Still don't know Shiro in 2021? Part 1: Shiro's architecture

1. What is permission management?

As soon as a system has multiple users logging in, it must manage their permissions. Permission management belongs to the field of system security. Its main purpose is to control user access to the system: according to security rules, it controls which resources each user is allowed to access.
Permission management consists of two parts, identity authentication and authorization, usually shortened to authentication and authorization. The permission management process is the process of authentication followed by authorization: when a user accesses the system, the system first verifies the user's identity, and after authentication has passed it determines which resources the user may access according to the user's permissions.

1.1 What is identity authentication?

Identity authentication is the process of judging whether the current user is a legitimate user. If so, authentication passes; otherwise it fails. The most common authentication method is logging in with a user name and password: the system looks up the user name that is logging in and checks whether the password is correct. Other methods include fingerprint login authentication and card authentication.

1.2 What is authorization?

Authorization means granting access. The current user is granted access rights; only with those rights can the user enter the resources he wants to browse, or rather, the resources he is allowed to browse.

1.3 An example

Here is a case that illustrates authentication and authorization. When we go to work and enter the building gate, the property management needs to identify who you are; that is the process of identity authentication. After you enter the company there may be access control: different office areas on different floors, and you only have access to some of them, because your role is only authorized for part of the areas.

2. What is Shiro?

Shiro is a powerful and easy-to-use security framework that can easily implement functions such as authentication, authorization, encryption, and session management.

2.1 Shiro's core architecture

[Figure: Shiro's core architecture diagram]
From the picture above we can see that the core of Shiro is the Security Manager. What does the Security Manager manage? The big box in the middle: the Authenticator, Authorizer, Session Manager, Session DAO, Cache Manager and Pluggable Realms are all managed by the Security Manager. So the first thing we need to do when using Shiro is to obtain the Security Manager; only then can we perform identity authentication, authorization, session management, cache management and realm management. Let's look at the things managed by the Security Manager one by one.

1. Subject /ˈsʌbdʒɪkt/

External applications interact with Shiro through the Subject. The Subject is responsible for recording user information; we can also regard the Subject as an object carrying user information. In Shiro the Subject is an interface that defines many methods for identity authentication and authorization. External programs (or users) authenticate through the Subject, and the Subject in turn performs authentication and authorization through the Security Manager.

2. Security Manager /sɪˈkjʊərəti/

The Security Manager is the core of Shiro; it is responsible for performing identity authentication, authorization and so on for all Subjects. In fact, the Security Manager implements identity authentication through the Authenticator, authorization through the Authorizer, and session management through the Session Manager.

3. Authenticator /ɔːˌθentɪˈkeɪtə/

The Authenticator performs identity authentication. In practice, different scenarios need different kinds of authentication, so Shiro designed the Authenticator as an interface and we can implement different authentication for different scenarios. At the same time Shiro provides a ready-made Authenticator implementation class, ModularRealmAuthenticator, which satisfies most of the authentication scenarios in our development.

4. Authorizer /ˈɔːθəraɪzə/

The Authorizer performs authorization. After a user has passed authentication by the Authenticator, the Authorizer must authorize the user before the user can access the corresponding resources.

5. Realm /relm/

The Realm. From the figure above we can see that both the Authenticator and the Authorizer sit on top of the Realm, because authentication and authorization are completed with the help of the Realm: during authentication, the user information obtained from the Realm is compared with the user information in the Subject, and during authorization, the current user's authorization scope must be looked up in the Realm. So we can regard the Realm as a data source; it is where the data comes from. Where does the data in the Realm come from? Realm data can be read from a configuration file or queried from a database. Generally the information is stored in a database.
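As an added example (not code from the original post or from the Shiro project itself), the following Java program wires the objects described above together in a plain, non-web process: a Realm as the data source, a DefaultSecurityManager that owns the Authenticator and Authorizer, and a Subject that the application talks to. It assumes shiro-core 1.x (for example org.apache.shiro:shiro-core:1.7.1) on the classpath; the user names, passwords, roles and permissions in the INI text are constructed sample data.

```java
// Added example: Subject -> SecurityManager -> Authenticator/Authorizer -> Realm, end to end.
// Assumes shiro-core 1.x. All accounts, roles and permissions below are constructed sample data.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroCoreWalkthrough {

    /** The Realm is the data source. Here the "configuration file" is an INI text built inline. */
    static IniRealm buildRealm() {
        Ini ini = new Ini();
        ini.load(
            "[users]\n" +
            "alice = alicePass, admin\n" +      // user = password, role, role...
            "bob = bobPass, staff\n" +
            "[roles]\n" +
            "admin = *\n" +                      // wildcard: every permission
            "staff = door:open:floor1\n");       // domain:action:instance
        return new IniRealm(ini);
    }

    public static void main(String[] args) {
        // The SecurityManager owns the Authenticator, Authorizer, SessionManager and the Realm
        DefaultSecurityManager securityManager = new DefaultSecurityManager(buildRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // The Subject is the "current user" view the application code talks to
        Subject subject = SecurityUtils.getSubject();
        System.out.println("authenticated before login? " + subject.isAuthenticated()); // false

        // Authentication: Subject -> SecurityManager -> Authenticator -> Realm
        UsernamePasswordToken token = new UsernamePasswordToken("bob", "bobPass");
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // UnknownAccountException, IncorrectCredentialsException, ... all arrive here
            System.out.println("login failed: " + e.getClass().getSimpleName());
            return;
        }
        System.out.println("logged in as " + subject.getPrincipal()); // bob

        // Authorization: Subject -> SecurityManager -> Authorizer -> Realm
        System.out.println("hasRole(staff) = " + subject.hasRole("staff"));                 // true
        System.out.println("hasRole(admin) = " + subject.hasRole("admin"));                 // false
        System.out.println("open floor1 door? " + subject.isPermitted("door:open:floor1")); // true
        System.out.println("open floor2 door? " + subject.isPermitted("door:open:floor2")); // false
        try {
            subject.checkPermission("door:open:floor2"); // the check* variants throw instead of returning false
        } catch (UnauthorizedException e) {
            System.out.println("denied: " + e.getMessage());
        }

        subject.logout();
        System.out.println("authenticated after logout? " + subject.isAuthenticated()); // false
    }
}
```

The isPermitted calls show why the Realm matters for authorization as well as authentication: the role-to-permission mapping lives in the Realm's data, and the Authorizer only evaluates the wildcard permission strings it gets back from there.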

6. Session Manager

Session management. The Shiro framework defines its own session management; it does not rely on the session of the web container, so we can still use Shiro Sessions even in a non-web environment. Using Shiro Sessions we can also implement single sign-on easily: for example, after a successful login, put the user's login information into the Session and then store it in Redis. When the user accesses other services, they can verify directly from Redis whether the user has logged in, thus realizing single sign-on.

7. Session DAO

Session operations DAO. This module is responsible for adding, deleting, modifying and querying session information. We cannot simply put information into the session and never look at it again: when the user logs out, or has not logged in for a long time, we need to deal with that user's session information, and the Session DAO is what manipulates it. We can choose to store session information in the database and delete it when it is no longer in use.
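As an added example that is not part of the original post, this Java program shows the Session Manager and Session DAO from the two sections above working together outside a web container: a small SessionDAO (a thread-safe map standing in for the Redis or database store the text mentions) is plugged into Shiro's DefaultSessionManager, a session attribute is written through the Subject, a second Subject is rebuilt from nothing but the session id the way another service would do it, and logout removes the session from the store. It assumes shiro-core 1.x; the account and attribute values are constructed.

```java
// Added example: a custom SessionDAO behind DefaultSessionManager in a non-web process.
// Assumes shiro-core 1.x. The in-memory map stands in for Redis or a database table.
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.Subject;

public class SessionDaoExample {

    /** Constructed stand-in for a shared session store: an in-memory map keyed by session id. */
    static class MapSessionDAO extends AbstractSessionDAO {
        private final Map<Serializable, Session> store = new ConcurrentHashMap<>();

        @Override
        protected Serializable doCreate(Session session) {
            Serializable id = generateSessionId(session); // random UUID by default
            assignSessionId(session, id);
            store.put(id, session);
            return id;
        }

        @Override
        protected Session doReadSession(Serializable sessionId) {
            return store.get(sessionId); // null makes AbstractSessionDAO throw UnknownSessionException
        }

        @Override
        public void update(Session session) throws UnknownSessionException {
            if (!store.containsKey(session.getId())) {
                throw new UnknownSessionException("no session with id " + session.getId());
            }
            store.put(session.getId(), session);
        }

        @Override
        public void delete(Session session) {
            store.remove(session.getId());
        }

        @Override
        public Collection<Session> getActiveSessions() {
            return Collections.unmodifiableCollection(store.values());
        }

        int size() { return store.size(); }
    }

    public static void main(String[] args) {
        MapSessionDAO dao = new MapSessionDAO();
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(dao);
        sessionManager.setGlobalSessionTimeout(30 * 60 * 1000L); // idle timeout in ms: 30 minutes
        // Disabled only so this single-process demo exits promptly; keep the validation
        // scheduler enabled in a real deployment so expired sessions are purged from the store.
        sessionManager.setSessionValidationSchedulerEnabled(false);

        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alicePass", "staff"); // constructed sample account

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        securityManager.setSessionManager(sessionManager);
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "alicePass"));

        // Session Manager: this is Shiro's own session, no servlet container involved
        Session session = subject.getSession();
        session.setAttribute("loginTime", System.currentTimeMillis()); // written through DAO.update
        Serializable id = session.getId();
        System.out.println("sessions in store after login: " + dao.size()); // 1

        // A later request, or another service, that carries only the session id
        Subject later = new Subject.Builder(securityManager).sessionId(id).buildSubject();
        System.out.println("still logged in? " + later.isAuthenticated()
                + " as " + later.getPrincipal()); // true, alice
        System.out.println("loginTime = " + later.getSession().getAttribute("loginTime"));

        subject.logout(); // stops the session; DefaultSessionManager deletes it through the DAO
        System.out.println("sessions in store after logout: " + dao.size()); // 0
    }
}
```

The rebuilt Subject is the single sign-on idea from the Session Manager section in miniature: whoever holds the session id and can reach the store can resolve the logged-in principal, which is also why the id must be random (Shiro's default generator is) and the store must be protected as carefully as the user database.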

8. Cache Manager

Cache management. Shiro has its own cache management to store the user's cached information, so that you do not have to look up the corresponding user's permission information in the database or configuration file every time the user is authorized. Using the cache manager to cache permission information improves the response speed of the user's service.

9. Cryptography /krɪpˈtɑːɡrəfi/

Encryption. A series of encryption and decryption methods are provided here, because we cannot store passwords in plaintext, whether in a file or in a database: the information needs to be encrypted, and some sensitive user information also needs to be encrypted to prevent leakage.
So far all of Shiro's functions have been introduced. Shiro is known as a secure and easy-to-use permission framework. We can see that its core is not large: it is the Authenticator and Authorizer inside the Security Manager. The other parts serve these two, or more accurately, they are auxiliary functions, so once we master this part we have mastered the key points.
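As an added example (not from the original post or from the Shiro project's own documentation), the following Java program covers the last two pieces above, cache management and cryptography, with a custom Realm: passwords are stored only as salted, iterated SHA-256 hashes produced with Shiro's Sha256Hash and checked by HashedCredentialsMatcher, and a MemoryConstrainedCacheManager is attached so that repeated authorization checks hit the cache instead of the Realm (a counter in the Realm makes the cache hit visible). It assumes shiro-core 1.x; the user table, passwords, role and iteration count are constructed sample values.

```java
// Added example: salted password hashing plus an authorization cache in a custom Realm.
// Assumes shiro-core 1.x. The user table, password, role and iteration count are constructed.
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedPasswordRealmExample {
    // Constructed value: tune to your hardware; more iterations slow down offline guessing
    static final int HASH_ITERATIONS = 100_000;

    /** One row of a constructed "user table": the password itself is never stored. */
    static final class UserRow {
        final String hashHex; final ByteSource salt; final String role;
        UserRow(String hashHex, ByteSource salt, String role) {
            this.hashHex = hashHex; this.salt = salt; this.role = role;
        }
    }
    static final Map<String, UserRow> USER_TABLE = new HashMap<>();

    /** Registration side: random per-user salt, iterated SHA-256, hex-encoded for storage. */
    static void register(String username, String password, String role) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        String hashHex = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        USER_TABLE.put(username, new UserRow(hashHex, salt, role));
    }

    /** Login side: the Realm returns hash + salt; the matcher re-hashes the submitted password. */
    static final class UserTableRealm extends AuthorizingRealm {
        int authorizationLookups = 0; // counts trips to the "database" for permission data

        UserTableRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);        // must match what register() used
            matcher.setStoredCredentialsHexEncoded(true);      // the default, shown explicitly
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            UserRow row = USER_TABLE.get(username);
            if (row == null) throw new UnknownAccountException("no account: " + username);
            return new SimpleAuthenticationInfo(username, row.hashHex, row.salt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            authorizationLookups++;
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            UserRow row = USER_TABLE.get((String) principals.getPrimaryPrincipal());
            if (row != null) info.addRole(row.role);
            return info;
        }
    }

    public static void main(String[] args) {
        register("alice", "correct horse battery staple", "staff");
        System.out.println("stored for alice: " + USER_TABLE.get("alice").hashHex); // hex digest only

        UserTableRealm realm = new UserTableRealm();
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        securityManager.setCacheManager(new MemoryConstrainedCacheManager()); // turns on the realm's authz cache
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();

        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("authenticated: " + subject.isAuthenticated()); // true

        for (int i = 0; i < 3; i++) subject.hasRole("staff");       // three checks...
        System.out.println("realm lookups: " + realm.authorizationLookups); // ...one lookup, the rest from cache
        subject.logout(); // also clears this user's cached authorization info
    }
}
```

Two points worth noticing: the Realm never sees or stores the plaintext password, only the salt and the iterated digest, and the matcher, not the Realm, does the comparison, so the same Realm code works with a different algorithm or iteration count by changing the matcher alone. The cache lives for the duration of the login; logout (or a call to the realm's clearCache) invalidates it, which is what you want when a user's roles change.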

3. Summary

Shiro is a lightweight and easy-to-use permission framework. Its architecture is not complicated and it is easy to use. Like Spring Security, it is a mainstream security framework and an indispensable skill for daily development. This article mainly introduced the framework's architecture and some of its key terms; follow-up articles will continue to cover the framework.

Origin blog.csdn.net/m0_46897923/article/details/114733940