Authorization is access control, which will determine whether the user has the corresponding access rights to resources in the application.
For example, determine whether a user has permission to view pages, permission to edit data, permission to have a certain button, and whether he has permission to print, etc.
1. Three elements of authorization
Authorization has three core elements: permissions, roles and users.
Permissions
Permissions are the core element of the Apache Shiro security mechanism. It clearly states the allowed behavior and performance in the application. A well-formatted permissions statement clearly communicates the permissions a user has on the resource.
Most resources will support typical CRUD operations (create, read, update, delete), but it makes sense for any operation to be based on a specific resource. Therefore, the fundamental idea of permission declaration is based on resources and operations.
Through the permission declaration, we can only understand what this permission can do in the application, but we cannot determine who has this permission.
So, we need to associate users and permissions in the application.
The usual approach is to assign permissions to a role and then associate this role with one or more users.
Permission declaration and granularity
Shiro permission declaration usually uses expressions separated by colons. As mentioned before, a permission expression can clearly specify the resource type, allowed operations, and accessible data. At the same time, Shiro permission expressions support simple wildcards, allowing for more flexible permission settings.
The following uses examples to illustrate permission expressions.
User data can be queried
User:view
User data can be queried or edited
User:view,edit
Can be edited Perform all operations on user data
User:* or user
Can edit user data with id 123
User:edit:123
Role
Shiro supports two role modes:
1. Traditional role: A role represents a series of operations. When an operation needs to be authorized and verified, you only need to determine whether it is the role. Can. This kind of role permissions is relatively simple and vague, which is not conducive to expansion.
2. Permission role: A role has a set of permissions. During authorization verification, it is necessary to determine whether the current role has the permission. This kind of role permissions can provide a detailed permission description for the role, which is suitable for more complex permission designs.
The authorization implementation of the two role modes will be described in detail below.
2. Authorization implementation
Shiro supports three ways to implement the authorization process:
Coding implementation
Annotation implementation
JSP Taglig implementation
1. Encoding-based authorization implementation
1.1 Traditional role-based authorization implementation
When you need to verify whether a user has a certain role, you can call the hasRole* method of the Subject instance to verify.
Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole("administrator")) { //show the admin button } else { //don't show the button? Grey it out? }
The relevant verification methods are as follows:
Subject method The verification method
hasRoles(ListSubject currentUser = SecurityUtils.getSubject(); //guarantee that the current user is a bank teller and //therefore allowed to open the account: currentUser.checkRole("bankTeller"); openBankAccount();
Create an instance of org.apache.shiro.authz.Permission, and This instance object is passed as a parameter to Subject.isPermitted() for verification.
Permission printPermission = new PrinterPermission("laserjet4400n", "print"); Subject currentUser = SecurityUtils.getSubject(); if (currentUser.isPermitted(printPermission)) { //show the Print button } else { //don't show the button? Grey it out? } Permission printPermission = new PrinterPermission("laserjet4400n", "print"); Subject currentUser = SecurityUtils.getSubject(); if (currentUser.isPermitted(printPermission)) { //show the Print button } else { //don't show the button? Grey it out? }
isPermitted(List
isPermittedAll(Collection
2、 基于字符串的实现
相比笨重的基于对象的实现方式,基于字符串的实现便显得更加简洁。
Subject currentUser = SecurityUtils.getSubject(); if (currentUser.isPermitted("printer:print:laserjet4400n")) { //show the Print button } else { //don't show the button? Grey it out? }
使用冒号分隔的权限表达式是org.apache.shiro.authz.permission.WildcardPermission 默认支持的实现方式。
这里分别代表了 资源类型:操作:资源ID
类似基于对象的实现相关方法,基于字符串的实现相关方法:
isPermitted(String perm)、isPermitted(String... perms)、isPermittedAll(String... perms)
基于权限对象的断言实现
Subject currentUser = SecurityUtils.getSubject(); //guarantee that the current user is permitted //to open a bank account: Permission p = new AccountPermission("open"); currentUser.checkPermission(p); openBankAccount();
基于字符串的断言实现
Subject currentUser = SecurityUtils.getSubject(); //guarantee that the current user is permitted //to open a bank account: currentUser.checkPermission("account:open"); openBankAccount();
断言实现的相关方法
Subject方法 说明
checkPermission(Permission p) 断言用户是否拥有制定权限
checkPermission(String perm) 断言用户是否拥有制定权限
checkPermissions(Collection
checkPermissions(String... perms) 断言用户是否拥有所有指定权限
2、基于注解的授权实现
Shiro注解支持AspectJ、Spring、Google-Guice等,可根据应用进行不同的配置。
相关的注解:
@ RequiresAuthentication
可以用户类/属性/方法,用于表明当前用户需是经过认证的用户。
@RequiresAuthentication public void updateAccount(Account userAccount) { //this method will only be invoked by a //Subject that is guaranteed authenticated ... } @ RequiresGuest
表明该用户需为”guest”用户
@ RequiresPermissions
当前用户需拥有制定权限
@RequiresPermissions("account:create") public void createAccount(Account account) { //this method will only be invoked by a Subject //that is permitted to create an account ... } @RequiresRoles
当前用户需拥有制定角色
@ RequiresUser
当前用户需为已认证用户或已记住用户
3、基于JSP TAG的授权实现
Shiro提供了一套JSP标签库来实现页面级的授权控制。
在使用Shiro标签库前,首先需要在JSP引入shiro标签:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
下面一一介绍Shiro的标签:
guest标签
验证当前用户是否为“访客”,即未认证(包含未记住)的用户
user标签
认证通过或已记住的用户
authenticated标签
已认证通过的用户。不包含已记住的用户,这是与user标签的区别所在。
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
