Preface

I’ve talked about using INI files for login authentication, but this blog post will focus on another important feature of Shiro: authorization, which defines what a legitimately logged-in user is allowed to do. In this article we will still use the INI file to see how authorization can be done.

Role-based access control (RBAC) is regarded as a promising alternative to the traditional access control models (discretionary access control and mandatory access control). In RBAC, permissions are associated with roles, and users obtain the permissions of a role by becoming a member of that role. This greatly simplifies permission management. In an organization, roles are created for various tasks, and users are assigned roles based on their responsibilities and qualifications. Users can easily be moved from one role to another. Roles can be granted new permissions as new requirements arise or systems are consolidated, and permissions can be withdrawn from a role as needed. Relationships between roles can also be established to cover a wider range of real-world situations. (From Baidu Baike.)

All of the above can be summed up in one sentence: a user is assigned roles, and a role carries permissions. Shiro’s authorization follows this rule. Let’s write our authorization code on top of the Shiro authentication code from the previous blog post and see how user authorization is implemented with the INI file.

In our last blog post, our INI file defines the user name and password, as shown below.

```ini
[users]
root=123456
admin=admin
```

Let’s talk about how to add roles and permissions to users.

The most common case is that a user has one role and that role has one permission. Suppose root has the role role1, and role1 has permission1. In the INI file we add a [roles] section alongside the [users] section; a user line lists the password first, followed by the user’s roles, and a role line lists the role’s permissions:

```ini
[users]
root=123456,role1

[roles]
role1 = permission1
```

Can a user have multiple roles, and a role multiple permissions? The answer is yes. For example, suppose the admin user has both role1 and role2:

```ini
[users]
root=123456,role1
admin=admin,role1,role2

[roles]
role1 = permission1
role2 = permission2,permission3
```

Querying whether a user has a role

We have now written down which user has which roles and which permissions (which is, in fact, the authorization itself). Let’s look at how to query whether a user has a role. Of course, this check must be performed after the user has logged in and been authenticated. First, the three role-checking methods we need, with their signatures and use cases.

```java
// Does the subject have this single role?
boolean hasRole(String roleIdentifier);
// Does the subject have every role in the collection?
boolean hasAllRoles(Collection<String> roleIdentifiers);
// One boolean per role, in list order: which of the roles does the subject have?
boolean[] hasRoles(List<String> roleIdentifiers);
```

Now let’s pick up where MyShiro left off in the previous article and write the logic. The original code in MyShiro is shown below.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.springframework.stereotype.Component;

import java.util.HashMap;
import java.util.Map;

@Component
public class MyShiro {

    public Map<String, Object> userLoginAction(String userName, String passWord) {
        Map<String, Object> resultMap = new HashMap<>();
        // Initialize the SecurityManager factory from shiro.ini on the classpath.
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        // Get the SecurityManager instance from the factory.
        SecurityManager securityManager = factory.getInstance();
        // Bind the SecurityManager instance to SecurityUtils.
        SecurityUtils.setSecurityManager(securityManager);
        // Create the Subject (the currently executing user).
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
        // User login operation.
        try {
            subject.login(token);
            resultMap.put("code", "200");
            resultMap.put("msg", "user login successfully");
        } catch (AuthenticationException e) {
            // Causes of login failure: 1. the user does not exist; 2. the password is incorrect.
            resultMap.put("code", "-1");
            resultMap.put("msg", "user login failed");
        }
        return resultMap;
    }
}
```

Because the user must pass authentication first, we cannot determine roles when login fails; the check can only be performed after the user has logged in successfully. So we only validate roles inside the try block, after subject.login succeeds, as shown in the screenshot below.

(screenshot: the role checks are placed inside the try block, after subject.login)

The code is relatively simple; I will use the three methods directly. As shown below.

```java
// User login operation (requires import java.util.Arrays;).
try {
    subject.login(token);
    resultMap.put("code", "200");
    resultMap.put("msg", "user login successfully");
    // Single role check.
    if (subject.hasRole("role1")) {
        resultMap.put("roleMsg1", "user has role 1");
    } else {
        resultMap.put("roleMsg1", "user does not own role 1");
    }
    // All-of check: true only if the user has every listed role.
    if (subject.hasAllRoles(Arrays.asList("role1", "role2"))) {
        resultMap.put("roleMsg2", "user has roles 1 and 2");
    } else {
        resultMap.put("roleMsg2", "user does not have both role 1 and role 2");
    }
    // hasRoles returns a boolean[] with one entry per role; Arrays.toString prints
    // the values (Arrays.asList on a boolean[] would only print the array reference).
    System.out.println(Arrays.toString(subject.hasRoles(Arrays.asList("role1", "role2"))));
} catch (AuthenticationException e) {
    // Causes of login failure: 1. the user does not exist; 2. the password is incorrect.
    resultMap.put("code", "-1");
    resultMap.put("msg", "user login failed");
}
```

Let’s start the program and log in through the interface to see if it works. The verification results are as follows.

The root user

(screenshot of the verification result for the root user)

The admin user

(screenshot of the verification result for the admin user)

The procedure for querying whether a user has a permission is similar to the procedure for querying whether a user has a role. The methods are shown below.

```java
// Is the subject allowed this single permission?
boolean isPermitted(String permission);
// One boolean per permission, in argument order.
boolean[] isPermitted(String... permissions);
// Is the subject allowed every listed permission?
boolean isPermittedAll(String... permissions);
```

The specific implementation code is shown below.

```java
// Single permission check.
if (subject.isPermitted("permission1")) {
    resultMap.put("permittedMsg1", "user has permission 1");
} else {
    resultMap.put("permittedMsg1", "user does not have permission 1");
}
// All-of check: true only if the user has both permission2 and permission3.
if (subject.isPermittedAll("permission2", "permission3")) {
    resultMap.put("permittedMsg2", "user has both permission 2 and permission 3");
} else {
    resultMap.put("permittedMsg2", "user does not have both permission 2 and permission 3");
}
```
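To see the role and permission checks from this post and the previous section end to end, here is an added, self-contained example (not the post's MyShiro code, and not tied to Spring). It builds the same users, roles and permissions as the INI above in memory via Shiro's Ini class instead of reading classpath:shiro.ini, logs in each user, and collects every check result in a map. It also records what the checks return before login, which is the caveat the post makes: an unauthenticated subject has no roles or permissions, so every check answers false. It assumes shiro-core (1.x) on the classpath; the class name ShiroIniAuthzDemo and the map keys are my own choices.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class ShiroIniAuthzDemo {

    // Constructed INI text, identical in content to the shiro.ini used in the post.
    private static final String INI_TEXT =
            "[users]\n"
          + "root=123456,role1\n"
          + "admin=admin,role1,role2\n"
          + "[roles]\n"
          + "role1 = permission1\n"
          + "role2 = permission2,permission3\n";

    // Same factory the post uses, but fed an in-memory Ini instead of a classpath file.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.load(INI_TEXT);
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
        return factory.getInstance();
    }

    // Logs in one user and records the outcome of every role/permission check.
    static Map<String, Object> checkUser(String userName, String passWord) {
        Map<String, Object> result = new LinkedHashMap<>();
        Subject subject = SecurityUtils.getSubject();

        // Before login the subject is anonymous: no principals, so no roles and no permissions.
        result.put("beforeLoginHasRole1", subject.hasRole("role1"));
        result.put("beforeLoginPermitted1", subject.isPermitted("permission1"));

        try {
            subject.login(new UsernamePasswordToken(userName, passWord));
        } catch (AuthenticationException e) {
            // Unknown user or wrong password: stop here, there is nothing to authorize.
            result.put("code", "-1");
            return result;
        }
        result.put("code", "200");

        // Role checks (the three Subject methods from the post).
        result.put("hasRole1", subject.hasRole("role1"));
        result.put("hasAllRoles12", subject.hasAllRoles(Arrays.asList("role1", "role2")));
        result.put("hasRoles12", Arrays.toString(subject.hasRoles(Arrays.asList("role1", "role2"))));

        // Permission checks (the three Subject methods from the post).
        result.put("permitted1", subject.isPermitted("permission1"));
        result.put("permittedAll23", subject.isPermittedAll("permission2", "permission3"));
        result.put("permittedEach123",
                Arrays.toString(subject.isPermitted("permission1", "permission2", "permission3")));

        // Log out so the next login in this thread starts from a clean subject.
        subject.logout();
        return result;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        // Constructed credentials: the two INI users plus one bad password.
        String[][] credentials = {{"root", "123456"}, {"admin", "admin"}, {"root", "wrong"}};
        for (String[] cred : credentials) {
            System.out.println(cred[0] + " -> " + checkUser(cred[0], cred[1]));
        }
    }
}
```

With the INI above, root gets hasRole1=true, hasAllRoles12=false, hasRoles12=[true, false], permitted1=true, permittedAll23=false and permittedEach123=[true, false, false]; admin gets true for every check; the bad-password attempt returns code -1 with only the before-login entries, both false. Doing the pre-login checks first is the point of the post's "only inside the try block" rule: Shiro does not throw for an anonymous subject, it just quietly returns false, so a check placed before a successful login always denies.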

Let’s verify this one too by logging in through the interface and checking the results. The verification results are as follows.

The root user

(screenshot of the verification result for the root user)

The admin user

(screenshot of the verification result for the admin user)

Shiro INI files are easy to use, but because users, roles and permissions are hard-coded in the file, maintainability is poor, so use them where that trade-off is acceptable. Well, that’s all for today. If you have any questions, please leave them in the comments section. I hope you’ll stay tuned. Thank you!