一、shiro身份认证过程

(参考http://shiro.apache.org/authentication.html)

1、Collect the Subject’s submitted principals and credentials  收集客户端提交的用户名和凭证

2、Submit the principals and credentials for authentication.      提交用户名和凭证进行身份认证  
3、If the submission is successful, allow access, otherwise retry authentication or block access.  如果提交成功，则允许访问，否则重试身份验证或阻止访问。

二、java示例代码

pom.xml :

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.tingcream</groupId>
  <artifactId>shiro</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>jar</packaging>

  <name>shiro</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
    </dependency>

    <!-- shiro-core 引入 -->
	<dependency>
	    <groupId>org.apache.shiro</groupId>
	    <artifactId>shiro-core</artifactId>
	    <version>1.3.2</version>
	</dependency>
	<dependency>
	    <groupId>org.slf4j</groupId>
	    <artifactId>slf4j-log4j12</artifactId>
	    <version>1.7.21</version>
    </dependency>
    
  </dependencies>
  <build>
    <plugins>
       <plugin>
	     <groupId>org.apache.maven.plugins</groupId>
	     <artifactId>maven-compiler-plugin</artifactId>
	     <version>3.6.2</version>
	     <configuration>
	        <target>1.8</target>   
	        <source>1.8</source>
	        <encoding>utf-8</encoding>
	     </configuration>
	  </plugin>
    </plugins>
  </build>
</project>

HelloWorld.java

package com.tingcream.shiro;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

/**
 * shiro认证过程 ,使用shiro.ini配置文件
 * @author jelly
 */
public class HelloWorld {

	public static void main(String[] args) {
		// 读取配置文件，初始化SecurityManager工厂
		Factory factory=new IniSecurityManagerFactory("classpath:shiro.ini");
		// 获取securityManager实例
		SecurityManager securityManager=factory.getInstance();
		// 把securityManager实例绑定到SecurityUtils
		SecurityUtils.setSecurityManager(securityManager);
		// 得到当前执行的用户 (可以是人或任何的客户端程序进程)
		Subject currentUser=SecurityUtils.getSubject();
		// 创建token令牌，用户名/密码
		UsernamePasswordToken token=new UsernamePasswordToken("zhangsan", "zs123456");

		//”Remember Me” built-in, just do this: 
		//token.setRememberMe(true);
		try {
		    currentUser.login(token);
		    System.out.println("用户身份认证成功!");
		} catch  ( UnknownAccountException e ) { 
			  e.printStackTrace();
			 System.out.println("未知的账户，用户名不存在");
		} catch  ( IncorrectCredentialsException e ) {
			 e.printStackTrace();
			 System.out.println("密码错误");
		} catch  ( LockedAccountException e ) { 
			  e.printStackTrace();
			 System.out.println("账户被锁定");
			
		} catch  ( ExcessiveAttemptsException e ) { 
			  e.printStackTrace();
			  System.out.println("过度的尝试");
			
		}   catch ( AuthenticationException e ) {
			  e.printStackTrace();
			  System.out.println("认证失败");
		}
		currentUser.logout();
	}
}

log4j.properties

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
log4j.rootLogger=INFO, stdout

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n

# General Apache libraries
log4j.logger.org.apache=WARN

# Spring
log4j.logger.org.springframework=WARN

# Default Shiro logging
log4j.logger.org.apache.shiro=TRACE

# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN

[users]
zhangsan=zs123456
lisi=ls123456

注意：

运行main方法，若用户登录成功(用户名、密码正确)，则打印用户身份认证成功。若失败，shiro会以抛出各种内置异常的方式给予反馈。所以我们需要在try...catch块中捕获各种类型的异常。