Apache Shiro User Manual (i) Shiro architecture Introduction

Source: Internet
Author: User

I. What is Shiro
Apache Shiro is a powerful, easy-to-use Java security framework that provides authentication, authorization, cryptography and session management:

    • Authentication: identifying the user, commonly referred to as user "login";
    • Authorization: access control;
    • Cryptography (password hashing and encryption): protecting data from being read by those who should not see it;
    • Session management: the time-sensitive state associated with each user.

Shiro can provide comprehensive security management services for any application, and compared to other security frameworks it is much simpler to use.

II. Introduction to the Shiro architecture
First, let's look at the three core components of Shiro: Subject, SecurityManager and Realm, as shown in the figure below:

Subject: the "current operating user". In Shiro, however, a Subject is not only a person; it can also be a third-party process, a background (daemon) account, or something similar. It simply means "whatever is currently interacting with the software". For most purposes and uses, though, you can think of it as Shiro's concept of a "user".
A Subject represents the security operations of the current user, while the SecurityManager manages the security operations of all users.

SecurityManager: the core of the Shiro framework and a typical facade pattern. Shiro manages its internal component instances through the SecurityManager and provides all of its security management services through it.

Realm: a Realm acts as a "bridge" or "connector" between Shiro and the application's security data. When authentication (login) or authorization (access control) is performed for a user, Shiro looks up the user and their permission information in the Realms configured for the application.
In this sense, a Realm is essentially a security-specific DAO: it encapsulates the connection details of the data source and hands the relevant data to Shiro when needed. When configuring Shiro, you must specify at least one Realm for authentication and/or authorization. Configuring multiple Realms is possible, but at least one is required.
Shiro ships with Realms that can connect to a large number of security data sources (also called directories), such as LDAP, relational databases (JDBC), INI-style text configuration resources and property files. If the built-in Realms do not meet your requirements, you can also plug in your own Realm implementation representing a custom data source.


Complete Shiro architecture diagram:


In addition to the three core components above (Subject, SecurityManager and Realm), the main Shiro components include:
Authenticator: authentication is the process of verifying a user's identity. The most common example of this process is the familiar "username/password" combination. Most users provide their user name (the principal) and the password that backs it (the credential) when they log in to a software system. If the password (or a representation of it) stored in the system matches what the user supplied, the user is considered authenticated.
Authorizer: authorization is essentially access control: it governs what a user may access in the application, such as resources, web pages and so on.
SessionManager: in the security framework space, Apache Shiro offers something unique: a session API that can be used consistently at any application or architecture level. That is, Shiro provides a session programming paradigm for any application, from small standalone background applications to large clustered web applications. This means that an application developer who wants to use sessions is no longer forced into a servlet or EJB container. Alternatively, if those containers are in use, developers can now choose to use a consistent session API at any layer instead of the servlet or EJB mechanisms.
CacheManager: provides caching support for the other Shiro components.
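To make the Realm and SecurityManager descriptions above concrete, here is an added example; it is not part of the original article and not Shiro's own code. It defines a hypothetical InMemoryRealm (a stand-in for the JDBC or LDAP Realm a real deployment would use) that stores only salted, iterated SHA-256 password hashes plus role names, and wires it into a DefaultSecurityManager so that the Authenticator and Authorizer can be exercised through a Subject. The class name, field names, account names, passwords and roles are constructed for the demo; the Shiro types used (AuthorizingRealm, HashedCredentialsMatcher, Sha256Hash, SimpleAuthenticationInfo, SimpleAuthorizationInfo, DefaultSecurityManager) are real Shiro 1.x APIs.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/**
 * Hypothetical Realm (assumption: not a Shiro class) that keeps accounts in a map.
 * A real Realm would query JDBC/LDAP instead; its job is the same: hand Shiro the
 * stored credential and the user's roles, and let the SecurityManager's
 * Authenticator and Authorizer do the comparison and the access decision.
 */
public class InMemoryRealm extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 100_000;

    /** One stored account: hex-encoded salted SHA-256 hash, the salt, and role names. */
    private static final class Account {
        final String passwordHashHex;
        final ByteSource salt;
        final Set<String> roles;
        Account(String passwordHashHex, ByteSource salt, Set<String> roles) {
            this.passwordHashHex = passwordHashHex;
            this.salt = salt;
            this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new HashMap<>();

    public InMemoryRealm() {
        // The matcher re-hashes the submitted password with the stored salt and iteration
        // count, so the Realm never stores or compares plaintext passwords.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Enrolment: hash the password with a fresh random salt and keep only the hash. */
    public void addAccount(String username, String plainPassword, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(plainPassword, salt, HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(hashHex, salt, new HashSet<>(Arrays.asList(roles))));
    }

    /** Authentication side: return what is stored for this principal, or null if unknown. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Account account = accounts.get(username);
        if (account == null) {
            return null; // Shiro's Authenticator turns a null result into UnknownAccountException
        }
        return new SimpleAuthenticationInfo(username, account.passwordHashHex, account.salt, getName());
    }

    /** Authorization side: roles and derived permissions for an already identified principal. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        Account account = accounts.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (account != null) {
            info.setRoles(account.roles);
            if (account.roles.contains("admin")) {
                info.addStringPermission("user:*"); // wildcard permission: any action on "user"
            }
        }
        return info;
    }

    public static void main(String[] args) {
        InMemoryRealm realm = new InMemoryRealm();
        realm.addAccount("alice", "correct horse battery staple", "admin"); // constructed demo data
        realm.addAccount("bob", "bob-demo-password", "user");

        // The SecurityManager is the facade that owns the Realm, Authenticator and Authorizer.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("has role admin: " + subject.hasRole("admin"));
        System.out.println("may delete users: " + subject.isPermitted("user:delete"));
        subject.logout();
    }
}
```

The static SecurityUtils.setSecurityManager call is suitable for a standalone demo like this one; in a web application the SecurityManager is normally configured through shiro.ini and the ShiroFilter instead. Returning null from doGetAuthenticationInfo for an unknown account, rather than throwing, keeps the "unknown user" versus "wrong password" distinction inside Shiro's exception hierarchy, where the application can decide how much of it to expose.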

III. Shiro Authentication
Authentication is the process of verifying a user's identity. During authentication, the user is required to submit identity information (principals) and credential information (credentials) so that the system can verify that the user is legitimate. The most common "principal/credential" combination is "username/password".
I. Shiro authentication process
1. Collect principal/credential information
Java code
    // example using the most common scenario of a username/password pair:
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    // "Remember Me" built-in:
    token.setRememberMe(true);
UsernamePasswordToken supports the most common authentication mechanism, user name/password. Because it also implements the RememberMeAuthenticationToken interface, we can enable the "Remember Me" function through the token. However, "remembered" and "authenticated" are different:
A remembered user is merely a non-anonymous user: you can obtain their information through Subject.getPrincipals(). But they are not a fully authenticated user, and they still have to resubmit their authentication information when accessing functionality that requires an authenticated user.
This difference can be seen on the Amazon website: the site remembers a logged-in user by default, and on a later visit it displays the remembered user's information for non-sensitive page features; but when you visit your account information, you still have to log in again.
2. Submit principal/credential information
Java code
    Subject currentUser = SecurityUtils.getSubject();
    currentUser.login(token);
After collecting the principal/credential information, we obtain the current user through the SecurityUtils utility class and then submit the authentication by calling its login method.

3. Authentication processing
Java code
    try {
        currentUser.login(token);
    } catch (UnknownAccountException uae) { ...
    } catch (IncorrectCredentialsException ice) { ...
    } catch (LockedAccountException lae) { ...
    } catch (ExcessiveAttemptsException eae) { ...
    } ... catch your own ...
    } catch (AuthenticationException ae) {
        // unexpected error?
    }
If the login method returns without throwing an exception, the user is considered authenticated. SecurityUtils.getSubject() can then be called anywhere in the application to obtain the authenticated user instance, and Subject.isAuthenticated() returns true for it.
Conversely, if an exception is thrown while the login method executes, the authentication is considered unsuccessful. Shiro has a rich hierarchy of distinct exception classes describing the reasons for authentication failure, as the code example shows.
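The three steps above combined into one runnable method, as an added example that is not from the original article or from the Shiro project: it collects the token, submits it through the current Subject, and maps Shiro's exception hierarchy to an outcome the calling code can act on. To run stand-alone it uses Shiro's IniRealm built from an inline INI string (plaintext passwords, acceptable only for a demo); the account "alice", its password, and the LoginFlow and Outcome names are constructed for this example. It deliberately returns the same BAD_CREDENTIALS outcome for an unknown account and for a wrong password, logging the distinction server-side only, so the response to the client does not reveal which user names exist.

```java
import java.util.logging.Logger;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

/** Hypothetical login helper (assumption: not a Shiro class). */
public class LoginFlow {

    private static final Logger LOG = Logger.getLogger(LoginFlow.class.getName());

    /** What the caller (e.g. a controller) gets back; the user-facing message is derived from this. */
    public enum Outcome { SUCCESS, BAD_CREDENTIALS, ACCOUNT_LOCKED, TOO_MANY_ATTEMPTS, ERROR }

    /** Steps 1-3 of the authentication process in one place. */
    public static Outcome login(String username, char[] password, boolean rememberMe) {
        // Step 1: collect principal and credential into a token.
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        // Step 2: submit through the current Subject.
        Subject currentUser = SecurityUtils.getSubject();
        // Step 3: classify the result. Unknown account and wrong password are logged
        // distinctly but reported identically, so callers cannot probe which user names exist.
        try {
            currentUser.login(token);
            return Outcome.SUCCESS;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            LOG.warning("login failed for '" + username + "': " + e.getClass().getSimpleName());
            return Outcome.BAD_CREDENTIALS;
        } catch (LockedAccountException e) {
            LOG.warning("locked account '" + username + "' attempted login");
            return Outcome.ACCOUNT_LOCKED;
        } catch (ExcessiveAttemptsException e) {
            LOG.warning("too many attempts for '" + username + "'");
            return Outcome.TOO_MANY_ATTEMPTS;
        } catch (AuthenticationException e) {
            LOG.severe("unexpected authentication error: " + e);
            return Outcome.ERROR;
        } finally {
            token.clear(); // zeroes the password array once Shiro has used it
        }
    }

    public static void main(String[] args) {
        // Constructed demo realm: INI text in the format IniRealm reads ([users] name = password, roles).
        Ini ini = new Ini();
        ini.load("[users]\nalice = alice-demo-secret, admin\n[roles]\nadmin = *\n");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        System.out.println(login("alice", "wrong-password".toCharArray(), false)); // wrong password
        System.out.println(login("nobody", "anything".toCharArray(), false));      // unknown account
        System.out.println(login("alice", "alice-demo-secret".toCharArray(), true));

        // After a real login the Subject is authenticated; isRemembered() is true only for a
        // Subject known from an earlier session that has not re-authenticated in this one.
        Subject s = SecurityUtils.getSubject();
        System.out.println("authenticated=" + s.isAuthenticated() + " remembered=" + s.isRemembered());
    }
}
```

Taking the password as a char[] and calling token.clear() in the finally block means the secret is wiped from the token as soon as the login attempt is over, rather than lingering in an immutable String. In a web application the DefaultWebSecurityManager configured by shiro.ini replaces the static setSecurityManager call used here for the standalone demo.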

Reference article:

Http://wenku.baidu.com/link?url=xYeiOd_u44piDnAWTR205oKJ_mBhsrUtW2AppqGbmAQxo6Cqn9tI_MLdzrIgh7d3OPfdTSK6eFW_Ccpmkptdwnt65d9ommuou-zaappzqde
