Chapter 1 Introduction to Shiro - "Learn Shiro With Me" Chapter 1 Introduction to Shiro - "Learn Shiro With Me"

Chapter 1 Introduction to Shiro - "Learn Shiro With Me"

Blog Category:

 
• Follow me Shiro

follow me shiro 

 

Catalog Stickers:  Follow Me Shiro Catalog Stickers

 

1.1 Introduction

Apache Shiro is a security framework for Java. At present, more and more people are using Apache Shiro, because it is quite simple. Compared with Spring Security, it may not have the powerful functions of Spring Security, but it may not need such complicated things in actual work, so use small and simple Shiro is enough. As for which of the two is better, there is no need to tangle, it would be better to solve the project problem more easily.

This tutorial only introduces the basic use of Shiro, and will not analyze the source code too much. The focus is on use.

 

Shiro can easily develop a good enough application, which can be used not only in the JavaSE environment, but also in the JavaEE environment. Shiro can help us with: authentication, authorization, encryption, session management, integration with the web, caching, etc. Isn't this what we want, and Shiro's API is also very simple; its basic function points are shown in the following figure:

Authentication : Authentication/login, verifying whether the user has the corresponding identity;

Authorization : Authorization, that is, permission verification, verifying whether an authenticated user has a certain permission; that is, judging whether the user can do things, such as: verifying whether a user has a certain role. Or fine-grained to verify whether a user has a certain permission to a certain resource;

Session Manager : Session management, that is, after a user logs in, it is a session, and all its information is in the session before exiting; the session can be in a common JavaSE environment or a Web environment;

Cryptography : Encryption to protect the security of data, such as passwords are encrypted and stored in the database instead of plaintext;

Web Support : Web support can be easily integrated into the Web environment;

Caching: Caching, for example, after a user logs in, their user information and roles/permissions do not need to be checked every time, which can improve efficiency;

Concurrency : Shiro supports concurrent verification of multi-threaded applications, that is, if one thread is started in another thread, the permissions can be automatically propagated;

Testing : Provide testing support;

Run As : allows one user to pretend to be another user (if they allow it) to access;

Remember Me : Remember me, this is a very common function, that is, after logging in once, you don't need to log in the next time you come back.

 

Remember that Shiro will not maintain users and permissions; these need to be designed/ provided by ourselves; and then injected into Shiro through the corresponding interface .

 

Next, let's take a look at Shiro's architecture from the outside and inside. For a good framework, from the outside, it should have a very simple and easy-to-use API, and the API contract is clear; from the inside, it should have an available API. Extended architecture, i.e. it is very easy to plug in user-defined implementations, since no framework can satisfy all requirements.

 

First, let's look at Shiro from the outside, that is, from an application perspective, to see how work can be done with Shiro. As shown below:

 

It can be seen that the object that the application code directly interacts with is the Subject, that is to say, the core of Shiro's external API is the Subject; the meaning of each API:

Subject : Subject, representing the current "user", this user is not necessarily a specific person, anything that interacts with the current application is a Subject, such as web crawlers, robots, etc.; that is, an abstract concept; all Subjects are bound to SecurityManager, all interactions with Subject will be delegated to SecurityManager; Subject can be regarded as a facade; SecurityManager is the actual executor;

SecurityManager : Security Manager; that is, all security-related operations will interact with SecurityManager; and it manages all Subjects; it can be seen that it is the core of Shiro, which is responsible for interacting with other components introduced later, if you have learned SpringMVC, You can think of it as a DispatcherServlet front controller;

Realm : Domain, Shiro obtains security data (such as users, roles, permissions) from Realm, that is to say, if SecurityManager wants to verify the user's identity, then it needs to obtain the corresponding user from Realm for comparison to determine whether the user's identity is legal; it also needs to obtain the user's identity from Realm. Obtain the user's corresponding roles/permissions to verify whether the user can operate; Realm can be regarded as a DataSource, that is, a secure data source.

 

That is to say, for us, the simplest Shiro application:

1. The application code is authenticated and authorized by the Subject, and the Subject is delegated to the SecurityManager;

2. We need to inject Realm into Shiro's SecurityManager, so that SecurityManager can obtain legitimate users and their permissions for judgment.

 

It can also be seen from the above that Shiro does not provide maintenance users/ permissions, but allows developers to inject themselves through Realm .

