Apache Shiro 认证+受权（一）

时间 2019-11-12

原文原文链接

一、核心依赖java

<dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.4.0</version>
        </dependency>

二、认证流程：建立SecurityManager-->主体提交认证-->SecurityMananger认证-->Authentictor认证-->Realm验证（从subject.login(token)开始跟踪源码能够验证（idea下ctrl+alt+b跟踪源码）），单元测试代码以下：mysql

package com.example.demo_mg;

import junit.framework.Assert;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {

    SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();

    @Before
    public void before() {
        simpleAccountRealm.addAccount("wzs", "123456");
    }

    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(simpleAccountRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        Assert.assertEquals(subject.isAuthenticated(), true);
        subject.logout();
        Assert.assertEquals(subject.isAuthenticated(), true);
    }
}

帐号错误UnknownAccountException，密码错误IncorrectCredentialsException。算法

从subject.login(token);点击ctrl+alt+b跟踪源码到DelegatingSubject的login方法，调用Subject subject = this.securityManager.login(this, token);，继续跟踪到DefaultSecurityManager的login方法，调用info = this.authenticate(token);，继续跟踪到AuthenticatingSecurityManager的authenticate方法，调用this.authenticator.authenticate(token);，继续跟踪到AbstractAuthenticator的authenticate方法，调用info = this.doAuthenticate(token);，继续跟踪到ModularRealmAuthenticator的doAuthenticate方法，能够看到以下认证代码，经过realm实现认证：spring

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        this.assertRealmsConfigured();
        Collection<Realm> realms = this.getRealms();
        return realms.size() == 1 ? this.doSingleRealmAuthentication((Realm)realms.iterator().next(), authenticationToken) : this.doMultiRealmAuthentication(realms, authenticationToken);
    }

三、受权流程：建立SecurityManager-->主体受权-->SecurityManager受权-->Authorizer受权-->Realm获取角色权限数据（数据库|缓存等）：sql

package com.example.demo_mg;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {

    SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();

    @Before
    public void before() {
        simpleAccountRealm.addAccount("wzs", "123456", "admin", "user");
    }

    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(simpleAccountRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        //受权
        subject.checkRole("admin");
        subject.checkRoles("admin", "user");
        subject.logout();
    }
}

角色不存在UnauthorizedException数据库

从subject.checkRoles("admin", "user");点击ctrl+alt+b跟踪源码到DelegatingSubject的checkRoles方法，调用this.securityManager.checkRoles(this.getPrincipals(), roleIdentifiers);，继续跟踪到AuthorizingSecurityManager的checkRoles方法，调用this.authorizer.checkRoles(principals, roles);，继续跟踪到ModularRealmAuthorizer的checkRoles方法，遍历roles调用this.checkRole(principals, role);，继续跟踪到checkRole方法，调用this.hasRole(principals, role)，继续跟踪到hasRole方法，可见以下代码，经过realm受权：apache

public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        this.assertRealmsConfigured();
        Iterator var3 = this.getRealms().iterator();

        Realm realm;
        do {
            if (!var3.hasNext()) {
                return false;
            }

            realm = (Realm)var3.next();
        } while(!(realm instanceof Authorizer) || !((Authorizer)realm).hasRole(principals, roleIdentifier));

        return true;
    }

四、测试内置的IniRealm：
在src/test下新建Direcotry，名称resources，右键Mark Direcotry As-->Test Sources Root，在下面新建user.ini文件，内容：缓存

[users]
wzs=123456,admin
[roles]
admin=user:delete,user:update

单元测试代码：dom

package com.example.demo_mg;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {

    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        IniRealm iniRealm = new IniRealm("classpath:user.ini");
        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(iniRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        //受权
        subject.checkRole("admin");
        subject.checkPermissions("user:delete", "user:update");
        subject.checkPermission("user:insert");
        subject.logout();
    }
}

权限不存在UnauthorizedExceptionide

五、测试内置的JdbcRealm：
1）安装mysql8.0
2）按照JdbcRealm的源码的SQL建表：

CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
`password_salt` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;

CREATE TABLE `user_roles` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `role_name` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;

CREATE TABLE `roles_permissions` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `role_name` varchar(255) DEFAULT NULL,
  `permission` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;

3）添加测试数据：

insert into users (username,password) values ('wzs','123456');
insert into user_roles (username,role_name) values ('wzs','admin');
insert into roles_permissions (role_name,permission) values ('admin','user:delete');

4）依赖

<dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>8.0.11</version>
        </dependency>

        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.6</version>
        </dependency>

5）单元测试代码：

package com.example.demo_mg;

import com.alibaba.druid.pool.DruidDataSource;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {
    DruidDataSource dataSource = new DruidDataSource();
    {
        dataSource.setDriverClassName("com.mysql.cj.jdbc.Driver");
        dataSource.setUrl("jdbc:mysql://129.204.58.30:3306/shiro");
        dataSource.setUsername("user");
        dataSource.setPassword("*********");
    }

    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        JdbcRealm jdbcRealm = new JdbcRealm();
        jdbcRealm.setDataSource(dataSource);
        jdbcRealm.setPermissionsLookupEnabled(true);//为了查询权限表，要开启权限查询
        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(jdbcRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        //受权
        System.out.println(subject.isAuthenticated());
        System.out.println(subject.hasRole("admin"));
        System.out.println(subject.isPermitted("user:delete"));
        subject.logout();
    }
}

6）若自定义用户、角色、权限三张表，须要自定义查询用户、角色、权限的SQL：

参考JdbcRealm的查询语句：
    protected String authenticationQuery = "select password from users where username = ?";
    protected String userRolesQuery = "select role_name from user_roles where username = ?";
    protected String permissionsQuery = "select permission from roles_permissions where role_name = ?";

