[Shiro] Getting Started Overview

1. What is Shiro?

Apache Shiro is a powerful and easy-to-use Java security (permissions) framework. Shiro covers authentication, authorization, cryptography, session management, web integration, caching and more. With Shiro you can quickly and easily secure any application, from the smallest mobile app to the largest web and enterprise applications.

Official website: https://shiro.apache.org/ 

2. Why use Shiro?

The framework landscape has changed considerably since 2003, yet many systems in use today still run on Shiro. This is inseparable from Shiro's characteristics:
Ease of use: building a system security framework with Shiro is easy. Even on first contact you can quickly get to grips with it.
Comprehensive: Shiro includes the functions a system security framework needs and is a "one-stop shop" for security requirements.
Flexible: Shiro can work in any application environment. Although it runs in web, EJB and IoC environments, it does not depend on them. Shiro also does not mandate any specification, nor even many dependencies.
Strong web support: Shiro has excellent web application support; flexible security policies can be built on application URLs and web protocols such as REST, and a set of JSP tag libraries is provided to control page output.
Strong compatibility: Shiro's design patterns make it easy to integrate with other frameworks and applications. Shiro integrates seamlessly with frameworks such as Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin and more.
Community support: Shiro is an open source project of the Apache Software Foundation with full community and documentation support. Commercial companies such as Katasoft also provide professional support and services if needed.

3. Comparison between Shiro and SpringSecurity

1. Spring Security is built on Spring. If a project already uses Spring as its foundation, handling permissions with Spring Security is more convenient, whereas Shiro must be integrated with Spring separately;
2. Spring Security has richer functionality than Shiro, for example in security maintenance;
3. Spring Security's community resources are relatively richer than Shiro's;
4. Shiro is relatively simple to configure and use, while Spring Security is more complicated to get started with;
5. Shiro has few dependencies, requires no framework or container, and can run independently; Spring Security depends on the Spring container;
6. Shiro is not limited to the web; it can work in any application environment. For clustered sessions, perhaps Shiro's most important benefit is that its sessions are container independent.

4. Basic functions

1. The basic function points are as shown in the figure below.
2. Function introduction
(1) Authentication: identity authentication/login, verifying whether the user holds the claimed identity;
(2) Authorization: permission verification, checking whether an authenticated user holds a given permission; that is, determining whether the user may perform an operation, such as coarse-grained checking whether a user has a certain role, or fine-grained checking whether a user has certain permissions on a certain resource;
(3) Session Manager: session management. After the user logs in, a session exists and all of the user's information lives in it until they log out; the session can run in a plain JavaSE environment or a web environment;
(4) Cryptography: encryption to protect the security of data. For example, passwords are encrypted (in practice, hashed) before being stored in the database rather than stored in plain text;
(5) Web Support: web support, so that Shiro can easily be integrated into a web environment;
(6) Caching: for example, after a user logs in, their user information and roles/permissions do not need to be looked up on every check; this improves efficiency;
(7) Concurrency: Shiro supports concurrent verification in multi-threaded applications; that is, when one thread starts another, the permissions can propagate automatically;
(8) Testing: testing support is provided;
(9) Run As: allows one user to act as another user (if that user permits it) for access;
(10) Remember Me: a very common function; after logging in once, the user does not need to log in again next time.

5. Principle

1. Shiro architecture (from outside Shiro)
Looking at Shiro from the outside, that is, from an application's perspective, looking at how to use Shiro to get things done:

Shiro architecture
(1) Subject: the object that application code interacts with directly is the Subject, which means the core of Shiro's external API is the Subject. The Subject represents the current "user", which is not necessarily a specific person: anything that interacts with the application is a Subject, such as web crawlers, robots, etc. All interactions with the Subject are delegated to the SecurityManager; the Subject is really a facade, and the SecurityManager is the actual executor;
(2) SecurityManager: the security manager; all security-related operations interact with the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with Shiro's other components, playing a role equivalent to the DispatcherServlet in Spring MVC;
(3) Realm: Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, when the SecurityManager wants to authenticate a user, it needs to fetch the corresponding user from the Realm and compare, to determine whether the user's identity is legitimate; it also needs to obtain the user's roles/permissions from the Realm to verify whether the user may perform an operation. You can think of the Realm as a DataSource.
2. Shiro architecture (from Shiro's internal perspective)
Shiro architecture
(1) Subject: any "user" who can interact with the application;
(2) SecurityManager: equivalent to the DispatcherServlet in Spring MVC; it is Shiro's heart. All concrete interactions are controlled through the SecurityManager; it manages all Subjects and is responsible for authentication, authorization, session and cache management;
(3) Authenticator: responsible for authenticating Subjects. It is an extension point and can be customized; an authentication strategy (Authentication Strategy) can be used to define under what circumstances authentication passes;
(4) Authorizer: the access controller, used to determine whether the Subject has the authority to perform an operation; that is, it controls which features of the application a user can access;
(5) Realm: there can be one or more Realms, which can be thought of as security entity data sources, that is, used to obtain security entity data. A Realm can be a JDBC implementation, an in-memory implementation, etc.; it is provided by the user, so an application generally needs to implement its own Realm;
(6) SessionManager: the component that manages the Session life cycle; Shiro can be used not only in a web environment but also in a normal JavaSE environment;
(7) CacheManager: cache controller managing caches of users, roles, permissions, etc. Because this data rarely changes, putting it in the cache improves access performance;
(8) Cryptography: the cryptography module; Shiro provides some common cryptographic components for password encryption/decryption.
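As an added example (not code from the original post), here is the delegation chain just described, in working code: the application talks to a Subject, which delegates to the SecurityManager, which asks a custom Realm for credentials and for roles/permissions. It assumes Shiro 1.x (shiro-core) on the classpath; the InMemoryRealm, its two constructed accounts and salts, and the "user:*" / "user:read" permission strings are hypothetical stand-ins for a JDBC-backed Realm.

```java
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

public class ShiroFlowExample {
    // Hypothetical Realm with constructed accounts, standing in for a JDBC-backed Realm.
    static class InMemoryRealm extends AuthorizingRealm {
        // username -> {salt, hex SHA-256(password, salt), role}; the plaintext is never stored
        private final Map<String, String[]> accounts = Map.of(
            "alice", new String[] {"salt-a", new Sha256Hash("s3cret", "salt-a").toHex(), "admin"},
            "bob",   new String[] {"salt-b", new Sha256Hash("hunter2", "salt-b").toHex(), "user"});
        InMemoryRealm() {
            // The Authenticator compares credentials through this matcher: hash submitted password + salt
            setCredentialsMatcher(new HashedCredentialsMatcher("SHA-256"));
        }
        @Override // invoked by the Authenticator during subject.login()
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String[] acct = accounts.get((String) token.getPrincipal());
            if (acct == null) throw new UnknownAccountException("unknown user");
            return new SimpleAuthenticationInfo(token.getPrincipal(), acct[1], ByteSource.Util.bytes(acct[0]), getName());
        }
        @Override // invoked by the Authorizer on hasRole() / isPermitted()
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String role = accounts.get((String) principals.getPrimaryPrincipal())[2];
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole(role);
            info.addStringPermission("admin".equals(role) ? "user:*" : "user:read");
            return info;
        }
    }

    public static void main(String[] args) {
        // Subject (facade) -> SecurityManager -> Realm: the delegation chain described above
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("bob", "hunter2"));
        } catch (AuthenticationException e) {   // wrong password, unknown account, locked, ...
            System.out.println("login failed: " + e.getMessage());
            return;
        }
        System.out.println("bob has role admin: " + subject.hasRole("admin"));            // false
        System.out.println("bob may delete users: " + subject.isPermitted("user:delete")); // false
        subject.logout();
    }
}
```

The HashedCredentialsMatcher is what lets the Realm hold only salted digests while login still works; for real password storage Shiro's PasswordService/PasswordMatcher with a slow, iterated hash is the better fit than a single SHA-256 round.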


Origin blog.csdn.net/weixin_45481821/article/details/132926475