[Shiro from Beginner to Practice Tutorial] Chapter 2: Introduction to Shiro

2. Introduction to Shiro

2.1 What is Shiro

Shiro is an open source Apache framework for permission management: it implements user authentication and user authorization.

Spring has its own permission framework, Spring Security (formerly known as Acegi), but it is tightly coupled to Spring and is not as easy to use as Shiro.

Shiro does not depend on Spring. It can implement permission management not only for web applications, but also for client/server (C/S) systems and distributed systems. Shiro is a lightweight framework, and more and more enterprise projects are starting to use it.

Using Shiro to implement a system's permission management effectively improves development efficiency and therefore reduces development cost.

2.2 Three main concepts

Subject: can simply be understood as the user currently performing the operation.

SecurityManager: manages all Subjects.

Realms: used to verify identity and permission information.


Subject: the subject, i.e. the entity currently taking part in the application's security operations. It could be a user, a third-party service, a cron job, or anything else; it mainly refers to whatever is interacting with the current software. Every Subject requires a SecurityManager: when you interact with a Subject, those interactions are actually turned into interactions with the SecurityManager.

SecurityManager: the security manager, the core of the Shiro architecture; it acts as an umbrella over all the other components inside Shiro. Once the SecurityManager has been configured, however, it is used much less directly, and developers spend most of their time with the Subject. When you interact with the Subject, the SecurityManager is working behind the scenes to carry out the security operations on the Subject's behalf.

Realms: Realms are the bridge between Shiro and the application. When Shiro needs to interact with security data such as user accounts or access-control information, it looks it up in one or more Realms. Shiro ships with some Realms that can be used directly; if the default Realms do not meet your needs, you can also write your own.

2.3 Overall Architecture


  • Authenticator: the authenticator; manages login and logout.
  • Authorizer: the authorizer; grants the Subject its permissions.
  • Session Manager: the session manager; Shiro's own session management mechanism, usable without any web container.
  • Session DAO: session operations, mainly creating, deleting, updating and reading sessions.
  • Cache Manager: the cache manager.
  • Pluggable Realms (1 or more): the connection between Shiro and the data store (e.g. a database); performs authentication and authorization verification.
  • Cryptography: data encryption and hashing utilities.

2.4 Core components

Subject is the subject; external code interacts with Shiro through the Subject. The Subject represents the user currently performing the operation, where "user" should be understood as the subject of the current operation: it might be a user making a request through a browser, or a running program. Subject is an interface in Shiro that defines many methods related to authentication and authorization. External programs perform authentication and authorization through the Subject, and the Subject in turn performs them through the SecurityManager.

SecurityManager is the security manager, which manages the security of all Subjects. It is the core of Shiro: the authentication and authorization of every Subject is completed through the SecurityManager. Internally, the SecurityManager authenticates through the Authenticator, authorizes through the Authorizer, and manages sessions through the SessionManager. SecurityManager is an interface that extends the three interfaces Authenticator, Authorizer and SessionManager.

Authenticator is the authenticator, which verifies user identities. Authenticator is an interface; Shiro provides the ModularRealmAuthenticator implementation class, which meets most needs, and you can also write a custom authenticator.

Authorizer is the authorizer. After the user has been authenticated by the Authenticator, each time they access a function the Authorizer is used to determine whether the user has permission to perform that operation.

Realm is the domain, which is roughly equivalent to a DataSource. The SecurityManager obtains user identity and permission data through the Realm for its security checks. For example, if user identity data lives in a database, the Realm needs to fetch the user's identity information from that database. Don't think of the Realm as merely fetching data from the data source: the Realm also contains the code for authentication and authorization verification.

SessionManager is session management. The Shiro framework defines its own session management, which does not depend on the web container's Session, so Shiro can be used in non-web applications and can also centralize the session management of distributed applications. This feature lets it implement single sign-on.

SessionDAO is the session DAO, a set of interfaces for Session operations. For example, if you want to store Sessions in a database, you can persist them there through JDBC.

CacheManager is cache management; storing user permission data in a cache improves performance.

Cryptography is password management. Shiro provides a set of encryption/decryption components for convenient development; for example, it provides common hashing and encryption/decryption functions.
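To show how the pieces from sections 2.2 and 2.4 fit together, here is a minimal non-web Shiro program. It is an added example, not code from the original tutorial or from the Shiro project: a custom Realm (the bridge to user data) is wrapped by a DefaultSecurityManager, and the application code then only talks to the Subject, whose login() and hasRole()/isPermitted() calls are delegated to the Authenticator and Authorizer. It assumes shiro-core 1.x on the classpath; the in-memory user table, the user names and passwords, and the per-user salt strings are constructed for illustration only.

```java
// Added example (not from the original tutorial): minimal stand-alone Shiro setup.
// Assumes shiro-core 1.x. The account data below is constructed in memory; a real
// Realm would read it from a database, LDAP, or another store.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.HashMap;
import java.util.Map;

public class ShiroQuickStart {
    static final int HASH_ITERATIONS = 1024;

    /** One constructed account record: salt, iterated SHA-256 hash, roles and permissions. */
    static final class Account {
        final String salt, passwordHash;
        final String[] roles, permissions;
        Account(String salt, String hash, String[] roles, String[] perms) {
            this.salt = salt; this.passwordHash = hash; this.roles = roles; this.permissions = perms;
        }
    }

    /** Custom Realm: Shiro's bridge to the application's user data (section 2.4). */
    static final class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, Account> accounts = new HashMap<>();

        InMemoryRealm() {
            // Tell the Authenticator how stored credentials were hashed, so it compares
            // the submitted password against the stored hash rather than plaintext.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);

            // Constructed sample data (hypothetical users and passwords).
            addAccount("alice", "s3cret", new String[]{"admin"}, new String[]{"user:create", "user:delete"});
            addAccount("bob", "hunter2", new String[]{"reader"}, new String[]{"user:read"});
        }

        private void addAccount(String user, String password, String[] roles, String[] perms) {
            String salt = user + "-salt"; // placeholder salt; generate a random one per user in practice
            String hash = new Sha256Hash(password, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
            accounts.put(user, new Account(salt, hash, roles, perms));
        }

        /** Authentication: invoked by the Authenticator when subject.login() is called. */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = (String) token.getPrincipal();
            Account acct = accounts.get(user);
            if (acct == null) throw new UnknownAccountException("no account: " + user);
            // Return stored hash + salt; the credentials matcher performs the comparison.
            return new SimpleAuthenticationInfo(user, acct.passwordHash, ByteSource.Util.bytes(acct.salt), getName());
        }

        /** Authorization: invoked by the Authorizer for hasRole()/isPermitted() checks. */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Account acct = accounts.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (acct != null) {
                for (String r : acct.roles) info.addRole(r);
                for (String p : acct.permissions) info.addStringPermission(p);
            }
            return info;
        }
    }

    public static void main(String[] args) {
        // The SecurityManager is configured once around the Realm; from here on the
        // application only interacts with the Subject (section 2.2).
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject currentUser = SecurityUtils.getSubject();

        try {
            currentUser.login(new UsernamePasswordToken("alice", "s3cret")); // Subject -> SecurityManager -> Authenticator -> Realm
        } catch (AuthenticationException e) {
            System.out.println("login failed: " + e.getMessage());
            return;
        }
        System.out.println("authenticated as " + currentUser.getPrincipal());
        System.out.println("has role admin?  " + currentUser.hasRole("admin"));          // true
        System.out.println("user:delete?     " + currentUser.isPermitted("user:delete")); // true
        System.out.println("user:read?       " + currentUser.isPermitted("user:read"));   // false: not granted

        // Sessions come from Shiro's own SessionManager, not a servlet container.
        currentUser.getSession().setAttribute("lastAction", "login");
        currentUser.logout(); // invalidates the session and clears the principals
        System.out.println("still authenticated? " + currentUser.isAuthenticated());     // false
    }
}
```

Compile and run it with shiro-core and an SLF4J binding on the classpath. The point to take away is the delegation chain: the application never calls the Realm or the Authenticator itself; it calls the Subject, and the SecurityManager routes login to the Authenticator (which uses the Realm's doGetAuthenticationInfo and the HashedCredentialsMatcher) and permission checks to the Authorizer (which uses doGetAuthorizationInfo).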


Origin blog.csdn.net/ligonglanyuan/article/details/125677793