简单登录流程:
1. SecurityManager
2. SecurityUtils.setSecurityManager
3. SecurityUtils.getSubject
4. token(UsernamePasswordToken等)
5. subject.login
Apache Shiro Configuration
Shiro 配置--ini
》适用于用户少且不需要在运行时动态创建的情景
1. web.xml 中自定义shiro.ini位置(默认位置)
/WEB-INF/shiro.ini or classpath:shiro.ini
配置内容
<filter><filter-name>ShiroFilter</filter-name><filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class><init-param><param-name>configPath</param-name><param-value>/WEB-INF/anotherFile.ini</param-value></init-param></filter>
2. Shiro.ini 示例
# =======================# Shiro INI configuration# =======================[main]# Objects and their properties are defined here,# Such as the securityManager, Realms and anything# else needed to build the SecurityManager[users]# The 'users' section is for simple deployments# when you only need a small number of statically-defined# set of User accounts.[roles]# The 'roles' section is for simple deployments# when you only need a small number of statically-defined# roles.[urls]# The 'urls' section is used for url-based security# in web applications. We'll discuss this section in the# Web documentation
说明:
[main] 主配置
[main]sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher # 加密密码匹配# true = hex, false = base64:sha256Matcher.storedCredentialsHexEncoded = falsemyRealm = com.company.security.shiro.DatabaseRealmmyRealm.connectionTimeout = 30000myRealm.username = jsmith # 内部被转换为myRealm.setUsername("jsmith");myRealm.password = secretmyRealm.credentialsMatcher = $sha256Matcher # 凭证(密码)加密securityManager.sessionManager.globalSessionTimeout = 1800000
多个属性(逗号 ,)
securityManager.sessionManager.sessionListeners = $sessionListener1, $sessionListener2
Map形式属性设置
object1 = com.company.some.Classobject2 = com.company.another.Class...anObject = some.class.with.a.Map.propertyanObject.mapProperty = key1:$object1, key2:$object2
重复设置的属性,后写的覆盖前面的
myRealm = com.company.security.MyRealm...myRealm = com.company.security.DatabaseRealm #(覆盖了前面的myRealm)
[users] 用户配置
[users]admin = secret #A password is required.lonestarr = vespa, goodguy, schwartzdarkhelmet = ludicrousspeed, badguy, schwartz# user1 = sha256-hashed-hex-encoded password, role1, role2, ... # 可以使用 shiro 的Command Line Hasher 来加密密码。需要配置 credentialsMatcher
格式: 用户 = 密码,角色1,角色2,... ,角色N
username = password, roleName1, roleName2, ..., roleNameN
[roles] 角色配置
[roles]# 'admin' role has all permissions, indicated by the wildcard '*'admin = * # 所有权限# The 'schwartz' role can do anything (*) with any lightsaber:schwartz = lightsaber:* # 角色 schwartz 拥有对资源 lightsaber 做任何事的权限# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with# license plate 'eagle5' (instance specific id)goodguy = winnebago:drive:eagle5 # 角色goodguy 拥有对 id 为 eagle5 的 winnebago 资源执行 drive 的权限
格式:角色 = 权限定义1,权限定义2,... ,权限定义N
rolename = permissionDefinition1, permissionDefinition2, ..., permissionDefinitionN
权限定义:http://shiro.apache.org/permissions.html
[url] web应用中url过滤
[urls]/index.html = anon/user/create = anon/account/**=ssl,authc # Any request to my application's path of /account or any of it's sub paths (/account/foo, /account/bar/baz, etc) will trigger the 'ssl, authc' filter chain/user/** = authc/admin/** = authc, roles[administrator]/rest/** = authc, rest/remoting/rpc/** = authc, perms["remote:invoke"]
格式:
URL_Ant_Path_Expression = Path_Specific_Filter_Chain
注意:
2. URL过滤原则是 FIRST MATCH WINS. 后面的不会覆盖前面的!
url中过滤器(anno等)定义:
filter1[optional_config1], filter2[optional_config2], ..., filterN[optional_configN] # 如 authc, perms["remote:invoke"]
注意:若filter不是shiro中已定义的(DefaultFilter),而是自己继承 PathMatchingFilter 实现的,则需要在【main】中先声明
测试时,可以在【main】中禁用 filter
[main]...# configure Shiro's default 'ssl' filter to be disabled while testing:ssl.enabled = false
登录请求login.do不能设为authc