Comparison of the security frameworks Spring Security and Shiro

Shiro vs. Spring-Security

1. What is Shiro?

Official website introduction: https://github.com/apache/shiro

  • Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro's easy-to-understand API, you can quickly and easily secure any application, from the smallest mobile applications to the largest web and enterprise applications.

2. What is Spring-Security?

Official website introduction: https://spring.io/projects/spring-security

  1. Spring Security is a powerful and highly customizable authentication and access control framework. It is the de facto standard for protecting Spring-based applications.
  2. Spring Security is a framework dedicated to providing authentication and authorization for Java applications. Like all Spring projects, the real strength of Spring Security is that it can be easily extended to meet custom requirements.

3. The main functions and core components of Shiro

3.1 Main functions

  1. Authentication: identity verification at login, that is, checking whether the user really has the identity they claim;
  2. Authorization: permission checking, that is, verifying whether an authenticated user is allowed to do something. This can be coarse, such as verifying whether a user has a certain role, or fine-grained, such as verifying whether a user has a certain permission on a resource;
  3. Session Manager: session management. A session starts when the user logs in, and until the user logs out all of the user's information is held in that session. The session can live in a plain Java SE environment or in a web environment;
  4. Cryptography: encryption to protect data, such as storing passwords encrypted in the database instead of in plain text;

3.2 Core components

  1. Subject: the "current user". However, in Shiro the concept of Subject does not only refer to people; it can also be a third-party process, a background account (daemon account) or something similar. It simply means "something that is currently interacting with the software."
  2. SecurityManager: the core of the Shiro framework and a typical example of the Facade pattern. Shiro manages its internal component instances through the SecurityManager and provides its security management services through it.
  3. Realm: a Realm acts as a "bridge" or "connector" between Shiro and the application's security data. In other words, when performing authentication (login) and authorization (access control) checks on a user, Shiro looks up the user and the user's permission information in the Realm configured in the application.
  • A Realm can be compared to the DAO layer in Spring MVC (but more secure than it).
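
The three components above wired together in a plain Java SE program, as an added example that is not from the original post or from the Shiro project. It assumes `shiro-core` is on the classpath; the class name, user, password, role and permission strings are constructed for illustration, and the password is stored only as a hash, in line with the Cryptography function in 3.1.

```java
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShiroComponentsDemo {
    // Constructed in-memory "user table": it holds a salted, iterated hash, never the password.
    static final Map<String, String> USERS =
            Map.of("alice", new DefaultPasswordService().encryptPassword("constructed-demo-password"));

    // Realm: the bridge between Shiro and the application's security data.
    static class DemoRealm extends AuthorizingRealm {
        DemoRealm() { setCredentialsMatcher(new PasswordMatcher()); } // compare against the stored hash
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            if (!USERS.containsKey(user)) throw new UnknownAccountException();
            return new SimpleAuthenticationInfo(user, USERS.get(user), getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); // same grants for every demo user
            info.addRole("editor");                       // coarse, role-level check
            info.addStringPermission("article:edit");     // fine-grained permission on a resource
            return info;
        }
    }

    public static void main(String[] args) {
        // SecurityManager: the facade that wires the Realm in; no web container is involved.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject subject = SecurityUtils.getSubject();     // Subject: the "current user"
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong-password"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "constructed-demo-password"));
        System.out.println("role editor:    " + subject.hasRole("editor"));
        System.out.println("article:edit:   " + subject.isPermitted("article:edit"));
        System.out.println("article:delete: " + subject.isPermitted("article:delete"));
        subject.logout();                                 // ends the Subject's session
    }
}
```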

4. Comparison of advantages and disadvantages

4.1 Advantages of Shiro

  1. Shiro's code is easier to read and easier to use;
  2. Shiro can be used in a non-web environment, is not tied to any framework or container, and runs independently;

4.2 Disadvantages of Shiro

  • Third-party authorized login has to be implemented manually;

4.3 Advantages of Spring Security

  1. Spring Security integrates better with Spring; for projects built with Spring Boot and the like, it is more convenient to use;
  2. It has better support from the Spring community;
  3. It supports OAuth authorization; official website: https://spring.io/projects/spring-security-oauth;

4.4 Disadvantages of Spring Security

  • Compared with Shiro it is more complicated, and it is not as clear and easy to understand as Shiro;

Summary: Beginners can start with Shiro, which is easier to understand. The above is my personal understanding and may contain inaccuracies; if there are errors, I hope everyone will point them out so we can discuss them.
The following are two small examples based on Shiro and Spring Security that I wrote. You are welcome to study them and discuss. Later, I will introduce the use of Spring Security and Shiro in detail.

https://gitee.com/zzzxp/Shiro.git
https://gitee.com/zzzxp/spring-security.git

Origin blog.csdn.net/zzzzzzzxp/article/details/105505941