Security Validation Framework use Note 001---Shiro introduction

1.1 Introduction

Apache Shiro is a security framework for Java. Currently, there are more and more people using Apache Shiro, because it is fairly simple, compared to spring security, it may not be as powerful as spring security, but it may not need to be as complex as it actually works. So the use of small and simple Shiro is enough. For the two of them in the end which is good, this does not have to struggle, can be easier to solve the project problem just fine.

This tutorial only describes the basic Shiro use, not too much analysis of the source, etc., heavy in use.

Shiro can be very easy to develop a good enough application, not only can be used in the javase environment, but also can be used in the Java EE environment. Shiro can help us complete: Authentication, authorization, encryption, session management, Web integration, caching, and more. This is not what we want, and the Shiro API is very simple; its basic function points are shown in the following figure:

Authentication: identity Authentication/login, verify that the user has the corresponding identity;

Authorization: authorization, which is authentication of permissions, verifies that a authenticated user has a permission, that is, to determine whether a user can do something, as usual: To verify that a user has a role. or fine-grained verification that a user has a certain permission on a resource;

Session Manager : conversation Management, that is, the user login is a session, before exiting, all its information is in the session, the session can be normal javase environment, can also be such as the web environment;

cryptography: Encryption, protection of data security, such as password encryption stored in the database, rather than plaintext storage;

Web Support: Web support, can be very easy to integrate into the web environment;

Caching: Cache, such as user login, its user information, the role/permissions do not need to check every time, this can improve efficiency;

Concurrency:Shiro supports concurrent authentication for multi-threaded applications, such as opening another thread in one thread, enabling the automatic propagation of permissions to the past;

testing: provide testing support;

Run as: allows one user to pretend to access the identity of another user (if they allow);

Remember me: Remember me, this is a very common feature, that is, once logged in, the next time you come back without logging in.

Remember, Shiro will not maintain the user, maintenance rights, these need we to design/provide, and then through the corresponding interface injection to Shiro.

Next we look at the architecture of the Shiro from the outside and inside, for a good framework, from the outside it should have a very simple and easy to use API, and the API contract is clear, from the inside, it should have an extensible architecture, that is very easy to insert user-defined implementation, Because no framework can meet all requirements.

First, let's look at Shiro from the outside, that is, from an application perspective, to see how to use Shiro to do the job. The following figure:

You can see that the object that the application code interacts directly with is subject, that is, Shiro's external API core is subject; The meaning of each API:

Subject: The subject, represents the current "user", the user is not necessarily a specific person, and the current application of anything is Subject, such as web crawler, robot, etc., that is, an abstract concept All subject are bound to SecurityManager, and all interactions with subject are delegated to SecurityManager; subject can be considered a façade; SecurityManager is the actual performer;

SecurityManager: security Manager; That is, all security-related operations interact with SecurityManager, and it manages all subject; You can see that it is the core of Shiro and it is responsible for interacting with the other components described behind , if you have studied Springmvc, you can think of it as the Dispatcherservlet front controller;

Realm: Shiro from the realm to obtain security data (such as users, roles, permissions), that is, SecurityManager to verify the identity of the user, then it needs to get the appropriate user from realm to compare to determine whether the user identity is legitimate It also requires the user's corresponding roles/privileges from realm to verify that the user is able to operate, and that realm can be viewed as a DataSource, a secure data source.

That is to say, for us, the simplest of a Shiro application:

1, the application code through the subject for authentication and authorization, and subject entrusted to SecurityManager;

2, we need to give Shiro SecurityManager to inject realm, so that SecurityManager can get legitimate users and their rights to judge.

as can be seen from the above, Shiro does not provide maintenance users/permissions, but it allows developers to inject themselves through realm.

 

Let's look at the architecture of Shiro from within Shiro, as shown in the following figure:

Subject: subject, you can see that the subject can be any "user" that can interact with the application;

SecurityManager: equivalent to Dispatcherservlet in Springmvc or filterdispatcher in Struts2; it's the heart of Shiro. All specific interactions are controlled through SecurityManager, which manages all subject, and is responsible for authentication and authorization, and session and cache management.

Authenticator: The authenticator, responsible for the main authentication, this is an extension point, if the user feels Shiro default is not good, can be customized implementation; It requires authentication policy (authentication strategy), That is, under what circumstances the user authentication passed;

Authrizer: an authorization, or access controller, used to determine whether the subject has the right to do the appropriate operation, that is, control the user can access the application of which functions;

Realm: There can be 1 or more realms that can be considered a secure Entity data source, which is used to obtain a security entity, either a JDBC implementation or an LDAP implementation, or a memory implementation, etc.; note: Shiro does not know your user/ Where permissions are stored and in what format; so we generally need to implement our realm in the application;

SessionManager: If you write a servlet you should know the concept of the session, the session needs someone to manage its life cycle, this component is SessionManager , and Shiro can not only be used in the Web environment, but also can be used in the environment such as ordinary javase environment, EJB, etc., all, Shiro abstract a session to manage the interaction between the subject and the data, such as we use in the Web environment, The first is a Web server, and then on the EJB server, when you want to put two server session data in one place, this time can realize their own distributed session (such as the data on the memcached server);

Sessiondao: DAO everyone has used, data access objects, for the session of CRUD, such as we want to save the session to the database, then we can implement their own sessiondao, through such as JDBC write to the database, such as to put the session into the memcached, Can implement their own memcached Sessiondao, in addition Sessiondao can use cache for caching, to improve performance;

CacheManager: A cache controller that manages caches such as users, roles, permissions, and so on, because the data is rarely changed and is placed in the cache to improve access performance

cryptography: cipher module, Shiro improves some common cryptographic components for password encryption/decryption.

By the end of this Shiro architecture and its components, learn the components of Shiro next to each other.

Reference http://shiro.apache.org/reference.html

Example source code: https://github.com/zhangkaitao/shiro-example; Spring/shiro technology can be explored Dabigatran 134755960.

Original address: http://jinnianshilongnian.iteye.com/blog/2018936