Apache Shiro入门实例

Shiro是一个强大灵活的开源安全框架，提供身份验证、授权、会话管理、密码体系。

1.先创建一个Maven项目

2.配置pom

<project xmlns="http://maven.apache.org/POM/4.0.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>cn.edu.stu</groupId>
  <artifactId>shiro-test</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  
  <dependencies>
      <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.3.0</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
        <version>1.6.4</version>
    </dependency>
    
  </dependencies>
  
</project>

3.在src/main/java下创建log4j.properties文件，配置logger

log4j.rootLogger=info, ServerDailyRollingFile, stdout 
log4j.appender.ServerDailyRollingFile=org.apache.log4j.DailyRollingFileAppender 
log4j.appender.ServerDailyRollingFile.DatePattern='.'yyyy-MM-dd 
log4j.appender.ServerDailyRollingFile.File=C://logs/notify-subscription.log 
log4j.appender.ServerDailyRollingFile.layout=org.apache.log4j.PatternLayout 
log4j.appender.ServerDailyRollingFile.layout.ConversionPattern=%d - %m%n 
log4j.appender.ServerDailyRollingFile.Append=true

log4j.appender.stdout=org.apache.log4j.ConsoleAppender 
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout 
log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %p [%c] %m%n

4.在根目录下创建auth.ini文件

[users]
lonestarr = vespa

5.示例代码

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ShiroTest {

    private static Logger logger = LoggerFactory.getLogger(ShiroTest.class);
    
    public static void main(String[] args) {
        Factory<org.apache.shiro.mgt.SecurityManager> factory =
 new IniSecurityManagerFactory("auth.ini");
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        
        //obtain the currently executing user
        Subject user = SecurityUtils.getSubject();
        
        //logger.info("User is authenticated: " + user.isAuthenticated());
        
        /*The Session is a Shiro-specific instance that provides most of 
         * what you're used to with regular HttpSessions but with some 
         * extra goodies and one big difference: it does not require 
         * an HTTP environment!
         */
        Session session = user.getSession();
        session.setAttribute("key", "value");
        
        if(!user.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
            token.setRememberMe(true);
            try {
                user.login(token);
                //if no exception, that's it, we're done!
            } catch (UnknownAccountException uae) {
                //username wasn't in the system, show them an error message?
            } catch (IncorrectCredentialsException ice ) {
                //password didn't match, try again?
            } catch (LockedAccountException lae) {
                //account for that username is locked - can't login.  Show them a message?
            } 
                //... more types exceptions to check if you want ...
            catch (AuthenticationException ae) {
                //unexpected condition - error?
            }
        }
        
        //get user name
        logger.info( "User [" + user.getPrincipal() + "] logged in successfully." );
        
        //if user have specific role or not
        if(user.hasRole("schwartz")) {
            logger.info("May the Schwartz be with you!");
        }
        else {
            logger.info( "Hello, mere mortal.");
        }
        
        //we can perform an extremely powerful instance-level permission 
        //check - the ability to see if the user has the ability to access 
        //a specific instance of a type
        if (user.isPermitted("winnebago:drive:eagle5" ) ) {
            logger.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'." +
                        "Here are the keys - have fun!");
        } else {
            logger.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }

        // when the user is done using the application, they can log out
        user.logout();
    }

}

6.运行结果

2016-08-04 15:27:48 INFO [org.apache.shiro.session.mgt.AbstractValidatingSessionManager] Enabling session validation scheduler...
2016-08-04 15:27:48 INFO [cn.edu.stu.shiro.ShiroTest] User [lonestarr] logged in successfully.
2016-08-04 15:27:48 INFO [cn.edu.stu.shiro.ShiroTest] Hello, mere mortal.
2016-08-04 15:27:48 INFO [cn.edu.stu.shiro.ShiroTest] Sorry, you aren't allowed to drive the 'eagle5' winnebago!