官方文档:
https://shiro.apache.org/reference.html
https://shiro.apache.org/java-authentication-guide.html
Terminology you’ll need
-
Subject - Security specific user ‘view’ of an application user. It can be a human being, a third-party process, a server connecting to you application, or even a cron job. Basically, it is anything or anyone communicating with your application.
-
Principals - A subjects identifying attributes. First name, last name, social security number, username
-
Credentials - secret data that are used to verify identities. Passwords, Biometric data, x509 certificates,
-
Realms - Security specific DAO, data access object, software component that talks to a backend data source. If you have usernames and password in LDAP, then you would have an LDAP Realm that would communicate with LDAP. The idea is that you would use a realm per back-end data source and Shiro would know how to coordinate with these realms together to do what you have to do.
First, we need to acquire the currently executing user, referred to as the subject.
A subject is just a security specific view of the user—-it can be a human, a process, cron job, doesn’t matter.
About "READMEMBER ME"
In Shiro, the Subject object supports two methods : isRemembered() and isAuthenticated().
A “remembered” subject has an identity (it is not anonymous) and their identifying attributes,referred to as principals, are remembered from a successful authentication during a previous session.
An authenticated subject has proved their identity during their current session.
If a subject is remembered, it DOES NOT mean they are authenticated.
Login/Logout
1 //With most of Shiro, you'll always want to make sure you're working with the currently 2 //executing user, referred to as the subject 3 Subject currentUser = SecurityUtils.getSubject(); 4 5 //Authenticate the subject by passing 6 //the user name and password token 7 //into the login method 8 currentUser.login(token); 9 10 //Your Code Here 11 currentUser.logout(); //removes all identifying information and invalidates their session too.
rich exception hierarchy
丰富的异常层级(机制)
1 try { 2 currentUser.login(token); 3 } catch ( UnknownAccountException uae ) { ... 4 } catch ( IncorrectCredentialsException ice ) { ... 5 } catch ( LockedAccountException lae ) { ... 6 } catch ( ExcessiveAttemptsException eae ) { ... 7 } ... your own ... 8 } catch ( AuthenticationException ae ) { 9 //unexpected error? 10 } 11 //No problems, show authenticated view…
词汇部分
译:
Again really, really easy 非常非常简单/容易
retain 保留
authentication attempt 验证尝试.n
hierarchy 等级制度、层次、层级、阶层、层次结构
integration 整合;集成
音: