Shiro
Brief introduction
- Three core components: Subject, SecurityManager, Realm
- The SecurityManager manages Subjects
- Framework features
- Authentication: identity verification and login
- Authorization: permission verification, i.e. checking whether an authenticated user holds a certain permission
- Session Management: session management, including sessions in web applications
- Cryptography: protects the security of data. For example, passwords are stored in the database in encrypted (hashed) form instead of in plaintext
- Web Support: easy integration with web applications
- Run As: impersonation (running as another user)
- Remember Me: after logging in once, the user does not need to log in again next time
- Web 401 unauthorized error
- Namespace declarations (Thymeleaf):
  xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/extras/spring-security"
  xmlns:shiro="http://www.pollix.at/thymeleaf/shiro"
Built-in filters
- anon: can be accessed without authentication
- authc: must be authenticated
- user: can be accessed by a remembered user (after Remember Me)
- perms: must hold a specific permission to access the resource
- roles: must hold a specific role to access the resource
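As an added example (not code from the original notes), a ShiroConfig class that wires the built-in filters above into a filter chain; the URL patterns, the permission and role strings, and the Realm bean are assumptions:

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example, not from the original notes: wires the built-in filters
// (anon, authc, user, perms, roles) into a filter chain. The paths and
// the Realm bean injected here are assumptions.
@Configuration
public class ShiroConfig {

    // Step 1: the SecurityManager manages Subjects and delegates to the Realm
    @Bean
    public DefaultWebSecurityManager securityManager(Realm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    // Step 2: the filter chain. Order matters: Shiro uses the FIRST matching
    // pattern, so specific paths go before the catch-all, and a LinkedHashMap
    // is required to keep insertion order.
    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);

        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");                     // anon: no authentication needed
        chain.put("/static/**", "anon");
        chain.put("/logout", "logout");                  // built-in logout filter
        chain.put("/index", "user");                     // user: authenticated OR remembered (Remember Me)
        chain.put("/user/add", "perms[user:add]");       // perms: needs permission user:add
        chain.put("/user/update", "perms[user:update]");
        chain.put("/admin/**", "roles[admin]");          // roles: needs role admin
        chain.put("/**", "authc");                       // catch-all: everything else must be authenticated
        bean.setFilterChainDefinitionMap(chain);

        // authc sends unauthenticated users to the login URL; perms/roles send
        // users who lack the permission to the unauthorized URL (the 401 case above)
        bean.setLoginUrl("/toLogin");
        bean.setUnauthorizedUrl("/unauthorized");
        return bean;
    }
}
```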
Implement user authentication
- The ShiroConfig class and the UserRealm class work together to complete the interception
- A try/catch branch structure handles the jump back to the login page
- P43 password verification / MD5 hashing (the notes call the getter isStoredCredentialsHexEncoded(), which has no effect; the setter is used here; the principal and realm-name arguments of SimpleAuthenticationInfo were elided in the notes and are filled in as assumptions):
  HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
  // name of the hashing algorithm
  hashedCredentialsMatcher.setHashAlgorithmName("MD5");
  // whether the stored credentials are hex encoded
  hashedCredentialsMatcher.setStoredCredentialsHexEncoded(true);
  // number of iterations
  // hashedCredentialsMatcher.setHashIterations(3);
  // the password loaded from the database is hashed here, at check time, so that it matches the hashed credentials matcher
  SimpleHash simpleHash = new SimpleHash("MD5", user.getPwd());
  String s = simpleHash.toHex();
  // assumed: user is the principal, getName() is the realm name
  return new SimpleAuthenticationInfo(user, s, getName());
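As an added example (not code from the original notes), a complete UserRealm for the authentication step above that configures the HashedCredentialsMatcher once, stores a per-user salted and iterated hash instead of hashing at check time, and throws the exception that the controller's try/catch turns into the login-page jump. The User class, the UserService lookup and the permission string are assumptions.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Added example, not from the original notes: the credentials matcher is
// configured ONCE in the realm, so the realm never compares plaintext.
// User (name, pwd, salt, perms) and UserService are assumed helper classes.
public class UserRealm extends AuthorizingRealm {
    public static final String ALGORITHM = "MD5";   // the notes use MD5; the same matcher accepts e.g. "SHA-256"
    public static final int ITERATIONS = 1024;
    private final UserService userService;   // assumed: loads a User from the database by name

    public UserRealm(UserService userService) {
        this.userService = userService;
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);   // the DB column holds toHex() output
        setCredentialsMatcher(matcher);
    }

    // Used when the password is first stored: per-user salt plus iterations,
    // so two users with the same password get different stored hashes
    public static String hashPassword(String plain, String salt) {
        return new SimpleHash(ALGORITHM, plain, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = userService.findByName(username);
        if (user == null) {
            throw new UnknownAccountException();   // caught by the controller's try/catch -> back to the login page
        }
        // Hand Shiro the STORED hash and salt; the matcher re-hashes the submitted password the same way
        return new SimpleAuthenticationInfo(user, user.getPwd(),
                ByteSource.Util.bytes(user.getSalt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission(user.getPerms());   // e.g. "user:add", checked by the perms[...] filter
        return info;
    }
}
```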
- Integration code
- yml format:
  spring:
    datasource:
      username: root
      password: 123456
      # ?serverTimezone=UTC resolves the time-zone error
      url: jdbc:mysql://localhost:3306/ssmbuild?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
      driver-class-name: com.mysql.cj.jdbc.Driver
      type: com.alibaba.druid.pool.DruidDataSource

      # Spring Boot does not inject these attribute values by default; they need to be bound manually
      # Druid data-source specific configuration
      initialSize: 5
      minIdle: 5
      maxActive: 20
      maxWait: 60000
      timeBetweenEvictionRunsMillis: 60000
      minEvictableIdleTimeMillis: 300000
      validationQuery: SELECT 1 FROM DUAL
      testWhileIdle: true
      testOnBorrow: false
      testOnReturn: false
      poolPreparedStatements: true

      # Configure the filters for monitoring/statistics interception: stat = monitoring statistics, log4j = logging, wall = defends against SQL injection
      # If this raises java.lang.ClassNotFoundException: org.apache.log4j.Priority,
      # import the log4j dependency. Maven address: https://mvnrepository.com/artifact/log4j/log4j
      filters: stat,wall,log4j
      maxPoolPreparedStatementPerConnectionSize: 20
      useGlobalDataSourceStat: true
      connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
Subject
- Values can be stored in the session
- isAuthenticated: whether the current user is authenticated
- Token: the authentication token
Problem solving
- In Shiro, the first request returns a 400 and a jsessionid appears in the URL. The reason: jsessionid is the id that identifies the session. It normally lives in a cookie and does not appear in the URL; the server reads it from the client's cookie. If the client has cookies disabled, however, the container rewrites the URL and writes the jsessionid into it explicitly, so that the server can still find the session id. If the client's request cookie contains no jsessionid, the server generates one when request.getSession() is called and passes it to the client; that response carries a Set-Cookie header. If the request cookie does contain a jsessionid, request.getSession() looks up the session object by that id and returns it if found; otherwise it behaves as if no jsessionid had been sent. Solution: add the following to the properties file:
  server.servlet.session.tracking-modes=cookie
  server.servlet.session.cookie.http-only=true
Log correlation
- First, the dependencies:
  <!-- Two logging facades are introduced here -->
  <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jcl-over-slf4j</artifactId>
  </dependency>
  <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
  </dependency>
  <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
  </dependency>
- The first two dependencies are the logging facade, which lets us work with many logging implementations through one API
- log4j can be kept or deleted directly. It is presumably an efficient framework
Supplementary knowledge
- When learning a new framework, focus on the Hello World and quick-start material, and get used to writing and understanding these things quickly
- Reading code is a good habit. When watching online courses later, pay more attention to how to read and learn from the source code
- The official flow chart can be found in the sample code