1. The most basic method - permission five table
The most basic and most importantly, back shiro and spring security permissions are based on five tables
2.shiro
Apache Shiro is a powerful and easy to use Java security framework for authentication, authorization, password and session management. Shiro's easy to understand the use of the API, you can quickly and easily access any application, from the smallest to the largest mobile network applications and enterprise applications.
The main function
Three core components:
Subject, and the SecurityManager Realms.
Subject:
namely, "The current user." However, in Shiro, Subject of this concept is not only a person, it can be a third-party process, the background accounts (Daemon Account) or other similar things. It simply means "the current interactive software with something."
Subject represents the current user's security operation, SecurityManager manage all users of the security operation.
SecurityManager: It is the core framework of Shiro, a typical Facade pattern, Shiro to manage the internal component instance by SecurityManager, and through it to provide a variety of services security management.
Realm: Realm act as a "bridge" or "connector" between Shiro and application security data. That is, when a user performs an authentication (login) and authorization (access control) verification, Shiro looks for information from users and their privileges in the application configuration Realm.
In this sense, Realm is essentially a safety-related DAO: It encapsulates the data source connection details, and if necessary will provide relevant data to Shiro. When configuring Shiro, you must specify at least one Realm, for authentication and (or) authorization. Configure multiple Realm is possible, but requires at least one.
Shiro built Realm can connect a large number of security data sources (aka directory), such as LDAP, relational databases (JDBC), similar to the INI text configuration resources, and property files. If the default Realm can not meet the demand, you can also insert custom data source on behalf of their own Realm implementation.
Subject represents the current user's security operation, SecurityManager manage all users of the security operation.
SecurityManager: It is the core framework of Shiro, a typical Facade pattern, Shiro to manage the internal component instance by SecurityManager, and through it to provide a variety of services security management.
Realm: Realm act as a "bridge" or "connector" between Shiro and application security data. That is, when a user performs an authentication (login) and authorization (access control) verification, Shiro looks for information from users and their privileges in the application configuration Realm.
In this sense, Realm is essentially a safety-related DAO: It encapsulates the data source connection details, and if necessary will provide relevant data to Shiro. When configuring Shiro, you must specify at least one Realm, for authentication and (or) authorization. Configure multiple Realm is possible, but requires at least one.
Shiro built Realm can connect a large number of security data sources (aka directory), such as LDAP, relational databases (JDBC), similar to the INI text configuration resources, and property files. If the default Realm can not meet the demand, you can also insert custom data source on behalf of their own Realm implementation.
3.Spring Security
Brief introduction
Spring Security, formerly known as Acegi Security, is a framework to provide secure authentication services for Spring project group.
Spring Security provides comprehensive security services for J2EE-based enterprise applications. Particularly the use of leading J2EE solution -Spring framework for the development of enterprise software projects.
Features
Spring Security support for Web security is dependent on a large number of Servlet filters. These filters intercept incoming request, and prior to the application of certain security processing request processing. Spring Security provides a number of filters that can intercept Servlet request and forwarded to authentication and access management decision-making processes these requests, thereby enhancing security. According to their needs, appropriate filters may be used to protect their applications.
If too Servlet filters and make it work, it is necessary to use <filter> and <filter-mapping> element are arranged in the web.xml file Web application. Although this can work, but it does not apply to the use of dependency injection configuration.
FilterToBeanProxy is a special Servlet filters, which itself is not much work to do, but to delegate their work to a Bean Spring application context to complete. Bean was commissioned almost the same as other Servlet filters achieve javax.servlet.Filter interface, but it is configured in the Spring configuration file rather than the web.xml file.
In fact, FilterToBeanProxy proxy to that Bean can be any realization of javax.servlet.Filter. This can be any of a Spring Security filter, or it can be a filter that you create. But as the book already mentioned, Spring Security configuration requires at least four and probably a dozen or more filters.