 

Next, let's take a look at Shiro's architecture from inside Shiro, as shown in the following figure:

  

Subject : The subject, you can see that the subject can be any "user" who can interact with the application;

SecurityManager : Equivalent to DispatcherServlet in SpringMVC or FilterDispatcher in Struts2; it is the heart of Shiro; all specific interactions are controlled through SecurityManager; it manages all Subjects, and is responsible for authentication and authorization, as well as session and cache management.

Authenticator : Authenticator, responsible for subject authentication, this is an extension point, if the user thinks that Shiro is not good by default, he can customize the implementation; it needs an Authentication Strategy, that is, under what circumstances the user authentication has passed;

Authrizer : Authorizer, or access controller, is used to determine whether the subject has permission to perform the corresponding operation; that is, it controls which functions the user can access in the application;

Realm : There can be one or more Realms, which can be considered as a data source of security entities, that is, used to obtain security entities; it can be implemented by JDBC, LDAP, or memory, etc.; provided by the user; note: Shiro doesn't know where your users/permissions are stored and in what format; so we generally need to implement our own Realm in our applications;

SessionManager : If you have written Servlet, you should know the concept of Session. Session needs someone to manage its life cycle. This component is SessionManager; and Shiro can not only be used in the Web environment, but also in ordinary JavaSE environments, such as EJB and other environments; all, Shiro abstracts a Session of its own to manage the data interacting between the subject and the application; in this case, for example, when we use it in the Web environment, it was a Web server at first; then EJB was introduced Server; at this time, if you want to put the session data of the two servers in one place, you can implement your own distributed session at this time (such as putting the data in the Memcached server);

SessionDAO : Everyone has used DAO, data access object, CRUD for session, for example, if we want to save the session to the database, then we can implement our own SessionDAO and write to the database through JDBC; for example, if we want to put the session in Memcached, You can implement your own Memcached SessionDAO; in addition, Cache can be used in SessionDAO for caching to improve performance;

CacheManager : Cache controller to manage caches such as users, roles, permissions, etc.; because these data are rarely changed, they can improve access performance after being placed in the cache.

Cryptography : The cryptography module, Shiro improves some common cryptographic components used such as cryptographic encryption/decryption.

 

Now that the Shiro architecture and its components are known, let's learn Shiro's components next.

 

Reference http://shiro.apache.org/reference.html

 

Catalog Stickers:  Follow Me Shiro Catalog Stickers

 

1.1 Introduction

Apache Shiro is a security framework for Java. At present, more and more people are using Apache Shiro, because it is quite simple. Compared with Spring Security, it may not have the powerful functions of Spring Security, but it may not need such complicated things in actual work, so use small and simple Shiro is enough. As for which of the two is better, there is no need to tangle, it would be better to solve the project problem more easily.

This tutorial only introduces the basic use of Shiro, and will not analyze the source code too much. The focus is on use.

 

Shiro can easily develop a good enough application, which can be used not only in the JavaSE environment, but also in the JavaEE environment. Shiro can help us with: authentication, authorization, encryption, session management, integration with the web, caching, etc. Isn't this what we want, and Shiro's API is also very simple; its basic function points are shown in the following figure:

Authentication : Authentication/login, verifying whether the user has the corresponding identity;

Authorization : Authorization, that is, permission verification, verifying whether an authenticated user has a certain permission; that is, judging whether the user can do things, such as: verifying whether a user has a certain role. Or fine-grained to verify whether a user has a certain permission to a certain resource;

Session Manager : Session management, that is, after a user logs in, it is a session, and all its information is in the session before exiting; the session can be in a common JavaSE environment or a Web environment;

Cryptography : Encryption to protect the security of data, such as passwords are encrypted and stored in the database instead of plaintext;

Web Support : Web support can be easily integrated into the Web environment;

Caching: Caching, for example, after a user logs in, their user information and roles/permissions do not need to be checked every time, which can improve efficiency;

Concurrency : Shiro supports concurrent verification of multi-threaded applications, that is, if one thread is started in another thread, the permissions can be automatically propagated;

Testing : Provide testing support;

Run As : allows one user to pretend to be another user (if they allow it) to access;

Remember Me : Remember me, this is a very common function, that is, after logging in once, you don't need to log in the next time you come back.

 

Remember that Shiro will not maintain users and permissions; these need to be designed/ provided by ourselves; and then injected into Shiro through the corresponding interface .

