SpringBoot integration with Shiro and Thymeleaf _01_ Shiro concepts

Shiro introduction and function description

Shiro is a security framework for Java. More and more people are using Apache Shiro because it is quite simple. Compared with Spring Security it may not be as powerful, but in practical work such complex features are often not needed, so the small and simple Shiro is sufficient.

Authentication: identity verification / login, verifying whether a user has the appropriate identity;
Authorization: permission verification, verifying whether an authenticated user holds a certain privilege, i.e. deciding whether a user may do something; for example, verifying that a user has a role, or at a finer grain verifying that a user has a permission on a resource;
Session Manager: session management, i.e. after a user logs in it is one session, and until they log out all their information is kept in that session; the session can live in an ordinary JavaSE environment or in a Web environment;
Cryptography: encryption to protect the security of data, for example storing passwords in the database in encrypted form instead of plain text;
Web Support: can easily be integrated into a Web environment;
Caching: for example, after a user logs in, their user information and roles / permissions do not have to be looked up every time, which improves efficiency;
Concurrency: Shiro supports concurrent verification in multi-threaded applications, i.e. if you start another thread from one thread, the permissions are propagated automatically;
Testing: provides testing support;
Run As: allows one user to act under the identity of another user (if that user permits it);
Remember Me: a very common function; after logging in once, you do not need to log in again the next time you come back.
Remember: Shiro does not maintain users or permissions; these must be designed / provided by ourselves and then injected into Shiro through the corresponding interfaces.

Shiro realization principle understanding

In other words, for us the simplest Shiro application works like this: the application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager; we need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain legitimate users and judge their permissions.

Shiro's architectural understanding

Subject: the subject; as you can see, the subject can be any "user" that interacts with the application;
SecurityManager: the equivalent of DispatcherServlet in SpringMVC or FilterDispatcher in Struts2; it is the heart of Shiro; all concrete interactions are controlled through the SecurityManager; it manages all subjects and is responsible for authentication and authorization, as well as session and cache management;
Authenticator: the authenticator, responsible for authenticating subjects; this is an extension point, and if you feel Shiro's default is not good enough you can provide your own implementation; it requires an Authentication Strategy, i.e. a rule for under which circumstances a user's authentication passes;
Authorizer: the authorizer, or access controller, used to determine whether the subject has permission to perform the corresponding operation, i.e. to control which functions of the application the user can access;
Realm: there can be one or more Realms; a Realm can be considered the security entity data source used to obtain security entities; it can be JDBC, LDAP, memory, etc., and is provided by the user. Note: Shiro does not know where your users / permissions are stored or in what format, so we generally need to implement our own Realm in the application;
SessionManager: if you have written Servlets you know the concept of a Session; someone has to manage its life cycle, and this component is the SessionManager. Shiro can be used not only in a Web environment but also in ordinary JavaSE, EJB and other environments, so Shiro abstracts its own Session to manage the data between the subject and the application. For example, we use it in a Web environment, originally on a Web server, and then move to an EJB server; if at that point we want to keep the session data of both servers in one place, we can implement our own distributed session (such as putting the data in a Memcached server);
SessionDAO: everyone has used a DAO, a data access object; this one is used for session CRUD. For example, if we want to save sessions to a database, we can implement our own SessionDAO that writes to the database via JDBC; if we want to put sessions in Memcached, we can implement our own Memcached SessionDAO; in addition, a Cache can be used inside the SessionDAO to improve performance;
CacheManager: the cache controller, which manages caches for users, roles, permissions, etc.; because this data rarely changes, placing it in the cache improves access performance;
Cryptography: the cryptographic module; Shiro provides some common encryption components, used for example for password encryption.

Shiro authentication (Authentication) flow

Flow chart (figure omitted):

1. UsernamePasswordToken implements HostAuthenticationToken and RememberMeAuthenticationToken; HostAuthenticationToken extends AuthenticationToken.
2. First call Subject.login(token) to log in; it automatically delegates to the SecurityManager, which must have been set via SecurityUtils.setSecurityManager() before the call.
3. The SecurityManager is responsible for the real authentication logic; it delegates to the Authenticator for authentication. The SecurityManager interface extends the Authenticator, Authorizer and SessionManager interfaces.
4. The Authenticator is the real authenticator and the core authentication entry point of the Shiro API; your own implementation can be plugged in here.
5. The Authenticator may delegate to the corresponding AuthenticationStrategy for multi-Realm authentication; by default, ModularRealmAuthenticator calls the AuthenticationStrategy for multi-Realm authentication.
6. The Authenticator passes the token into the Realm and obtains the authentication information from the Realm; if nothing is returned or an exception is thrown, authentication has failed. Multiple Realms can be configured here, and they are accessed in the corresponding order and according to the strategy.

Realm

Generally you extend AuthorizingRealm (authorization); it extends AuthenticatingRealm (authentication) and also indirectly extends CachingRealm (which carries the cache implementation), and you override the doGetAuthenticationInfo (authentication) and doGetAuthorizationInfo (authorization) methods.
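The following is an added example, not code from the original post, showing the authentication flow above (Subject.login delegating to the SecurityManager, Authenticator and Realm) together with a custom AuthorizingRealm. The DemoRealm class, the constructed in-memory user table and the salt value are assumptions; it assumes Shiro 1.x with only shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;
import java.util.Map;

// Hypothetical Realm backed by a constructed in-memory "user table" standing in for JDBC/LDAP.
public class DemoRealm extends AuthorizingRealm {
    private static final String SALT = "demo-salt"; // constructed; use a random per-user salt in practice
    private static final int ITERATIONS = 1024;
    // Constructed sample account: the password "s3cret" is stored only as a salted, iterated SHA-256 hash.
    private static final Map<String, String> USERS =
        Map.of("alice", new Sha256Hash("s3cret", SALT, ITERATIONS).toHex());

    public DemoRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher); // Shiro hashes the submitted password and compares; plaintext is never stored
    }
    @Override // authentication: the Realm only looks up the account; the matcher verifies the credentials
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        String storedHash = USERS.get(username);
        if (storedHash == null) throw new UnknownAccountException("no account: " + username);
        return new SimpleAuthenticationInfo(username, storedHash, ByteSource.Util.bytes(SALT), getName());
    }
    @Override // authorization: roles and permissions come from our own data; Shiro does not store them
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("alice".equals(principals.getPrimaryPrincipal())) {
            info.addRole("admin");
            info.addStringPermission("user:delete");
        }
        return info;
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm())); // must precede login()
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "s3cret")); // Subject -> SecurityManager -> Authenticator -> Realm
            System.out.println("admin=" + subject.hasRole("admin") + " canDelete=" + subject.isPermitted("user:delete"));
        } catch (AuthenticationException e) { // unknown account or wrong password surfaces here
            System.out.println("login failed: " + e.getClass().getSimpleName());
        }
    }
}
```

A wrong password fails inside HashedCredentialsMatcher as an IncorrectCredentialsException rather than in the Realm, which is why the Realm above never compares passwords itself.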

Shiro interceptor rules



Origin: blog.csdn.net/weixin_40816738/article/details/105471577