湖南建筑信息网,seo平台优化,平原网站建设费用,广州天河网站开发公司一、权限基础
a) 认证(你是谁#xff1f;)
判断你(被认证者)是谁的过程。通常被认证者提供用户名和密码。
常见的认证包含如下几种#xff1a;
匿名认证#xff1a;允许访问资源#xff0c;不做任何类型的安全检查。表单认证#xff1a;访问资源之前#xff0c;需要提… 一、权限基础
a) 认证(你是谁)
判断你(被认证者)是谁的过程。通常被认证者提供用户名和密码。
常见的认证包含如下几种
匿名认证允许访问资源不做任何类型的安全检查。表单认证访问资源之前需要提交包含用户名和密码的表单。这是web application最常用的认证方式。这个过程一般会接合Session只在第一次新会话访问资源时提交认证表单。基本HTTP认证基于RFC 2617的一种认证方式。用户认证Filter that allows access to resources if the accessor is a known user, which is defined as having a known principal. This means that any user who is authenticated or remembered via a remember me feature will be allowed access from this filter.
b) 授权(你可以做什么)
判断被认证者(你)是否能做什么操作的过程。
端口授权必须通过指定的某个端口才能访问资源。Permission授权Filter that allows access if the current user has the permissions specified by the mapped value, or denies access if the user does not have all of the permissions specified.Role授权Filter that allows access if the current user has the roles specified by the mapped value, or denies access if the user does not have all of the roles specified.
perms org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter port org.apache.shiro.web.filter.authz.PortFilter roles org.apache.shiro.web.filter.authz.RolesAuthorizationFilter ssl org.apache.shiro.web.filter.authz.SslFilter
c) 加密
使用技术手段如MD5、SHA等把待加密的数据变为密文如信息摘要等过程。
d) RBAC
基于角色的访问控制Role-Based Access Control。
e) Realm
data access object for an application’s security components (users,roles, permissions)
f) Permission
最小粒度的授权不与用户关联。 例如导出报表、查看id号为“PO20090008”的采购单、创建FAQ。
g) Role
Permission的集合。
二、Shiro特点 简单。功能强大。能独立运行不依赖其它框架或容器。包含了认证、授权、Session管理、加密。易于扩展。 三、web application 集成Shiro
a) 数据模型 用户账号Account可以简单的理解为用户。 一个账号可以拥有多个角色Role。 一个角色包含了多个权限Permission。
b) 创建工程新建实体添加与Shiro相关的Jar包
EclipseFile--New--Other--Web--Dynamic Web Project
在 /WEB-INFO/lib/目录下添加如下Jar包 相关Jar包http://incubator.apache.org/shiro/download.html
c) 配置web.xml添加过滤器
filterfilter-nameShiroFilter/filter-namefilter-classorg.apache.shiro.web.servlet.IniShiroFilter/filter-class
/filter
filter-mappingfilter-nameShiroFilter/filter-nameurl-pattern/*/url-pattern
/filter-mapping
d) INI配置
[main]
#SHA256加密
sha256Matcher org.apache.shiro.authc.credential.Sha256CredentialsMatcher#realm
myRealm com.xx.xx.shiro.MyShiroRealm
myRealm.credentialsMatcher $sha256Matcher#缓存
myRealm.authorizationCachingEnabled true
cacheorg.apache.shiro.cache.ehcache.EhCacheManager
myRealm.cacheManager$cache[filters]
shiro.loginUrl /login.jsp
#authcorg.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.successUrl /background.jsp
perms.unauthorizedUrl /401.jsp[urls]
/login.jspauthc
/logout.jspanon
/about.jspanon
/background.jspauthc/faq/test.jspauthc
/faq/list.jspauthc,perms[faq:list]
/faq/view.jspauthc,perms[faq:view]
位置 配置参数可以写在web.xml文件中也可以单独文件形式存放在本地类根路径、文件系统以及网络环境中。 Shiro INI Inline Config 和External Config
public class MyShiroRealm extends AuthorizingRealm {protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {String username (String) principals.fromRealm(getName()).iterator().next();if( username ! null ){AccountManager accountManager new AccountManagerImpl();CollectionRole myRoles accountManager.getRoles( username );if( myRoles ! null ){SimpleAuthorizationInfo info new SimpleAuthorizationInfo();for( Role each:myRoles ){info.addRole(each.getName());info.addStringPermissions( each.getPermissionsAsString() );}return info;}}return null;}protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken ) throws AuthenticationException {UsernamePasswordToken token (UsernamePasswordToken) authcToken;String accountName token.getUsername();//用户名密码验证if( accountName ! null !.equals(accountName) ){AccountManager accountManager new AccountManagerImpl();Account account accountManager.get( token.getUsername() );if( account ! null )return new SimpleAuthenticationInfo(account.getName(),account.getPassword(), getName() );}return null;}
}
f) 登录页面 %Object obj request.getAttribute(org.apache.shiro.web.filter.authc.
FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME);boolean flag false;String msg ; if( obj ! null ){if( org.apache.shiro.authc.UnknownAccountException.equals( obj ) )msg 未知帐号错误;else if(org.apache.shiro.authc.IncorrectCredentialsException.equals( obj ))msg 密码错误; else if( org.apache.shiro.authc.AuthenticationException.equals( obj ))msg 认证失败;flag !.equals(msg);} if( flag )out.print( msg );
%form actionlogin.jsp methodpostbr/用户帐号input typetext nameusername idusername value/br/登录密码input typepassword namepassword idpassword value / br/input value登录 typesubmit
/form
g) 登出页面
%SecurityUtils.getSubject().logout();%
四、在Shiro中实现CAPTCHA验证码功能
a) 验证码表单认证过滤器
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;public class CaptchaFormAuthenticationFilter extends FormAuthenticationFilter{public static final String DEFAULT_CAPTCHA_PARAM captcha;private String captchaParam DEFAULT_CAPTCHA_PARAM;public String getCaptchaParam() {return captchaParam;}protected String getCaptcha(ServletRequest request) {return WebUtils.getCleanParam(request, getCaptchaParam());}protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {String username getUsername(request);String password getPassword(request);String captcha getCaptcha(request);boolean rememberMe isRememberMe(request);String host getHost(request); return new CaptchaUsernamePasswordToken(username, password, rememberMe, host,captcha);}
}
b) 用户名密码令牌UsernamePasswordToken
import org.apache.shiro.authc.UsernamePasswordToken;public classCaptchaUsernamePasswordToken extends UsernamePasswordToken {private static final long serialVersionUID 1L;private String captcha;public String getCaptcha() {return captcha;} public void setCaptcha(String captcha) {this.captcha captcha;}public CaptchaUsernamePasswordToken() {super();}public CaptchaUsernamePasswordToken(String username, char[] password,boolean rememberMe, String host,String captcha) { super(username, password, rememberMe, host);this.captcha captcha;}
}
c) 添加AuthenticationException
public classIncorrectCaptchaException extends AuthenticationException{private static final long serialVersionUID 1L;public IncorrectCaptchaException() {super();}public IncorrectCaptchaException(String message, Throwable cause) {super(message, cause);}public IncorrectCaptchaException(String message) {super(message);}public IncorrectCaptchaException(Throwable cause) {super(cause);}
}
d) Shiro INI文件
authc com.xx.xx.shiro.CaptchaFormAuthenticationFilter
e) 实现Realm protectedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken ) throwsAuthenticationException {CaptchaUsernamePasswordToken token (CaptchaUsernamePasswordToken) authcToken;String accountName token.getUsername();//验证码 验证String captcha null;Object obj_captcha SecurityUtils.getSubject().getSession().getAttribute( SessionKey.CAPTCHA );Object obj_count SecurityUtils.getSubject().getSession().getAttribute( SessionKey.LOGIN_FAILED_COUNT );int failed_count (obj_count null || !(obj_count instanceof Integer))?0:(Integer)obj_count;if( obj_captcha instanceof String)captcha (String)obj_captcha;if( captcha ! null failed_count 0 !captcha.equalsIgnoreCase( token.getCaptcha() )){throw newIncorrectCaptchaException(验证码错误);}//用户名密码验证if( accountName ! null !.equals(accountName) ){AccountManager accountManager newAccountManagerImpl();Account account accountManager.get( token.getUsername() );if( account ! null )return new SimpleAuthenticationInfo( account.getName(),account.getPassword(), getName() );}return null;}
}
f) 登录页面
% Object obj request.getAttribute(org.apache.shiro.web.filter.authc.
FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME);boolean flag false;String msg ; if( obj ! null ){if( org.apache.shiro.authc.UnknownAccountException.equals( obj ) )msg 未知帐号错误;else if(org.apache.shiro.authc.IncorrectCredentialsException.equals( obj ))msg 密码错误;else if(com.xx.xx.shiro.IncorrectCaptchaException.equals( obj ))msg 验证码错误;else if( org.apache.shiro.authc.AuthenticationException.equals( obj ))msg 认证失败;flag !.equals(msg);}if( flag ){out.print( msg );Integer count (Integer)request.getSession().getAttribute(SessionKey.LOGIN_FAILED_COUNT );if( count null )count Integer.valueOf(0);count;request.getSession().setAttribute(SessionKey.LOGIN_FAILED_COUNT, count);}
%form actionlogin.jsp methodpostbr/用户帐号input typetext nameusername idusername value/br/登录密码input typepassword namepassword idpassword value / br/验证码input typetext namecaptcha idcaptcha size6/img src/captcha altcaptcha /br/input value登录 typesubmit
/form
g) CAPTCHA实现
h)
五、代码的开发环境
JAVA1.6
Tomcat
Eclipse
