Getting Started with Shiro Overview

Table of contents

  • What is Shiro
  • Why use Shiro
  • Comparison of Shiro and Spring Security
  • Basic functions
  • Architecture (how it works)

What is Shiro

Apache Shiro is a powerful and easy-to-use security (permissions) framework for Java. Shiro can do: authentication, authorization, encryption, session management, integration with the web, caching, etc. With Shiro you can quickly and easily secure any application - from the smallest mobile application to the largest web and enterprise application.

Official website: https://shiro.apache.org/

Why use Shiro 

The framework landscape has changed considerably since 2003, yet many systems still use Shiro today. That staying power is inseparable from the characteristics of Shiro.

  1. Ease of use: Building a system security framework with Shiro is very simple. Even someone encountering it for the first time can master it quickly.
  2. Comprehensive: Shiro includes the functions a system security framework requires and meets security requirements as a "one-stop service".
  3. Flexible: Shiro can work in any application environment. While it works in Web, EJB, and IoC environments, it does not need to depend on them. Shiro also does not enforce any specifications, and does not even have many dependencies.
  4. Strong web support: Shiro has excellent web application support, can create flexible security policies based on application URLs and web protocols (such as REST), and also provides a set of JSP tag libraries to control page output.
  5. Strong compatibility: Shiro's design patterns make it easy to integrate with other frameworks and applications. Shiro integrates seamlessly with frameworks like Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, and more.
  6. Community support: Shiro is an open source project of the Apache Software Foundation, with complete community support and documentation. Commercial companies like Katasoft also provide professional support and services if needed.

Comparison of Shiro and Spring Security

  1. Spring Security is developed on top of Spring. If the project already uses Spring as its foundation, it is more convenient to handle permissions with Spring Security, whereas Shiro needs to be integrated with Spring;
  2. Spring Security has more functions than Shiro, such as security maintenance;
  3. Spring Security's community resources are relatively richer than Shiro's;
  4. The configuration and use of Shiro are relatively simple, while Spring Security is more complicated to get started with;
  5. Shiro has few dependencies, does not need any framework or container, and can run independently. Spring Security relies on the Spring container;
  6. Shiro is not limited to the web; it can work in any application environment. Perhaps one of the most important benefits of Shiro when clustering sessions is that its sessions are container-independent.

Basic functions

1. The basic function points are shown in the figure below

2. Function introduction

  • Authentication: identity authentication/login, verifying whether the user has the corresponding identity;
  • Authorization: authorization, that is, permission verification, which checks whether an authenticated user has a certain permission; in other words, it decides whether the user may perform a given operation, for example verifying whether a user has a certain role, or, more fine-grained, whether a user has a certain permission on a certain resource;
  • Session Manager: session management, that is, the session that exists after the user logs in, in which all of the user's information lives until logout; the session can be in a normal JavaSE environment or in a Web environment;
  • Cryptography: encryption to protect the security of data, such as storing passwords in the database in hashed/encrypted form instead of plaintext;
  • Web Support: web support, so Shiro can be easily integrated into a Web environment;
  • Caching: caching. For example, after a user logs in, the user information and the roles/permissions they hold do not need to be looked up on every request, which improves efficiency;
  • Concurrency: Shiro supports concurrent verification in multi-threaded applications, that is, if one thread spawns another, the permissions are propagated automatically;
  • Testing: provides testing support;
  • Run As: allows a user to act as another user (if that user allows it);
  • Remember Me: a very common function, meaning that after logging in once, you do not need to log in again next time.

Architecture (how it works)

1. Shiro architecture (Shiro's external view)
Looking at Shiro from the outside means observing, from the application's perspective, how Shiro is used to get the work done.

Shiro architecture
(1) Subject: the object that application code interacts with directly is the Subject; in other words, the core of Shiro's external API is the Subject. The Subject represents the current "user". This user is not necessarily a specific person: anything that interacts with the current application is a Subject, such as a web crawler, a robot, etc. All interactions with the Subject are delegated to the SecurityManager; the Subject is in fact a facade, and the SecurityManager is the actual executor;
(2) SecurityManager: the security manager; all security-related operations interact with the SecurityManager, and it manages all Subjects. It is clearly the core of Shiro, and it is responsible for interacting with Shiro's other components, playing a role equivalent to the DispatcherServlet in SpringMVC;
(3) Realm: Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, when the SecurityManager wants to authenticate a user, it needs to obtain the corresponding user from the Realm and compare it with the submitted credentials to determine whether the user's identity is legitimate; it also needs to obtain the user's roles/permissions from the Realm to verify whether the user may perform an operation. The Realm can be regarded as a DataSource.

2. Shiro architecture (Shiro internal view)

Shiro Architecture

(1) Subject: any "user" who can interact with the application;

(2) SecurityManager: equivalent to the DispatcherServlet in SpringMVC; it is the heart of Shiro; all concrete interactions are controlled by the SecurityManager; it manages all Subjects and is responsible for authentication, authorization, session and cache management;

(3) Authenticator: responsible for authenticating the Subject; it is an extension point that can be customized. An authentication strategy (Authentication Strategy) can be used to define under what circumstances a user's authentication is considered passed;

(4) Authorizer: the authorizer, that is, the access controller, used to determine whether the Subject has permission to perform the corresponding operation; in other words, it controls which functions the user can access in the application;

(5) Realm: there can be one or more Realms, which can be regarded as security entity data sources used to obtain security entities; a Realm can be implemented with JDBC, in memory, etc. It is provided by the user, so in general every application needs to implement its own Realm;

(6) SessionManager: the component that manages the Session life cycle; Shiro can be used not only in a Web environment but also in a normal JavaSE environment;

(7) CacheManager: the cache controller, managing caches for users, roles, permissions, etc.; because this data rarely changes, placing it in a cache improves access performance;

(8) Cryptography: the cipher module; Shiro provides some common cryptographic components, for example for password encryption/decryption.
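To tie the external and internal views together (the Subject/SecurityManager/Realm description above and the point that every application implements its own Realm), here is an added example that is not from the original post: a hypothetical in-memory Realm built on Shiro's AuthorizingRealm, wired into a DefaultSecurityManager, with a Subject logging in and asking the Authorizer about roles and permissions. Assumed names (InMemoryRealm, ShiroQuickStart, the sample accounts alice/bob) are constructed for illustration; the Shiro classes are the real shiro-core API.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShiroQuickStart {
    // Hypothetical Realm: the "DataSource" the SecurityManager consults. Constructed
    // sample data lives in maps here; a production Realm would query JDBC, LDAP, etc.
    static class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, String> passwords = Map.of("alice", "secret", "bob", "pass");
        private final Map<String, Set<String>> roles = Map.of("alice", Set.of("admin"), "bob", Set.of("viewer"));
        private final Map<String, Set<String>> perms = Map.of("admin", Set.of("user:*"), "viewer", Set.of("user:read"));
        @Override // Called by the Authenticator on subject.login()
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String user = (String) token.getPrincipal();
            String stored = passwords.get(user);
            if (stored == null) throw new UnknownAccountException("no account: " + user);
            // The Realm's CredentialsMatcher compares the submitted password with "stored"; with
            // hashed storage you would configure a HashedCredentialsMatcher instead of the default.
            return new SimpleAuthenticationInfo(user, stored, getName());
        }
        @Override // Called by the Authorizer on hasRole()/isPermitted(); results are cacheable
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles.getOrDefault(user, Set.of()));
            for (String role : info.getRoles()) info.addStringPermissions(perms.getOrDefault(role, Set.of()));
            return info;
        }
    }
    public static void main(String[] args) {
        // SecurityManager is the executor; the Subject is only a facade delegating to it
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        // login() throws AuthenticationException (a RuntimeException) on a bad account or password
        subject.login(new UsernamePasswordToken("bob", "pass"));
        System.out.println("bob has role viewer: " + subject.hasRole("viewer"));         // true
        System.out.println("bob permitted user:read: " + subject.isPermitted("user:read"));     // true
        System.out.println("bob permitted user:delete: " + subject.isPermitted("user:delete")); // false
        subject.logout(); // ends the session managed by the SessionManager
    }
}
```

Because "user:*" is a wildcard permission, logging in as alice instead would make isPermitted("user:delete") return true.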

Source: blog.csdn.net/m0_62436868/article/details/130545945