
Shiro

Date: 2018-06-25

What

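Apache Shiro aims to be the most comprehensive, yet also the easiest to use, Java security framework.

Documentation

Nothing beats the official site: https://shiro.apache.org/get-started.html

Brief analysis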


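Four cornerstones: authentication, authorization, session management, cryptography

Terminology

Authentication: verifying identity
Authorization: granting permission (access control)
More: https://shiro.apache.org/terminology.html

Architecture

Shiro's architecture has three main concepts: Subject, SecurityManager and Realms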



More: https://shiro.apache.org/architecture.html

Quick start

Get the current user. Shiro calls this the Subject, which can stand for a user, a program, a context and so on; the name User is avoided mainly so that Shiro does not clash with names used by other frameworks.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();
```

Get the session:

```java
Session session = currentUser.getSession();
session.setAttribute( "someKey", "aValue" );
```

Log in (authenticate):

```java
if ( !currentUser.isAuthenticated() ) {
    //collect user principals and credentials in a gui specific manner
    //such as username/password html form, X509 certificate, OpenID, etc.
    //We'll use the username/password example here since it is the most common.
    //(do you know what movie this is from? ;)
    UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
    //this is all you have to do to support 'remember me' (no config - built in!):
    token.setRememberMe(true);
    currentUser.login(token);
}
```

Or catch the exceptions that login can throw:

```java
// token is the UsernamePasswordToken built as shown above
try {
    currentUser.login( token );
    //if no exception, that's it, we're done!
} catch ( UnknownAccountException uae ) {
    //username wasn't in the system, show them an error message?
} catch ( IncorrectCredentialsException ice ) {
    //password didn't match, try again?
} catch ( LockedAccountException lae ) {
    //account for that username is locked - can't login.  Show them a message?
//... more types of exceptions to check if you want ...
} catch ( AuthenticationException ae ) {
    //unexpected condition - error?
}
```

Get the current user's principal:

```java
currentUser.getPrincipal();
```

Check roles and permissions, then log out:

```java
// Does the subject have the role?
if ( currentUser.hasRole( "schwartz" ) ) {
    log.info("May the Schwartz be with you!" );
} else {
    log.info( "Hello, mere mortal." );
}

// Does the subject have the permission?
if ( currentUser.isPermitted( "lightsaber:weild" ) ) {
    log.info("You may use a lightsaber ring.  Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}

// Log out
currentUser.logout(); //removes all identifying information and invalidates their session too.
```
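The quick-start calls above only work once a SecurityManager backed by a Realm has been registered, so this added example (not from the original article or the Shiro project) wires the three architecture pieces together in memory and returns a single generic result for every kind of login failure. It assumes Shiro 1.x (shiro-core and its dependencies) on the classpath; the class name `ShiroQuickstartDemo` and the helper `loginAndCheck` are hypothetical, and the account and role are constructed demo data.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroQuickstartDemo {   // hypothetical class name

    /** Realm -> SecurityManager -> SecurityUtils: the pieces named under "Architecture". */
    static void init() {
        Ini ini = new Ini();
        // Constructed demo account: password "vespa", role "schwartz".
        // Plaintext passwords are acceptable only in a throwaway in-memory realm.
        ini.setSectionProperty("users", "lonestarr", "vespa, schwartz");
        ini.setSectionProperty("roles", "schwartz", "lightsaber:*");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }

    /** Returns true only when the login succeeds AND the permission is granted. */
    static boolean loginAndCheck(String user, String password, String permission) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            // Unknown account, wrong password and locked account all land here.
            // Record the subclass server-side; hand the caller one generic failure
            // so the response does not reveal which usernames exist.
            System.err.println("login failed: " + e.getClass().getSimpleName());
            return false;
        }
        try {
            return subject.isPermitted(permission);
        } finally {
            subject.logout();   // drop identity and session before the thread is reused
        }
    }

    public static void main(String[] args) {
        init();
        // Valid credentials, permission covered by the role's wildcard.
        System.out.println(loginAndCheck("lonestarr", "vespa", "lightsaber:weild"));
        // Wrong password and unknown user: same result for the caller.
        System.out.println(loginAndCheck("lonestarr", "wrong", "lightsaber:weild"));
        System.out.println(loginAndCheck("nobody", "vespa", "lightsaber:weild"));
        // Authenticated, but the role grants nothing outside "lightsaber".
        System.out.println(loginAndCheck("lonestarr", "vespa", "winnebago:drive:eagle5"));
    }
}
```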
Original link: https://yq.aliyun.com/articles/659438