Shiro, apacheshiro

Source: Internet
Author: User


Shiro is a powerful and streamlined Java security framework. It provides intuitive and comprehensive solutions for authentication, authorization, encryption, and session management.

Some features of Shiro:

  • Supports authentication and authorization against various data sources, with role-based or fine-grained authorization and a rich exception hierarchy.
  • Supports caching to improve application performance.
  • Environment-independent session access. Session management is more business-oriented and supports SSO, clustered, and distributed scenarios.
  • Simpler cryptography: data can be encrypted with less effort.
  • Simplified web security support: secure access to URLs and resources, automatic handling of login and logout, and Remember Me.
  • Few dependencies. Generally, only slf4j and commons-beanutils are required.

Security framework = authentication + authorization + cryptography + session management

 

Explanation 1:

  • Authentication: Identity verification. It can be simply understood as logging in to prove who you are.
  • Authorization: Access control, that is, deciding who has permission to perform an operation.
  • Session Management: User session management. It is environment-independent and can be used in any application.
  • Cryptography: Makes encryption algorithms easy to use for protecting data.
  • Web Support: Provides simple APIs for securing web applications.
  • Caching: Caching keeps security operations fast and efficient.
  • Concurrency: Shiro supports multi-threaded applications.
  • Testing: Security settings do not get in the way of unit or integration testing.
  • "Run As": Identity disguise, that is, a user assuming the identity of another user.
  • Remember Me: Remembers the user's identity after logging on.

In short, Shiro's architecture includes three concepts:

 

The components of Shiro's detailed architecture are as follows:

  • Subject: Describes the user currently performing an operation. Although "users" in real life are usually human beings, a Subject can also be a third-party service, a crawler, a scheduled task, or anything else that interacts with the program. Each Subject instance is bound to the SecurityManager. When we operate on a Subject, we are really interacting with the SecurityManager through it: the Subject is the facade for accessing the SecurityManager.
  • SecurityManager: The core of Shiro, an "umbrella" object that covers all security components so that they work together smoothly. It also manages every Subject and performs the security operations for each of them.
  • Authenticator: The component responsible for authentication. The login logic is executed by the Authenticator, which obtains the relevant data from the Realm to confirm the user's identity. If multiple Realm instances exist, an AuthenticationStrategy is used. For example, deciding the outcome when one Realm authenticates the user and others do not is the job of the AuthenticationStrategy.
  • Authorizer: Responsible for user permissions. It uses security data to determine whether the user is allowed to perform an operation.
  • SessionManager: Responsible for the session lifecycle, providing a robust, environment-independent session experience. Environment independence is a major selling point of Shiro. SessionDAO is used for session persistence and can use any data source.
  • CacheManager: Manages the cache lifecycle. Authentication data, permissions, sessions, and other information can be cached.
  • Cryptography: Used to facilitate encryption and decryption.
  • Realms: The bridge between Shiro and your data. A Realm is used whenever security-related data is needed for actions such as authentication or authorization. You can also regard a Realm as a security-specific DAO that encapsulates the implementation details of accessing security-related data. There can be many Realms, but there must be at least one.
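
The wiring described above (Subject, SecurityManager, Authenticator with an AuthenticationStrategy, and two Realms) as an added example that is not part of the original page. It assumes shiro-core on the classpath; the class name, realm names, accounts and passwords are constructed for illustration.

```java
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ShiroArchitectureDemo {
    // Wires SecurityManager -> Authenticator(strategy) -> two Realms, then logs one Subject in.
    static String attempt(AuthenticationStrategy strategy, String user, String password) {
        // Constructed sample data: "alice" exists only in the first realm.
        SimpleAccountRealm staff = new SimpleAccountRealm("staffRealm");
        staff.addAccount("alice", "constructed-password", "admin");
        SimpleAccountRealm partners = new SimpleAccountRealm("partnerRealm");
        partners.addAccount("bob", "another-constructed-password", "guest");

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);
        DefaultSecurityManager manager = new DefaultSecurityManager();
        // Install the authenticator before the realms: setRealms() hands the realm
        // list to whichever authenticator is installed at that moment.
        manager.setAuthenticator(authenticator);
        manager.setRealms(List.of(staff, partners));

        // Subject.Builder binds the Subject to this manager without using the static SecurityUtils holder.
        Subject subject = new Subject.Builder(manager).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            return "denied: " + e.getClass().getSimpleName();
        }
        String result = "authenticated, admin=" + subject.hasRole("admin")
                + ", guest=" + subject.hasRole("guest");
        subject.logout();
        return result;
    }

    public static void main(String[] args) {
        System.out.println(attempt(new AtLeastOneSuccessfulStrategy(), "alice", "constructed-password"));
        System.out.println(attempt(new AllSuccessfulStrategy(), "alice", "constructed-password"));
        System.out.println(attempt(new AtLeastOneSuccessfulStrategy(), "alice", "wrong-guess"));
    }
}
```

The same credentials are accepted under AtLeastOneSuccessfulStrategy and rejected under AllSuccessfulStrategy, because the second realm does not know the account; the strategy choice therefore decides whether adding a Realm widens or narrows who can log in.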

 
