Introduction to the Shiro Framework (1)

1. What is Shiro?

Apache Shiro is a Java security framework that provides authentication, authorization, encryption and session management.

2. Shiro's features

Its basic features are shown in the figure below:

The meaning of each feature is as follows:

Authentication: identity authentication / login; verifies whether the user has the appropriate identity.

Authorization: authorization, that is, permission verification; verifies whether an authenticated user has a given privilege, i.e. determines whether the user may do something. For example, fine-grained verification of whether a user has a particular permission on a resource.

Session Management: session management; once a user logs in there is a session, and until the user logs out all of their information is kept in that session. The session can live in a Java SE environment or in a web environment.

Cryptography: encryption to protect data; for example, passwords are stored encrypted in the database instead of in plaintext.

Web Support: web support; Shiro can be integrated into a web environment very easily.

Caching: caching; for example, after a user logs in, their user information and roles/permissions do not have to be looked up every time, because they can be taken from the cache to improve efficiency.

Concurrency: Shiro supports concurrent verification in multi-threaded applications; for example, when one thread starts another thread, the permissions are automatically propagated to the new thread.

Testing: provides test support.

Run As: allows a user to act as another user (if that user allows it) when accessing the application.

Remember Me: remember me, a very common feature; after the first login, the user does not have to log in again on the next visit.

Last but not least: Shiro does not maintain users or permissions. These must be designed and provided by the developer and then injected into Shiro through the corresponding interfaces.

 

As can be seen from the figure, application code interacts directly with the Subject object, which means that the core of Shiro's external API is Subject.

The meaning of each API is as follows:

Subject: the subject, representing the current "user" (the user is not necessarily a specific person); anything that interacts with the current application is a Subject.

All Subjects are bound to the SecurityManager, and all interaction with a Subject is delegated to the SecurityManager. The Subject can be considered a facade; the SecurityManager is the actual executor.

SecurityManager: the security manager; all security-related operations interact with the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components behind it. It can be thought of as the equivalent of the DispatcherServlet front controller in Spring MVC.

Realm: the domain. Shiro obtains its security data (such as users, roles and permissions) from the Realm. When the SecurityManager needs to verify a user's identity, it fetches the corresponding user from the Realm and compares it to determine whether the user's identity is legitimate; it also fetches the user's roles / permissions from the Realm to verify whether the user may perform an operation. A Realm can be seen as a DataSource, namely a source of security data.

Put simply, it comes down to two things:

1. Application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager;

2. We need to inject a Realm into Shiro's SecurityManager, so that the SecurityManager can obtain the legitimate users and their permissions in order to make its decisions.

 


Origin blog.csdn.net/it_erge/article/details/90642058