How can Shiro achieve authentication and authorization?
Shiro is a powerful and flexible Java security framework that can be used to implement authentication and authorization features. Here are the general steps for using Shiro for authentication and authorization:
- Add Shiro dependency: Include Shiro related dependencies in the Maven or Gradle configuration file of the project.
- Configure Shiro: Create a Shiro configuration file that includes the relevant configuration information for Shiro, such as authenticators, authorizers, Realms, and so on.
- Create a Realm: A Realm is one of the core components of Shiro; it retrieves user information from a data source and performs authentication and authorization. You need to implement your own Realm class containing the specific authentication and authorization logic.
- Authentication: Use the Subject object from Shiro to perform authentication operations in places where authentication is required. The Subject is the core object in Shiro that represents the security operations of the current user.
- Authorization: In places where authorization is required, perform authorization operations using Shiro’s Subject object. Typically, use Shiro’s annotations or programmatic approaches to authorize, determining whether to allow the execution of a certain operation based on the user’s role or permissions.
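The Realm, security-manager wiring and Subject checks from steps 3 to 5 above, carried through as one runnable class. This is an added example written for this page, not code from the Shiro project or from the original answer. It assumes Shiro 1.x package names and Java 9 or later; the class name InMemoryHashedRealm, the Account record and the two sample accounts are constructed for illustration, standing in for a real data source.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/**
 * Hypothetical Realm backed by an in-memory account table (a stand-in for a
 * database). Passwords are never stored in clear text: each account keeps a
 * per-user random salt and an iterated SHA-256 hash, and Shiro's
 * HashedCredentialsMatcher performs the comparison.
 */
public class InMemoryHashedRealm extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 500_000;

    /** Constructed account record; a real Realm would load this from its data source. */
    private static final class Account {
        final String passwordHashHex;
        final ByteSource salt;
        final Set<String> roles;
        final Set<String> permissions;

        Account(String passwordHashHex, ByteSource salt, Set<String> roles, Set<String> permissions) {
            this.passwordHashHex = passwordHashHex;
            this.salt = salt;
            this.roles = roles;
            this.permissions = permissions;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();

    public InMemoryHashedRealm() {
        // Tell Shiro how the stored credentials were produced so it can verify submitted passwords.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Registers an account, hashing the password with a fresh random salt. */
    public void addAccount(String username, String password, Set<String> roles, Set<String> permissions) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(hashHex, salt, roles, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = accounts.get(username);
        if (account == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // Hand back the stored hash and salt; the matcher hashes the submitted password the same
        // way and compares, so this method never handles the plaintext itself.
        return new SimpleAuthenticationInfo(username, account.passwordHashHex, account.salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        Account account = accounts.get(username);
        if (account == null) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(account.roles);
        info.setStringPermissions(account.permissions);
        return info;
    }

    public static void main(String[] args) {
        InMemoryHashedRealm realm = new InMemoryHashedRealm();
        realm.addAccount("alice", "correct horse battery staple", Set.of("admin"), Set.of("user:*"));
        realm.addAccount("bob", "hunter2", Set.of("user"), Set.of("user:read"));

        // Wire the Realm into a SecurityManager: the programmatic equivalent of a shiro.ini [main] section.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("bob", "hunter2"));
            System.out.println("hasRole(\"admin\")            = " + subject.hasRole("admin"));
            System.out.println("isPermitted(\"user:read\")    = " + subject.isPermitted("user:read"));
            System.out.println("isPermitted(\"user:create\")  = " + subject.isPermitted("user:create"));
        } catch (AuthenticationException e) {
            // Shiro throws distinct subclasses (unknown account, wrong password, locked account);
            // show the caller one generic message so the response does not reveal which one applied.
            System.out.println("login rejected");
        } finally {
            subject.logout();
        }
    }
}
```

For bob the three checks print false, true and false: he lacks the admin role, holds user:read, and user:create is not covered by any of his permissions. Swapping in alice shows the wildcard user:* granting user:create. In a web application the SecurityManager would normally be built from shiro.ini or Spring configuration rather than in main, but the Realm code is the same.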
The following is a simple code example.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// Assumes a SecurityManager has already been configured and registered with
// SecurityUtils.setSecurityManager(...) as described in the configuration step.
public void loginAndAuthorize(String username, String password) {
    // Obtain the Shiro Subject that represents the current user
    Subject currentUser = SecurityUtils.getSubject();
    // Wrap the username and password supplied by the user in a UsernamePasswordToken
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        // Perform authentication
        currentUser.login(token);
        // Authentication succeeded; perform authorization checks
        if (currentUser.isAuthenticated()) {
            // Check whether the user has a particular role
            if (currentUser.hasRole("admin")) {
                // Perform the privileged operation
            } else {
                // The user is not permitted to perform this operation
            }
            // Check whether the user holds a particular permission
            if (currentUser.isPermitted("user:create")) {
                // Perform the operation
            } else {
                // The user is not permitted to perform this operation
            }
        }
    } catch (AuthenticationException e) {
        // Authentication failed
    }
}
This is just a simple example, but in reality, you may need more complex logic and configurations to meet your needs. You can refer to Shiro’s official documentation and sample code to learn more about Shiro authentication and authorization.