Chapter 1: Shiro Introduction

Source: Internet
Author: User

1.1 Introduction

Apache Shiro is a security framework for Java. More and more developers are adopting it because it is fairly simple. Compared with Spring Security it may be less powerful, but it also does not need to be as complex, and for small or simple applications Shiro is enough. There is no need to agonize over which of the two is better: whichever solves the project's problem more easily is fine. This tutorial only describes basic Shiro usage and does not analyze the source code in depth; the emphasis is on practical use. Shiro makes it easy to build a sufficiently secure application, and it can be used not only in a Java SE environment but also in a Java EE environment. Shiro helps us with authentication, authorization, cryptography, session management, web integration, caching and so on, which is exactly what we need. Its API is also very simple. Its basic feature points are as follows:

Primary Concerns (the main points of concern):

1. Authentication (identity authentication / login): verifies that the user has the appropriate identity;

2. Authorization: permission verification, i.e. checks whether an authenticated user holds a given permission and thereby determines what the user can do (verify that a user has a role, or, at a finer granularity, that a user holds a certain permission on a resource);

3. Session Management: a user's login is a session, and until the user logs out all of the user's information is held in that session. The session can live in an ordinary Java SE environment as well as in a web environment;

4. Cryptography: protects data, for example storing passwords in the database in encrypted (hashed) form rather than in clear text.

Supporting Features (auxiliary features):

1. Web Support: can easily be integrated into a web environment;

2. Caching: for example, once a user has logged in, their user information and roles/permissions do not need to be looked up on every request, which improves efficiency;

3. Concurrency: Shiro supports concurrent authentication in multi-threaded applications; for example, when one thread spawns another, the permissions are automatically propagated to the new thread;

4. Testing: provides testing support;

5. Run As: allows one user to access the application under the identity of another user (if that user permits it);

6. Remember Me: a very common feature; once you have logged in, you do not need to log in again the next time you come back.

Remember one thing: Shiro does not maintain users or permissions. We need to design these ourselves and then inject them into Shiro through the appropriate interface.

Next we look at Shiro's architecture from the outside and from the inside. A good framework should, from the outside, have a very simple and easy-to-use API with a clear API contract, and, from the inside, an extensible architecture that makes it easy to plug in user-defined implementations, because no framework can meet every requirement. First let's look at Shiro from the outside, that is, from the application's perspective, to see how an application uses Shiro to get its work done, as shown in the following figure:

As the figure shows, the object that application code interacts with directly is the Subject; in other words, the core of Shiro's external API is the Subject. The meaning of each API:

Subject: represents the current "user". The user is not necessarily a specific person; anything that interacts with the current application is a Subject, such as a web crawler or a robot. Subject is an abstract concept. Every Subject is bound to a SecurityManager, and all interactions with a Subject are delegated to the SecurityManager; the Subject can be regarded as a facade, while the SecurityManager is the actual executor.

SecurityManager: all security-related operations interact with the SecurityManager, and it also manages every Subject. It can be seen as the core of Shiro and is responsible for interacting with the other components described later. If you have learned Spring MVC, you can think of it as the DispatcherServlet front controller.

Realm: Shiro obtains security data (such as users, roles and permissions) from a Realm. That is, when the SecurityManager authenticates a user it needs to compare against the Realm to decide whether the user's identity is legitimate, and it also needs to get the user's roles/permissions from the Realm to verify whether the user may perform an operation. A Realm can be regarded as a DataSource, i.e. a source of security data.

That is to say, from our point of view the simplest Shiro application is:

1. The application code performs authentication and authorization through the Subject, and the Subject delegates to the SecurityManager;

2. We need to inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain the legitimate users and their permissions on which it bases its decisions.

As can be seen from the above, Shiro does not provide user/permission maintenance; instead, it lets developers inject these themselves through a Realm.
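As an added example (not code from the original article), here is that simplest application wired up with Shiro 1.x's shiro-core API: an IniRealm built from constructed sample users and roles is injected into a DefaultSecurityManager, and the application code then authenticates and authorizes only through the Subject facade.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroQuickstart {

    // Constructed sample security data. The Realm is the "secure data source" that the
    // application supplies; the SecurityManager itself knows nothing about users or roles.
    private static final String INI =
        "[users]\n"
        + "alice = alice-pw, admin\n"
        + "bob = bob-pw, viewer\n"
        + "[roles]\n"
        + "admin = user:*\n"
        + "viewer = user:read\n";

    public static void main(String[] args) {
        // Step 2 in the text: inject a Realm into the SecurityManager.
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        // Step 1 in the text: application code talks only to the Subject facade;
        // every call is delegated to the SecurityManager and, through it, to the Realm.
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("bob", "bob-pw")); // authentication
        } catch (AuthenticationException e) {
            System.out.println("login failed: " + e.getClass().getSimpleName());
            return;
        }
        System.out.println("authenticated as " + subject.getPrincipal());

        // Authorization: a coarse role check and fine-grained permission checks,
        // all answered from the [roles] data the Realm supplied.
        System.out.println("has role admin?        " + subject.hasRole("admin"));
        System.out.println("permitted user:read?   " + subject.isPermitted("user:read"));
        System.out.println("permitted user:create? " + subject.isPermitted("user:create"));

        // Logging out ends the session; the Subject becomes anonymous again.
        subject.logout();
        System.out.println("still authenticated?   " + subject.isAuthenticated());
    }
}
```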

Let's take a look at Shiro's architecture from within Shiro, as shown in the following figure:

Subject: any "user" that can interact with the application.

SecurityManager: equivalent to the DispatcherServlet in Spring MVC or the FilterDispatcher in Struts2; it is the heart of Shiro. All concrete interactions go through the SecurityManager, which manages every Subject and is responsible for authentication, authorization, and session and cache management.

1. Authenticator: responsible for authenticating the Subject. This is an extension point: if you feel Shiro's default is not good enough, you can provide a customized implementation. It requires an authentication strategy (AuthenticationStrategy) that defines under what circumstances authentication is considered to have passed.

2. Authorizer: used to decide whether the Subject has permission to perform a given action, i.e. it controls which resources a user can access in the application.

3. Realm: there can be one or more Realms. A Realm can be regarded as a security entity data source, i.e. it supplies security entity data (a JDBC implementation, an LDAP implementation, an in-memory implementation, and so on), and it is provided by the user. Note: Shiro does not know where your users/permissions are stored or in what format, so we generally need to implement our own Realm in the application.

4. SessionManager: if you have written a servlet you know the concept of a session. A session needs someone to manage its life cycle, and that component is the SessionManager. Shiro can be used not only in a web environment but also in environments such as ordinary Java SE or EJB, so Shiro abstracts its own session to manage the interaction between the Subject and its data. For example, if we run in a web environment, start one web server and then an EJB server, and want to keep the session data of the two servers in one place, we can implement our own distributed session (for example, putting the data on a memcached server).

5. SessionDAO: everyone has used a Data Access Object (DAO); this one performs CRUD on sessions. For example, if we want to save sessions to a database, we can implement our own SessionDAO that writes to the database via JDBC; if we want to put sessions into memcached, we can implement our own memcached SessionDAO. In addition, the SessionDAO can use caching to improve performance.

6. CacheManager: used to manage caches of users, roles, permissions and so on. Since this data rarely changes, serving it from the cache improves access performance.

Cryptography: Shiro provides some common cryptographic components, for example for password encryption/decryption.
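The Realm, Authenticator and Cryptography components described above, combined in an added example that is not from the original article: a hypothetical in-memory Realm (assumed name HashedPasswordRealm, standing in for a JDBC or LDAP one) stores only a random salt and an iterated SHA-256 hash per user, and a HashedCredentialsMatcher lets Shiro's Authenticator verify a login without the password ever being kept in clear text. It assumes Shiro 1.x package names.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Hypothetical in-memory Realm; a real one would read the same columns from JDBC/LDAP.
public class HashedPasswordRealm extends AuthenticatingRealm {
    private static final int ITERATIONS = 1024;
    // Constructed "user table": username -> {saltHex, sha256Hex}. No plaintext is kept.
    private final Map<String, String[]> users = new HashMap<>();

    public HashedPasswordRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher); // the Authenticator compares hashes, never plaintext
    }

    // Registration path: a fresh random salt per user; only salt and hash are stored.
    public void addUser(String username, String plaintextPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hash = new Sha256Hash(plaintextPassword, salt, ITERATIONS).toHex();
        users.put(username, new String[] {salt.toHex(), hash});
    }

    // Login path: return the stored hash + salt; Shiro re-hashes the submitted password to compare.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        String[] row = users.get(username);
        if (row == null) throw new UnknownAccountException("no account: " + username);
        ByteSource salt = ByteSource.Util.bytes(Hex.decode(row[0]));
        return new SimpleAuthenticationInfo(username, row[1], salt, getName());
    }

    public static void main(String[] args) {
        HashedPasswordRealm realm = new HashedPasswordRealm();
        realm.addUser("alice", "correct horse battery staple");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        try { subject.login(new UsernamePasswordToken("alice", "wrong-password")); }
        catch (AuthenticationException e) { System.out.println("rejected: " + e.getClass().getSimpleName()); }
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("authenticated as " + subject.getPrincipal());
    }
}
```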

That concludes the overview of Shiro's architecture and its components; next we will learn about each of Shiro's components in turn.

