first, what is Shiro
Apache Shiro is a powerful, easy-to-use Java security framework that provides features such as authentication, authorization, encryption, and session management:
- Authentication-user identification, often referred to as the user "login";
- Authorization-access control;
- Password encryption-protect or hide data from being peeping;
- Session Management-The time-sensitive state associated with each user.
for any application, Shiro can provide comprehensive security management services. And compared to other security frameworks, Shiro is much simpler.
Ii. Introduction to the architecture of Shiro
first, let's look at the three core components of Shiro: Subject, SecurityManager, and Realms. such as:
Subject: "Current Operation User". However, in Shiro, the concept of subject not only refers to a person, but can also be a third-party process, a background account (Daemon accounts), or something similar. It simply means "what is currently interacting with the software". But given the majority of purposes and uses, you can think of it as the "user" concept of Shiro.
subject represents the security actions of the current user, and SecurityManager manages the security actions of all users.
SecurityManager: It is the core of the Shiro framework, a typical facade model, Shiro through SecurityManager to manage internal component instances, and through it to provide various services for security management.
Realm:realm acts as a "bridge" or "connector" between Shiro and application security data. That is, when authentication (login) and authorization (access control) is performed on the user, Shiro will look for the user and their permission information from the realm where the app is configured.
In this sense, realm is essentially a security-related DAO: It encapsulates the connection details of the data source and provides the relevant data to Shiro when needed. When configuring Shiro, you must specify at least one realm for authentication and/or authorization. Configuring multiple realms is possible, but requires at least one.
Shiro includes realms that can connect a large number of secure data sources (aka directories), such as LDAP, relational database (JDBC), ini-like text configuration resources, and property files. If the default realm does not meet the requirements, you can also insert your own realm implementation that represents the custom data source.
Shiro Complete Architecture diagram:
In addition to the subject, SecurityManager, and realm three core components described above, the Shiro main components include:
Authenticator: Certification is the process of verifying a user's identity. A common example of this process is the "User/password" combination that everyone is familiar with. Most users usually provide their own user name (the party) and the password (certificate) that supports them when they log in to the software system. If the password (or password representation) stored in the system matches the user's offer, they are considered certified.
Authorizer: Authorization is essentially access control-controls what content users can access in the app, such as resources, Web pages, and so on.
SessionManager: In the security framework area, Apache Shiro offers something unique: The session API can be used consistently at any application or architecture level. That is, Shiro provides a conversational programming paradigm for any application-from small background standalone applications to large clustered Web applications. This means that the app developer who wants to use the session doesn't have to be forced to use a servlet or EJB container. Alternatively, if you are using these containers, developers can now choose to use a consistent session API at any layer instead of a servlet or EJB mechanism.
CacheManager :provides caching support for other components of Shiro.
Source: http://kdboy.iteye.com/blog/1154644
From for notes (Wiz)
Apache Shiro User Manual (i) Shiro architecture Introduction
