shiro的加载方式

1：加载user/password的ini配置文件

[users]
zhang=123
wang=123

2：加载single-realm的ini配置文件

#声明一个realm
myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
#指定securityManager的realms实现
securityManager.realms=$myRealm1

3：加载multi-realm的ini配置文件

#声明一个realm
myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
myRealm2=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm2
#指定securityManager的realms实现
securityManager.realms=$myRealm1,$myRealm2

4：通过jdbc-realm验证用户，会自动赋值给指定realm类的属性名

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
dataSource=com.alibaba.druid.pool.DruidDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://localhost:3306/shiro
dataSource.username=root
#dataSource.password=
jdbcRealm.dataSource=$dataSource
securityManager.realms=$jdbcRealm

#指定securityManager的authenticator实现
authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
securityManager.authenticator=$authenticator
#指定securityManager.authenticator的authenticationStrategy
#FirstSuccessfulStrategy成功验证一个realm即可，返回验证成功的认证信息
#AtLeastOneSuccessfulStrategy成功验证一个realm即可，返回所有realm验证成功的认证信息(ModularRealmAuthenticator默认)
#AllSuccessfulStrategy必须成功验证所有realm，返回所有realm验证成功的认证信息
allSuccessfulStrategy=org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy=$allSuccessfulStrategy

注意：可以自定义authenticationStrategy，需继承抽AbstractAuthenticationStrategy类

授权

1：ini配置角色权限的格式,可以用hasRole/hasAllRoles判断用户是否具有某个或者所有角色，isPermitted/isPermittedAll判断用户是否具有某个权限或者所有权限

[users]
zhang=123,role1,role2
wang=123,role1
[roles]
#权限通配符：";"表示资源/操作/实例的分割；","表示操作的分割；"*"表示任意资源/操作/实例。
#shiro对权限字符串缺失部分的处理,user:view=user:view:*,可以理解为前缀匹配
role1=user:create,user:update
role2=user:create,user:delete
#role3=role4
role3=system:user:create;system:user:update;system:user:delete;system:user:view
role4=system:user:create,update,delete,view
#role5=role6
role5=system:user:*
role6=system:user
#对资源user的1 实例拥有view权限，实例就是具体到某条记录
role7=system:user:view:1
role8=system:user:update,delete:1
role9=system:user:auth:*
#对资源user拥有所有权限
role10=system:user:*:*

2：改变验证权限的类，如下ini配置

[main]
#自定义authorizer
authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
#自定义permissionResolver
#permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolver
permissionResolver=com.github.zhangkaitao.shiro.chapter3.permission.BitAndWildPermissionResolver
authorizer.permissionResolver=$permissionResolver
#自定义rolePermissionResolver
rolePermissionResolver=com.github.zhangkaitao.shiro.chapter3.permission.MyRolePermissionResolver
authorizer.rolePermissionResolver=$rolePermissionResolver

securityManager.authorizer=$authorizer

#自定义realm 一定要放在securityManager.authorizer赋值之后（因为调用setRealms会将realms设置给authorizer，并给各个Realm设置permissionResolver和rolePermissionResolver）
realm=com.github.zhangkaitao.shiro.chapter3.realm.MyRealm
securityManager.realms=$realm

配置

1：无ini配置，纯java代码

DefaultSecurityManager securityManager = new DefaultSecurityManager();

//设置authenticator
ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
securityManager.setAuthenticator(authenticator);
//设置authorizer
ModularRealmAuthorizer authorizer = new ModularRealmAuthorizer();
authorizer.setPermissionResolver(new WildcardPermissionResolver());
securityManager.setAuthorizer(authorizer);
//设置Realm
DruidDataSource ds = new DruidDataSource();
ds.setDriverClassName("com.mysql.jdbc.Driver");
ds.setUrl("jdbc:mysql://localhost:3306/shiro");
ds.setUsername("root");
ds.setPassword("");
JdbcRealm jdbcRealm = new JdbcRealm();
jdbcRealm.setDataSource(ds);
jdbcRealm.setPermissionsLookupEnabled(true);
securityManager.setRealms(Arrays.asList((Realm) jdbcRealm));
//将SecurityManager设置到SecurityUtils 方便全局使用
SecurityUtils.setSecurityManager(securityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
subject.login(token);

2:ini配置

Factory<org.apache.shiro.mgt.SecurityManager> factory =
        new IniSecurityManagerFactory("classpath:shiro-config.ini");
org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
//将SecurityManager设置到SecurityUtils 方便全局使用
SecurityUtils.setSecurityManager(securityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
subject.login(token);

[main]
#覆盖默认的securityManager
#securityManager=org.apache.shiro.mgt.DefaultSecurityManager

#authenticator
authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
authenticationStrategy=org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy
authenticator.authenticationStrategy=$authenticationStrategy
securityManager.authenticator=$authenticator

#authorizer
authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolver
authorizer.permissionResolver=$permissionResolver
securityManager.authorizer=$authorizer

#realm
dataSource=com.alibaba.druid.pool.DruidDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://localhost:3306/shiro
dataSource.username=root
#dataSource.password=

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource=$dataSource
jdbcRealm.permissionsLookupEnabled=true
securityManager.realms=$jdbcRealm

加密解密待完善--密码处理相关

realm详解--留待后面看源码，详细处理

与web继承--看了spring关于web这块源码之后再来细看

拦截器,使用spring的比较好，不复杂，简单易懂

1：user 拦截器只要用户登录(isRemembered()==true or isAuthenticated()==true)过即可访问成
2：authc 拦截器会判断用户是否是通过Subject.login（isAuthenticated()==true）登录的

会话管理

1：会话管理器SessionManager
2：会话监听器SessionListener
3：会话存储/持久化SessionDAO-CachingSessionDAO
4：会话验证SessionValidationScheduler
5：sessionFactory 是创建会话的工厂

缓存

1：Cache,CacheManager,CacheManagerAware
2：Realm缓存 CachingRealm实现了CacheManagerAware
3：建议废弃shiro的缓存，实现自己的缓存或者使用spring的缓存SpringCacheManagerWrapper

和spring集成

1：就是将之前的ini配置文件整合成为了bean配置，注意查看和之前的ini配置对比，其实就是将set改成了property设置，注入值，最终的一个bean还是securityManager
2：shiro在spring中可以使用注解判断角色权限@RequiresRoles("admin")，因为spirng支持aop，如果不具备该角色抛出UnauthorizedException异常，可以采用spring的@ExceptionHandler来捕捉异常

SSL后续多研究再来完成这部分吧

SSO结合zheng吧

OAuth2后续多看一点

只允许一个人登录

1：扩展KickoutSessionControlFilter

授予身份及切换身份

验证码，做一个拖动符合那个验证码吧

nginx做分布式会话，集中权限管理