Shiro Notes (i) Introduction to the security framework of the----Shiro

I. Introduction of Shiro

Apache Shiro is a security framework for Java. Powerful, with a simple Java security framework, it provides developers with an intuitive and comprehensive solution for authentication, authorization, encryption, and session management.
In fact, Shiro's primary function is to manage all security-related applications in the application, while supporting multiple implementations as much as possible. Shiro is built on sophisticated interface-driven design and object-oriented principles, supporting a variety of custom behaviors. The default implementation provided by Shiro allows it to accomplish the same functionality as other security frameworks, and that's not what we've been trying to get.

Apache Shiro is fairly simple, compared to spring security, which may not be as powerful as spring security, but it may not be as complicated as it actually is, so using small, simple Shiro is enough. For the two of them in the end which is good, this does not have to struggle, can be easier to solve the project problem just fine.

Second, what can Shiro do

Verify user identity
User access control, such as whether a user has been given a role, whether to allow access to certain resources
The session API can be used in any environment, even if it is not a Web project or does not have an EJB container
Event response (during authentication, access control, or session life cycle)
Integration of multiple user information data sources
sso-Single-point login
Remember me, remember me.
Shiro attempts to implement these capabilities in any application environment, without relying on other frameworks, containers, or application servers.

three, the characteristics of Shiro

Shiro can be very easy to develop a good enough application, not only can be used in the javase environment, but also can be used in the Java EE environment. Shiro can help us complete: Authentication, authorization, encryption, session management, Web integration, caching, and more. This is not what we want, and the Shiro API is very simple; its basic function points are shown in the following figure:

Four cornerstones----authentication, authorization, session management, encryption

1.Authentication: identity Authentication/login, verify that the user has the corresponding identity;

2.Authorization: authorization, which is authentication of permissions, verifies that a authenticated user has a permission, that is, whether a user can do something, as usual: Verifying that a user has a role. or fine-grained verification that a user has a certain permission on a resource;

3.Session Manager: Session Management, that is, after the user logs on is a session, before exiting, all its information is in the session, the session can be normal javase environment, or can be such as the web environment;

4.Cryptography: encryption to protect the security of data, such as password encryption stored in the database, rather than plaintext storage;

In addition to the above features, Shiro also offers a number of extensions as follows

Web Support:web support, can be very easy to integrate into the web environment;

Caching: Cache, such as user login, its user information, the role/permissions do not need to check every time, this can improve efficiency;

Concurrency:shiro supports concurrent authentication of multi-threaded applications, such as opening another thread in one thread, enabling the automatic propagation of permissions to the past;

Testing: Provide testing support;

Run as: Allows one user to pretend to access the identity of another user (if they allow);

Remember me: Remember me, this is a very common feature, that is, once logged in, the next time you come back without logging in.

Remember, Shiro will not maintain the user, maintenance rights, these need we to design/provide, and then through the corresponding interface injection to Shiro.

IV. main structure of the reading

Shrio Frame composition

Subject: The main body, either on behalf of the user, can also represent the program (network crawler, etc.), it needs to access the system, the system needs to be authenticated and authorized, you can see the subject can be any interaction with the application of the "user."

SecurityManager: Security management, user request URL, corresponds to a Subject object, authenticated and authorized by SecurityManager subject (parent).

Authenricator: Authentication, mainly to subject authentication, subject information in Shrio is stored by Authenticationtoken object, Authenricationstrategy for authentication management. (child). If the user feels that Shiro default is not good, can be customized implementation, it needs authentication policy (authentication strategy), that is, under what circumstances the user authentication passed;

Authorizer: The authorization, after subject authentication, is granted by it to the corresponding role permissions. (child) controls which functions the user can access in the application;

Sessionmanager:shiro's session management approach, Shiro provides a special way to manage the session, usually the session in the Web program is HttpSession object, is managed by the Web container. If you write a servlet you should know the concept of the session, the session needs someone to manage its life cycle, this component is SessionManager, and Shiro not only can be used in the Web environment, but also can be used in the general javase environment, EJB and other environments; Shiro abstracted a session of itself to manage the data that interacts between the subject and the application, such as when we used the Web environment, just started as a Web server, and then on the EJB server. At this point, you want to put the session data of the two servers in one place, this time can realize their own distributed session (such as the data on the memcached server);

Sessiondao:session interface, Shiro through it to manage session data, personalized session data storage requires the use of Sessiondao.

CacheManager: Cache controller, mainly to cache session data and authorization data, reduce the database access pressure. Cache data can be managed through integration with Ehcache.

