Shulou (shulou.com), SLTechnology News&Howtos, Database section. Report of 06/01, updated 2025-04-05.
Shiro tutorial series
Shiro tutorial (3): Shiro authentication
1 Shiro introduction
1.1 What is Shiro
Shiro is an open-source framework from Apache that extracts the security functions a software system needs (user authentication, authorization, cryptography and session management) into a general, reusable security framework.
1.2 Why learn Shiro?
Because Shiro packages the security functions as a framework, authentication, authorization and related features can be developed quickly with it, which lowers the cost of the system.
Shiro is widely used: it runs in web applications, in non-web applications and in clustered, distributed applications, and its user base keeps growing.
Spring Security (formerly Acegi) is another open-source access-control framework in the Java world, but it depends on Spring to run, whereas Shiro is comparatively independent. Its simplicity and flexibility are the main reasons more and more users choose Shiro.
1.3 Shiro architecture
1.3.1 Subject
The Subject is the "current user": the object the application interacts with. A Subject represents whoever is performing the current operation, which may be a user sending a browser request or a running program. In Shiro, Subject is an interface that defines the authentication and authorization methods the application calls; the Subject in turn delegates the work to the SecurityManager.
1.3.2 SecurityManager
The SecurityManager manages the security of all Subjects and is the core of Shiro. Authentication and authorization of a Subject are carried out through the SecurityManager, which itself delegates: authentication to the Authenticator, authorization to the Authorizer, session management to the SessionManager, and so on.
SecurityManager is an interface that extends Authenticator, Authorizer and SessionManager.
1.3.3 Authenticator
The Authenticator verifies the user's identity. It is an interface; Shiro provides the ModularRealmAuthenticator implementation, which covers most needs, and a custom Authenticator can be supplied.
1.3.4 Authorizer
The Authorizer decides, once the Authenticator has established who the user is, whether that user has permission to perform the operation being requested.
1.3.5 Realm
A Realm is a security data source, comparable to a DataSource. The SecurityManager obtains user identity and permission data through Realms; if identity data lives in the database, the Realm reads it from there.
Note: a Realm is not only a data fetch. It also contains the code that checks the fetched data against the submitted credentials (authentication) and answers permission queries (authorization).
1.3.6 SessionManager
Shiro defines its own session management that does not depend on the web container's session, so Shiro can be used in non-web applications and the sessions of a distributed application can be managed in one place. This is also what makes sharing a login across applications (single sign-on) feasible with Shiro.
1.3.7 SessionDAO
SessionDAO is the set of interfaces for session persistence operations. For example, to store sessions in a database, implement a SessionDAO that reads and writes them through JDBC.
1.3.8 CacheManager
The CacheManager caches user authentication and authorization data so that it does not have to be reloaded from the Realm on every check, which improves performance.
1.3.9 Cryptography
Shiro provides a set of cryptographic components for common needs: hashing (with salt and iterations) and symmetric encryption/decryption.
1.4 Shiro jar packages
As with other Java open-source frameworks, Shiro is used by adding its jars to the project. shiro-core is required. shiro-web (web integration), shiro-spring (Spring integration), shiro-ehcache (caching with Ehcache) and shiro-quartz (integration with the Quartz scheduler) are optional. The Maven coordinates of the jars used in this tutorial are:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.2.3</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.2.3</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.2.3</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-ehcache</artifactId>
        <version>1.2.3</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-quartz</artifactId>
        <version>1.2.3</version>
    </dependency>

Alternatively, shiro-all pulls in all Shiro modules at once:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-all</artifactId>
        <version>1.2.3</version>
    </dependency>

Note: 1.2.3 is the version used in the original tutorial and is long out of date. In particular, Shiro releases before 1.2.5 ship a hard-coded default AES key for the RememberMe cookie, so an attacker can forge a cookie carrying a malicious serialized object (CVE-2016-4437). Use a current Shiro release in any real project; the APIs used in this tutorial are still available in later 1.x releases.
The same jars can also be taken from the lib directory of the Shiro distribution.
2 Shiro authentication
2.1 Authentication process
In outline: the application builds a token from the credentials the user submitted, calls subject.login(token), and the SecurityManager hands the token to its Authenticator, which asks the configured Realms for the stored account data and compares the submitted credentials with it. Section 2.2.6 walks through these steps for the example below.
2.2 Getting started (user login and logout)
2.2.1 Create a Java project
JDK version: 1.7.0_72
Eclipse: Indigo
2.2.2 Add the shiro-core jar and its dependencies to the project
2.2.3 log4j.properties log configuration
    log4j.rootLogger=debug, stdout
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n
2.2.4 shiro.ini
The SecurityManager environment is initialized from the shiro.ini configuration file.
Configure Eclipse to support editing ini files, then create shiro.ini on the classpath. To keep the test simple, the user names and passwords are configured directly in the file:
    [users]
    zhang=123
    lisi=123
2.2.5 Authentication code
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.Factory;
    import org.junit.Test;

    public class AuthenticationTest {

        // user login, user logout
        @Test
        public void testLoginLogout() {
            // build a SecurityManager factory; IniSecurityManagerFactory initializes the SecurityManager from an ini file
            Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
            // create the SecurityManager through the factory
            SecurityManager securityManager = factory.getInstance();
            // install the SecurityManager in the runtime environment (a static, VM-wide setting; fine for a test)
            SecurityUtils.setSecurityManager(securityManager);
            // obtain the Subject to be authenticated; it is bound to the SecurityManager set above
            Subject subject = SecurityUtils.getSubject();
            // create a token carrying the submitted identity and credential, i.e. account and password
            UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
            try {
                // user login
                subject.login(token);
            } catch (AuthenticationException e) {
                // login failed: unknown account, wrong password, locked account, ...
                e.printStackTrace();
            }
            // authentication status of the user
            boolean isAuthenticated = subject.isAuthenticated();
            System.out.println("user authentication status: " + isAuthenticated);
            // user logout
            subject.logout();
            isAuthenticated = subject.isAuthenticated();
            System.out.println("user authentication status: " + isAuthenticated);
        }
    }
2.2.6 Authentication flow
1. Create a token. The token carries the authentication data submitted by the user: account and password.
2. Call subject.login(token); the SecurityManager ultimately authenticates through its Authenticator.
3. The Authenticator implementation, ModularRealmAuthenticator, calls the Realm to obtain the user's real account and password. Here the Realm is IniRealm (shipped with Shiro), which reads them from the ini configuration file.
4. IniRealm first looks up the account from the token in the ini file. If it is not found, it returns null to ModularRealmAuthenticator, which throws UnknownAccountException. If it is found, the credentials matcher compares the submitted password with the stored one; if they match, authentication succeeds.
2.2.7 Common exceptions
UnknownAccountException
Thrown when the account does not exist:
org.apache.shiro.authc.UnknownAccountException: No account found for user .
IncorrectCredentialsException
Thrown when the password is wrong:
org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - zhangsan, rememberMe=false] did not match the expected credentials.
Other subclasses of AuthenticationException include:
DisabledAccountException (account is disabled)
LockedAccountException (account is locked)
ExcessiveAttemptsException (too many failed logins)
ExpiredCredentialsException (expired credentials), etc.
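The test code above catches AuthenticationException and prints the stack trace. The following added example (written for this edit, not code from the original tutorial) shows how a login routine would handle the exceptions listed here. It maps UnknownAccountException and IncorrectCredentialsException to the same user-facing message, because reporting "no such account" separately lets an attacker enumerate valid user names, and it clears the password characters from the token afterwards. The class name LoginExceptionDemo, the message strings and the user names are assumptions for the demo; the shiro.ini from section 2.2.4 is assumed to be on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

// Added example (hypothetical class); not part of the original tutorial.
public class LoginExceptionDemo {

    // user-facing messages; one shared message for every credential failure
    public static final String MSG_BAD_CREDENTIALS = "Invalid username or password";
    public static final String MSG_ACCOUNT_UNAVAILABLE = "Account is not available, contact an administrator";
    public static final String MSG_PASSWORD_EXPIRED = "Password expired, please reset it";
    public static final String MSG_GENERIC_FAILURE = "Login failed";

    /** Attempts login; returns null on success, otherwise the message to show the user. */
    public static String login(String username, char[] password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return null;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Same message on purpose: distinguishing "unknown account" from "wrong password"
            // would tell an attacker which user names exist. Log the detail server-side only.
            System.err.println("login failed for " + username + ": " + e.getClass().getSimpleName());
            return MSG_BAD_CREDENTIALS;
        } catch (DisabledAccountException | ExcessiveAttemptsException e) {
            // DisabledAccountException also covers its subclass LockedAccountException
            System.err.println("account unavailable for " + username + ": " + e.getClass().getSimpleName());
            return MSG_ACCOUNT_UNAVAILABLE;
        } catch (ExpiredCredentialsException e) {
            return MSG_PASSWORD_EXPIRED;
        } catch (AuthenticationException e) {
            // any other AuthenticationException subclass, e.g. one thrown by a custom realm
            System.err.println("login error for " + username + ": " + e);
            return MSG_GENERIC_FAILURE;
        } finally {
            // zero the password characters held by the token; login() does not keep the token
            token.clear();
        }
    }

    public static void main(String[] args) {
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityUtils.setSecurityManager(factory.getInstance());

        System.out.println(login("zhang", "123".toCharArray()));   // null (success)
        SecurityUtils.getSubject().logout();
        System.out.println(login("zhang", "wrong".toCharArray())); // Invalid username or password
        System.out.println(login("nobody", "123".toCharArray()));  // Invalid username or password
    }
}
```

The multi-catch syntax needs Java 7 or later, which matches the JDK used in this tutorial. Note that LockedAccountException must not appear in the same multi-catch as DisabledAccountException, since it is a subclass of it.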
2.3 Custom Realm
The program above uses IniRealm, which ships with Shiro and reads user information from the ini configuration file. In most cases user information has to be read from the system's database, so a custom Realm is needed.
2.3.1 Realms provided by Shiro
The most basic type is the Realm interface. CachingRealm adds caching, AuthenticatingRealm adds authentication, and AuthorizingRealm adds authorization on top of that. A custom realm usually extends AuthorizingRealm.
2.3.2 Custom Realm
    package com.sihai.shiro.authentication.realm;

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;

    public class CustomRealm1 extends AuthorizingRealm {

        @Override
        public String getName() {
            return "customRealm1";
        }

        // only UsernamePasswordToken is supported by this realm
        @Override
        public boolean supports(AuthenticationToken token) {
            return token instanceof UsernamePasswordToken;
        }

        // authentication
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            // obtain the user identity (account) from the token
            String username = (String) token.getPrincipal();
            // query the database with username
            // ...
            // return null if the account is not found; Shiro then throws UnknownAccountException
            if (!"zhang".equals(username)) { // simulates "not found"
                return null;
            }
            // the password as read from the database (static data here)
            String password = "123";
            // the returned info is compared with the token by the parent class AuthenticatingRealm.
            // With the default SimpleCredentialsMatcher this is a plain equality check, i.e. the
            // stored password is in clear text; section 2.4 replaces it with a salted hash.
            return new SimpleAuthenticationInfo(username, password, getName());
        }

        // authorization (not used in this part of the tutorial)
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return null;
        }
    }
2.3.3 shiro-realm.ini
Note that ini keys are case-sensitive: the object name is securityManager and the realm is referenced as $customRealm.
    [main]
    # custom realm
    customRealm=com.sihai.shiro.authentication.realm.CustomRealm1
    # set the realm on the securityManager
    securityManager.realms=$customRealm
2.3.4 Test code
The test code is the same as in the getting-started example, with the ini path changed to shiro-realm.ini.
Test three cases: the account does not exist, the password is wrong, and account and password are both correct.
2.4 Hash algorithms
A hash algorithm produces a fixed-size digest of some input. It is one-way: a digest can be computed from the content, but the content cannot be recovered from the digest. Hash functions are commonly used to store passwords. Common algorithms are MD5 and the SHA family.
A password hash should be computed over the original content together with a salt. This is done for security: the MD5 value of 111111 is 96e79218965eb72c92a549dd5a330112, and feeding that digest to an online MD5 lookup site recovers the password immediately, because digests of common passwords are precomputed. If 111111 is hashed together with a salt (a random value stored next to the hash), the same password produces a different digest for every user, so precomputed tables no longer apply.
Salting only defeats precomputed tables; it does not slow down a brute-force attack on a single hash. MD5 and SHA-1 are fast, so one round of either is not a suitable password hash. Prefer a slow, password-specific algorithm (bcrypt, scrypt, Argon2) or, with Shiro's HashedCredentialsMatcher, a large iteration count of SHA-256 or SHA-512. The MD5 examples below keep the original tutorial's settings so that the stored value in 2.4.2.1 can be reproduced.
2.4.1 Example
    import org.apache.shiro.crypto.hash.Md5Hash;
    import org.apache.shiro.crypto.hash.SimpleHash;

    // md5 hash, no salt
    String password_md5 = new Md5Hash("111111").toString();
    System.out.println("md5 hash, no salt = " + password_md5);
    // md5 hash with salt, one iteration
    String password_md5_salt_1 = new Md5Hash("111111", "eteokues", 1).toString();
    System.out.println("password_md5_salt_1 = " + password_md5_salt_1);
    // same password, different salt: a different digest
    String password_md5_salt_2 = new Md5Hash("111111", "uiwueylm", 1).toString();
    System.out.println("password_md5_salt_2 = " + password_md5_salt_2);
    // with two iterations Shiro hashes salt + password once and then re-hashes the raw
    // digest, i.e. md5(md5(salt + password))
    // the same digest with the generic SimpleHash, selecting the algorithm by name
    String simpleHash = new SimpleHash("MD5", "111111", "eteokues", 1).toString();
    System.out.println(simpleHash);
2.4.2 Use in a realm
In a real application the salt and the hash are stored in the database. The realm reads both and returns them to Shiro, and Shiro's credentials matcher hashes the submitted password with the same salt and compares the result with the stored hash.
2.4.2.1 Custom realm
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // user account
        String username = (String) token.getPrincipal();
        // look up the salt and the stored hash by account in the database
        // ... static data is used here
        // if no user is found for the account, return null; Shiro then throws UnknownAccountException
        if (!"zhang".equals(username)) {
            return null;
        }
        // the hash as stored in the database: md5 of the original password 111111 with salt eteokues, one iteration
        String password = "cb571f7bd7a6f73ab004a70322b963d5";
        // the salt, a random value that is stored in the database next to the hash
        String salt = "eteokues";
        // return the stored hash together with its salt; the HashedCredentialsMatcher configured
        // on the realm hashes the submitted password with the same salt and compares the results
        return new SimpleAuthenticationInfo(username, password, ByteSource.Util.bytes(salt), getName());
    }
2.4.2.2 Realm configuration
Configure shiro-cryptography.ini. The algorithm name and iteration count given to the matcher must be the ones used when the stored hash was created, otherwise every login fails.
    [main]
    # define the credentials matcher
    credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
    # hash algorithm
    credentialsMatcher.hashAlgorithmName=md5
    # number of hash iterations
    credentialsMatcher.hashIterations=1
    # set the credentials matcher on the realm
    customRealm=com.sihai.shiro.authentication.realm.CustomRealm2
    customRealm.credentialsMatcher=$credentialsMatcher
    securityManager.realms=$customRealm
2.4.2.3 Test code
The test code is the same as in the previous section; change the ini path to shiro-cryptography.ini.
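The realm in 2.4.2.1 uses a fixed salt and a single MD5 round, and the text only describes the registration side that produces the stored values. The following added example (written for this edit, not code from the original tutorial) shows that side together with the matching realm: a fresh random salt per user from Shiro's SecureRandomNumberGenerator, an iterated SHA-256 digest via SimpleHash, and a HashedCredentialsMatcher configured in code rather than in an ini file, so the whole thing runs without classpath files. The class SaltedHashRealmDemo, the in-memory user table, the iteration count and the user names are assumptions for the demo. It goes beyond the page by using per-user salts and SHA-256 with many iterations instead of one MD5 round.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Added example (hypothetical class); not part of the original tutorial.
public class SaltedHashRealmDemo {

    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 100000; // assumption: tune to your hardware budget

    /** One row of the simulated user table: hex-encoded hash and hex-encoded salt. */
    static final class UserRow {
        final String hashHex;
        final String saltHex;
        UserRow(String hashHex, String saltHex) { this.hashHex = hashHex; this.saltHex = saltHex; }
    }

    /** Constructed in-memory stand-in for the database table. */
    static final Map<String, UserRow> USERS = new HashMap<>();

    /** Registration side: random salt per user, iterated hash, store both. */
    static void register(String username, String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(); // 16 random bytes by default
        String hashHex = new SimpleHash(ALGORITHM, password, salt, ITERATIONS).toHex();
        USERS.put(username, new UserRow(hashHex, salt.toHex()));
    }

    /** Realm that returns the stored hash plus salt; the matcher does the comparison. */
    static final class HashRealm extends AuthorizingRealm {
        HashRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
            matcher.setHashIterations(ITERATIONS);          // must equal the value used at registration
            matcher.setStoredCredentialsHexEncoded(true);   // stored value comes from toHex()
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            UserRow row = USERS.get(username);
            if (row == null) {
                return null; // unknown account -> UnknownAccountException
            }
            // the salt must be returned as the same raw bytes that were hashed, so decode the hex
            ByteSource salt = ByteSource.Util.bytes(Hex.decode(row.saltHex));
            return new SimpleAuthenticationInfo(username, row.hashHex, salt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return null; // authorization is not covered in this part
        }
    }

    /** Returns true if login succeeds; always logs the subject out again. */
    static boolean tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        register("zhang", "111111");
        register("lisi", "111111"); // same password, different salt -> different stored hash
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashRealm()));

        System.out.println(!USERS.get("zhang").hashHex.equals(USERS.get("lisi").hashHex)); // true
        System.out.println(tryLogin("zhang", "111111")); // true
        System.out.println(tryLogin("zhang", "123456")); // false
        System.out.println(tryLogin("wang", "111111"));  // false
    }
}
```

The same matcher settings expressed in ini form would be hashAlgorithmName=SHA-256, hashIterations=100000 and the default storedCredentialsHexEncoded=true. Storing the salt hex-encoded and decoding it in the realm avoids the mistake of hashing the raw bytes at registration but handing the matcher the hex string as the salt, which silently makes every login fail.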