你的位置:首页 > ASP.net教程




Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

弱弱的翻译一下:apache shiro是一个强大且易于使用的java安全框架,使用它可以进行








The Shiro framework is designed to make authentication as clean and intuitive as possible while providing a rich set of features. Below is a highlight of the Shiro authentication features.


  • Subject Based - Almost everything you do in Shiro is based on the currently executing user, called a Subject. And you can easily retrieve the Subject anywhere in your code. This makes it easier for you to understand and work with Shiro in your applications.


  • Single Method call - The authentication process is a single method call. Needing only one method call keeps the API simple and your application code clean, saving you time and effort.


  • Rich Exception Hierarchy - Shiro offers a rich exception hierarchy to offered detailed explanations for why a login failed. The hierarchy can help you more easily diagnose code bugs or customer services issues related to authentication. In addition, the richness can help you create more complex authentication functionality if needed.


  • ‘Remember Me’ built in - Standard in the Shiro API is the ability to remember your users if they return to your application. You can offer a better user experience to your them with minimal development effort

    remember me功能内置的支持:shiro中remember me功能的api可以给你应用更好的用户体验。

  • Pluggable data sources - Shiro uses pluggable data access objects (DAOs), called Realms, to connect to security data sources like LDAP and Active Directory. To help you avoid building and maintaining integrations yourself, Shiro provides out-of-the-box realms for popular data sources like LDAP, Active Directory, Kerberos, and JDBC. If needed, you can also create your own realms to support specific functionality not included in the basic realms.


  • Login with one or more realms - Using Shiro, you can easily authenticate a user against one or more realms and return one unified view of their identity. In addition, you can customize the authentication process with Shiro’s notion of an authentication strategy. The strategies can be setup in configuration files so changes don’t require source code modifications– reducing complexity and maintenance effort.

      通过一个或者多个realms进行登录认证-使用shiro可以轻易的认证一个用户并提供一个统一的试图,此外我们还可以定制化认   证的策略,我们可以在配置文件中进行配置而不必修改代码。



  • Checks based on roles or permissions - Since the complexity of authorization differs greatly between applications, Shiro is designed to be flexible, supporting both role-based security and permission-based security based on your projects needs.


  • Powerful and intuitive permission syntax - As an option, Shiro provides an out-of-the-box permission syntax, called Wildcard Permissions, that help you model the fine grained access policies your application may have. By using Shiro’s Wildcard Permissions you get an easy-to-process and human readable syntax. Moreoever, you don’t have to go through the time-consuming effort and complexity of creating your own method for representing your access policies.


  • Multiple enforcement options – Authorization checks in Shiro can be done through in-code checks, JDK 1.5 annotations, AOP, and JSP/GSP Taglibs. Shiro’s goal is to give you the choice to use the option you think are best based on your preferences and project needs.


  • Strong caching support - Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. For authorization, caching is crucial for performance in larger environments or with more complex policies using back-end security data sources.


  • Supports any data model - Shiro can support any data model for access control– it doesn’t force a model on you. Your realm implementation ultimately decides how your permissions and roles are grouped together and whether to return a “yes” or a “no” answer to Shiro. This feature allows you to architect your application in the manner you chose and Shiro will bend to support you.




  1. Subject currentUser = SecurityUtils.getSubject();  


  1. AuthenticationToken token = new UsernamePasswordToken(username, password);  
  2. Subject.isPermitted()/checkRoles()  
  3. Subject.login(token)//登录操作  
  4. Subject.logout()//退出登录操作  


  1. //这里我们使用spring和shiro进行集成  
  2. <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
  3.         <property name="realm" ref="shiroDbRealm" />  
  4.         <property name="cacheManager" ref="shiroEhcacheManager" />  
  5. </bean>  




  1. <filter>  
  2.     <filter-name>shiroFilter</filter-name>  
  3.     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
  4.     <init-param>  
  5.         <param-name>targetFilterLifecycle</param-name>  
  6.         <param-value>true</param-value>  
  7.     </init-param>  
  8. </filter>  
  9. <filter-mapping>  
  10.     <filter-name>shiroFilter</filter-name>  
  11.     <url-pattern>/*</url-pattern>  
  12. </filter-mapping>  



