1. Shiro

This article refers to Zhang Kaitao's "Learn Shiro from Me"


Introduction to Shiro

  • Apache Shiro is a security and permission framework for Java.
  • With Shiro you can easily build applications that are good enough for most needs; it can be used not only in a JavaSE environment but also in a JavaEE environment.
  • Shiro covers authentication, authorization, encryption, session management, Web integration, caching, and more.
  • Download: http://shiro.apache.org/


  • Authentication: identity authentication, i.e. verifying the logging-in user to see whether they have the corresponding identity;
  • Authorization: verifying whether an authenticated user holds a certain permission (in plain terms, deciding whether the user is allowed to do something). A common example is checking whether a user has a certain role, or, more finely grained, whether a user has permission on a certain resource;
  • Session Manager: session management. After the user logs in there is a session, and until the user logs out all of their information is kept in that session;
  • Cryptography: encryption, to protect the security of data; for example, passwords are stored in the database in encrypted (hashed) form instead of as plaintext;
  • Web Support: can be easily integrated into a Web environment;
  • Caching: for example, after a user logs in successfully, their personal information is kept in a cache so it does not have to be queried repeatedly, which improves efficiency;
  • Concurrency: Shiro supports concurrent verification in multi-threaded applications. For example, if one thread starts another thread, the permissions can be propagated to it automatically;
  • Testing: provides testing support;
  • Run As: allows one user to access the application as if they were another user;
  • Remember Me: equivalent to the "remember password" option of a login form, i.e. after logging in once there is no need to log in again next time.

The most important point: Shiro does not maintain users or permissions itself; these must be designed and provided by you, and are then injected into Shiro through the corresponding interfaces.

Shiro's workflow


  • Subject: equivalent to the current user. This "user" is not necessarily a specific person; anything that interacts with the current application can be called a Subject. All Subjects are bound to a SecurityManager, and every interaction with a Subject is delegated to the SecurityManager; the Subject can be regarded as a facade, and the SecurityManager is the actual implementation;
  • SecurityManager: the security manager. All security-related operations interact with the SecurityManager, and it also manages all Subjects. It can be regarded as Shiro's core object, mainly responsible for interacting with the other components, and can be compared to the DispatcherServlet front controller in SpringMVC;
  • Realm: Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, when the SecurityManager needs to verify a user's identity, it obtains the corresponding user from the Realm and compares it to confirm whether the identity is legitimate; it also needs to obtain the user's roles/permissions from the Realm to verify whether the user may perform an operation. The Realm can be compared to a DataSource: it is the security data source.

How does a simple Shiro application work?

  1. First, the application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager;
  2. We need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain the legitimate users and their permissions and make its decisions.
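The two steps above, put together as an added example (this code is not from the original article or from Zhang Kaitao's book). It assumes Shiro 1.x (shiro-core) on the classpath; the class names `ShiroDemo`, `InMemoryRealm` and `Account`, the user names, passwords, salts, roles and permission strings are all constructed sample data. The Realm is the part we supply, which is the point of the "Shiro does not maintain users or permissions" remark: it hands Shiro a salted SHA-256 hash rather than a plaintext password, and a `HashedCredentialsMatcher` tells the SecurityManager how to compare the submitted password against it.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class ShiroDemo {

    /** One stored account: constructed sample data standing in for a users table. */
    static final class Account {
        final String saltedHashHex;   // salted, iterated SHA-256 of the password, never the plaintext
        final String salt;
        final Set<String> roles;
        final Set<String> permissions;

        Account(String saltedHashHex, String salt, Set<String> roles, Set<String> permissions) {
            this.saltedHashHex = saltedHashHex;
            this.salt = salt;
            this.roles = roles;
            this.permissions = permissions;
        }
    }

    /** The Realm is the security data source we provide; Shiro itself stores no users. */
    static final class InMemoryRealm extends AuthorizingRealm {
        private static final int ITERATIONS = 1024;
        private final Map<String, Account> accounts = new HashMap<>();

        InMemoryRealm() {
            // Tell Shiro how the stored credentials were produced so it can compare hashes.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            setCredentialsMatcher(matcher);
            // Constructed sample accounts (hypothetical names, passwords and salts).
            addAccount("alice", "alice-pass", "salt-1", Set.of("admin"), Set.of("user:*"));
            addAccount("bob", "bob-pass", "salt-2", Set.of("user"), Set.of("user:read"));
        }

        private void addAccount(String user, String plaintext, String salt,
                                Set<String> roles, Set<String> perms) {
            String hash = new Sha256Hash(plaintext, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
            accounts.put(user, new Account(hash, salt, roles, perms));
        }

        // Authentication: the SecurityManager calls this when subject.login() is invoked.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            Account acct = accounts.get(username);
            if (acct == null) {
                throw new UnknownAccountException("no account named " + username);
            }
            // The matcher hashes the submitted password with this salt and compares it to the stored hash.
            return new SimpleAuthenticationInfo(username, acct.saltedHashHex,
                    ByteSource.Util.bytes(acct.salt), getName());
        }

        // Authorization: called lazily when hasRole()/isPermitted() are checked.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            Account acct = accounts.get(username);
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (acct != null) {
                info.addRoles(acct.roles);
                info.addStringPermissions(acct.permissions);
            }
            return info;
        }
    }

    public static void main(String[] args) {
        // Step 2: inject our Realm into the SecurityManager and register it globally.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new InMemoryRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // Step 1: application code talks only to the Subject facade, which delegates to the SecurityManager.
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("bob", "bob-pass"));
        } catch (AuthenticationException e) {
            System.out.println("login failed: " + e.getClass().getSimpleName());
            return;
        }
        System.out.println("authenticated: " + subject.isAuthenticated());        // true
        System.out.println("has role user: " + subject.hasRole("user"));           // true
        System.out.println("may read:      " + subject.isPermitted("user:read"));  // true
        System.out.println("may delete:    " + subject.isPermitted("user:delete"));// false
        subject.logout();
    }
}
```

The permission strings follow Shiro's wildcard format (`resource:action`), so `alice`'s `user:*` implies `user:delete` while `bob`'s `user:read` does not. A wrong password surfaces as an `IncorrectCredentialsException` from `login()`; the application never sees the stored hash or the comparison, since that is done inside the SecurityManager and Realm.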


Origin blog.csdn.net/qq_43647359/article/details/105878446