Apache Shrio安全框架

2021-04-01 16:25

阅读：579

标签：div tom val ssi iss 模块 list ima anon

一、Shiro整体概述

1.简介

Apache Shiro是Java的一个安全框架,功能强大,使用简单,Shiro为开发人员提供了一个直观而全面的认证(登录),授权(判断是否含有权限),加密(密码加密)及会话管理(Shiro内置Session)的解决方案.

2.Shiro组件

3.Shiro架构

3.1 外部架构(以应用程序角度)

3.2 内部架构

4. Shiro的过滤器

过滤器简称	对应的java类
anon	org.apache.shiro.web.filter.authc.AnonymousFilter
authc	org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic	org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms	org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port	org.apache.shiro.web.filter.authz.PortFilter
rest	org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles	org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl	org.apache.shiro.web.filter.authz.SslFilter
user	org.apache.shiro.web.filter.authc.UserFilter
logout	org.apache.shiro.web.filter.authc.LogoutFilter

挑几个重要的说明一下:

anon:匿名过滤器,不登录也可以访问的资源使用,比如首页,一些静态资源等

authc:认证过滤器,登录成功后才能访问的资源使用

perms:授权过滤器,必须具备某种权限才能访问

roles:角色过滤器,必须具备某种角色才能访问

注意:这么多过滤器,使用起来肯定不方便,Shiro框架也考虑到了这一点,所以有一个过滤器,一个顶十个,即DelegatingFilterProxy.

5. Shiro与Spring整合

5.1 pom.xml

   
        dependency>
            groupId>org.apache.shirogroupId>
            artifactId>shiro-springartifactId>
            version>1.3.2version>
        dependency>

5.2 web.xml

 filter>
        filter-name>shiroFilterfilter-name>
        filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class>
        init-param>
            param-name>targetFilterLifecycleparam-name>
            param-value>trueparam-value>
        init-param>
    filter>
    filter-mapping>
        filter-name>shiroFilterfilter-name>
        url-pattern>/*url-pattern>
    filter-mapping>

5.3 applicationContext-shiro.xml

xml version="1.0" encoding="UTF-8"?>
beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:task="http://www.springframework.org/schema/task"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd">
    
    bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        
        property name="realm" ref="authRealm"/>
        
        property name="cacheManager" ref="cacheManager"/>
    bean>

    
    bean id="authRealm" class="com.itheima.web.shiro.AuthRealm">
        
        property name="credentialsMatcher" ref="customerCredentialsMatcher">property>
    bean>

    
    bean id="customerCredentialsMatcher" class="com.itheima.web.shiro.CustomCredentialsMatcher">bean>

    
    
    bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager">bean>

    
    bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        property name="securityManager" ref="securityManager"/>
        
        property name="loginUrl" value="/login.jsp">property>
        
        property name="unauthorizedUrl" value="/unauthorized.jsp">property>

        property name="filterChainDefinitions">
            
            value>
                /system/module/list.do = perms["模块管理"]
                /index.jsp* = anon
                /login.jsp* = anon
                /login* = anon
                /logout* = anon
                /css/** = anon
                /img/** = anon
                /plugins/** = anon
                /make/** = anon
                /** = authc
            value>
        property>
    bean>

    
    bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    
    bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor">
        property name="proxyTargetClass" value="true"/>
    bean>

    
    bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        property name="securityManager" ref="securityManager"/>
    bean>

    
    aop:aspectj-autoproxy proxy-target-class="true"/>

beans>

5.4 如果你想看具体的实现代码,可以点击页面右上角,到我的github仓库中拉取.

Apache Shrio安全框架

标签：div tom val ssi iss 模块 list ima anon

原文地址：https://www.cnblogs.com/ubiquitousShare/p/12553451.html

上一篇：jQuery---ajax

下一篇：通达OA 任意文件上传+文件包含导致RCE漏洞复现

文章来自：搜素材网的编程语言模块，转载请注明文章出处。
文章标题：Apache Shrio安全框架
文章链接：http://soscw.com/index.php/essay/70999.html

亲，登录后才可以留言！

Apache Shrio安全框架

评论

热门文章

推荐文章

最新文章

置顶文章