Reference Blog: http://jinnianshilongnian.iteye.com/blog/2018398
1. Shiro Introduction
Apache Shiro is a Java framework for authentication and authorization. Shiro's basic functions are as follows:
Authentication, authorization, session management, encryption, web support, caching, concurrency (Shiro supports multi-threaded applications: for example, when one thread starts another, permissions can be propagated to it automatically), testing (test support is provided), Run As (allows one user to access the system under another user's identity), and Remember Me.
Note: Shiro does not maintain users or permissions. We need to design and provide these ourselves and then inject them into Shiro through the corresponding interfaces.
A good framework: from the outside it should have a very simple, easy-to-use API with a clear API contract; from the inside it should have an extensible architecture into which user-defined implementations are easy to plug, because no architecture can meet every need.
Who uses Shiro? The application. Looking at Shiro from the application's perspective, the application interacts with Subject (the subject), Realm (the domain), and SecurityManager (the security manager). Put simply, the Subject is the department that deals with the outside world, the Realm is the whole company's business data, and the work is mainly carried out by the company's core department (the SecurityManager).
For example, one of the simplest Shiro applications:
1. The application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager;
2. We need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain legitimate users and their permissions in order to make its decisions.
Shiro does not provide the ability to maintain users and permissions; instead, it lets developers inject them through a Realm.
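The two steps above as a minimal non-web program. This is an added example, not code from the original blog or from the Shiro project. The class names `ShiroQuickstart` and `InMemoryRealm` and the sample user data are constructed for illustration, and the code assumes the shiro-core library and its dependencies are on the classpath.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ShiroQuickstart {
    // Constructed sample data standing in for the application's own user store.
    // A real realm would keep salted password hashes and set a matching CredentialsMatcher.
    static final Map<String, String> PASSWORDS = Map.of("alice", "constructed-sample-pw");
    static final Map<String, Set<String>> PERMISSIONS = Map.of("alice", Set.of("report:read"));
    // The Realm is where the application tells Shiro who its users are and what they may do.
    static class InMemoryRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = ((UsernamePasswordToken) token).getUsername();
            String stored = (user == null) ? null : PASSWORDS.get(user);
            if (stored == null) throw new UnknownAccountException("no such user");
            // Shiro's credentials matcher compares this value with the submitted password.
            return new SimpleAuthenticationInfo(user, stored, getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            String user = (String) principals.getPrimaryPrincipal();
            info.addStringPermissions(PERMISSIONS.getOrDefault(user, Set.of()));
            return info;
        }
    }
    public static void main(String[] args) {
        // Step 2: inject the Realm into the SecurityManager.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        // Step 1: the application only talks to the Subject, which delegates to the SecurityManager.
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong-password"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "constructed-sample-pw"));
        System.out.println("report:read   -> " + subject.isPermitted("report:read"));
        System.out.println("report:delete -> " + subject.isPermitted("report:delete"));
        subject.logout();
    }
}
```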
How does Shiro work: how does the SecurityManager interact with the other components?
Authenticator: requires an authentication strategy and can be customized.
Realm (data source): there can be one or more. It is the data source for security entities, such as JDBC, LDAP, or memory, and is provided by the user. Note: Shiro does not know where your users and permissions are stored or in what format, so we generally need to implement our own Realm in the application;
SessionManager (session management): Shiro abstracts a session to manage the data exchanged between the Subject and the application. For example, when we use Shiro in a web environment, we may start with a single web server and then add an EJB server. If we then want to keep the session data of both servers in one place, we can implement our own distributed session (for example, by storing the data on a memcached server).
SessionDAO: writes sessions to the database. To put sessions into memcached, you can implement your own memcached SessionDAO; in addition, SessionDAO can use a cache to improve performance;
CacheManager: cache controller.
Cryptography: the encryption module.
Summary: Shiro uses the Subject to connect with the outside world. Legitimate users and their permissions are supplied by the developer through a Realm. Shiro uses the SecurityManager to implement its functionality through interaction with the other internal components.