shiro is a security (permission) framework, not only in javase but also in javaee
Shiro can complete authentication, authorization, encryption, session management, integration with the web, caching, etc.
Authentication : Authentication/login, verifying whether the user has the corresponding identity;
Authorization : Authorization, that is, permission verification, verifying whether an authenticated user has a certain permission; that is, judging whether the user can do things, such as: verifying whether a user has a certain role. Or fine-grained to verify whether a user has a certain permission to a certain resource;
Session Manager : Session management, that is, after a user logs in, it is a session, and all its information is in the session before exiting; the session can be in a common JavaSE environment or a Web environment;
Cryptography : Encryption to protect the security of data, such as passwords are encrypted and stored in the database instead of plaintext;
Web Support : Web support can be easily integrated into the Web environment;
Caching: Caching, for example, after a user logs in, their user information and roles/permissions do not need to be checked every time, which can improve efficiency;
Concurrency : Shiro supports concurrent verification of multi-threaded applications, that is, if another thread is started in one thread, the permissions can be automatically propagated;
Testing : Provide testing support;
Run As : allows one user to pretend to be another user (if they allow it) to access;
Remember Me : Remember me, this is a very common function, that is, after logging in once, you don't need to log in the next time you come back.
Remember that Shiro will not maintain users and permissions; these need to be designed/ provided by ourselves; and then injected into Shiro through the corresponding interface .
Next, let's take a look at Shiro's architecture from the outside and inside. For a good framework, from the outside, it should have a very simple and easy-to-use API, and the API contract is clear;
Internally, it should have an extensible architecture that is very easy to plug in user-defined implementations, since no framework can meet all needs.
1. First of all, let's look at Shiro from the outside , that is, from the application point of view to observe how to use Shiro to get work done. As shown below:
First focus on the three most important objects:
Subject : The subject, representing the current "user"; all Subjects are bound to the SecurityManager, and all interactions with the Subject will be delegated to the SecurityManager; the Subject can be regarded as a facade; the SecurityManager is the actual executor;
SecurityManager : Security Manager; that is, all security-related operations will interact with SecurityManager; and it manages all Subjects; it can be seen that it is the core of Shiro, which is responsible for interacting with other components introduced later, if you have learned SpringMVC, You can think of it as a DispatcherServlet front controller;
Realm : Domain, Shiro obtains security data (such as users, roles, permissions) from Realm, that is to say, if SecurityManager wants to verify the user's identity, then it needs to obtain the corresponding user from Realm for comparison to determine whether the user's identity is legal; it also needs to obtain the user's identity from Realm. Obtain the user's corresponding role/authority to verify whether the user can operate; Realm can be regarded as a DataSource, that is, a secure data source.
One of the simplest Shiro apps:
1. The application code is authenticated and authorized by the Subject, and the Subject is delegated to the SecurityManager;
2. We need to inject Realm into Shiro's SecurityManager, so that SecurityManager can obtain legitimate users and their permissions for judgment.
(1) Create a token using the user's login information
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
The token can be understood as a user token, and the login process is abstracted as Shiro verifies whether the token has a legal identity and related permissions.
(2) Execute the login action
SecurityUtils.setSecurityManager(securityManager); // 注入SecurityManager Subject subject = SecurityUtils.getSubject(); // Get the Subject singleton object subject.login(token); // login
The SecurityUtils object is essentially a factory similar to the ApplicationContext in Spring. Through the login relationship between the token (token) and the project (subject), Shiro ensures the overall security of the project.
(3) Judging users
Shiro itself has no way of knowing whether the user holding the token is legitimate, as no one but the project's designers will know. Therefore , Realm is one of the few modules in the entire framework that must be implemented by the designer . Of course, Shiro provides a variety of ways to implement it.
2. Next, let's take a look at Shiro's architecture from inside Shiro, as shown in the following figure:
Subject : The subject, you can see that the subject can be any "user" who can interact with the application;
SecurityManager : Equivalent to DispatcherServlet in SpringMVC or FilterDispatcher in Struts2; it is the heart of Shiro; all specific interactions are controlled through SecurityManager; it manages all Subjects, and is responsible for authentication and authorization, as well as session and cache management.
Authenticator : Authenticator, responsible for subject authentication, this is an extension point, if the user thinks that Shiro is not good by default, he can customize the implementation; it needs an Authentication Strategy, that is, under what circumstances the user authentication has passed;
Authrizer : Authorizer, or access controller, is used to determine whether the subject has permission to perform the corresponding operation; that is, it controls which functions the user can access in the application;
Realm : There can be one or more Realms, which can be considered as a data source of security entities, that is, used to obtain security entities; it can be implemented by JDBC, LDAP, or memory, etc.; provided by the user; note: Shiro doesn't know where your users/permissions are stored and in what format; so we generally need to implement our own Realm in our applications;
SessionManager : If you have written Servlet, you should know the concept of Session. Session needs someone to manage its life cycle. This component is SessionManager; and Shiro can not only be used in the Web environment, but also in ordinary JavaSE environments, such as EJB and other environments; all, Shiro abstracts a Session of its own to manage the data interacting between the subject and the application; in this case, for example, when we use it in the Web environment, it was a Web server at first; then EJB was introduced Server; at this time, if you want to put the session data of the two servers in one place, you can implement your own distributed session at this time (such as putting the data in the Memcached server);
SessionDAO : Everyone has used DAO, data access object, CRUD for session, for example, if we want to save the session to the database, then we can implement our own SessionDAO and write to the database through JDBC; for example, if we want to put the session in Memcached, You can implement your own Memcached SessionDAO; in addition, Cache can be used in SessionDAO for caching to improve performance;
CacheManager : Cache controller to manage caches such as users, roles, permissions, etc. Because these data are rarely changed, they can improve access performance after being placed in the cache.
Cryptography : The cryptography module, Shiro improves some common cryptographic components used such as cryptographic encryption/decryption.
Taken from:
Chapter 1 Introduction to Shiro - "Learn Shiro With Me"