Shiro Introduction
Apache Shiro is a security framework for Java. More and more people are using Apache Shiro because it is fairly simple. Compared with Spring Security it may not be as powerful, but real projects often do not need anything that complex, so the small and simple Shiro is enough. There is no need to agonize over which of the two is better; whichever solves the project's problem more easily is fine.
Shiro architecture and function introduction
1. Basic concepts related to authentication and authorization
Two basic concepts
Security entities: Specific object data that the system needs to protect
Permissions: System-related functional operations, such as basic CRUD
Authentication: identity authentication/login, verifying that the user has the corresponding identity;
Authorization: permission verification, that is, verifying that an authenticated user has a given permission, i.e. determining whether a user can do something. Commonly: verifying that a user has a role, or fine-grained verification that a user has a certain permission on a resource;
Session Manager: session management. Each user login is a session, and until logout all of the user's information is kept in the session; the session can live in an ordinary Java SE environment or in a web environment;
Cryptography: encryption to protect data, for example storing passwords encrypted in the database rather than in plaintext;
Web Support: web support, which makes it very easy to integrate into a web environment;
Caching: caching. For example, after a user logs in, the user information and roles/permissions do not need to be looked up every time, which improves efficiency;
Concurrency: Shiro supports concurrent authentication for multi-threaded applications; for example, when one thread starts another, permissions can be propagated to the new thread automatically;
Testing: provides testing support;
Run As: allows one user to access the system under the identity of another user (if that user allows it);
Remember Me: a very common feature: after logging in once, you do not need to log in again the next time you come back.
2. Shiro's four core functions: Authentication, Authorization, Cryptography, Session Management
Shiro Architecture
3. Shiro's three core components: Subject, SecurityManager and Realms.
Subject: the subject represents the current "user". This user is not necessarily a specific person; anything that interacts with the current application is a Subject, such as a web crawler or a robot. It is an abstract concept. All Subjects are bound to the SecurityManager, and all interactions with a Subject are delegated to the SecurityManager; the Subject can be considered a facade, and the SecurityManager is the actual performer;
SecurityManager: the security manager. All security-related operations interact with the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components described later; if you have studied Spring MVC, you can think of it as the DispatcherServlet front controller;
Realm: Shiro obtains security data (such as users, roles, permissions) from a Realm. That is, when the SecurityManager verifies a user's identity, it needs to get the corresponding user from the Realm and compare, to determine whether the user's identity is legitimate. It also needs to get the user's roles/permissions from the Realm to verify that the user may perform an operation. A Realm can be viewed as a DataSource, a secure data source.
About Spring Security
Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. It provides a set of beans that can be configured in the Spring application context, taking full advantage of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (aspect-oriented programming) capabilities to provide declarative access control for application systems, reducing the effort of writing large amounts of repetitive code for enterprise system security controls. It is a lightweight security framework that ensures that Spring-based applications provide authentication and authorization support. It is well integrated with Spring MVC and is bundled with popular security algorithm implementations. Security consists of two operations: "authentication" and "authorization" (sometimes called permission control). "Authentication" is the process of establishing the principal a user claims to be; the principal can be a user, a device, or a system. "Authorization" refers to whether a user is able to perform an action in your app. The identity has already been established by the authentication process before the authorization decision is reached.
Its design is based on a wide range of dependencies within the framework and can be divided into the following blocks.
Web/HTTP security: This is the most complex part. The framework's authentication mechanism is implemented by setting up filters and related service beans. When a protected URL is accessed, the user is directed to the login page or to an error page.
Security of a business object or method: Controls how access is granted.
AuthenticationManager: Processes authentication requests from other parts of the framework.
AccessDecisionManager: Provides access decisions for web or method security. A default one is registered, but we can also use a custom AccessDecisionManager by registering it in the same way as an ordinary bean.
AuthenticationProvider: The AuthenticationManager authenticates users through it.
UserDetailsService: Closely related to AuthenticationProvider; used to obtain user information.
Shiro and Spring Security comparison
Shiro is easier to use, implement and, most importantly, understand than Spring Security
The only reason that Spring Security is better known is the brand name
"Spring" is famous for its simplicity, but ironically many people find it difficult to install Spring Security
However, Spring Security has better community support
Compared with Spring Security, Apache Shiro has an additional module for handling cryptography
Spring Security works well with Spring: if the project uses Spring MVC, it is convenient to use. But if Spring is not used in the project, do not consider it.
Shiro is powerful, simple and flexible. As an Apache project it is fairly reliable, and it is not bound to any framework or container, so it can run independently
For a Shiro tutorial, refer to the open-source "Follow me to learn Shiro": http://jinnianshilongnian.iteye.com/blog/2018398