1. What is Shiro?
Apache Shiro is a powerful and easy-to-use Java security framework that provides authentication, authorization, encryption, and session management:
- Authentication: identifying the user, often referred to as "login";
- Authorization: access control;
- Password encryption: protecting or hiding data from prying eyes;
- Session management: the time-sensitive state of each user.
Shiro can provide comprehensive security management services for any application, and it is much simpler than other security frameworks.
2. Introduction to the Shiro Architecture
First, let's look at Shiro's three core components: Subject, SecurityManager, and Realm:
Subject: the "current user". In Shiro, however, a Subject is not only a person; it can also be a third-party process, a background (daemon) account, or anything similar. It simply means "whatever is currently interacting with the software". For most intents and purposes, though, you can think of it as Shiro's notion of a "user".
A Subject represents the security operations of the current user; the SecurityManager manages the security operations of all users.
SecurityManager: the core of the Shiro framework and a typical facade pattern. Shiro manages its internal component instances through the SecurityManager and, through it, provides its various security management services.
Realm: a Realm acts as a "bridge" or "connector" between Shiro and the application's security data. That is, when Shiro performs authentication (login) and authorization (access control) checks on a user, it looks up the user and its permission information in the Realm(s) configured by the application.
In this sense, a Realm is essentially a security-related DAO: it encapsulates the connection details of the data source and provides the relevant data to Shiro as needed. When configuring Shiro, you must specify at least one Realm for authentication and/or authorization; you may configure several Realm instances, but at least one is required.
Shiro has built-in Realms that connect to many common security data sources (also called directories), such as LDAP, relational databases (JDBC), and text configuration resources such as INI and properties files. If the default Realms do not meet your needs, you can plug in your own Realm implementation that represents a custom data source.
Complete Shiro architecture diagram:
In addition to the Subject, SecurityManager, and Realm core components mentioned above, Shiro's main components also include:
Authenticator: authentication is the process of verifying a user's identity. The common example of this process is the "username/password" combination everyone is familiar with: when logging on to a software system, most users provide their username (the principal) and the password that supports it (the credential). If the password (or a representation of it) stored in the system matches the password supplied by the user, the user is considered authenticated.
Authorizer: authorization is essentially access control, that is, controlling what a user can access within an application, such as resources and web pages.
SessionManager: in the security framework field, Apache Shiro provides something unique: a Session API that can be used consistently at any application or architecture layer. That is, Shiro provides a session programming paradigm for any application, from small standalone background applications to large clustered web applications. This means that developers who want to use sessions are not forced to use a Servlet or EJB container; and if they are using those containers, they can still choose to use the consistent Session API at any layer in place of the Servlet or EJB session mechanism.
CacheManager: provides cache support for the other Shiro components.
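To see how the Subject, SecurityManager, and Realm cooperate with the Authenticator, Authorizer, and SessionManager described above, here is an added standalone Java example (not code from the original post or from the Shiro project). It assumes shiro-core 1.x on the classpath; the class and method names (ShiroQuickstart, buildRealm, login), the user "alice", her password, and the role/permission strings are constructed sample values.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroQuickstart {
    // The Realm is the "bridge" to security data; this one reads a constructed in-memory
    // INI (sample user "alice"), where a real application would use a JDBC or LDAP realm.
    static IniRealm buildRealm() {
        DefaultPasswordService passwordService = new DefaultPasswordService();
        // Store a salted, iterated hash (shiro1 format), never the cleartext password.
        String storedHash = passwordService.encryptPassword("correct horse");
        Ini ini = new Ini();
        ini.addSection("users").put("alice", storedHash + ", admin"); // user = password, roles...
        ini.addSection("roles").put("admin", "user:*");               // role = permissions...
        IniRealm realm = new IniRealm(ini);
        PasswordMatcher matcher = new PasswordMatcher(); // hashes the submitted password to compare
        matcher.setPasswordService(passwordService);
        realm.setCredentialsMatcher(matcher);
        return realm;
    }
    // Authentication: the Subject hands its token to the SecurityManager, which asks the Realm;
    // any failure arrives as an AuthenticationException subclass, so the caller sees no detail.
    static boolean login(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            System.out.println("login failed for " + user + ": " + e.getClass().getSimpleName());
            return false;
        }
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(buildRealm()));
        Subject subject = SecurityUtils.getSubject();            // the "current user"
        login(subject, "alice", "wrong password");                // IncorrectCredentialsException
        login(subject, "alice", "correct horse");                 // succeeds
        // Authorization: role and permission checks resolved from the [roles] section.
        System.out.println("admin? " + subject.hasRole("admin") + ", user:delete? "
                + subject.isPermitted("user:delete") + ", billing:refund? " + subject.isPermitted("billing:refund"));
        subject.getSession().setAttribute("lastAction", "login"); // Subject-bound session, no Servlet container needed
        subject.logout();  // invalidates the session and clears the Subject's identity
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```

The first login attempt is rejected by the Realm's credentials matcher, the second succeeds, the role and "user:delete" checks pass while "billing:refund" is denied, and after logout() the Subject is anonymous again.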