Shiro hands-on series (I): getting started
1、 What is Shiro?
Apache Shiro is a powerful and flexible open source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography. Apache Shiro's primary goal is to be easy to use and understand. Security can sometimes be very complex, even painful, but it does not have to be. A framework should hide as much of that complexity as possible and expose a clean, intuitive API that simplifies the developer's effort to secure their application.
2、 What can Shiro do?
Authenticate users to verify their identity.
Implement access control for users,
For example:
(1) Determine whether the user has been assigned a certain security role
(2) Determine whether the user is allowed to perform a certain action
Use the Session API in any environment, even without a web or EJB container.
React to events during authentication, access control, or over the lifetime of a session.
Aggregate one or more data sources of user security data and present them as a single composite user "view".
Enable single sign-on (SSO).
Enable "remember me" services so that users can be recognized without logging in.
Shiro tries to achieve these goals in all application environments, from the simplest command-line application to the largest enterprise application, without forcing a dependency on any other third-party framework, container or application server. Of course, the project aims to integrate with these environments wherever possible, but it can be used out of the box in any environment.
3、 Shiro structure diagram
The Shiro development team calls these "the four cornerstones of application security": authentication, authorization, session management and cryptography.
Shiro's four core elements are briefly summarized as follows:
Authentication: sometimes called "login", the act of proving that a user is who they claim to be.
Authorization: the process of access control, that is, deciding "who" may access "what".
Session management: managing user-specific sessions, even in non-web or non-EJB applications.
Cryptography: keeping data secure with cryptographic algorithms while remaining easy to use.
Overview of additional features:
Web support: Shiro's web support API makes it easy to secure web applications.
Caching: caching is a first-class citizen in Apache Shiro, ensuring that security operations stay fast and efficient.
Concurrency: Apache Shiro supports multi-threaded applications through its concurrency features.
Testing: test support helps you write unit and integration tests and ensure that your code is as secure as you expect.
Run as: a feature that lets a user assume the identity of another user (if permitted), which is sometimes useful in administration scripts.
Remember me: remembers a user's identity across sessions, so they only need to log in when it is mandatory.
4、 Simple application
The example is a Maven project and requires JDK 8 and Maven 3 or later.
(1) POM dependency
log4j.properties configuration file content:
If you do not include it, you will not be able to see log4j's log output.
(2) Run the main method
Enable Shiro
The first thing to understand when enabling Shiro in an application is that almost everything in Shiro is related to a central/core component called the SecurityManager. For those familiar with Java security, this is Shiro's concept of a security manager; it is not equivalent to java.lang.SecurityManager.
For now it is enough to understand that Shiro's SecurityManager is the core of an application's Shiro environment, and that every application must have a SecurityManager. Therefore, the first thing our hands-on series of applications does is configure a SecurityManager instance.
Configuration
Although we can instantiate a SecurityManager class directly, Shiro's SecurityManager implementations have enough configuration options and built-in components that doing so in Java source code is rather painful; it is easier to configure the SecurityManager with a flexible, text-based configuration format.
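The "instantiate it directly" route, as an added example that is not the article's own code: a SecurityManager is wired by hand around an in-memory realm, and a Subject logs in against it. It assumes the Maven dependency org.apache.shiro:shiro-core (plus log4j:log4j and an SLF4J binding such as org.slf4j:slf4j-log4j12 if you want the log output mentioned above), at whatever versions your project pins. The account names and passwords are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

/**
 * Example (not the article's code): build a SecurityManager programmatically,
 * without shiro.ini, to verify that the shiro-core dependency works.
 */
public class ShiroProgrammaticDemo {

    /** Builds a SecurityManager backed by an in-memory realm holding constructed test accounts. */
    static DefaultSecurityManager buildSecurityManager() {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        // Constructed sample accounts: username, password, roles.
        // SimpleAccountRealm compares passwords in plain text, so this realm is for demos only.
        realm.addAccount("admin", "admin-password", "admin");
        realm.addAccount("alice", "alice-password", "user");

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setRealm(realm);
        return securityManager;
    }

    /** Attempts a login and reports success instead of letting the exception escape. */
    static boolean tryLogin(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return true;
        } catch (AuthenticationException e) {
            // Report only the exception type to the user: the subclass (UnknownAccountException
            // vs IncorrectCredentialsException) is useful in logs, but a login form should
            // show the same generic message for both.
            System.out.println("Login failed for " + username + ": " + e.getClass().getSimpleName());
            return false;
        } finally {
            token.clear(); // drop the password held by the token once it has been used
        }
    }

    public static void main(String[] args) {
        // Install the SecurityManager as a VM-wide singleton (fine for a standalone application).
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        System.out.println("Authenticated before login? " + subject.isAuthenticated());

        tryLogin(subject, "alice", "wrong-password");   // fails: IncorrectCredentialsException
        tryLogin(subject, "nobody", "alice-password");  // fails: UnknownAccountException

        if (tryLogin(subject, "alice", "alice-password")) {
            System.out.println("Logged in as " + subject.getPrincipal());
            System.out.println("Has role user?  " + subject.hasRole("user"));
            System.out.println("Has role admin? " + subject.hasRole("admin"));
            subject.logout();
            System.out.println("Authenticated after logout? " + subject.isAuthenticated());
        }
    }
}
```

SecurityUtils.setSecurityManager stores a static, JVM-wide reference, which is what makes this convenient for a command-line program; in a web application the framework's web integration supplies the SecurityManager per request instead. The two failed logins show why the catch block prints only the exception class: Shiro distinguishes an unknown account from a bad password, and that distinction belongs in server-side logs, not in the response sent to the user.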
To this end, Shiro provides a default "common denominator" solution through a text-based INI configuration file. People have grown quite tired of bulky XML files; INI files are easy to read, simple to use and require few dependencies. You will see later that with a basic understanding of object graph navigation, INI files can effectively configure simple object graphs such as the SecurityManager.
Many configuration options
Shiro's SecurityManager implementations and all supporting components are JavaBean compatible. This allows Shiro to be configured with almost any configuration format, such as XML (Spring, JBoss, Guice, etc.), YAML, JSON, Groovy builder markup, and more. The INI file is just Shiro's "common" format; it allows configuration in any environment when no other option is available.
The simple application above only proves that the Shiro dependencies were added correctly. Now let's move on to a simple hands-on example.
shiro.ini file
Rules relating to permissions and roles are written in this file:
Running the main method:
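The INI-driven version, as an added example that is not the article's shiro.ini or main method: the [users] and [roles] sections are built as a string in code so the demo runs without a file, the SecurityManager is created with IniSecurityManagerFactory, and two constructed accounts are checked for roles and wildcard permissions. It goes one step beyond the text by adding a [main] section that configures the implicit iniRealm with a HashedCredentialsMatcher, so the file stores SHA-256 digests rather than plain-text passwords. Account names, passwords and permission strings are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/**
 * Example (not the article's code): configure the SecurityManager from INI text
 * and exercise role and permission checks for two constructed accounts.
 */
public class ShiroIniDemo {

    /** Constructed shiro.ini content, generated here so the demo needs no file on the classpath. */
    static String buildIni() {
        // Store SHA-256 hex digests instead of plain-text passwords and tell the
        // implicit iniRealm to hash the submitted password before comparing.
        String rootHash = new Sha256Hash("root-password").toHex();
        String guestHash = new Sha256Hash("guest-password").toHex();
        return "[main]\n"
             + "sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher\n"
             + "sha256Matcher.hashAlgorithmName = SHA-256\n"
             + "iniRealm.credentialsMatcher = $sha256Matcher\n"
             + "\n"
             + "[users]\n"                                   // username = password, role1, role2, ...
             + "root = " + rootHash + ", admin\n"
             + "guest = " + guestHash + ", guest\n"
             + "\n"
             + "[roles]\n"                                   // role = permission1, permission2, ...
             + "admin = *\n"                                 // wildcard: implies every permission
             + "guest = printer:print, printer:query\n";     // WildcardPermission strings
    }

    /** Parses the INI text and lets IniSecurityManagerFactory assemble the SecurityManager. */
    static SecurityManager buildSecurityManager(String iniText) {
        Ini ini = new Ini();
        ini.load(iniText); // for a real file use Ini.fromResourcePath("classpath:shiro.ini")
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    /** Prints the role and permission checks; every call is resolved through iniRealm's data. */
    static void report(Subject subject) {
        System.out.println("--- " + subject.getPrincipal() + " ---");
        System.out.println("hasRole(admin):              " + subject.hasRole("admin"));
        System.out.println("hasRole(guest):              " + subject.hasRole("guest"));
        System.out.println("isPermitted(printer:print):  " + subject.isPermitted("printer:print"));
        System.out.println("isPermitted(printer:manage): " + subject.isPermitted("printer:manage"));
        System.out.println("isPermitted(user:delete):    " + subject.isPermitted("user:delete"));
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager(buildIni()));
        Subject subject = SecurityUtils.getSubject();

        String[][] accounts = {{"guest", "guest-password"}, {"root", "root-password"}};
        for (String[] account : accounts) {
            // Credentials here are known-good; a real application catches AuthenticationException.
            subject.login(new UsernamePasswordToken(account[0], account[1]));
            report(subject);
            subject.logout();
        }
    }
}
```

For guest the run shows hasRole(guest) true and only the two printer permissions granted, with printer:manage and user:delete denied; for root every check is true because the admin role's "*" wildcard implies all permissions. The [main] section is the part worth keeping in a real shiro.ini: the INI file typically lives alongside the code in version control, so the passwords it carries should be stored hashed, and HashedCredentialsMatcher does the comparison against the submitted password at login time.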
Apache Shiro is a simple permission-management framework; many projects on GitHub and Gitee (code cloud) adopt Shiro for access control. Spring Security is integrated with Spring itself but is not as easy to understand; of course, mastering Shiro is very helpful for understanding Spring Security.