设置自定义查询语句到jdbcRealm对象：
        jdbcRealm.setAuthenticationQuery("自定义查询用户sql");
        jdbcRealm.setUserRolesQuery("自定义查询角色sql");
        jdbcRealm.setPermissionsQuery("自定义查询权限sql");

六、自定义Realm，参考JdbcRealm继承抽象的AuthorizingRealm类并实现其抽象方法，认证doGetAuthenticationInfo，受权doGetAuthenticationInfo，而后单元测试受权和认证：

package com.example.demo_mg.realm;

import org.apache.commons.collections.map.HashedMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.util.*;

public class TestRealm extends AuthorizingRealm {
    //模拟users、user_roles、roles_permissions三张表的查询，实际应用须要查询数据库或缓存
    Map<String, String> users = new HashMap<>();
    Map<String, Set<String>> user_roles = new HashedMap();
    Map<String, Set<String>> roles_permissions = new HashedMap();

    {
        users.put("wzs", "123456");
        user_roles.put("wzs", new HashSet<>(Arrays.asList("admin", "test")));
        roles_permissions.put("admin", new HashSet<>(Arrays.asList("user:delete", "user:update")));
        super.setName("TestRealm"); //设置Realm名称，可选
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        //从认证信息获取用户名
        String username = (String)principalCollection.getPrimaryPrincipal();
        //从数据库或缓存中获取角色、权限数据
        Set<String> roles = user_roles.get(username);
        Set<String> permissions = new HashSet<>();
        for (String role : roles) {
            Set<String> set;
            if((set = roles_permissions.get(role)) != null) {
                permissions.addAll(set);
            }
        }
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        simpleAuthorizationInfo.setRoles(roles);
        simpleAuthorizationInfo.setStringPermissions(permissions);
        return simpleAuthorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        //从主题传过来的认证信息中，得到用户名
        String username = (String)authenticationToken.getPrincipal();
        //经过用户名从数据库中获取凭证
        String password = users.get(username);
        if(password != null) {
            return new SimpleAuthenticationInfo(username, password, super.getName());
        }
        return null;
    }
}

单元测试：

package com.example.demo_mg;

import com.example.demo_mg.realm.TestRealm;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {
    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        TestRealm testRealm = new TestRealm();
        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(testRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        //受权
        System.out.println(subject.isAuthenticated());
        System.out.println(subject.hasRole("admin"));
        System.out.println(subject.isPermitted("user:delete"));
        subject.logout();
    }
}

七、密码加密及加盐：
在6的基础上调整代码：

package com.example.demo_mg.realm;

import org.apache.commons.collections.map.HashedMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

import java.util.*;

public class TestRealm extends AuthorizingRealm {
    //模拟users、user_roles、roles_permissions三张表的查询，实际应用须要查询数据库或缓存
    Map<String, String> users = new HashMap<>();
    Map<String, Set<String>> user_roles = new HashedMap();
    Map<String, Set<String>> roles_permissions = new HashedMap();
    String salt = UUID.randomUUID().toString().replaceAll("-","");

    {
        //不加盐(与认证对应）
//        users.put("wzs", new Md5Hash("123456",null, 2).toString());
        //加盐
        users.put("wzs", new Md5Hash("123456",salt, 2).toString());
        user_roles.put("wzs", new HashSet<>(Arrays.asList("admin", "test")));
        roles_permissions.put("admin", new HashSet<>(Arrays.asList("user:delete", "user:update")));
        super.setName("TestRealm"); //设置Realm名称，可选
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        //从认证信息获取用户名
        String username = (String)principalCollection.getPrimaryPrincipal();
        //从数据库或缓存中获取角色、权限数据
        Set<String> roles = user_roles.get(username);
        Set<String> permissions = new HashSet<>();
        for (String role : roles) {
            Set<String> set;
            if((set = roles_permissions.get(role)) != null) {
                permissions.addAll(set);
            }
        }
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        simpleAuthorizationInfo.setRoles(roles);
        simpleAuthorizationInfo.setStringPermissions(permissions);
        return simpleAuthorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        //从主题传过来的认证信息中，得到用户名
        String username = (String)authenticationToken.getPrincipal();
        //经过用户名从数据库中获取凭证
        String password = users.get(username);
        if(password != null) {
            //不加盐
//            return new SimpleAuthenticationInfo(username, password, super.getName());
            //加盐
            SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(username, password, super.getName());
            simpleAuthenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(salt));
            return simpleAuthenticationInfo;
        }
        return null;
    }
}

单元测试：

package com.example.demo_mg;

import com.example.demo_mg.realm.TestRealm;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DemoMgApplicationTests {
    @Test
    public void contextLoads() {
    }

    @Test
    public void test() {
        TestRealm testRealm = new TestRealm();

        //设置加密
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName("md5"); //加密算法
        matcher.setHashIterations(2); //加密次数，与new Md5Hash("123456",null, 2).toString();的hashIterations参数一致，不然IncorrectCredentialsException
        testRealm.setCredentialsMatcher(matcher);

        //构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(testRealm);
        //主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("wzs", "123456");
        subject.login(token);
        //受权
        System.out.println(subject.isAuthenticated());
        System.out.println(subject.hasRole("admin"));
        System.out.println(subject.isPermitted("user:delete"));
        subject.logout();
    }
}

MD5加密不可逆，但不加盐存在风险，注册的时候随机生成盐，保存到数据库，这里返回的认证对象带的盐从库里查出来。