Shiro(Apache)

Shiro is a security management framework whose main jobs are authentication, authorization and access control.
Apache Shiro is a security framework for Java: powerful yet simple to use, it gives developers an intuitive, comprehensive solution for authentication, authorization, cryptography and session management.
Apache Shiro is not as feature-rich as Spring Security, but it is simpler to use and still covers the core security needs of an application.
With Shiro you can easily build applications that run in both JavaSE and JavaEE environments. Shiro helps with authentication, authorization, cryptography, session management, web integration, caching, and more.

Functional architecture diagram of Shiro

Function: Role
Authentication: Authentication, i.e. login. Verifies that the user really has the identity they claim.
Authorization: Authorization, i.e. permission checking. Verifies that an authenticated user holds a given permission, in other words, decides whether the user may do something. Common cases: checking whether a user has a role, or, more finely, whether a user may operate on a particular resource.
SessionManager: Session management. Once a user has logged in, the user has a session; all of the user's information lives in that session until the user logs out. Available in both JavaSE and JavaEE.
Cryptography: Cryptographic protection of data. For example, passwords are stored in the database in encrypted form rather than as plain text.
Web Support: Web support, making Shiro easy to integrate into a web environment.

Technical architecture diagram of Shiro

Technology: Breakdown
Subject: A Subject is any "user" that interacts with the application; it can be a person, but also a third-party process or a daemon account.
SecurityManager: The heart of Shiro, comparable to the core filter in Struts2. Every concrete interaction goes through the SecurityManager; it manages all Subjects and is responsible for authentication and authorization as well as session and cache management.
Authenticator: Responsible for authenticating the Subject. It can be extended to implement custom authentication and needs an Authentication Strategy, which answers the question: under which conditions is a user considered authenticated?
Authorizer: The authorizer, or access controller, decides whether the Subject has permission to perform a given operation. It controls which functions of the application a user may access.

Realm: There can be one or more Realms. A Realm is a security data source from which security entities (users, roles, permissions) are obtained. It can be a JDBC implementation, an LDAP implementation, an in-memory implementation, and so on, and it is supplied by the user. Note: Shiro does not know where or in what format your users and permissions are stored, so in practice we usually implement our own Realm in the application.

SessionManager: If you have written servlets, you know the concept of a Session. Someone has to manage a Session's life cycle, and that component is the SessionManager. Because Shiro can be used not only in web environments but also in plain JavaSE, EJB and other environments, it abstracts its own Session to manage the data exchanged between Subjects and the application. Suppose, for example, that we use it in a web environment and start on a web server and then move to an EJB server: if you want the session data of both servers kept in one place (say, on a Memcached server), you can implement your own distributed session.

System interaction with Shiro

Current user -> SecurityManager -> Realm
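The interaction above (Subject -> SecurityManager -> Realm) and the earlier note that "we usually implement our own Realm" are shown together in the following added example. It is not code from the original article or from the Shiro project; it assumes shiro-core 1.x on the classpath, and its user table (the names, salts, passwords, roles and permissions in InMemoryRealm) is a constructed in-memory stand-in for the JDBC or LDAP store a real application would use. Passwords are kept as salted SHA-256 hashes and compared by Shiro's HashedCredentialsMatcher, so the plain-text password never needs to be stored, which is the Cryptography point from the function list.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Added example (not from the article): custom Realm plus the Subject -> SecurityManager -> Realm flow. */
public class ShiroQuickDemo {

    static final int HASH_ITERATIONS = 1024;

    /** One constructed user record: per-user salt, salted SHA-256 hash (hex), one role, string permissions. */
    static final class UserRecord {
        final String salt, passwordHash, role;
        final String[] permissions;
        UserRecord(String salt, String passwordHash, String role, String... permissions) {
            this.salt = salt; this.passwordHash = passwordHash; this.role = role; this.permissions = permissions;
        }
    }

    /** The application's own Realm. The HashMap stands in for the JDBC/LDAP store of a real application. */
    static final class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, UserRecord> users = new HashMap<>();

        InMemoryRealm() {
            // Tell Shiro how stored credentials were hashed; it does the comparison, not our code.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
            // Constructed sample users (hypothetical names and passwords).
            addUser("alice", "correct horse", "salt-alice", "admin", "report:read", "report:delete");
            addUser("bob", "hunter2", "salt-bob", "viewer", "report:read");
        }

        private void addUser(String name, String plainPassword, String salt, String role, String... perms) {
            // Only the salted hash is retained; the plain password is discarded after this call.
            String hash = new Sha256Hash(plainPassword, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
            users.put(name, new UserRecord(salt, hash, role, perms));
        }

        /** Authentication: look up the account and hand its stored hash and salt back to the Authenticator. */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String username = (String) token.getPrincipal();
            UserRecord rec = users.get(username);
            if (rec == null) {
                throw new UnknownAccountException("no account: " + username);
            }
            return new SimpleAuthenticationInfo(username, rec.passwordHash, ByteSource.Util.bytes(rec.salt), getName());
        }

        /** Authorization: supply the roles and permissions of an already authenticated principal. */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            UserRecord rec = users.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (rec != null) {
                info.addRole(rec.role);
                for (String p : rec.permissions) {
                    info.addStringPermission(p);
                }
            }
            return info;
        }
    }

    public static void main(String[] args) {
        // Current user -> SecurityManager -> Realm: the SecurityManager delegates to our Realm.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new InMemoryRealm());
        SecurityUtils.setSecurityManager(securityManager);
        Subject currentUser = SecurityUtils.getSubject();

        // Authentication: a wrong password is rejected by the credentials matcher.
        try {
            currentUser.login(new UsernamePasswordToken("bob", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        currentUser.login(new UsernamePasswordToken("bob", "hunter2"));
        System.out.println("authenticated=" + currentUser.isAuthenticated() + " principal=" + currentUser.getPrincipal());

        // Session: data exchanged between Subject and application lives here until logout.
        currentUser.getSession().setAttribute("lastReport", "q3");
        System.out.println("session attribute lastReport=" + currentUser.getSession().getAttribute("lastReport"));

        // Authorization: role check and permission checks answered from the Realm's AuthorizationInfo.
        System.out.println("hasRole(viewer)=" + currentUser.hasRole("viewer"));
        System.out.println("isPermitted(report:read)=" + currentUser.isPermitted("report:read"));
        System.out.println("isPermitted(report:delete)=" + currentUser.isPermitted("report:delete"));

        currentUser.logout();
        System.out.println("after logout authenticated=" + currentUser.isAuthenticated());
    }
}
```

Run it with shiro-core on the classpath: the first login attempt fails, bob then authenticates, holds the viewer role and report:read but not report:delete, and logout invalidates the session so isAuthenticated() becomes false. In a real application doGetAuthenticationInfo would query your user table instead of the map, and the hash iteration count and algorithm must match between whatever wrote the stored hash and the HashedCredentialsMatcher, or every login fails.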

If something is wrong, please point it out in the comments. I hope this article was helpful to you. Give it a thumbs up, brother!