission information; here that is the com.jspxcms.core.security.ShiroDbRealm described below.

Use tags in the JSP page to determine whether the user has access, and mark Controller methods with the @RequiresPermissions("my:perm:code") annotation.

Configuration and source code

Configuration class: com.jspxcms.core.ShiroConfig (7.0 and earlier: /src/main/resources/conf/context-shiro.xml)

Permission-related class package: com.jspxcms.core.security

Encryption-related common class package: com.jspxcms.common.security

Core classes:

com.jspxcms.core.security.CmsAuthenticationFilter: the login logic processing class. It includes the CAPTCHA check and the recording of the login log.

com.jspxcms.core.security.ShiroDbRealm: queries the user name and password and obtains the user's permission information at login.

Filter mapping configuration

ShiroConfig reads the filter mapping configuration.

    @Bean("shiroFilter")
    @DependsOn("propertiesHelper")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(BeanFactory beanFactory) throws IOException {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        // Read every property whose key starts with "shiroFilterChainDefinitionMap." in sorted order
        Map<String, String> filterChainDefinitionMap = propertiesHelper().getSortedMap("shiroFilterChainDefinitionMap.");
        factoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        // ...
    }

Filter mapping configuration: /src/main/resources/conf/conf.properties

    shiroFilterChainDefinitionMap/login=authc
    shiroFilterChainDefinitionMap/logout=logout
    shiroFilterChainDefinitionMap/cmscp=backSite,anon
    shiroFilterChainDefinitionMap/cmscp/=backSite,anon
    shiroFilterChainDefinitionMap/cmscp/index.do=backSite,anon
    shiroFilterChainDefinitionMap/cmscp/login.do=backSite,authc
    shiroFilterChainDefinitionMap/cmscp/logout.do=backSite,logout
    shiroFilterChainDefinitionMap/cmscp/**=backSite,user
    shiroFilterChainDefinitionMap/my/**=user
    shiroFilterChainDefinitionMap[1000]/**=anon

The general description is as follows:

The /my/** and /cmscp/** paths can be accessed only after logging in; a request that is not logged in is redirected to the login page. The former is the front-end member center path, and the latter is the back-end administration path.

/login and /cmscp/login.do are login requests. The former is the front-end login request, and the latter is the back-end login request.

/logout and /cmscp/logout.do are logout requests.

/** means all other paths can be accessed freely.
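An added example (not Jspxcms or Shiro code) of why the catch-all /**=anon entry carries the highest index: Shiro evaluates chain definitions in order and the first matching pattern wins, so a catch-all that sorts first leaves the protected paths open. The matcher below is a simplified stand-in for Shiro's Ant-style matching, and the request paths are constructed samples.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class FilterChainOrderDemo {
    // Simplified Ant-style matcher for this demo: "**" crosses "/" boundaries, "*" does not.
    static boolean matches(String pattern, String path) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*' && i + 1 < pattern.length() && pattern.charAt(i + 1) == '*') {
                re.append(".*");
                i++; // consume the second '*'
            } else if (c == '*') {
                re.append("[^/]*");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.matches(re.toString(), path);
    }

    // Walk the chain definitions in map order and return the first match.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matches(e.getKey(), path)) return e.getValue();
        }
        return "(no chain)";
    }

    // A subset of the page's rules, with the catch-all either last (intended) or first.
    static Map<String, String> rules(boolean catchAllFirst) {
        Map<String, String> m = new LinkedHashMap<>();
        if (catchAllFirst) m.put("/**", "anon"); // misordered: catch-all sorted to the top
        m.put("/cmscp/login.do", "backSite,authc");
        m.put("/cmscp/**", "backSite,user");
        m.put("/my/**", "user");
        if (!catchAllFirst) m.put("/**", "anon"); // intended: catch-all last, as with [1000]
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not taken from the project.
        String[] paths = {"/cmscp/login.do", "/cmscp/core/user/list.do", "/my/profile", "/index.html"};
        for (String p : paths) {
            System.out.printf("%-26s intended=%-16s misordered=%s%n",
                    p, resolve(rules(false), p), resolve(rules(true), p));
        }
    }
}
```

When reviewing a conf.properties like the one above, check that every specific path sorts ahead of the /** entry before deploying.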

Password encryption

It is extremely insecure to store users' passwords in the database in plaintext. Passwords should be hashed before they are saved to the database; commonly used algorithms include MD5, SHA-1 and SHA-256. MD5 is the most widely used, but it is not recommended because of its poor security. The system uses SHA-1.

The configuration in ShiroConfig is as follows:

    @Bean("credentialsDigest")
    public SHA1CredentialsDigest credentialsDigest() {
        return new SHA1CredentialsDigest();
    }

This digest object is injected into com.jspxcms.core.security.ShiroDbRealm:

    @Autowired
    public void setCredentialsDigest(CredentialsDigest credentialsDigest) {
        this.credentialsDigest = credentialsDigest;
    }

That concludes this look at how to configure the security framework Shiro. I hope it has answered your questions. Theory is best learned alongside practice, so go and try it!
