Integrating the Shiro Security Framework with SpringMVC (1)

Source: Internet
Author: User


I. Preparations

1. For more information about Shiro, see Dr. Zhang.

 

II. Introduction

1. Apache Shiro is a Java security framework. It helps with authentication, authorization, encryption, session management, web integration, caching, and so on. Its basic functions are:

Authentication: identity authentication/login. It verifies whether a user has the corresponding identity.

Authorization: permission verification. It verifies whether an authenticated user has a certain permission, that is, whether the user is allowed to do something. Common examples include verifying whether a user has a role, or fine-grained verification of whether a user has a certain permission on a resource.

Session Manager: session management. After a user logs in, that is one session, and until the user exits, all of the user's information is kept in the session. Sessions can exist in a normal JavaSE environment or in a Web environment.

Cryptography: encryption to protect data, for example storing passwords in the database encrypted rather than in plaintext.

Remember Me: a very common feature; after logging in once, you do not have to log in again next time.

 

2. From the application's perspective, here is how Shiro gets the work done:

Subject: the Subject represents the current "user". This user is not necessarily a person; anything that interacts with the current application is a Subject, such as a web crawler or a robot. It is an abstract concept. Every Subject is bound to the SecurityManager, and all interactions with a Subject are delegated to the SecurityManager. The Subject can be thought of as a facade; the SecurityManager is the actual executor.

SecurityManager: the security manager. All security-related operations go through the SecurityManager, and it manages all Subjects. It is the core of Shiro and interacts with the other components introduced later. If you have learned SpringMVC, you can think of it as the DispatcherServlet front controller.

Realm: the domain. Shiro obtains security data (such as users, roles, and permissions) from a Realm. That is, when the SecurityManager wants to authenticate a user, it needs to obtain the corresponding user from the Realm for comparison, to determine whether the identity is legitimate. It also needs to obtain the user's roles/permissions from the Realm to verify whether the user can perform an operation. You can think of a Realm as a DataSource, that is, a security data source.

 

3. Shiro's internal architecture consists of the following components:

Subject: the subject. A Subject can be any "user" that can interact with the application.

SecurityManager: equivalent to the DispatcherServlet in SpringMVC. It is the heart of Shiro; all specific interactions are controlled through the SecurityManager. It manages all Subjects and is responsible for authentication and authorization, as well as session and cache management.

Authenticator: responsible for authenticating the subject. This is an extension point: if you find Shiro's default implementation inadequate, you can provide your own. The Authenticator requires an Authentication Strategy, that is, the rule for deciding under what circumstances a user's authentication counts as passed.

Authorizer: the authorizer, or access controller. It determines whether the subject has permission to perform a given operation; that is, it controls which functions of the application a user can access.

Realm: there can be one or more Realms. A Realm can be considered a data source for security entities, that is, it is used to obtain security entities. It can be backed by JDBC, LDAP, memory, and so on, and it is provided by the user. Note: Shiro does not know where your users/permissions are stored or in what format, so we generally need to implement our own Realm in the application.

SessionManager: if you have written Servlets, you know the concept of a Session, and something needs to manage its lifecycle. That component is the SessionManager. Shiro can be used not only in the Web environment but also in normal JavaSE environments, EJB, and so on, so Shiro abstracts its own Session to manage the interaction data between the subject and the application. For example, suppose we start with a Web server and then add an EJB server, and we want to keep the session data of the two servers in one place. In that case we can implement our own distributed session (for example, placing the data on a Memcached server).

SessionDAO: DAO is the familiar data access object, used here for session CRUD. For example, if we want to save the Session to a database, we can implement our own SessionDAO and write it through JDBC; if we want to put the Session in Memcached, we can implement our own Memcached SessionDAO. In addition, a SessionDAO can use a Cache to improve performance.

CacheManager: the cache controller, which manages caches of users, roles, permissions, and so on. This data rarely changes, so caching it improves access performance.

Cryptography: the cryptography module. Shiro provides common encryption components for tasks such as password encryption/decryption.
