Unified authentication and authorization with Shiro
Shiro is a simple, easy-to-use Java permissions framework under the Apache umbrella. For a single (monolithic) application, Shiro alone meets authentication and authorization requirements well and quickly, so it is usually the first choice for developers on a project.
However, once you need a second, third, or nth application that requires the same authentication and authorization, you may need to extend Shiro or integrate it with other frameworks to meet that need well.
How Shiro handles authentication and authorization
Shiro itself does not implement authentication and authorization for you. Instead, it defines the permission-related concepts clearly and leaves the concrete implementation to you.
Authentication
In Shiro, authentication is generally completed by Subject.login(token). The Subject represents a user, and the token carries the credentials the user submits when requesting access. Through AuthenticatingRealm.doGetAuthenticationInfo(), Shiro obtains information about the current Subject, such as its principals and credentials, and verifies the submitted token against it. If the login succeeds, the currently logged-in user is saved.
Authorization
In Shiro, access control is generally done with @RequiresPermissions. When a user accesses a protected resource, Shiro calls AuthorizingRealm.doGetAuthorizationInfo(), looks up the user's permissions by the principals of the currently authenticated Subject, and decides whether the user may access the resource.
In Shiro, both of these things are done by implementing a Realm. With a single application, completing authentication and authorization this way is very simple.
But when you have several applications that must reuse the same set of user and permission information, what do you do? You can reuse the Realm and keep the user permissions in the same database. That works, but the coupling is too high: every application must connect to the same data source. Alternatively, you can strip out the user-permission DAO and expose it as an RPC or REST call. A better approach, though, is to separate authentication and authorization into a dedicated authentication and authorization service.
Unified authentication and authorization based on Shiro
To achieve unified authentication and authorization, Shiro provides a CasFilter that integrates with CAS, but CAS is another framework, rather heavyweight, with its own learning cost. So here is a simpler, lightweight, easy-to-use Shiro-based authentication and authorization service: SHIRO-UAA.
Authentication and authorization process
1. The user requests a protected resource from the resource server.
2. The resource server determines whether the user is logged in.
3. If the user is not logged in, the resource server redirects the user to the UAA server to log in.
4. The user logs in on the UAA server. If the login succeeds, the UAA server returns a code to the user and redirects the user back to the resource server that was originally requested.
5. The resource server exchanges the code with the UAA server for an access token that contains the user's authorization information.
6. The resource server verifies that the access token is legitimate and, if it is, saves the user information on the resource server.
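The six-step flow above, simulated end to end in Python as an added example (not shiro-uaa's own code): a UAA server that issues a one-time code at login and exchanges it for an HMAC-signed token, and a resource server that verifies the token before creating a session and checking permissions. The shared key, the user store and the token format are assumptions made for this demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo data (assumptions, not shiro-uaa's): a key shared by both servers and a user store.
SHARED_SECRET = b"constructed-demo-secret-shared-by-uaa-and-resource-server"
USERS = {"alice": {"password": "s3cret", "permissions": ["order:read"]}}  # cleartext only for the demo

class UaaServer:
    """Steps 4 and 5: logs the user in, issues a one-time code, exchanges it for a signed token."""
    def __init__(self, secret, code_ttl=60, token_ttl=3600):
        self.secret, self.code_ttl, self.token_ttl = secret, code_ttl, token_ttl
        self.codes = {}  # code -> (username, expiry)
    def login(self, username, password):
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        code = secrets.token_urlsafe(16)  # unguessable, short-lived and single-use
        self.codes[code] = (username, time.time() + self.code_ttl)
        return code
    def exchange_code(self, code):
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[1] < time.time():
            return None  # unknown, replayed or expired code
        username, _ = entry
        claims = {"sub": username, "perms": USERS[username]["permissions"],
                  "exp": int(time.time()) + self.token_ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

class ResourceServer:
    """Step 6: verifies the token before trusting the user and permissions it carries."""
    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}  # session id -> verified claims
    def verify_token(self, token):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(expected, sig):
            return None  # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["exp"] > time.time() else None
    def establish_session(self, token):
        claims = self.verify_token(token)
        if claims is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims
        return sid
    def is_permitted(self, sid, permission):  # the check @RequiresPermissions would perform
        claims = self.sessions.get(sid)
        return claims is not None and permission in claims["perms"]
```

The code is consumed by pop so a replayed code fails at step 5, and a token signed with a different key or past its expiry fails at step 6 before any session is created.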
Usage
Auth-server
Reference the Maven dependency
Implement your own login logic
Resource-server
Reference the Maven dependency
As with plain Shiro, use the related annotations for permission control
It works basically out of the box. Currently auth-server is only a jar package, so you need to implement the login logic yourself; a deployable service will follow.
Detailed instructions for Shiro-uaa can be found at the project address.