User permission model
Before we lift the veil on Shiro, we need to understand the user permission model. The user permission model discussed in this article is the data model used to represent user information and user permission information; it answers the two questions "Who are you?" and "Which protected resources may you access?". To keep the model flexible, user information is usually represented by a single entity, and user permission information by two entities.
User information is represented by LoginAccount. The simplest account may contain only two properties, the user name loginName and the password (which should be stored as a salted hash, never in clear text). A real application usually adds information such as whether the account is disabled and whether the account or its credentials have expired.
User permission information is represented by Role and Permission, which form a many-to-many relationship. A Permission can be understood as an operation on a resource (for example, deleting a user), and a Role simply as a named set of Permissions.
User information and Role also form a many-to-many relationship: one user can hold several roles, and one role can be held by several users.
Figure 1. User permission model
Authentication and authorization
Shiro authentication and authorization process
Every resource protected by Shiro goes through authentication and then authorization. How to place a URL under Shiro's protection is described in the section "Integration with Spring".
A user accesses a URL protected by Shiro, for example http://host/security/action.do.
Shiro first checks whether the user has already been authenticated. If not, it redirects the user to the login page; otherwise it proceeds to the authorization check. Authentication needs the user's account and password information, which Shiro obtains through a Realm. Usually we implement a JDBC Realm, so the information needed to authenticate the user is read from the database. If caching is enabled, the user information is looked up in the cache first and read from the database only on a cache miss.
Once authentication passes, Shiro performs the authorization check, which again obtains the user's permission information through the Realm. The permission information Shiro needs is the user's roles, permissions, or both, depending on how the protected resource is configured. If the user's permission information lacks the role or permission the resource requires, authorization fails. Only when authorization passes may the user access the protected URL; otherwise Shiro redirects the user to the unauthorized page.
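The following Java program is an added example, not code from the original article or from the Shiro project. It ties the two parts of this section together: the three-entity model (LoginAccount, Role, Permission with their two many-to-many relationships) is held in constructed in-memory maps that stand in for the tables a JDBC Realm would query, and a custom AuthorizingRealm feeds Shiro first the authentication information (step 1) and then, lazily, the authorization information (step 2). It assumes shiro-core 1.x on the classpath and Java 9 or later for Map.of/Set.of; the class name, the realm name DemoRealm, the sample accounts, salts, roles and permission strings are all hypothetical. It also goes one step beyond the text by storing passwords as salted SHA-256 hashes and verifying them with Shiro's HashedCredentialsMatcher, which is what a production realm should do instead of comparing clear-text passwords.

```java
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Stand-alone walk-through of the user permission model and the authenticate-then-authorize flow (example code). */
public class UserPermissionModelDemo {
    static final int HASH_ITERATIONS = 10_000;

    // Constructed sample rows standing in for the three entities; a JDBC Realm would read them from tables.
    // LoginAccount: loginName -> {salt, hex(SHA-256(password, salt, iterations))}. Never store clear-text passwords.
    static final Map<String, String[]> ACCOUNTS = Map.of(
            "alice", new String[]{"salt-a", hash("alice-pw", "salt-a")},
            "bob",   new String[]{"salt-b", hash("bob-pw", "salt-b")});
    static final Set<String> DISABLED_ACCOUNTS = Set.of("bob");       // the "disabled" flag mentioned in the text
    static final Map<String, Set<String>> USER_ROLES = Map.of(        // LoginAccount <-> Role, many-to-many
            "alice", Set.of("admin", "auditor"),
            "bob",   Set.of("auditor"));
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(  // Role <-> Permission, many-to-many
            "admin",   Set.of("user:create", "user:delete"),          // a Permission is an action on a resource
            "auditor", Set.of("report:read"));

    static String hash(String password, String salt) {
        return new Sha256Hash(password, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
    }

    /** Realm backed by the maps above; replace the map lookups with SQL to obtain the JDBC Realm the text mentions. */
    static class DemoRealm extends AuthorizingRealm {
        DemoRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);   // Shiro hashes the submitted password the same way and compares the two
        }

        // Authentication ("who are you?"): fetch the account and hand the stored credential to Shiro for verification.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String loginName = (String) token.getPrincipal();
            String[] account = ACCOUNTS.get(loginName);
            if (account == null) throw new UnknownAccountException("unknown account: " + loginName);
            if (DISABLED_ACCOUNTS.contains(loginName)) throw new LockedAccountException("disabled: " + loginName);
            return new SimpleAuthenticationInfo(loginName, account[1], ByteSource.Util.bytes(account[0]), getName());
        }

        // Authorization ("what may you access?"): roles held by the user plus the permissions reached through them.
        // Shiro calls this lazily, on the first hasRole/isPermitted check, and caches the result if a CacheManager is set.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String loginName = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            for (String role : USER_ROLES.getOrDefault(loginName, Set.of())) {
                info.addRole(role);
                info.addStringPermissions(ROLE_PERMISSIONS.getOrDefault(role, Set.of()));
            }
            return info;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject subject = SecurityUtils.getSubject();

        // Step 1: authentication check. In a web application an unauthenticated subject is redirected to the
        // login page; here the login form's submission is simulated directly.
        System.out.println("authenticated before login? " + subject.isAuthenticated());
        try {
            subject.login(new UsernamePasswordToken("alice", "alice-pw"));
        } catch (AuthenticationException e) {
            // Show the user one generic message: telling "unknown account" apart from "wrong password"
            // or "account disabled" lets an attacker enumerate valid loginNames.
            System.out.println("login failed");
            return;
        }

        // Step 2: authorization check, driven by whatever the protected URL was configured to require.
        System.out.println("hasRole(admin)?           " + subject.hasRole("admin"));
        System.out.println("isPermitted(user:delete)? " + subject.isPermitted("user:delete"));   // granted through role admin
        System.out.println("isPermitted(report:read)? " + subject.isPermitted("report:read"));   // granted through role auditor
        System.out.println("isPermitted(user:export)? " + subject.isPermitted("user:export"));   // no role grants it: unauthorized page
        subject.logout();
    }
}
```

Two design points worth noting. First, the realm never compares passwords itself; it returns the stored hash and salt in a SimpleAuthenticationInfo and leaves the comparison to the credentials matcher, so changing the hashing scheme is a one-line configuration change rather than a code change in every realm. Second, the realm throws distinct exception types (UnknownAccountException, LockedAccountException, and Shiro's own IncorrectCredentialsException on a bad password) because they are useful for logging, but the login page should map all of them to the same message so the distinction is not leaked to the client.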