
What can Shiro do?

2025-04-09 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/03 Report--

This article mainly explains what Shiro can do. Readers who are interested may want to take a look: the material introduced here is simple, quick and practical. Let's follow the editor and learn what Shiro can do.

Preface

Rights management is indispensable in every system. It belongs to the domain of system security: it controls users' access to the system and, according to a specified security policy, controls which resources a user may access.

Rights management usually consists of two parts, user identity authentication and authorization, referred to together as authentication and authorization. For resources that need access control, the user must first be authenticated; only after authentication passes may the user access the resource.

In the Java ecosystem, the common rights-management frameworks are Shiro and Spring Security. Of course, some simple or legacy systems may still use hand-written filters to manage and control permissions. This article introduces the Shiro framework from the perspective of its functions, components and architecture.

Introduction to Shiro

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. Its counterpart is Spring Security, but in most projects developers prefer Shiro for managing permissions.

The main reason is that it is easy to use, whereas Spring Security is relatively heavyweight and has a steep learning curve, and real-world projects rarely need as much functionality as Spring Security offers. In general, Shiro is sufficient.

Shiro can be used quickly and easily in any application, from the smallest mobile application to the largest web and enterprise application.

What can Shiro do?

Shiro provides the following functions: authentication (Authentication), authorization (Authorization), cryptography (Cryptography), session management (Session Management), web integration (Web Support), caching (Caching) and so on. It can be used to protect any kind of application, from command-line applications to mobile applications to the largest web and enterprise applications.

The following figure shows the core functions of Shiro:

With Shiro, we can achieve the following functions:

User authentication

User access control: determine whether the user has a specific role; determine whether the user may perform an operation

Use the Session API in any environment, even in applications outside a web or EJB container

Respond to events during authentication, access control and sessions

Aggregate one or more data sources of user security data and present them as a single composite user "view"

Support for single sign-on (SSO)

Support the "remember me" function at login

Other functions
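The function list above, worked through against the Subject API, as an added example that is not part of the original article: an IniRealm holds constructed sample users, roles and permissions, the Subject logs in, is checked for a role and for fine-grained permissions, uses the Session API with no container present, and logs out. It assumes Apache Shiro 1.x (shiro-core) on the classpath; every user name, password, role and permission string is made up for the example.

```java
// Added example (not from the original article): Subject API walkthrough against a
// programmatic IniRealm. Assumes Apache Shiro 1.x; all users/roles/permissions below
// are constructed sample data.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroQuickstart {

    /** Builds a SecurityManager backed by an in-memory INI realm (sample users/roles). */
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        // [users]  username = password, role1, role2 ...
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("alice", "alice-pass, admin");
        users.put("bob", "bob-pass, auditor");
        // [roles]  role = permission1, permission2 ...  (wildcard format domain:action)
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("admin", "*");
        roles.put("auditor", "report:read, user:read");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        // Session API: works here with no web or EJB container at all.
        Session session = currentUser.getSession();
        session.setAttribute("landingPage", "/dashboard");

        // 1. Authentication: the token carries the credentials the user submitted.
        UsernamePasswordToken token = new UsernamePasswordToken("bob", "bob-pass");
        // Honoured only when a RememberMeManager is configured (web apps: CookieRememberMeManager).
        token.setRememberMe(true);
        try {
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // Subtypes: UnknownAccountException, IncorrectCredentialsException, LockedAccountException ...
            System.out.println("Login failed: " + e.getClass().getSimpleName());
            return;
        }
        System.out.println("Logged in as " + currentUser.getPrincipal()
                + ", authenticated=" + currentUser.isAuthenticated());

        // 2. Authorization: coarse role check and fine-grained permission checks.
        System.out.println("has role auditor? " + currentUser.hasRole("auditor"));        // true
        System.out.println("may read reports? " + currentUser.isPermitted("report:read"));  // true
        System.out.println("may delete users? " + currentUser.isPermitted("user:delete"));  // false

        // check*() variants throw instead of returning false, which suits guard clauses.
        try {
            currentUser.checkPermission("user:delete");
        } catch (AuthorizationException e) {
            System.out.println("Denied: " + e.getMessage());
        }

        // The session set before login is still the Subject's session afterwards.
        System.out.println("landingPage=" + currentUser.getSession().getAttribute("landingPage"));

        // 3. Logout invalidates the session and clears the identity.
        currentUser.logout();
        System.out.println("after logout authenticated=" + currentUser.isAuthenticated());
    }
}
```

Run it with shiro-core (and an SLF4J binding of your choice) on the classpath; the permission strings use Shiro's wildcard format, so `*` on the admin role implies every permission checked against it.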

Characteristics of Shiro

Shiro aims to be independent of third-party frameworks, containers and the application itself, in every kind of application from the command line to large enterprise systems, and to be usable directly in any environment. It also has the following characteristics:

Easy-to-understand Java security API

Simple authentication (login), supporting multiple data sources (LDAP, JDBC, Kerberos, ActiveDirectory, etc.)

Simple role-based authorization (access control), supporting fine-grained authorization

Support for first-level caching to improve application performance

Built-in POJO-based enterprise session management for web and non-web environments

Heterogeneous client session access

Very simple cryptography API

Not bundled with any framework or container; it can run independently.

Function of each module of Shiro

With reference to the following figure, let's refine the function of each Shiro module:

Authentication: authentication / login, verifying whether the user has the corresponding identity

Authorization: authorization, that is, permission verification. It checks whether an authenticated user has permission to perform an operation, for example whether the user has a certain role or has permission to operate on a resource.

Session Management: session management, which stores the user's login information in the session and supports both web and non-web environments

Cryptography: cryptographic functions that are easy to use, such as hashing or encrypting passwords before storing them in a database

Web Support: web support, for easy integration into web environments

Caching: caching, for example caching user information, roles and permissions after login

Concurrency: Shiro supports concurrent verification in multithreaded scenarios; that is, if one thread starts another thread, the permissions can be propagated automatically.

Testing: testing support

Run As: allows one user to act as another user (if that user allows it) to access the system

Remember Me: remember me; after logging in once, the user can enter the system directly next time.

After looking at the components above, do you suddenly feel that Shiro has been underestimated in practice? Although Shiro provides so many functions, it does not implement the concrete user or permission subsystems for us: users, roles, permissions and so on must be designed by ourselves and then handed to Shiro for processing.
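The Run As and Concurrency modules from the list above, as an added example that is not part of the original article. A constructed support user impersonates a constructed customer through `Subject.runAs()`, and a permission check is run on a pool thread first without and then with `Subject.associateWith()`, which is how Shiro propagates the identity to another thread. It assumes Apache Shiro 1.x; the users, roles and the "impersonate:customer" permission that gates impersonation are a hypothetical policy chosen for the example, since Shiro itself does not decide who may run as whom.

```java
// Added example (not from the original article): Run As and thread propagation.
// Assumes Apache Shiro 1.x; users, roles and the impersonation permission are
// constructed sample data / a hypothetical policy.
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RunAsAndThreads {

    public static void main(String[] args) throws Exception {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("support", "support-pass, support");
        users.put("customer", "customer-pass, customer");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("support", "impersonate:customer");   // hypothetical policy permission
        roles.put("customer", "order:read");
        IniRealm realm = new IniRealm(ini);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("support", "support-pass"));

        // Run As: the authenticated support user temporarily assumes the customer's identity.
        // Shiro only swaps the principals; whether that is allowed is our application's
        // decision, enforced here by a permission on the ORIGINAL identity.
        if (subject.isPermitted("impersonate:customer")) {
            subject.runAs(new SimplePrincipalCollection("customer", realm.getName()));
        }
        System.out.println("isRunAs=" + subject.isRunAs()
                + ", acting as " + subject.getPrincipal()                                      // customer
                + ", really " + subject.getPreviousPrincipals().getPrimaryPrincipal());       // support
        System.out.println("order:read while impersonating? " + subject.isPermitted("order:read")); // true

        // Concurrency: a plain pool thread has no bound Subject, so SecurityUtils.getSubject()
        // yields an anonymous Subject there and every check is denied ...
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<Boolean> canReadOrders = () -> SecurityUtils.getSubject().isPermitted("order:read");
        Future<Boolean> bare = pool.submit(canReadOrders);
        System.out.println("bare thread permitted? " + bare.get());                // false

        // ... whereas associateWith() binds this Subject to the task for its duration.
        Future<Boolean> bound = pool.submit(subject.associateWith(canReadOrders));
        System.out.println("associated thread permitted? " + bound.get());         // true
        pool.shutdown();

        // Drop the impersonated identity; the support user is back.
        subject.releaseRunAs();
        System.out.println("isRunAs=" + subject.isRunAs() + ", principal=" + subject.getPrincipal());
        subject.logout();
    }
}
```

Run As is stored in the Subject's session, so it needs session support (the default in `DefaultSecurityManager`), and audit logging should record `getPreviousPrincipals()` as the real actor while an impersonation is active.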

Core component

Shiro includes three core components: Subject, SecurityManager and Realm. The relationship between them is shown in the following figure:

Subject: the principal, that is, the "current operating user". In Shiro, Subject does not refer only to people; it is an abstract concept that can also be a third-party process, a daemon account or something similar (such as a crawler or robot). In other words, it simply means "whatever is currently interacting with the software". All Subjects are bound to a SecurityManager, and the SecurityManager is the actual executor.

SecurityManager: the core of the Shiro framework and a typical Facade pattern. Shiro manages its internal component instances (including all Subjects) through the SecurityManager and provides its various security management services through it. Its role is similar to that of DispatcherServlet in Spring MVC.

Realm: a domain, which acts as the "bridge" or "connector" between Shiro and the application's security data. That is, when authenticating (login) or authorizing (access control) a user, Shiro looks up the user and their permission information in the Realm(s) configured by the application. In this sense, a Realm is essentially a security-related DAO: it encapsulates the connection details of the data source and supplies the relevant data to Shiro when needed. When configuring Shiro, at least one Realm must be specified for authentication and/or authorization.

Shiro has built-in Realms that can connect to many secure data sources (also called directories), such as LDAP, relational databases (JDBC), INI-style text configuration resources and property files. If the default Realms do not meet your requirements, you can also implement a custom Realm.
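A custom Realm in the "security DAO" role described above, as an added example that is not part of the original article. It extends `AuthorizingRealm`, keeps a hypothetical in-memory user table in place of a real database, stores only a per-user salt and an iterated SHA-256 hash rather than the password, and lets Shiro's `HashedCredentialsMatcher` do the comparison so the realm never handles plaintext at verification time. It assumes Apache Shiro 1.x (where `ByteSource` lives in `org.apache.shiro.util`); the user, role and permission values are constructed.

```java
// Added example (not from the original article): a custom Realm over a hypothetical
// in-memory user table, with salted, iterated password hashes. Assumes Apache Shiro 1.x;
// all users, roles and permissions are constructed sample data.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class InMemoryUserRealm extends AuthorizingRealm {

    private static final int HASH_ITERATIONS = 50_000;

    /** What a real user table would persist: salt + iterated hash, never the password. */
    static final class UserRecord {
        final String passwordHashHex; final byte[] salt; final Set<String> roles;
        UserRecord(String h, byte[] s, Set<String> r) { passwordHashHex = h; salt = s; roles = r; }
    }

    private final Map<String, UserRecord> users = new HashMap<>();          // stand-in for the user table
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // stand-in for the role table

    public InMemoryUserRealm() {
        // Tell Shiro how the stored credentials were produced so it can re-hash and compare.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Simulates account creation: a fresh random salt and an iterated hash are stored. */
    public void addUser(String username, String plaintextPassword, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(plaintextPassword, salt, HASH_ITERATIONS).toHex();
        users.put(username, new UserRecord(hashHex, salt.getBytes(), new HashSet<>(Arrays.asList(roles))));
    }

    public void addRole(String role, String... permissions) {
        rolePermissions.put(role, new HashSet<>(Arrays.asList(permissions)));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        UserRecord user = users.get(username);
        if (user == null) {
            throw new UnknownAccountException("no account for " + username);
        }
        // Return the stored hash and its salt; the matcher hashes the submitted password the
        // same way and compares, so this realm never compares plaintext itself.
        return new SimpleAuthenticationInfo(username, user.passwordHashHex,
                ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        UserRecord user = users.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(user.roles);
        for (String role : user.roles) {
            info.addStringPermissions(rolePermissions.getOrDefault(role, Collections.emptySet()));
        }
        return info;
    }

    public static void main(String[] args) {
        InMemoryUserRealm realm = new InMemoryUserRealm();
        realm.addRole("editor", "article:read", "article:write");
        realm.addUser("carol", "correct horse battery", "editor");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("carol", "wrong password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
        subject.login(new UsernamePasswordToken("carol", "correct horse battery"));
        System.out.println("article:write? " + subject.isPermitted("article:write"));   // true
        System.out.println("article:delete? " + subject.isPermitted("article:delete")); // false
        subject.logout();
    }
}
```

Replacing the two maps with JDBC or LDAP lookups turns this into the realm a production system would register; the hashing parameters in the matcher must stay in sync with how the stored hashes were created.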

Overview of Shiro architecture

Having analyzed the components above, let's summarize the simple scenario of using Shiro: the application authenticates and authorizes through the Subject, and the Subject delegates to the SecurityManager. The SecurityManager's authentication and authorization in turn rely on the Authenticator and the Realm, so a Realm must be injected into the SecurityManager.

So what about the internal architecture of Shiro?

In the figure above, Subject, SecurityManager and Realm have already been discussed, so let's look at the other modules:

Authenticator: the authenticator, responsible for authenticating the Subject; custom implementations are supported. It needs an authentication strategy (Authentication Strategy), that is, the conditions under which authentication is considered passed.

Authorizer: the authorizer, or access controller, used to determine whether the principal has permission to perform an operation.

SessionManager: manages the lifecycle of Sessions. Because Shiro can be used in both web and non-web environments, it abstracts its own Session to manage the interaction data between principals and applications, so that the Sessions of different applications can be managed centrally, which makes distributed sessions possible.

SessionDAO: if you want to store Sessions in a database or Memcached, you can implement a corresponding SessionDAO to perform the CRUD operations on sessions. A Cache can be used inside the SessionDAO to improve performance.

CacheManager: the cache controller, used to manage caches of users, roles, permissions and so on.

Cryptography: the cryptography module, which provides common encryption and decryption components.
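The internal modules just listed, wired explicitly into a `DefaultSecurityManager` instead of relying on its defaults, as an added example that is not part of the original article: a `ModularRealmAuthenticator` with an explicit `AuthenticationStrategy` over two realms, a `DefaultSessionManager` with a `SessionDAO` (the in-memory `MemorySessionDAO`, where a JDBC or Redis DAO would go), and a `CacheManager` that the realms use for authorization data. It assumes Apache Shiro 1.x; the two INI realms and their users are constructed.

```java
// Added example (not from the original article): explicit wiring of Authenticator,
// SessionManager/SessionDAO and CacheManager. Assumes Apache Shiro 1.x; realms and
// users are constructed sample data.
import java.util.Arrays;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.subject.Subject;

public class ShiroArchitectureWiring {

    /** Builds a named IniRealm holding one sample "username = password, role" entry. */
    static IniRealm realmFrom(String realmName, String username, String userLine) {
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put(username, userLine);
        IniRealm realm = new IniRealm(ini);
        realm.setName(realmName);
        return realm;
    }

    public static void main(String[] args) {
        IniRealm staff = realmFrom("staffRealm", "alice", "alice-pass, staff");
        IniRealm partners = realmFrom("partnerRealm", "dave", "dave-pass, partner");

        // Authenticator + strategy: with several realms the strategy decides what "passed"
        // means (alternatives: FirstSuccessfulStrategy, AllSuccessfulStrategy).
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());

        // SessionManager + SessionDAO: the DAO is the persistence edge for sessions.
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setGlobalSessionTimeout(15 * 60 * 1000L); // 15 minutes, in milliseconds
        MemorySessionDAO sessionDAO = new MemorySessionDAO();      // swap for a DB/Redis DAO in production
        sessionManager.setSessionDAO(sessionDAO);

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setAuthenticator(authenticator);  // before setRealms, so the authenticator receives them
        securityManager.setRealms(Arrays.<Realm>asList(staff, partners));
        securityManager.setSessionManager(sessionManager);
        securityManager.setCacheManager(new MemoryConstrainedCacheManager()); // realms cache authorization info
        SecurityUtils.setSecurityManager(securityManager);

        // dave exists only in partnerRealm; AtLeastOneSuccessful lets the login succeed.
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("dave", "dave-pass"));
        subject.getSession().setAttribute("tenant", "partner-42");

        // The same session is visible through the SessionDAO, timeout applied by the manager.
        Session stored = sessionDAO.readSession(subject.getSession().getId());
        System.out.println("stored tenant=" + stored.getAttribute("tenant"));   // partner-42
        System.out.println("timeout(ms)=" + stored.getTimeout());               // 900000

        // First authorization check populates the partner realm's authorization cache.
        System.out.println("has role partner? " + subject.hasRole("partner"));  // true
        System.out.println("cached authz entries in partnerRealm: " + partners.getAuthorizationCache().size()); // 1

        subject.logout();
    }
}
```

The same wiring is what a `shiro.ini` or Spring configuration expresses declaratively; doing it in code makes the order dependency visible (the authenticator must be set before the realms so that `ModularRealmAuthenticator` receives them).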

At this point, I believe you have a deeper understanding of what Shiro can do. You might as well try it out in practice. More related content is available through the site's relevant channels; follow us and keep learning!
