Crazy God Shiro notes

Shiro

Brief introduction

  • Three cores: Subject, SecurityManager, Realm
    • The SecurityManager manages Subjects
  • Framework features:
    • Authentication: identity authentication, i.e. login
    • Authorization: permission verification, checks whether an authenticated user holds a given permission
    • Session Manager: session management, including sessions inside the web layer
    • Cryptography: encryption that protects data; for example, passwords are stored in the database in encrypted (hashed) form rather than in plaintext
    • Web Support: easy integration with web applications
    • Run As: impersonation, acting as another user
    • Remember Me: after logging in once, the user does not need to log in again next time
    • web 401: unauthorized error
  • Namespaces:
            xmlns:th="http://www.thymeleaf.org"
            xmlns:sec="http://www.thymeleaf.org/extras/spring-security"
            xmlns:shiro="http://www.pollix.at/thymeleaf/shiro"

Built-in filters

  • anon: can be accessed without authentication
  • authc: must be authenticated
  • user: accessible after authentication or via Remember Me (a remembered user can use it later)
  • perms: must hold a permission to access the resource
  • roles: must hold a role to access the resource
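
The filters above are wired to URL patterns in the ShiroConfig class's filter chain. The following is an added example of such a ShiroConfig, not code from these notes or from the Shiro project: the URL paths, permission strings and role names are made up for illustration, and it assumes a Realm bean (the UserRealm the notes mention) is registered elsewhere.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // The SecurityManager manages Subjects and delegates lookups to the Realm.
    // The Realm bean (the notes' UserRealm) is assumed to be defined elsewhere.
    @Bean
    public DefaultWebSecurityManager securityManager(Realm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    // The filter chain is where the built-in filters are bound to URL patterns.
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);

        // LinkedHashMap matters: Shiro evaluates patterns in insertion order and the
        // first match wins, so the public paths must precede the "/**" catch-all.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/toLogin", "anon");                   // login page, no authentication needed
        chain.put("/login", "anon");                     // login form submission
        chain.put("/static/**", "anon");                 // static assets
        chain.put("/user/add", "perms[user:add]");       // requires the user:add permission
        chain.put("/user/update", "perms[user:update]"); // requires the user:update permission
        chain.put("/admin/**", "roles[admin]");          // requires the admin role
        chain.put("/**", "authc");                       // everything else must be authenticated
        bean.setFilterChainDefinitionMap(chain);

        // Unauthenticated requests to protected paths are redirected here ...
        bean.setLoginUrl("/toLogin");
        // ... and authenticated requests that fail perms/roles (the 401 case) go here.
        bean.setUnauthorizedUrl("/noauth");
        return bean;
    }
}
```

Putting "/**" last is the check worth remembering: if it were inserted first, every later entry would be dead and the login page itself would be behind authc.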

Implement user authentication

  • The ShiroConfig class and the UserRealm class work together to complete the interception
  • A try/catch branch structure realizes the jump back to the login page
  • P43: password verification / MD5 encryption
            // password verification / MD5 hashing
            HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
            // name of the hash algorithm
            hashedCredentialsMatcher.setHashAlgorithmName("MD5");
            // whether the stored credentials are hex encoded
            hashedCredentialsMatcher.setStoredCredentialsHexEncoded(true);
            // number of hash iterations
            // hashedCredentialsMatcher.setHashIterations(3);

            SimpleHash simpleHash = new SimpleHash("MD5", user.getPwd());
            String s = simpleHash.toHex();
            // principal and realm name were lost in the notes; user and getName() assumed here
            return new SimpleAuthenticationInfo(user, s, getName());
  • Integration code:
  • yml format:
  • spring:
      datasource:
        username: root
        password: 123456
        # ?serverTimezone=UTC resolves the time zone error
        url: jdbc:mysql://localhost:3306/ssmbuild?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
        driver-class-name: com.mysql.cj.jdbc.Driver
        type: com.alibaba.druid.pool.DruidDataSource

        # Spring Boot does not inject these attribute values by default; they have to be bound manually
        # Druid data source proprietary configuration
        initialSize: 5
        minIdle: 5
        maxActive: 20
        maxWait: 60000
        timeBetweenEvictionRunsMillis: 60000
        minEvictableIdleTimeMillis: 300000
        validationQuery: SELECT 1 FROM DUAL
        testWhileIdle: true
        testOnBorrow: false
        testOnReturn: false
        poolPreparedStatements: true

        # Configure the filters for monitoring statistics and interception. stat: monitoring statistics, log4j: logging, wall: defending against SQL injection
        # If this is enabled and java.lang.ClassNotFoundException: org.apache.log4j.Priority occurs,
        # import the log4j dependency. Maven address: https://mvnrepository.com/artifact/log4j/log4j
        filters: stat,wall,log4j
        maxPoolPreparedStatementPerConnectionSize: 20
        useGlobalDataSourceStat: true
        connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
    
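As an added example (not the notes' own code and not the Shiro project's), the following puts the P43 snippet into a complete UserRealm together with the try/catch login branch described above. It goes beyond the notes in one respect: instead of unsalted MD5 it configures the HashedCredentialsMatcher with SHA-256, a per-user salt and 1024 iterations, which is what the matcher is designed for. The User class, the findByName lookup, the salt value and the view names are assumed stand-ins for the database lookup the notes use.

```java
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Assumed user record standing in for the row the notes load from the ssmbuild database.
class User {
    final String name, pwd, salt, perms;   // pwd holds the hex hash, never the plaintext
    User(String name, String pwd, String salt, String perms) {
        this.name = name; this.pwd = pwd; this.salt = salt; this.perms = perms;
    }
}

public class UserRealm extends AuthorizingRealm {
    // The notes use MD5 with no salt; SHA-256 + salt + iterations is what the matcher is built for.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;

    public UserRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(ALGORITHM);       // name of the hash algorithm
        matcher.setHashIterations(ITERATIONS);         // number of iterations
        matcher.setStoredCredentialsHexEncoded(true);  // stored hash is hex, as SimpleHash.toHex() produces
        setCredentialsMatcher(matcher);
    }

    // What a registration path stores: hash(password, salt) repeated ITERATIONS times, hex encoded.
    public static String hashPassword(String plaintext, String salt) {
        return new SimpleHash(ALGORITHM, plaintext, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }

    // Stand-in for the notes' database lookup; the record and its salt are constructed.
    User findByName(String name) {
        if (!"root".equals(name)) return null;
        String salt = "c0ffee42";   // constructed; real code draws the salt from SecureRandom at registration
        return new User("root", hashPassword("123456", salt), salt, "user:add");
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = findByName(username);
        if (user == null) {
            return null;   // Shiro turns a null result into UnknownAccountException
        }
        // Hand Shiro the stored hash and salt; the matcher hashes the submitted password the
        // same way and compares, so this code never touches a plaintext comparison itself.
        return new SimpleAuthenticationInfo(user, user.pwd, ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission(user.perms);   // this is what the perms[...] filter checks
        return info;
    }
}

// The try/catch branches the notes describe: each failure jumps back to the login page.
class LoginController {
    public String login(String username, String password, Map<String, Object> model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);   // runs doGetAuthenticationInfo and the credentials matcher
            subject.getSession().setAttribute("loginUser", username);   // value stored in the session
            return "index";
        } catch (UnknownAccountException e) {
            model.put("msg", "Username or password is incorrect");   // same message on both branches
            return "login";
        } catch (IncorrectCredentialsException e) {
            model.put("msg", "Username or password is incorrect");   // so the form does not reveal which accounts exist
            return "login";
        }
    }
}
```

The two catch branches stay separate so that each failure can be logged distinctly on the server side, while the message shown to the browser is the same in both cases.
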

Subject

  • Values are stored in the session
  • isAuthenticated: whether the current user is authenticated
  • Token: the login token carrying the submitted credentials

Problem solving

  • In Shiro, the first access returns a 400 and the URL contains a jsessionid. Reason: jsessionid is the id that identifies the session. It normally lives in a cookie and does not appear in the URL; the server takes it out of the client's cookie. If the client disables cookies, however, the server rewrites the URL and explicitly puts the jsessionid into it so that it can still find the session by that id. If the client's request cookie contains no jsessionid, the server generates one when request.getSession() is called and passes it to the client; that response carries a Set-Cookie header. If the request cookie does contain a jsessionid, request.getSession() looks the session object up by that id and returns it if found; otherwise it behaves as if no jsessionid had been passed. Solution: add the following to the properties file:
            server.servlet.session.tracking-modes=cookie
            server.servlet.session.cookie.http-only=true

Logging-related

  • First, the dependency packages:
            <!-- Two logging facades are introduced here -->
            <dependency>
                <groupId>org.slf4j</groupId>
                <artifactId>jcl-over-slf4j</artifactId>
            </dependency>
            <dependency>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-log4j12</artifactId>
            </dependency>
            <dependency>
                <groupId>log4j</groupId>
                <artifactId>log4j</artifactId>
                <version>1.2.17</version>
            </dependency>
    
  • The first two dependency packages are the logging facade, which lets us route logging calls to many logging frameworks
  • log4j can be kept or removed directly; presumably it is an efficient framework

Supplementary knowledge

  • When learning a new framework, pay attention to the Hello World and Quick Start sections, and focus on writing and understanding them quickly
  • Reading code is a good habit. When watching online courses later, pay more attention to how the source code is read
  • The official flow chart can be found in the sample code

Keywords: Shiro

Added by jamest on Fri, 24 Dec 2021 00:21:34 +0200