Chapter 1 Introduction to Shiro


 

1.1 Introduction

Apache Shiro is a security framework for Java. More and more people are using Apache Shiro because it is quite simple. Compared with Spring Security, it may not have Spring Security's powerful feature set, but in practice such complexity is often not needed, so the small and simple Shiro is enough. As for which of the two is better, there is no need to agonize over it; whichever solves the project's problem more easily is the better choice.

This tutorial only introduces the basic use of Shiro and will not analyze the source code in depth; the focus is on usage.

 

With Shiro it is easy to develop a good enough application, and it can be used not only in a JavaSE environment but also in a JavaEE environment. Shiro can help us with authentication, authorization, cryptography, session management, web integration, caching, and so on. Isn't this exactly what we want? Shiro's API is also very simple. Its basic features are shown in the following figure:

Authentication: identity authentication/login, verifying whether the user has the corresponding identity;

Authorization: authorization, i.e. permission verification, checking whether an authenticated user has a certain permission; in other words, deciding whether the user may do something, such as checking whether the user has a certain role, or, more fine-grained, whether the user has a certain permission on a certain resource;

Session Manager: session management; after a user logs in there is a session, and all of the user's information is kept in the session until logout; the session can live in an ordinary JavaSE environment or in a Web environment;

Cryptography: encryption to protect the security of data, for example passwords being encrypted before they are stored in the database rather than stored in plaintext;

Web Support: web support, so that Shiro can be easily integrated into a Web environment;

Caching: for example, after a user logs in, their user information and roles/permissions need not be looked up every time, which improves efficiency;

Concurrency: Shiro supports concurrent verification in multi-threaded applications; that is, if one thread starts another thread, the permissions can be automatically propagated to it;

Testing: provides testing support;

Run As: allows one user to act as another user (if that user permits it) when accessing the application;

Remember Me: a very common feature, i.e. after logging in once you do not need to log in again the next time you come back.

 

Remember that Shiro does not maintain users and permissions; these need to be designed and provided by us, and then injected into Shiro through the corresponding interface.

 

Next, let's look at Shiro's architecture from the outside and from the inside. A good framework should, from the outside, have a very simple and easy-to-use API with a clear API contract; from the inside, it should have an extensible architecture, i.e. it should be very easy to plug in user-defined implementations, since no framework can satisfy every requirement.

 

First, let's look at Shiro from the outside, i.e. from the application's perspective, to see how work is done with Shiro. As shown below:

 

It can be seen that the object the application code interacts with directly is the Subject; that is to say, the core of Shiro's external API is the Subject. The meaning of each API:

Subject: the principal, representing the current "user". This user is not necessarily a specific person; anything that interacts with the current application is a Subject, such as web crawlers, robots, etc. It is an abstract concept. All Subjects are bound to a SecurityManager, and all interactions with a Subject are delegated to the SecurityManager; the Subject can be regarded as a facade, and the SecurityManager is the actual executor;

SecurityManager: the security manager; all security-related operations interact with the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components introduced later. If you have learned SpringMVC, you can think of it as the DispatcherServlet front controller;

Realm: the domain. Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, if the SecurityManager wants to verify a user's identity, it obtains the corresponding user from the Realm for comparison to determine whether the identity is legitimate; it also obtains the user's roles/permissions from the Realm to verify whether the user may perform an operation. A Realm can be regarded as a DataSource, i.e. a security data source.

 

That is to say, for us, the simplest Shiro application looks like this:

1. The application code authenticates and authorizes through the Subject, and the Subject delegates to the SecurityManager;

2. We need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain the legitimate users and their permissions for its decisions.
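The two steps above in code, as an added example that is not part of the original tutorial: a hypothetical Realm named DemoRealm over a constructed in-memory account map stands in for a real user store (JDBC, LDAP, ...), and the Shiro 1.x core API (DefaultSecurityManager, AuthorizingRealm, HashedCredentialsMatcher) is assumed. The Realm returns only a salted SHA-256 hash, so the plaintext password is never stored or compared directly.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

// Hypothetical Realm over an in-memory map; in practice this would be backed by JDBC, LDAP, etc.
class DemoRealm extends AuthorizingRealm {
    // Constructed sample store: username -> { SHA-256(password, salt) as hex, salt, role }.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("alice", new String[]{ new Sha256Hash("s3cret", "demo-salt").toHex(), "demo-salt", "admin" }); }
    DemoRealm() {
        // Compare a salted SHA-256 of the submitted password with the stored hash, never the plaintext.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String[] rec = USERS.get((String) token.getPrincipal());
        if (rec == null) throw new UnknownAccountException("unknown account");
        // Hand back stored hash + salt; the SecurityManager's matcher does the comparison.
        return new SimpleAuthenticationInfo(token.getPrincipal(), rec[0], ByteSource.Util.bytes(rec[1]), getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole(USERS.get((String) principals.getPrimaryPrincipal())[2]);
        info.addStringPermission("user:read");   // constructed permission string
        return info;
    }
}

public class ShiroQuickstart {
    public static void main(String[] args) {
        // Step 2: inject the Realm into the SecurityManager and register it for SecurityUtils.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        // Step 1: application code only talks to the Subject, which delegates to the SecurityManager.
        Subject subject = SecurityUtils.getSubject();
        try { subject.login(new UsernamePasswordToken("alice", "s3cret")); }
        catch (AuthenticationException e) { System.out.println("login failed: " + e.getClass().getSimpleName()); return; }
        System.out.println("authenticated=" + subject.isAuthenticated() + " admin=" + subject.hasRole("admin")
            + " user:read=" + subject.isPermitted("user:read") + " user:delete=" + subject.isPermitted("user:delete"));
        subject.logout();
    }
}
```

A wrong password surfaces as an IncorrectCredentialsException from the matcher, and an unknown username as the UnknownAccountException thrown by the Realm; the application code never sees the stored hash.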

 

It can also be seen from the above that Shiro does not itself maintain users/permissions, but lets developers inject them through a Realm.

 

Next, let's take a look at Shiro's architecture from inside Shiro, as shown in the following figure:


  

Subject: the principal; as can be seen, the principal can be any "user" that interacts with the application;

SecurityManager: the equivalent of the DispatcherServlet in SpringMVC or the FilterDispatcher in Struts2; it is the heart of Shiro. All concrete interactions are controlled through the SecurityManager; it manages all Subjects and is responsible for authentication and authorization as well as session and cache management.

Authenticator: the authenticator, responsible for authenticating principals. This is an extension point: if Shiro's default does not suit you, you can provide your own implementation. It requires an Authentication Strategy, i.e. the rule for when a user counts as authenticated;

Authorizer: the authorizer, or access controller, used to decide whether a principal has permission to perform a given operation; i.e. it controls which functions of the application a user can access;

Realm: there can be one or more Realms, which can be thought of as security-entity data sources, i.e. they are used to obtain security entities; a Realm may be a JDBC implementation, an LDAP implementation, an in-memory implementation, and so on, and is provided by the user. Note: Shiro does not know where or in what format your users/permissions are stored, so in an application we generally need to implement our own Realm;

SessionManager: anyone who has written Servlets knows the concept of a Session; someone has to manage the Session's lifecycle, and that component is the SessionManager. Shiro can be used not only in a Web environment but also in an ordinary JavaSE environment, EJB and other environments, so Shiro abstracts its own Session to manage the data exchanged between the principal and the application. For example, suppose we use it in a Web environment, starting with a single Web server and later adding an EJB server; when we want to keep the session data of both servers in one place, we can implement our own distributed session (e.g. storing the data in a Memcached server);

SessionDAO: everyone has used DAOs, data access objects; this one performs CRUD on sessions. For example, to save Sessions in a database we can implement our own SessionDAO that writes to the database via JDBC; to put Sessions in Memcached we can implement our own Memcached SessionDAO. A SessionDAO can also use a Cache to improve performance;

CacheManager: the cache manager, which manages the caches of users, roles, permissions, etc.; because this data rarely changes, keeping it in a cache improves access performance;

Cryptography: the cryptography module; Shiro provides some common cryptographic components, for example for password encryption/decryption.

 

That covers Shiro's architecture and its components; next, let's learn Shiro's components one by one.

 

Reference: http://shiro.apache.org/reference.html

Reference: http://jinnianshilongnian.iteye.com/blog/2018936