 

Next, let's take a look at Shiro's architecture from the outside and inside. For a good framework, from the outside, it should have a very simple and easy-to-use API, and the API contract is clear; from the inside, it should have an available API. Extended architecture, i.e. it is very easy to plug in user-defined implementations, since no framework can satisfy all requirements.

 

First, let's look at Shiro from the outside, that is, from an application perspective, to see how work can be done with Shiro. As shown below:

 

It can be seen that the object that the application code directly interacts with is the Subject, that is to say, the core of Shiro's external API is the Subject; the meaning of each API:

Subject : Subject, representing the current "user", this user is not necessarily a specific person, anything that interacts with the current application is a Subject, such as web crawlers, robots, etc.; that is, an abstract concept; all Subjects are bound to SecurityManager, all interactions with Subject will be delegated to SecurityManager; Subject can be regarded as a facade; SecurityManager is the actual executor;

SecurityManager : Security Manager; that is, all security-related operations will interact with SecurityManager; and it manages all Subjects; it can be seen that it is the core of Shiro, which is responsible for interacting with other components introduced later, if you have learned SpringMVC, You can think of it as a DispatcherServlet front controller;

Realm : Domain, Shiro obtains security data (such as users, roles, permissions) from Realm, that is to say, if SecurityManager wants to verify the user's identity, then it needs to obtain the corresponding user from Realm for comparison to determine whether the user's identity is legal; it also needs to obtain the user's identity from Realm. Obtain the user's corresponding roles/permissions to verify whether the user can operate; Realm can be regarded as a DataSource, that is, a secure data source.

 

That is to say, for us, the simplest Shiro application:

1. The application code is authenticated and authorized by the Subject, and the Subject is delegated to the SecurityManager;

2. We need to inject Realm into Shiro's SecurityManager, so that SecurityManager can obtain legitimate users and their permissions for judgment.

 

It can also be seen from the above that Shiro does not provide maintenance users/ permissions, but allows developers to inject themselves through Realm .

 

Next, let's take a look at Shiro's architecture from inside Shiro, as shown in the following figure:

  

Subject : The subject, you can see that the subject can be any "user" who can interact with the application;

SecurityManager : Equivalent to DispatcherServlet in SpringMVC or FilterDispatcher in Struts2; it is the heart of Shiro; all specific interactions are controlled through SecurityManager; it manages all Subjects, and is responsible for authentication and authorization, as well as session and cache management.

Authenticator : Authenticator, responsible for subject authentication, this is an extension point, if the user thinks that Shiro is not good by default, he can customize the implementation; it needs an Authentication Strategy, that is, under what circumstances the user authentication has passed;

Authrizer : Authorizer, or access controller, is used to determine whether the subject has permission to perform the corresponding operation; that is, it controls which functions the user can access in the application;

Realm : There can be one or more Realms, which can be considered as a data source of security entities, that is, used to obtain security entities; it can be implemented by JDBC, LDAP, or memory, etc.; provided by the user; note: Shiro doesn't know where your users/permissions are stored and in what format; so we generally need to implement our own Realm in our applications;

SessionManager : If you have written Servlet, you should know the concept of Session. Session needs someone to manage its life cycle. This component is SessionManager; and Shiro can not only be used in the Web environment, but also in ordinary JavaSE environments, such as EJB and other environments; all, Shiro abstracts a Session of its own to manage the data interacting between the subject and the application; in this case, for example, when we use it in the Web environment, it was a Web server at first; then EJB was introduced Server; at this time, if you want to put the session data of the two servers in one place, you can implement your own distributed session at this time (such as putting the data in the Memcached server);

SessionDAO : Everyone has used DAO, data access object, CRUD for session, for example, if we want to save the session to the database, then we can implement our own SessionDAO and write to the database through JDBC; for example, if we want to put the session in Memcached, You can implement your own Memcached SessionDAO; in addition, Cache can be used in SessionDAO for caching to improve performance;

CacheManager : Cache controller to manage caches such as users, roles, permissions, etc.; because these data are rarely changed, they can improve access performance after being placed in the cache.

Cryptography : The cryptography module, Shiro improves some common cryptographic components used such as cryptographic encryption/decryption.

 

Now that the Shiro architecture and its components are known, let's learn Shiro's components next.

 

Reference http://shiro.apache.org/reference.html