Comparison of Shiro and Spring Security

Shiro

Apache Shiro is a security framework for Java. More and more people are adopting it because it is simple. Compared with Spring Security it lacks some of the heavier features, but day-to-day projects often do not need them, so a small, simple framework like Shiro is enough. There is no need to agonize over which of the two is "better"; pick whichever solves the project's problem with the least friction.

Shiro Architecture and Function Introduction

Basic concepts related to authentication and authorization

Two basic concepts

Security entity: the concrete object or data that the system needs to protect

Permission: a functional operation the system exposes, such as a basic CRUD action on a resource

  1. Authentication: identity verification (login); checks whether the caller really is who they claim to be;
  2. Authorization: permission checking; verifies whether an already authenticated user is allowed to do something, either coarse-grained (does the user hold a certain role?) or fine-grained (does the user hold a certain permission on a certain resource?);
  3. Session Manager: session management; once a user logs in, a session exists and holds all of that user's state until logout; Shiro sessions work in a plain Java SE environment as well as in a web environment;
  4. Cryptography: cryptographic helpers that protect data; for example, passwords are stored in the database as salted hashes rather than in plaintext;
  5. Web Support: integrates easily into web environments (servlet filters);
  6. Caching: after a user logs in, their user record and roles/permissions do not have to be re-read from the data source on every check, which improves efficiency;
  7. Concurrency: Shiro supports multi-threaded applications; if one thread starts another, the Subject and its permissions can be propagated to the new thread automatically;
  8. Testing: provides test support;
  9. Run As: allows one user to act as another user (if that user allows it);
  10. Remember Me: after logging in once with "remember me", the user does not have to log in again on the next visit.

Four core functions of Shiro: Authentication, Authorization, Session Management and Cryptography

Java security framework Shiro and Spring Security comparison

Three core components of Shiro

  1. Subject: the current "user". This is not necessarily a person; anything that interacts with the application (a web crawler, a bot, another service) is a Subject, so it is an abstract concept. Every Subject is bound to a SecurityManager, and every operation on a Subject is delegated to it; the Subject is a facade, the SecurityManager is the actual executor;
  2. SecurityManager: the security manager. All security-related operations go through it, and it manages all Subjects, so it is the core of Shiro and coordinates the other components introduced below. If you know Spring MVC, think of it as the DispatcherServlet front controller;
  3. Realm: the "domain" from which Shiro obtains security data (users, roles, permissions). When the SecurityManager needs to verify a user's identity it fetches the matching user from the Realm and compares credentials; when it needs to check whether the user may perform an operation it fetches that user's roles and permissions from the Realm. A Realm can be thought of as a DataSource for security data.
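The following is an added example (not code from the original article or from the Shiro project itself) that ties the feature list and the three components together: a custom Realm backed by an in-memory "user table" with salted, iterated SHA-256 password hashes, wired into a DefaultSecurityManager and exercised through the Subject facade for login, role checks and wildcard permission checks. It assumes shiro-core 1.x on the classpath; the users, roles and permissions are constructed here for illustration.

```java
// Added example, not code from the original article or the Shiro project itself.
// Assumes shiro-core 1.x on the classpath; users, roles and permissions are constructed in memory.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import java.util.*;

public class ShiroRealmDemo {
    static final int HASH_ITERATIONS = 100_000;

    // One row of the constructed user store: hex-encoded hash, per-user salt, role names.
    static final class UserRow {
        final String passwordHash; final ByteSource salt; final Set<String> roles;
        UserRow(String passwordHash, ByteSource salt, Set<String> roles) {
            this.passwordHash = passwordHash; this.salt = salt; this.roles = roles;
        }
    }

    // The Realm is Shiro's "secure data source": it supplies identities, roles and permissions.
    static final class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, UserRow> users = new HashMap<>();
        private final Map<String, Set<String>> rolePermissions = new HashMap<>();

        InMemoryRealm() {
            // Tell Shiro how stored credentials were produced: it re-hashes the submitted password
            // with the stored salt and compares hashes, so plaintext passwords are never compared.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS); // stored hashes are hex-encoded (the default)
            setCredentialsMatcher(matcher);
        }

        void addUser(String username, String password, String... roles) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes(); // fresh random salt per user
            String hash = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
            users.put(username, new UserRow(hash, salt, new HashSet<>(Arrays.asList(roles))));
        }

        void grant(String role, String... permissions) {
            rolePermissions.computeIfAbsent(role, r -> new HashSet<>()).addAll(Arrays.asList(permissions));
        }

        // Invoked by the SecurityManager during subject.login().
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            UserRow row = users.get((String) token.getPrincipal());
            if (row == null) {
                return null; // Shiro surfaces this to the caller as UnknownAccountException
            }
            return new SimpleAuthenticationInfo(token.getPrincipal(), row.passwordHash, row.salt, getName());
        }

        // Invoked lazily on the first hasRole()/isPermitted() call for an authenticated principal.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            UserRow row = users.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(row.roles);
            for (String role : row.roles) {
                Set<String> perms = rolePermissions.get(role);
                if (perms != null) info.addStringPermissions(perms); // e.g. "report:read", "report:*"
            }
            return info;
        }
    }

    public static void main(String[] args) {
        InMemoryRealm realm = new InMemoryRealm();
        realm.addUser("alice", "correct horse battery staple", "admin");
        realm.addUser("bob", "hunter2", "viewer");
        realm.grant("admin", "report:*");     // wildcard permission: any action on reports
        realm.grant("viewer", "report:read");

        // The SecurityManager is the hub; every call on a Subject is delegated to it.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();

        try {
            subject.login(new UsernamePasswordToken("bob", "wrong-password"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName()); // IncorrectCredentialsException
        }

        subject.login(new UsernamePasswordToken("bob", "hunter2"));
        System.out.println("bob hasRole(viewer): " + subject.hasRole("viewer"));                       // true
        System.out.println("bob isPermitted(report:read): " + subject.isPermitted("report:read"));     // true
        System.out.println("bob isPermitted(report:delete): " + subject.isPermitted("report:delete")); // false
        subject.logout();

        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("alice isPermitted(report:delete): " + subject.isPermitted("report:delete")); // true via report:*
        subject.logout();
    }
}
```

Two points worth noticing: the plaintext password lives only inside the UsernamePasswordToken during login, because the Realm hands back the stored hash and salt and lets the HashedCredentialsMatcher do the comparison; and authorization data is fetched only when the first hasRole/isPermitted call arrives, which is exactly where Shiro's caching support plugs in if a CacheManager is configured on the SecurityManager.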

Introduction to Spring Security

Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It is a set of beans configured in the Spring application context, making full use of Spring's IoC/DI (Inversion of Control / Dependency Injection) and AOP (Aspect-Oriented Programming) facilities to provide declarative security, which removes much of the repetitive security code an enterprise system would otherwise need. It is a lightweight framework providing authentication and authorization for Spring applications, integrates well with Spring MVC, and ships implementations of common security algorithms (password hashing, for example). Security mainly involves two operations, "authentication" and "authorization" (sometimes called access control). Authentication establishes who a principal is; the principal may be a user, a device or another system. Authorization decides whether that principal may perform a given action in your application. By the time an authorization decision is made, the principal's identity (and its roles/authorities) has already been established by authentication.

Its design relies on a number of cooperating components inside the framework, which can be divided into the following pieces.

  • Web/HTTP security: the most complex part. Authentication for web requests is implemented as a chain of servlet filters plus supporting service beans. When an unauthenticated user requests a protected URL, they are redirected to a login page or shown an error page.

  • Security of business objects or methods: controls access to individual method invocations (via AOP), independently of the URL that triggered them.

  • AuthenticationManager: handles authentication requests coming from the other parts of the framework; the default implementation, ProviderManager, delegates to a list of AuthenticationProviders.

  • AccessDecisionManager: makes access decisions for web or method security. A default is registered, but a custom one can be plugged in by registering an ordinary bean. (Newer Spring Security releases, 5.5 and later, favour the AuthorizationManager interface for this role.)

  • AuthenticationProvider: the component the AuthenticationManager delegates to in order to actually verify one kind of credential (for example DaoAuthenticationProvider for username/password).

  • UserDetailsService: closely tied to the AuthenticationProvider; loads the user record (username, stored password hash, authorities) that the provider compares the submitted credentials against.
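To make the pieces above concrete, here is an added example (not code from the original article or from the Spring Security project itself) of a minimal Spring Security 6 configuration: a SecurityFilterChain for the web/HTTP layer, a PasswordEncoder and UserDetailsService that the auto-registered DaoAuthenticationProvider uses, and a service bean protected by method security. It assumes Spring Boot 3 with spring-boot-starter-security on the classpath; the two users, the URL patterns and the ReportService are constructed here for illustration.

```java
// Added example, not code from the original article or from the Spring Security project itself.
// Assumes Spring Boot 3 / Spring Security 6 on the classpath; the two users are constructed in memory.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity      // installs the servlet filter chain (the "Web/HTTP security" layer)
@EnableMethodSecurity   // enables @PreAuthorize on beans (the "business object / method security" layer)
public class SecurityConfig {

    // Web layer: URL-level rules evaluated by the filter chain before any controller runs.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())   // unauthenticated browser -> redirected to login page
            .httpBasic(Customizer.withDefaults());  // unauthenticated API client -> 401
        return http.build();
    }

    // Stored passwords carry an algorithm id prefix ("{bcrypt}..."), so the hash can be upgraded later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // UserDetailsService: the lookup the AuthenticationProvider calls. With a UserDetailsService and a
    // PasswordEncoder bean present, Spring Security auto-registers a DaoAuthenticationProvider inside
    // the default AuthenticationManager (ProviderManager); no explicit provider wiring is needed.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("correct horse battery staple")) // hashed at startup, never stored plain
            .roles("ADMIN")
            .build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("hunter2"))
            .roles("VIEWER")
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

// Method layer: enforced by an AOP interceptor no matter who calls it (controller, scheduler, test).
@Service
class ReportService {

    @PreAuthorize("hasAnyRole('ADMIN', 'VIEWER')")
    public String readReport(long id) {
        return "report " + id;
    }

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteReport(long id) {
        // bob (VIEWER) calling this gets an AccessDeniedException before the body runs
    }
}
```

The URL rules and the @PreAuthorize rules are independent layers: the filter chain protects the HTTP entry point, while the method interceptor protects the business object even when it is reached by a path that bypasses the controller, which is the reason the page lists "security of business objects or methods" separately from web security.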


Comparison of Shiro and Spring Security

  1. Shiro is easier to use, implement and, most importantly, understand than Spring Security.

  2. Spring Security is better known largely because of the Spring brand.

  3. "Spring" is known for its simplicity, yet, ironically, many people find Spring Security hard to configure.

  4. However, Spring Security has the larger community and better support.

  5. Apache Shiro ships a dedicated cryptography module (hashing, ciphers, credential matchers) alongside authentication and authorization; Spring Security's cryptographic support is mostly password encoding in spring-security-crypto.

  6. Spring Security integrates tightly with Spring. If the project already uses Spring MVC it is very convenient; if the project does not use Spring at all, it is not worth considering.

  7. Shiro is capable yet simple and flexible. It is a mature Apache project, is not tied to any framework or container, and can run stand-alone.

Origin http://43.154.161.224:23101/article/api/json?id=325012577&siteId=291194637