In practice, I found that although many friends are using Shiro, they seem to have no idea about it. Some projects even use Filter to implement permission management, and related tutorials on the Internet are quite old. Therefore, I decided to update this series of Shiro tutorials and share them with you. If you’d like to learn more about Shiro’s framework, check out the app New Vision to get the latest articles and share them as soon as this series is complete. The first chapter, to give you some basic concepts popular science, the text begins.

preface

Permission management is indispensable to every system. It belongs to the category of system security to control users’ access to the system and control users’ access to resources according to specified security policies. Permission management usually includes user identity authentication and authorization, or authentication and authorization for short. User identity authentication is required for resources that require access control. After the authentication succeeds, the user can access the resources.

For permission management, in the Java system, the common permission framework is Shiro and Spring Security, of course, in some simple or ancient systems may still use handwritten filter for permission management and control. This article will take you through the Shiro framework in terms of its functions, components, and architecture.

Shiro profile

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, password, and session management. The counterpart is Spring Security, but on most projects developers prefer to use Shiro to manage permissions. The main reason is that it’s relatively simple to use, Spring Security is a bit heavier, has a steep learning curve, and doesn’t require as much functionality in a real-world environment. So, in general, Shiro is sufficient.

Shiro can be quickly and easily deployed in any application, from the smallest mobile applications to the largest web and enterprise applications.

What can Shiro do

Shiro provides the following features: Authentication, Authorization, Cryptography, Session Management, Web Support, Caching, etc. Can be used to secure any application: from command line applications and mobile applications to the largest Web and enterprise applications.

Shiro’s core features are as follows:

Using Shiro we can implement the following functions:

  • User authentication;
  • User access control: Determine whether a user has a specific role. Determine whether a user can perform an operation.
  • Use the Session API in any environment, even outside of the Web or EJB container;
  • Can respond to events during authentication, access control, and sessions;
  • Aggregate one or more data sources of user security data and display them all as a single composite user “view”;
  • Support single sign-on (SSO) function;
  • Support login “remember” function;
  • Other applications;

Shiro characteristics

Shiro’s goal is to be able to be used directly in any environment in a variety of applications, from the command line to large enterprise applications, without dependencies on other tripartite frameworks, containers, or the application itself. At the same time, it has the following characteristics:

  • An easy-to-understand Java Security API;
  • Simple authentication (login), support for multiple data sources (LDAP, JDBC, Kerberos, ActiveDirectory, etc.);
  • Simple sign-off (access control) for roles, supporting fine-grained sign-off;
  • Support level 1 caching to improve application performance;
  • Built-in POJO-based enterprise session management for Both Web and non-Web environments;
  • Heterogeneous client session access;
  • Very simple encryption API;
  • Not tied to any framework or container, can run independently;

Shiro module functions

Combined with the following figure, we can refine the corresponding functions of each Shiro module:

Authentication: Authentication/login to verify whether the user has the corresponding identity.

Authorization: indicates Authorization verification. Verify that a user has the permission to operate a function. For example, check whether a user has a role and the permission to operate a resource.

Session Management: Stores user login information in sessions. It supports both Web and non-Web environments.

Cryptography: Encrypt data and keep it easy to use, such as passwords encrypted and stored in a database;

Web Support: Web Support can be easily integrated into the Web environment.

Caching: For example, after a user logs in, user information, roles, and permissions are cached.

Concurrency Concurrency allows Concurrency validation in multi-threaded scenarios. For example, when a thread is opened within another thread, the Concurrency is automatically propagating.

Testing: Provide Testing support;

Run As: allows a user to pretend to access for another user (if they allow it);

Remember Me, after logging in, next time you can directly access the system.

Looking at the above components, does Shiro suddenly feel underappreciated in the real world? While Shiro provides us with all this functionality, it does not help us to implement a specific system of users, privileges, etc. We need to design users, roles, privileges, etc., and then handle them in Shiro.

Core components

Shiro consists of three core components: Subject, SecurityManager, and Realms. The relationship between these three components is shown below:

Subject: indicates the current user. In Shiro, Subject is not just a person, it is an abstract concept, but can also be a third party process, a Daemon Account, or something similar (such as crawlers, robots, etc.). That is, it simply means “what is currently interacting with the software.” All subjects are bound to the SecurityManager, which is the actual performer.

SecurityManager: It is the core of Shiro’s framework, a typical Facade pattern through which Shiro manages internal component instances (including all subjects) and provides various services for security management. Similar to the role of the DispatcherServlet in SpringMVC.

Realm: The Realm that acts as a “bridge” or “connector” between Shiro and application security data. That is, when authenticating a user (login) and authenticating a user (access control), Shiro looks up the user and their permission information from an application-configured Realm. In this sense, a Realm is essentially a security-related DAO: It encapsulates the connection details of the data source, providing the relevant data to Shiro when needed. When Shiro is configured, specify at least one Realm for authentication and/or authorization.

Shiro has built-in Realms that can connect to a large number of secure data sources (aka directories), such as LDAP, relational databases (JDBC), ini-like text configuration resources, and properties files. You can also customize a Realm implementation if the default Realm does not meet your requirements.

Shiro Architecture Overview

With the above components in mind, let’s tease out a simple scenario Shiro uses: An application authenticates and authorizes through a Subject that is delegated to the SecurityManager. The SecurityManager requires the support of Authenticator and Realm for authentication and authorization. Therefore, you need to inject Realm into the SecurityManager.

So what about Shiro’s internal architecture?

In the figure above, Subject, SecurityManager, and Realm are already covered, but here are the other modules:

Authenticator: Authenticator, responsible for the authentication of Subject, support custom implementation; An Authentication Strategy is required, that is, the conditions for passing Authentication.

Authrizer: The authorizer, or access controller, used to determine whether the principal has permission to perform the corresponding operation.

SessionManager: The SessionManager is used to manage the Session life cycle. Shiro can be used in both Web and non-Web environments, so Shiro abstracts a Session to manage the data between subjects and applications. In this way, sessions of different applications can be centrally managed to achieve distributed sessions.

SessionDAO: If you want to store the Session in a database or Memcached, you can implement the corresponding SessionDAO to implement THE CRUD of the Session. SessionDAO can use Cache for caching to improve performance;

CacheManager: cache controller used to manage caches of users, roles, and permissions.

Cryptography: a Cryptography module that provides common encryption and decryption components.

Now that you know what these components do, and then think about how they’re used in practice, isn’t it a bit of an Epiphany?

summary

Shiro is often used by people who find a piece of code on the Internet and simply modify it. However, the relationship between each component and the principle of implementing this function are not deeply explored. Even if you practice many projects, you still can’t improve your skills. This article explains shiro’s functions, architecture, components and other aspects. After learning this article, you must have mastered the basic principles and concepts of using Shiro, which is also ready for further study and practice.

Shiro: Still checking permissions on Handwritten Filter? Try Shiro

Program new horizon

\

The public account “program new vision”, a platform for simultaneous improvement of soft power and hard technology, provides massive information

\