2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains "what is the principle of Shiro". Many people have questions about how Shiro works in day-to-day use, so the editor consulted a range of materials and put together a simple, practical overview. I hope it helps answer the question "what is the principle of Shiro?" Let's get started.
Brief introduction
Apache Shiro is a powerful and easy-to-use Java security framework that provides authentication, authorization, encryption and session management. It can provide comprehensive security management services for any application, and it is much simpler than other security frameworks (such as Spring Security).
With Shiro it is easy to build sufficiently good applications, and it can be used in a JavaSE environment as well as in a JavaEE environment. Shiro can help us with authentication, authorization, encryption, session management, integration with the Web, caching, and so on.
Its basic function points are shown in the following figure
Authentication: identity verification / login, which verifies whether the user has the appropriate identity.
Authorization: permission verification, which checks whether an authenticated user has a certain permission, that is, whether the user can do something. This can be a coarse check, such as verifying whether a user has a role, or a fine-grained check of whether a user has a certain permission on a resource.
Session Manager: session management. After the user logs in, there is a session, and all of the user's information is kept in that session until the user logs out. The session can live in a plain JavaSE environment or in a Web environment.
Cryptography: encryption, which protects the security of data, for example storing passwords in the database in encrypted form rather than in plaintext.
Web Support: Web support, which makes it easy to integrate Shiro into a Web environment.
Caching: caching. For example, after a user logs in, their user information and roles / permissions do not have to be looked up every time, which improves efficiency.
Concurrency: Shiro supports concurrent verification in multithreaded applications; that is, if you start another thread from one thread, the permissions are propagated automatically.
Testing: provides testing support.
Run As: allows one user to access the application while acting as another user (if they allow it).
Remember Me: a very common feature; after logging in once, you do not have to log in the next time.
A good framework generally has a simple, easy-to-use API with a clear contract, and an extensible architecture into which user-defined implementations can easily be plugged, because no framework can meet every requirement. First, let's look at Shiro from the outside, from the point of view of the application that uses its API. Its core API is shown below:
It can be seen that the core of Shiro's external API is Subject.
Subject: the subject represents the current "user". This user is not necessarily a concrete person; anything that interacts with the current application is a Subject, such as web crawlers, robots, etc. It is an abstract concept. Every Subject is bound to the SecurityManager, and all interactions with a Subject are delegated to the SecurityManager. The Subject can be regarded as a facade; the SecurityManager is the actual executor.
SecurityManager: the security manager. All security-related operations go through the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components described later. If you have studied SpringMVC, you can think of it as the DispatcherServlet front controller.
Realm: domain. Shiro obtains security data (such as users, roles and permissions) from a Realm. That is, when the SecurityManager wants to verify a user's identity, it needs to obtain the corresponding user from the Realm and compare them to determine whether the identity is legitimate; it also needs to get the user's roles / permissions from the Realm to verify whether the user may perform an operation. A Realm can be regarded as a DataSource, that is, a source of security data.
From the point of view of the API above, the simplest Shiro application works like this: the application code authenticates and authorizes through the Subject, and the Subject delegates to the SecurityManager; the SecurityManager in turn depends on a Realm that we inject into it, so that it can obtain legitimate users and their permissions and make its decisions. It can also be seen from this that Shiro does not maintain users / permissions itself, but lets developers supply them through a Realm.
Next, let's take a look at the architecture of Shiro from within Shiro, as shown in the following figure:
Subject: the subject. As you can see, the subject can be any "user" that can interact with the application.
SecurityManager: the equivalent of DispatcherServlet in SpringMVC or FilterDispatcher in Struts2; it is the heart of Shiro. All concrete interactions are controlled by the SecurityManager; it manages all Subjects and is responsible for authentication and authorization, as well as session and cache management.
Authenticator: the authenticator, responsible for authenticating the subject. This is an extension point: if Shiro's default implementation does not suit you, you can provide your own. It requires an authentication strategy (Authentication Strategy), which defines under what circumstances the user's authentication counts as passed.
Authorizer: the authorizer, or access controller, which determines whether the subject has the permission to perform a given operation; that is, it controls which functions in the application the user can access.
Realm: there can be one or more Realms. A Realm can be thought of as a data source for security entities, that is, it is used to obtain security entities; it can be implemented with JDBC, LDAP, in memory, and so on, and it is provided by the user. Note: Shiro does not know where or in what format your users / permissions are stored, so we generally need to implement our own Realm in our applications.
SessionManager: if you have written Servlets, you will know the concept of a Session. A Session needs something to manage its life cycle, and that component is the SessionManager. Shiro can be used not only in a Web environment but also in a plain JavaSE environment, an EJB environment and so on, so Shiro abstracts its own Session to manage the data exchanged between the subject and the application. For example, suppose we use it in a Web environment and start with a single Web server, then add an EJB server. When we want to keep the session data of the two servers in one place, we can implement our own distributed session (for example by putting the data on a Memcached server).
SessionDAO: everyone has used a DAO (data access object); this one performs CRUD on sessions. For example, if we want to save Sessions to a database, we can implement our own SessionDAO and write to the database through JDBC; if we want to put Sessions into Memcached, we can implement our own Memcached SessionDAO. A Cache can also be used inside the SessionDAO to improve performance.
CacheManager: the cache controller, which manages caches of data such as users, roles and permissions. Because this data rarely changes, putting it in a cache improves access performance.
Cryptography: the cryptography module. Shiro provides some common cryptographic components, used for example for password encryption / decryption.
At this point, we should have a preliminary understanding of the basic information and architecture of Shiro and its components, and then begin to formally learn how to develop with Shiro.
This concludes the study of "what is the principle of Shiro". I hope it has answered your questions. Combining theory with practice will help you learn better, so go and try it! If you want to learn more about related topics, please continue to follow the website; the editor will keep working to bring you more practical articles.