Apache Shiro is a security (permission) framework for Java.

Shiro provides authentication, authorization, cryptography, session management, caching and Web integration.

Shiro has ten functions:

  • Authentication: identity verification (login). Shiro checks that the user really has the claimed identity; password matching is done by Shiro;

  • Authorization: access control. Verifies whether an authenticated user holds a given permission, i.e. whether the user may do something: for example, a coarse-grained check that the user has a role, or a fine-grained check that the user has a specific permission on a resource.

  • Session Manager: session management. After a user logs in, the user's information is kept in the session until the user logs out; the session can live in a plain JavaSE environment or in a Web environment;

  • Cryptography: cryptographic protection of data, for example storing passwords in the database in encrypted (hashed) form rather than in clear text;

  • Web Support: Shiro integrates easily into a Web environment.

  • Caching: for example, after a user logs in, the user's information and roles/permissions do not need to be re-queried on every check, which improves efficiency.

  • Concurrency: Shiro supports multi-threaded applications; for example, when one thread starts another, the current user's security context (and with it the user's permissions) is propagated to the new thread automatically.

  • Testing: provides testing support;

  • Run As: allows one user to act as another user (if that user permits it);

  • Remember Me: a very common feature; once you have logged in, you do not need to log in again the next time you come back.

Shiro workflow (core components):

  1. Subject: the current user and the actions it performs

  2. SecurityManager: manages all Subjects

  3. Realms: validate identity and permission information

Other components: Authentication and Authorization

Shiro checks user rights in two stages:

1. Authentication: The process of authenticating the user’s identity.

2. Authorization: access control. It checks the user's operations and verifies whether the user is allowed to perform the current operation, such as accessing a link or a resource file.

In addition to the above components, Shiro has several other components:

SessionManager: Shiro provides a session programming paradigm for any application.

CacheManager: Provides cache support for other Shiro components.

Shiro workflow

The simplest Shiro application, then, works like this:

1. The application code authenticates and authorizes through the Subject, which delegates to the SecurityManager;

2. We inject a Realm into Shiro's SecurityManager so that the SecurityManager can determine who the legitimate users are and what permissions they have.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — line — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — –

Why use salted MD5 hashing?

When two or more users have the same original password, their stored values still differ after salted hashing, so an attacker who obtains the stored hashes cannot tell that the passwords are identical or reuse one precomputed lookup against all of them; this is more secure.

How to do it:

  1. Use the SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName) constructor.
  2. Compute the salt with ByteSource credentialsSalt = ByteSource.Util.bytes(userID);
  3. The salt value must be unique: a random string or the userID is generally used.
  4. Compute the salted hash of the password with new SimpleHash("MD5", password, credentialsSalt, hashIterations);
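The following is a complete, runnable illustration of both the workflow above (application code to Subject to SecurityManager to Realm) and the four salted-hash steps. It is an added example, not code from the original article or from the Shiro project. It assumes shiro-core 1.x on the classpath; the class names SaltedRealmDemo and UserRealm, the in-memory USERS map standing in for a user table, the usernames, passwords, role names and the iteration count 1024 are all constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class SaltedRealmDemo {

    // Hashing parameters. Registration and the credentials matcher MUST agree on both,
    // otherwise every login fails even with the right password.
    static final String HASH_ALGORITHM = "MD5";
    static final int HASH_ITERATIONS = 1024; // constructed value for the example

    // Constructed stand-in for a user table: username -> {salt, hashedPassword, role}.
    static final Map<String, String[]> USERS = new HashMap<>();

    /** Registration side: generate a unique per-user salt and store only the salted hash. */
    static void register(String username, String plainPassword, String role) {
        String salt = UUID.randomUUID().toString().replace("-", ""); // random, unique per user
        String hashed = new SimpleHash(HASH_ALGORITHM, plainPassword,
                ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
        USERS.put(username, new String[] { salt, hashed, role });
    }

    /** Realm injected into the SecurityManager: it says who the legitimate users are and what they may do. */
    static class UserRealm extends AuthorizingRealm {
        UserRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true); // register() stored toHex()
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            String[] row = USERS.get(username);
            if (row == null) {
                throw new UnknownAccountException("no account: " + username);
            }
            // Hand Shiro the stored hash together with its salt. The matcher re-hashes the
            // submitted password with the same salt and iteration count and compares; the
            // Realm itself never compares plaintext.
            return new SimpleAuthenticationInfo(username, row[1],
                    ByteSource.Util.bytes(row[0]), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole(USERS.get(username)[2]);
            return info;
        }
    }

    public static void main(String[] args) {
        register("alice", "s3cret", "admin");
        register("bob", "s3cret", "user"); // same password as alice, different salt, different hash
        System.out.println("alice hash: " + USERS.get("alice")[1]);
        System.out.println("bob   hash: " + USERS.get("bob")[1]);

        // Workflow: application code -> Subject -> SecurityManager -> Realm
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new UserRealm());
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();

        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("has admin role: " + subject.hasRole("admin"));
        subject.logout();

        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running main prints two different hashes for alice and bob although both registered the same password, which is the point of the salt. The one check to keep in mind when wiring this into a real application is that HashedCredentialsMatcher must be configured with exactly the algorithm name and iteration count used at registration; a mismatch rejects every login. The same structure works unchanged with a stronger algorithm name such as SHA-256 and a higher iteration count, which is what a current deployment should prefer; MD5 is used here only because it is what the steps above describe.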