A preliminary study on shiro, a Java security framework

Besides the Spring family, the other Java security framework is Shiro.

There is also a domestic framework that has become very useful recently: Sa-Token. Readers who want to know more can look it up.

Shiro official documentation: https://shiro.apache.org/

Learning tutorial reference: https://www.w3cschool.cn/shiro/

Apache Shiro is a security framework for Java. More and more people are using it because it is quite simple. It may not be as powerful as Spring Security, but in real work you often do not need something that complicated, and a small, simple framework such as Shiro is enough. There is no need to agonize over which of the two is better; what matters is solving the project's problem.

1. Authentication: identity authentication/login, i.e. verifying whether the user has the corresponding identity;

2. Authorization: permission verification, i.e. checking whether an authenticated user is allowed to do something; common examples are checking whether a user has a certain role, or a fine-grained check of whether a user has a certain permission on a certain resource;

3. Session Management: after a user logs in, that is one session, and until the user exits, all of the user's information is in the session; the session can be in a plain JavaSE environment or in a Web environment;

4. Cryptography: encryption to protect data, such as encrypting passwords before storing them in the database instead of storing them in plain text;

5. Web Support: easy integration into the Web environment;

6. Caching: for example, after a user logs in, the user's information and roles/permissions do not need to be looked up every time, which improves efficiency;

7. Concurrency: Shiro supports concurrent verification in multi-threaded applications, i.e. if you start another thread from one thread, the permissions are propagated automatically;

8. Testing: testing support;

9. Run As: allows one user to act as another user (if they allow it);

10. Remember Me: a very common feature; after logging in once, you do not need to log in again next time.

Subject: the subject represents the current "user". This user is not necessarily a specific person; anything that interacts with the current application is a Subject, such as web crawlers, robots, etc. It is an abstract concept. Every Subject is bound to the SecurityManager, and all interactions with a Subject are delegated to the SecurityManager. The Subject can be thought of as a facade; the SecurityManager is the actual executor.

SecurityManager: the security manager. All security-related operations go through the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components introduced later. If you have studied SpringMVC, you can think of it as the DispatcherServlet front controller.

Realm: the domain. Shiro obtains security data (such as users, roles, permissions) from a Realm. That is, when the SecurityManager wants to verify a user's identity, it obtains the corresponding user from the Realm and compares it to decide whether the identity is legitimate; it also obtains the user's roles/permissions from the Realm to verify whether the user can perform an operation. A Realm can be regarded as a DataSource, i.e. a secure data source.

1. Add dependencies

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.2.2</version>
    </dependency>

2. Create the configuration file (shiro.ini) with the user information

[users]
jiangnan=123456
huangchao=9521

3. Write the authentication demo code

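    import java.util.Scanner;

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;

    public class ShiroLoginDemo {
        public static void main(String[] args) {
            Scanner scanner = new Scanner(System.in);
            System.out.println("输入用户名"); // prompt: "Enter username"
            String userName = scanner.next();
            System.out.println("输入密码"); // prompt: "Enter password"
            String pwd = scanner.next();
            // 1. Create the security manager from shiro.ini on the classpath
            IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:shiro.ini");
            SecurityManager securityManager = factory.getInstance();
            SecurityUtils.setSecurityManager(securityManager);
            // 2. Create the subject and the token carrying the submitted credentials
            Subject subject = SecurityUtils.getSubject();
            AuthenticationToken userToken = new UsernamePasswordToken(userName, pwd);
            try {
                // 3. Authenticate
                subject.login(userToken);
                System.out.println("验证成功"); // "Authentication succeeded"
            } catch (AuthenticationException e) {
                e.printStackTrace();
                System.out.println("验证失败"); // "Authentication failed"
            }
        }
    }

4. To deepen my own beginner's understanding, I traced the source code and drew a sketch, so please go easy on me~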
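
The steps above keep the passwords in plain text in shiro.ini, while the Cryptography feature listed earlier is about storing them in hashed form. The following is an added example, not code from the original post: a hypothetical `DemoRealm` (the class names, iteration count and role name are assumptions, and the imports follow the Shiro 1.x package layout of the dependency above) that keeps only a salted SHA-256 hash and lets a `HashedCredentialsMatcher` verify the login through the same Subject → SecurityManager → Realm path.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo {
    static final int ITERATIONS = 100_000; // constructed demo value
    // Hypothetical realm: one in-memory account stands in for a database row.
    static class DemoRealm extends AuthorizingRealm {
        private final ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        // Only the salted, iterated hash is kept; the plaintext is not stored.
        private final String storedHex = new Sha256Hash("123456", salt, ITERATIONS).toHex();
        DemoRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            setCredentialsMatcher(matcher); // hashes the submitted password with the account's salt
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            if (!"jiangnan".equals(token.getPrincipal())) {
                throw new UnknownAccountException();
            }
            return new SimpleAuthenticationInfo("jiangnan", storedHex, salt, getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole("user"); // constructed role name
            return info;
        }
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("jiangnan", "wrong-password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("login rejected: wrong password");
        }
        subject.login(new UsernamePasswordToken("jiangnan", "123456"));
        System.out.println("authenticated=" + subject.isAuthenticated() + ", hasRole(user)=" + subject.hasRole("user"));
    }
}
```

In a real realm the salt and hash would be read from the user store for the submitted username instead of being computed at start-up.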


Origin blog.csdn.net/qq_30519365/article/details/134901448