  1. @Override  
  2.     protected void initFilterBean() throws ServletException {  
  3.         synchronized (this.delegateMonitor) {  
  4.             if (this.delegate == null) {  
  5.                 // If no target bean name specified, use filter name.  
  6.                 if (this.targetBeanName == null) {  
  7.                     this.targetBeanName = getFilterName();  
  8.                 }  
  9.                 // Fetch Spring root application context and initialize the delegate early,  
  10.                 // if possible. If the root application context will be started after this  
  11.                 // filter proxy, we'll have to resort to lazy initialization.  
  12.                 WebApplicationContext wac = findWebApplicationContext();  
  13.                 if (wac != null) {  
  14.                     this.delegate = initDelegate(wac);  
  15.                 }  
  16.             }  
  17.         }  
  18.     }  


  1. <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  
  2.         <property name="securityManager" ref="securityManager" />  
  3.         <property name="loginUrl" value="/login" />  
  4.         <property name="successUrl" value="/management/index" />  
  5.         <property name="filters">  
  6.             <map>  
  7.                 <!-- <entry key="authc" value-ref="baseFormAuthenticationFilter"/> -->  
  8.                 <!-- 是否启用验证码检验 -->  
  9.                 <entry key="authc" value-ref="captchaFormAuthenticationFilter" />  
  10.                 <entry key="user" value-ref="dWZUserFilter" />  
  11.             </map>  
  12.         </property>  
  13.         <property name="filterChainDefinitions">  
  14.             <value>  
  15.                 /Captcha.jpg = anon  
  16.                 /styles/** = anon  
  17.                 /login/timeout = anon  
  18.                 /login = authc  
  19.                 /logout = logout  
  20.                 /** = user  
  21.             </value>  
  22.         </property>  
  23.     </bean>  


  1.     <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
  2.         <property name="realm" ref="shiroDbRealm" />  
  3.                  <!--  缓存用户的授权信息  -->  
  4.                 <property name="cacheManager" ref="shiroEhcacheManager" />  
  5.         </bean>  
  6.         <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">  
  7.                  <property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache-shiro./>  
  8.         </bean>  
  9.         <bean id="shiroDbRealm" class="com.mbb.ShiroDbRealm" depends-on="userDAO, userRoleDAO, moduleDAO, organizationRoleDAO,captchaService">  
  11.         </bean>  


    1. public class ShiroDbRealm extends AuthorizingRealm {  
    2.         //实现用户的认证  
    3.         protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {  
    4.              User user = userService.get(authcToken.getUsername());  
    5.              ShiroUser shiroUser = new ShiroUser(user.getId(), user.getUsername(), user);  
    6. <pre code_snippet_id="239402" snippet_file_name="blog_20140316_8_5493693" name="code" class="html">             return new SimpleAuthenticationInfo(shiroUser, user.getPassword(),ByteSource.Util.bytes(salt), getName());  
    7. </pre> }<br>  
    8. //实现用户的鉴权<br>  
    9. protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {<br>  
    10. Collection<?> collection = principals.fromRealm(getName());<br>  
    11.         if (CollectionUtils.isEmpty(collection)) {<br>  
    12.             return null;<br>  
    13.         }<br>  
    14.         ShiroUser shiroUser = (ShiroUser) collection.iterator().next();<br>  
    15.         <br>  
    16.         List<UserRole> userRoles = userRoleService.find(shiroUser.getId());<br>  
    17.         List<OrganizationRole> organizationRoles = organizationRoleService<br>  
    18.                 .find(shiroUser.getUser().getOrganization().getId());<br>  
    19.         <br>  
    20.         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();<br>  
    21.         info.addStringPermissions(makePermissions(userRoles, organizationRoles, shiroUser));<br>  
    22.         <br>  
    23.         return info;<br>  
    24. }<br>  
    25. }  
    26. <pre></pre>  
    27. <p></p>  
    28. <pre></pre>  
    29. <br>  
    30. <br>  
    31. <p></p>  
    32. <p><br>  
    33. </p>  
    34. <br>  
    35. <p></p>  
    36. <ul style="">  
    37. <br>  
    38. </ul>  
    39. <br>  
    40. <p></p>