This article refers to Zhang Kaitao's "Learn Shiro from Me"
Introduction to Shiro
- Apache Shiro is a security permission framework for Java
- With Shiro you can easily develop good enough applications; it can be used not only in a JavaSE environment but also in a JavaEE environment.
- Shiro can handle: authentication, authorization, encryption, session management, Web integration, caching, etc.
- Download: http://shiro.apache.org/
- Authentication: identity verification, i.e. verifying that the user logging in actually has the identity claimed;
- Authorization: It is equivalent to authorization, such as verifying whether an authenticated user has a certain authority (in layman's terms, it is to determine whether the user can do something), a common example is to verify whether a user has a certain role. Or more subdivided: verify whether a user has permission to a certain resource;
- Session Manager: Session management, that is, after the user logs in, it is a session. Before logging out, all its information is stored in the session;
- Cryptography: Encryption, to protect the security of data, for example, passwords are encrypted and stored in the database instead of plaintext storage;
- Web Support: Web support, can be easily integrated into the Web environment;
- Caching: Caching, for example, after the user logs in successfully, the user's personal information is in the cache, and there is no need to query frequently, which is a way to improve efficiency;
- Concurrency: Shiro supports concurrent verification in multi-threaded applications. For example, when one thread starts another thread, the permissions can automatically propagate to it.
- Testing: Provide testing support;
- Run As: allows a user to access the application as another user (impersonation);
- Remember Me: It is equivalent to the "remember password" in the form login, that is, after logging in once, there is no need to log in next time.
A more important point: Shiro does not maintain users or permissions itself; these must be designed and provided by the application, and are then injected into Shiro through the corresponding interfaces.
Shiro's workflow
- Subject: equivalent to the current user. This user is not necessarily a specific person; anything that interacts with the current application can be called a Subject. All Subjects are bound to the SecurityManager, and every interaction with a Subject is delegated to the SecurityManager. The Subject can be regarded as a facade; the SecurityManager is the actual implementation.
- SecurityManager: the security manager. All security-related operations interact with the SecurityManager, and it also manages all Subjects. It can be regarded as Shiro's core object; it is mainly responsible for interacting with the other components, and can be compared to the DispatcherServlet front controller in SpringMVC.
- Realm: Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, when the SecurityManager needs to verify a user's identity, it obtains the corresponding user from the Realm and compares it to confirm whether the identity is valid; it also needs to obtain the user's roles/permissions from the Realm to verify whether the user is allowed to perform an operation. The Realm can be compared to a DataSource: it is a security data source.
How does a simple Shiro application work?
- First, the application code is authenticated and authorized through the Subject, and the Subject delegates to the SecurityManager;
- We need to inject Realm into Shiro's SecurityManager so that the SecurityManager can obtain legal users and their permissions for judgment.
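The flow above, as an added example that is not part of the original article or of Shiro's own sources: an application-provided Realm (the hypothetical class InMemoryRealm, backed by constructed demo data for a user alice with the admin role and the permission string user:delete) is injected into a DefaultSecurityManager; the application code then logs in through the Subject, which delegates to the SecurityManager, which in turn asks the Realm for the user's credentials, roles and permissions.

```java
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShiroRealmDemo {
    // Application-provided Realm: Shiro stores no users/permissions itself, so this class
    // supplies them. The Map contents are constructed demo data (hypothetical user table).
    static class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, String> passwords = Map.of("alice", "secret");
        private final Map<String, String> roles = Map.of("alice", "admin");

        @Override // authentication: invoked by the SecurityManager when subject.login() runs
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            String stored = passwords.get(username);
            if (stored == null) throw new UnknownAccountException("no account: " + username);
            // Shiro's default SimpleCredentialsMatcher compares the submitted password to this
            // value; a real store would keep a salted hash and use HashedCredentialsMatcher.
            return new SimpleAuthenticationInfo(username, stored, getName());
        }

        @Override // authorization: invoked lazily on hasRole()/isPermitted()
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            String role = roles.get(username);
            if (role != null) info.addRole(role);
            if ("admin".equals(role)) info.addStringPermission("user:delete");
            return info;
        }
    }

    public static void main(String[] args) {
        // Inject the Realm into the SecurityManager, then obtain the Subject (current user)
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "secret")); // delegated to the Realm
            System.out.println("authenticated: " + subject.isAuthenticated());
            System.out.println("has role admin: " + subject.hasRole("admin"));
            System.out.println("user:delete permitted: " + subject.isPermitted("user:delete"));
            System.out.println("user:create permitted: " + subject.isPermitted("user:create"));
        } catch (AuthenticationException e) {
            System.out.println("login failed: " + e.getMessage());
        } finally {
            subject.logout(); // ends the session and clears the cached authorization info
        }
    }
}
```

Requires shiro-core on the classpath and Java 9+ for Map.of; a wrong password raises IncorrectCredentialsException, which is caught as an AuthenticationException above.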