Shiro from getting started to giving up

Source: Internet
Author: User

Apache Shiro is a security framework for Java. It is used by more and more people because it is fairly simple. Compared with Spring Security it is less powerful, but most projects do not need that much complexity, and the small and simple Shiro is enough for them. There is no need to agonize over which of the two is better; pick whichever solves the project's problem more easily.

With Shiro it is easy to build a good enough application, and it can be used not only in a plain Java SE environment but also in a Java EE environment. Shiro helps us with authentication, authorization, encryption, session management, web integration, caching and more, and its API is very simple. Its basic feature points are as follows:

Authentication: identity authentication (login), verifying that the user really has the identity they claim;

Authorization: permission verification, checking whether an authenticated user holds a given permission, that is, whether the user may do something. Typically this means verifying that the user has a role, or, more fine-grained, that the user has a certain permission on a resource;

Session Manager: session management. From the time a user logs in until they log out there is a session that holds all of their information; the session can live in a plain Java SE environment or in a web environment;

Cryptography: encryption to protect data, for example storing passwords in the database in encrypted (hashed) form rather than as plaintext;

Web Support: easy integration into a web environment;

Caching: for example, after a user logs in, their user information and roles/permissions do not need to be looked up on every request, which improves efficiency;

Concurrency: Shiro supports concurrent authentication in multi-threaded applications; for example, when one thread starts another, the identity is automatically propagated to the new thread;

Testing: support for testing;

Run As: allows one user to assume the identity of another user (if that user permits it);

Remember Me: a very common feature; once you have logged in, you do not need to log in again the next time you come back.

Remember one thing: Shiro does not maintain users or permissions. We have to design those ourselves and then inject them into Shiro through the appropriate interfaces.

Next we look at Shiro's architecture from the outside and from the inside. A good framework should, from the outside, offer a very simple and easy-to-use API with clear contracts; from the inside, it should have an extensible architecture into which user-defined implementations can easily be plugged, because no framework can meet every requirement.

First, let's look at Shiro from the outside, that is, from the application's perspective, to see how an application uses Shiro to get its work done, as in the diagram below:

As the diagram shows, the object that application code interacts with directly is the Subject, that is, the core of Shiro's external API is the Subject. The meaning of each part of the API:

Subject: the subject represents the current "user". This user is not necessarily a specific person; anything that interacts with the application, such as a web crawler or a robot, is a subject. It is an abstract concept. Every Subject is bound to a SecurityManager, and all interactions with a Subject are delegated to the SecurityManager; the Subject can be regarded as a facade, and the SecurityManager is the actual executor;

SecurityManager: the security manager. All security-related operations interact with the SecurityManager; it manages all Subjects and is the core of Shiro, responsible for interacting with the other components described below. If you know Spring MVC, you can think of it as the DispatcherServlet front controller;

Realm: the domain from which Shiro obtains security data (users, roles, permissions). When the SecurityManager verifies a user's identity, it needs to fetch the corresponding user from the Realm to compare against and decide whether the identity is legitimate; likewise it needs the user's roles/permissions from the Realm to verify whether the user may perform an operation. A Realm can be viewed as a DataSource, that is, a source of security data.

In other words, for us the simplest Shiro application is:

1. The application code authenticates and authorizes through the Subject, and the Subject delegates to the SecurityManager;

2. We need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain legitimate users and their permissions to make its decisions.

As can be seen above, Shiro does not maintain users/permissions itself; it lets developers inject them through a Realm.
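The two steps above as an added, runnable example (not code from the original article): a custom Realm injected into a DefaultSecurityManager, with login and permission checks going through the Subject. It assumes Shiro 1.x on the classpath; the account, salt, hash and permissions are constructed sample data.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class ShiroQuickstart {
    // The Realm we inject: answers "who is this user" and "what may they do" from constructed sample data.
    static class AppRealm extends AuthorizingRealm {
        static final String SALT = "constructed-per-user-salt";
        static final String ALICE_HASH = new Sha256Hash("s3cret", SALT, 1024).toHex(); // stored hash, never plaintext
        AppRealm() {
            // The matcher re-hashes the submitted password with the same algorithm, salt and iterations.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
            matcher.setHashIterations(1024);
            setCredentialsMatcher(matcher);
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            if (!"alice".equals(user)) return null; // unknown account -> login fails
            return new SimpleAuthenticationInfo(user, ALICE_HASH, ByteSource.Util.bytes(SALT), getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole("admin");
            info.addStringPermission("user:delete"); // Shiro wildcard-permission syntax
            return info;
        }
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new AppRealm())); // step 2: inject the Realm
        Subject subject = SecurityUtils.getSubject();                                // step 1: talk to the Subject
        try {
            subject.login(new UsernamePasswordToken("alice", "s3cret"));
            System.out.println("admin=" + subject.hasRole("admin") + " user:delete=" + subject.isPermitted("user:delete")
                    + " user:create=" + subject.isPermitted("user:create")); // true, true, false
        } catch (AuthenticationException e) { System.out.println("login failed: " + e.getMessage()); }
        finally { subject.logout(); }
    }
}
```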

Now let's look at the Shiro architecture from the inside, as shown in the diagram below:


Subject: the subject; as you can see, a Subject can be any "user" that interacts with the application;

SecurityManager: the equivalent of DispatcherServlet in Spring MVC or FilterDispatcher in Struts2, and the heart of Shiro. All concrete interactions are controlled by the SecurityManager; it manages all Subjects and is responsible for authentication and authorization as well as session and cache management.

Authenticator: responsible for authenticating subjects. This is an extension point: if you feel Shiro's default is not good enough, you can provide a custom implementation. It needs an authentication strategy, that is, the rule for under which circumstances a user's authentication is considered to have passed;

Authorizer: the authorizer, or access controller, used to determine whether a Subject has the right to perform an operation, that is, to control which functions of the application a user may access;

Realm: there can be one or more Realms. They can be thought of as security-entity data sources, that is, sources from which security entities are obtained, whether implemented over JDBC, over LDAP, in memory, etc. Note: Shiro does not know where or in what format your users/permissions are stored, so we generally need to implement our own Realm in the application;

SessionManager: if you have written a servlet you know the concept of a session. A session needs someone to manage its life cycle, and that component is the SessionManager. Since Shiro can be used not only in a web environment but also in plain Java SE, EJB and other environments, Shiro abstracts its own Session to manage the data exchanged between a Subject and the application. For example, suppose we are in a web environment, first on a web server and then on an EJB server, and we want the session data of both servers kept in one place; in that case we can implement our own distributed session (for example, storing the data on a memcached server);

SessionDAO: everyone has used DAOs, data access objects; this one performs CRUD on sessions. For example, if we want to save sessions to the database, we can implement our own SessionDAO that writes to the database via JDBC; if we want to put sessions into memcached, we can implement our own memcached SessionDAO. In addition, the SessionDAO can use the cache for caching to improve performance;

CacheManager: a cache controller that manages caches of users, roles, permissions and so on. Because this data rarely changes, placing it in the cache improves access performance;

Cryptography: the crypto module. Shiro provides some common cryptographic components for password encryption/decryption.
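An added example (not from the original article) of the Authenticator's authentication strategy and of using more than one Realm, as described above, assuming Shiro 1.x: two in-memory SimpleAccountRealms with constructed accounts sit behind one SecurityManager, and the strategy is switched from the default to AllSuccessfulStrategy.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import java.util.Arrays;

public class MultiRealmStrategy {
    // Returns whether the login is accepted under the configured authentication strategy.
    static boolean tryLogin(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        // Two in-memory Realms standing in for, say, a directory and a local user table (constructed accounts).
        SimpleAccountRealm directory = new SimpleAccountRealm("directory");
        directory.addAccount("alice", "s3cret");
        directory.addAccount("bob", "hunter2");
        SimpleAccountRealm local = new SimpleAccountRealm("local");
        local.addAccount("alice", "s3cret"); // alice is known to both realms, bob only to the directory

        // The default strategy is AtLeastOneSuccessfulStrategy: one realm accepting the token is enough.
        // AllSuccessfulStrategy requires every configured realm to accept it.
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AllSuccessfulStrategy());
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator); // set before the realms so setRealms propagates them to it
        sm.setRealms(Arrays.<Realm>asList(directory, local));
        SecurityUtils.setSecurityManager(sm);

        System.out.println("alice: " + tryLogin("alice", "s3cret")); // true: both realms agree
        System.out.println("bob:   " + tryLogin("bob", "hunter2"));  // false: the local realm has no bob
    }
}
```

With a single realm Shiro skips the strategy entirely, so the choice only matters once two or more Realms are configured.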

This article is translated from http://jinnianshilongnian.iteye.com/blog/2018936
