Introduction to Shiro

Chapter 1: Shiro Introduction, from the series "Follow me to learn Shiro".


1.1 Introduction

Apache Shiro is a security framework for Java. More and more people are using Apache Shiro because it is fairly simple. Compared with Spring Security it may not be as powerful, but real-world projects often do not need that much complexity, so a small, simple Shiro is enough. There is no need to agonize over which of the two is better; whichever solves the project's problem more simply is fine.

This tutorial only introduces basic Shiro usage and does not analyze the source code in depth; the emphasis is on practical use.

With Shiro you can easily develop a good enough application, and it can be used not only in a Java SE environment but also in a Java EE environment. Shiro helps us with authentication, authorization, cryptography, session management, web integration, caching, and so on. Isn't that exactly what we want? The Shiro API is also very simple. Its basic functional points are shown in the following illustration:

Authentication: identity authentication/login, verifying that a user has the corresponding identity;

Authorization: permission verification, checking whether an authenticated user has a given permission, that is, whether the user can do something, for example verifying that a user has a certain role, or, more fine-grained, that a user has a certain permission on a resource;

Session Manager: session management. Once a user logs in, a session exists, and until the user logs out all of their information is kept in that session; the session can live in an ordinary Java SE environment as well as in a web environment;

Cryptography: protecting data security, for example storing passwords in the database in encrypted form rather than in plaintext;

Web Support: Shiro can be easily integrated into a web environment;

Caching: for example, after a user logs in, their user information, roles and permissions do not have to be looked up every time, which improves efficiency;

Concurrency: Shiro supports concurrent verification in multi-threaded applications; for example, when one thread starts another thread, the permissions are automatically propagated to it;

Testing: provides test support;

Run As: allows one user to access the application under another user's identity (if that user permits it);

Remember Me: a very common function; once logged in, the user does not have to log in again the next time.

Keep in mind that Shiro does not maintain users or permissions; we have to design and provide them ourselves and then inject them into Shiro through the corresponding interfaces.

Next we look at the Shiro architecture from the outside and from the inside. A good framework should present a very simple and easy-to-use API with a clear contract on the outside, and internally it should have an extensible architecture into which user-defined implementations can be plugged easily, because no framework can meet every requirement.

First, let's look at Shiro from the outside, that is, from the application's perspective, to see how Shiro is used to get work done. See the following figure:

You can see that the object the application code interacts with directly is the Subject; in other words, Subject is the core of Shiro's external API. The meaning of each API:

Subject: represents the current "user". This user is not necessarily a specific person; anything that interacts with the current application is a Subject, such as a web crawler or a robot, so it is an abstract concept. Every Subject is bound to a SecurityManager, and all interactions with a Subject are delegated to the SecurityManager; the Subject can be regarded as a façade, and the SecurityManager is the actual executor;

SecurityManager: the security manager. All security-related operations interact with the SecurityManager, and it manages all Subjects, so it is the core of Shiro; it interacts with the other components described below. If you have studied Spring MVC, you can think of it as the DispatcherServlet front controller;

Realm: a domain. Shiro obtains security data (such as users, roles, permissions) from the Realm. That is, when the SecurityManager authenticates a user it needs to obtain the corresponding user from the Realm to compare against and determine whether the user's identity is legitimate, and it also needs to obtain the user's roles/permissions from the Realm to verify whether the user may perform an operation. The Realm can be regarded as a DataSource, that is, the security data source.

In other words, for us the simplest Shiro application is:

1. the application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager;

2. we need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can determine who the legitimate users are and what permissions they have.

As you can see from the above, Shiro does not provide maintenance of users/permissions; instead, developers inject them themselves through the Realm.
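As an added illustration (not code from the original post or from the shiro-example repository), the following is the "simplest Shiro application" just described: a custom Realm injected into the SecurityManager, and application code that talks only to the Subject. The InMemoryRealm class, its single-user table, and the role/permission strings are assumptions constructed for this example; the stored credential is a salted SHA-256 hash rather than the plaintext password, matching the Cryptography point above.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import java.util.Map;

public class MinimalShiroApp {
    static final int ITERATIONS = 1024;
    // Constructed user table (an assumption for this example): username -> salted SHA-256 hex of the password.
    static final Map<String, String> USERS = Map.of("zhang", new Sha256Hash("123", "zhang", ITERATIONS).toHex());
    // Our own Realm: Shiro asks it for identity data (authentication) and roles/permissions (authorization).
    static class InMemoryRealm extends AuthorizingRealm {
        InMemoryRealm() {
            // Compare the submitted password against the stored hash; no plaintext password is kept anywhere.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            setCredentialsMatcher(matcher);
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            String storedHash = USERS.get(username);
            if (storedHash == null) throw new UnknownAccountException("no account: " + username);
            // Hand back hash + salt; the matcher hashes the submitted password and compares the two.
            return new SimpleAuthenticationInfo(username, storedHash, ByteSource.Util.bytes(username), getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();   // roles/permissions of the principal
            info.addRole("admin");
            info.addStringPermission("user:read");
            return info;
        }
    }
    public static void main(String[] args) {
        // Step 2 first (inject our Realm into the SecurityManager), then step 1 (use only the Subject).
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("zhang", "123"));   // throws AuthenticationException on failure
        System.out.println("admin=" + subject.hasRole("admin") + " user:read=" + subject.isPermitted("user:read")
                + " user:delete=" + subject.isPermitted("user:delete"));
        subject.logout();
    }
}
```

Only shiro-core is needed on the classpath; the login call throws an AuthenticationException (for example UnknownAccountException or IncorrectCredentialsException) on a bad username or password, which is how application code learns that authentication failed.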

Next, let's look at the Shiro architecture from inside Shiro, as shown in the following illustration:


Subject: as seen above, a Subject can be any "user" that interacts with the application;

SecurityManager: equivalent to the DispatcherServlet in Spring MVC or the FilterDispatcher in Struts2; it is the heart of Shiro. All specific interactions are controlled through the SecurityManager, which manages all Subjects and is responsible for authentication, authorization, session management and cache management.

Authenticator: responsible for authenticating the Subject. This is an extension point: if you feel Shiro's default is not good enough, you can provide a custom implementation. It requires an authentication strategy (AuthenticationStrategy), which decides under what conditions a user's authentication counts as passed;

Authorizer: the access controller, which determines whether the Subject has the right to perform the corresponding operation, that is, it controls which functions of the application the user can access;

Realm: there can be one or more Realms. A Realm can be regarded as a security entity data source used to obtain security entities, and it can be a JDBC implementation, an LDAP implementation, an in-memory implementation, and so on. Shiro does not know where your users/permissions are stored or in what format, so we usually need to implement our own Realm in the application.

SessionManager: if you have written a servlet, you know the concept of a session. Someone has to manage the session's lifecycle, and that component is the SessionManager. Shiro is not only for web environments; it can also be used in an ordinary Java SE environment, in EJB and in other environments, so Shiro abstracts its own session to manage the data of the interaction between the Subject and the application. For example, suppose we start in a web environment with one web server and then move to an EJB server; when you want to keep the session data of both servers in one place, you can implement your own distributed session (for example, putting the data on a memcached server);

SessionDAO: a data access object for sessions, providing CRUD for them. For example, if we want to save sessions to a database, we can implement our own SessionDAO that writes to the database via JDBC; if we want to put sessions into memcached, we can implement our own memcached SessionDAO. In addition, the SessionDAO can use a Cache to improve performance;

CacheManager: the cache controller, which manages caching of users, roles, permissions, and so on; because this data rarely changes, keeping it in a cache improves access performance.

Cryptography: the cipher module; Shiro provides some common cryptographic components, used for example for password encryption/decryption.

With this, the Shiro architecture and its components are understood; next we learn about each Shiro component in turn.

Reference http://shiro.apache.org/reference.html

Sample source code: https://github.com/zhangkaitao/shiro-example. Join group 134755960 to discuss Spring/Shiro technology.