Pluggable Realms: Scalable domain, equivalent to the data source, we can get a general understanding of how Shiro works through the above, but Shiro how to know subject information and database information match it. Shiro here provides a concept of realms, its role is to get the information in the database. This realm can be multiple and customizable, just inherit the Authorizingrealm interface. There can be 1 or more realms that can be considered a secure entity data source, that is, a JDBC implementation, a LDAP implementation, a memory implementation, and so on, provided by the user, Shiro does not know where your users/permissions are stored and in what format, So we usually need to implement our own realm cipher module in the application.

Note: Realm is required to authenticate and authorize subject, so realm is not just a data source, but a logic that includes authentication and authorization.

Cryptography: Password module, a password management tool, provides a set of cryptographic/decryption components. For example, commonly used hash, add/decrypt functions, daily practice using the MD5 algorithm is actually a hashing algorithm, can only encrypt, cannot decrypt.


It can be seen that the core part of the Shrio is the Certification and authorization section, the others are all around these two parts, just understand that both parts are ready for development.

Five, Shiro certification process

Shiro Processing a subject flowchart

You can see that the object that the application code interacts directly with is subject, that is, Shiro's external API core is subject; The meaning of each API:

Subject: The main body, represents the current "user", the user is not necessarily a specific person, and the current application of anything is Subject, such as web crawler, robot, that is, an abstract concept; all Subject are bound to SecurityManager, All interactions with subject will be delegated to SecurityManager; subject can be regarded as a façade; SecurityManager is the actual performer;


SecurityManager: Security Manager, that is, all security-related operations interact with SecurityManager, and it manages all subject, and you can see that it is the core of Shiro, and it is responsible for interacting with the other components described behind it. If you have studied Springmvc, you can think of it as Dispatcherservlet front-end controller;


Realm: Shiro get secure data from realm (such as Users, roles, permissions), that is, SecurityManager to authenticate the user, it needs to be compared from realm to determine if the user's identity is legitimate It also requires the user's corresponding roles/privileges from realm to verify that the user is able to operate, and that realm can be viewed as a DataSource, a secure data source.


That is to say, for us, the simplest of a Shiro application:

1, the application code through the subject for authentication and authorization, and subject entrusted to SecurityManager;

2, we need to give Shiro SecurityManager to inject realm, so that SecurityManager can get legitimate users and their rights to judge.


As can be seen from the above, Shiro does not provide maintenance users/permissions, but it allows developers to inject themselves through realm.

Shiro processing certification flowchart, equivalent to the expansion and refinement of the above diagram

It can be seen that the Shiro process is a one-level call, mainly called Authentication to authenticate, and finally requires realm to authenticate.

Six, filter rights interceptor

Filter abbreviation	The corresponding Java class
Anon	Org.apache.shiro.web.filter.authc.AnonymousFilter
Authc	Org.apache.shiro.web.filter.authc.FormAuthenticationFilter
Authcbasic	Org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
Perms	Org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
Port	Org.apache.shiro.web.filter.authz.PortFilter
Rest	Org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
Roles	Org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
Ssl	Org.apache.shiro.web.filter.authz.SslFilter
User	Org.apache.shiro.web.filter.authc.UserFilter
Logout	Org.apache.shiro.web.filter.authc.LogoutFilter

Seven, JSP Shiro tag

Viii. Shiro related articles

Permissions Basics
Discussion on authority control in Iteye forum
New Solution of RBAC

Other related articles
Shiro Official documents
Shiro official recommended information
Shiro Reference Manual Chinese version
Huang Yong's Shiro source analysis
Dead_knight Shiro Source Analysis Shiro+struts2+spring3 plus @requirespermissions after @autowired failure
Simple Shiro extension implements not, and, or permission validation
Session is lost when 404 error is encountered after integrating Shiro
Implement Shiro permission validation in the velocity template file

My trip to Shiro

ix. Shiro Project

1.springside

Springside: As the core of the spring framework, pragmatic-style Java EE application Reference example, is the mainstream technology selection in Java EE World, the best practice summary and demonstration.

Springrain technical Details (1)-shiro basic Rights control
Springrain Technical Details (2)-Permission table structure
Springrain Technical Details (3)-shiro's filterchaindefinitions
Springrain Technical Details (4)-shiro cache
Springrain Technical Details (5)-shiro's httpsession

2.spring Mvc+spring+mybatis+shiro+easyui Integrated Development Background User Rights management system

3.Spring Mvc+apache shiro+mybatis Development of a backend management system demo

4.renren-security

A lightweight rights management system whose core design objectives are rapid development, simple learning, lightweight and easy to expand, using the framework of Spring MVC, Shiro, MyBatis, Bootstrap, vue2.x, including: Administrator management, role management, menu management, scheduled Tasks, parameter management, code generator, and so on.