Introduction to Shiro and construction of spring MVC + Shiro

1、 Introduction to Shiro

Apache Shiro is a security framework of Java. It is a powerful and easily integrated open source permission framework. It can complete the functions of authentication, authorization, encryption, session management and so on. Authentication and authorization are the core of permission control. In short, "authentication" is to prove "who are you?" The general practice of web applications is to achieve authentication through the user name and password submitted by the form. "Authorization" means "what can you do?", Many systems complete what users can do in the form of resource tables.

Shiro can easily develop good enough applications, which can be used not only in Java se environment, but also in Java EE environment. Shiro can help us complete: authentication, authorization, encryption, session management, integration with the web, caching, etc. This is what we want, and Shiro's API is also very simple; The basic function points are shown in the figure below:

Authentication: identity authentication / login to verify whether the user has the corresponding identity;

Authorization: authorization, i.e. permission verification, which verifies whether an authenticated user has a certain permission; That is, judge whether a user can do something. Common examples are: verify whether a user has a role. Or fine-grained verification of whether a user has certain permissions on a resource;

Session manager: session management, that is, after a user logs in, it is a session. Before exiting, all its information is in the session; The session can be in an ordinary Java se environment or in a web environment;

Cryptography: encryption to protect the security of data. For example, the password is encrypted and stored in the database instead of plaintext;

Web support: web support, which can be easily integrated into the web environment;

Caching: caching. For example, after a user logs in, the user information and roles / permissions do not need to be checked every time, which can improve efficiency;

Concurrency: Shiro supports concurrent verification of multithreaded applications, that is, if you start another thread in one thread, you can automatically propagate permissions in the past;

Testing: provide test support;

Run as: allow one user to access as another user (if they allow it);

Remember me: remember me, this is a very common function, that is, after logging in once, you don't need to log in next time.

Remember that Shiro will not maintain users and permissions; These need to be designed / provided by ourselves; Then inject it into Shiro through the corresponding interface.

Next, let's look at Shiro's architecture from the outside and inside. For a good framework, from the outside, it should have a very simple and easy-to-use API with clear API contract; Internally, it should have an extensible architecture, that is, it is very easy to insert user-defined implementation, because no framework can meet all requirements.

First, let's look at Shiro from the outside, that is, from an application perspective to see how to use Shiro to complete the work. As shown below:

It can be seen that the object directly interacted with the application code is subject, that is, the core of Shiro's external API is subject; Meaning of each API:

Subject: subject, which represents the current "user". This user is not necessarily a specific person. Anything interacting with the current application is a subject, such as web crawler, robot, etc; An abstract concept; All subjects are bound to the securitymanager, and all interactions with subjects are delegated to the securitymanager; You can think of subject as a facade; The securitymanager is the actual executor;

Securitymanager: Security Manager; That is, all security related operations will interact with the securitymanager; And it manages all subjects; It can be seen that it is the core of Shiro. It is responsible for interacting with other components introduced later. If you have studied spring MVC, you can regard it as the dispatcherservlet front-end controller;

Realm: domain, Shiro gets security data from realm (such as user, role and permission), that is, if securitymanager wants to verify user identity, it needs to obtain corresponding users from realm for comparison to determine whether the user identity is legal; it also needs to obtain corresponding roles / permissions from realm to verify whether the user can operate; real can be regarded as a datasource, that is, a secure data source.

In other words, for us, the simplest Shiro application:

1. The application code is authenticated and authorized through the subject, and the subject is delegated to the securitymanager;

2. We need to inject real into Shiro's securitymanager so that the securitymanager can obtain legal users and their permissions for judgment.

It can also be seen from the above that Shiro does not provide maintenance users / permissions, but allows developers to inject by themselves through realm.

Next, let's look at Shiro's architecture from the inside, as shown in the following figure:

Securitymanager: equivalent to dispatcher servlet in spring MVC or filterdispatcher in struts 2; It's Shiro's heart; All specific interactions are controlled through the securitymanager; It manages all subjects, and is responsible for authentication and authorization, session and cache management.

Authenticator: authenticator, which is responsible for principal authentication. This is an extension point. If users think Shiro's default is not good, they can customize the implementation; It requires authentication strategy, that is, when the user authentication is passed;

Authorizer: authorizer or access controller, which is used to determine whether the subject has permission to perform corresponding operations; That is, it controls which functions users can access in the application;

Realm: there can be one or more realms, which can be considered as the data source of security entity, that is, the data source used to obtain security entity; It can be implemented by JDBC, LDAP or memory; Provided by the user; Note: Shiro does not know where your users / permissions are stored and in what format; Therefore, we generally need to implement our own realm in applications;

SessionManager: if you have written servlets, you should know the concept of session. Session needs someone to manage its life cycle. This component is SessionManager; Shiro can be used not only in the web environment, but also in ordinary javase environment, EJB and other environments; In all, Shiro abstracts a session of its own to manage the data interaction between the subject and the application; In this case, for example, when we used it in the web environment, it was a web server at the beginning; Then I went to an EJB server; At this time, if you want to put the session data of the two servers in one place, you can realize your own distributed session (such as putting the data on the memcached server);

Sessiondao: Dao has been used by everyone. Data access objects and crud for sessions. For example, if we want to save sessions to the database, we can implement our own sessiondao and write to the database through JDBC; For example, if you want to put a session into memcached, you can implement your own memcached sessiondao; In addition, in sessiondao, cache can be used for caching to improve performance;

CacheManager: cache controller to manage the cache of users, roles, permissions, etc; Because these data are rarely changed, putting them in the cache can improve the access performance

Cryptography: password module. Shiro improves some common encryption components, such as password encryption / decryption.

2、 Shiro and spring integration

I use spring MVC + mybatis + Shiro integration here. For the integration of spring MVC + mybatis, see: Spring MVC + mybatis integration. The permissions and other information during Shiro implementation will be queried in the database. The mybatis query is used. The implementation method refers to the above connection and will not be repeated. The integration of Shiro and spring will be introduced directly.

　　2.1 web. XML configuration

2.2 add Shiro configuration in spring configuration file

I'm at springapplication XML introduces Shiro's separate configuration file:

Shiro's configuration file is as follows:

Configuration in the above configuration file:

The permission information will be loaded from the database when the project starts.

Permissions:

A person has multiple roles. A role contains multiple permissions. People and roles are 1 to many, and roles and permissions are 1 to many.

Corresponding database table:

　t_ User: user table

　　t_ user_ Role: user role intermediate table

　　t_ Role: role table

　　t_ role_ Permission: role permission intermediate table

　　t_ Permission: permission table

Implementation of class 2.3 automatic reading of permission information in database

　　t_ Data format of permission table:

2.4 Shiro certification authorization

In Shiro's XML configuration file, there is a configuration, authentication and authorization class: myshirodbrealm

In addition:

If you use Shiro tags on JSP pages, each tag will access Shiro's authorization function once. Therefore, it is recommended to cache Shiro's authorization function when querying and write a map by yourself

Getpermissionsbyuserid (string ID) method for querying permissions

Cache is implemented as follows:

The corresponding entity class and the corresponding page configured in the following configuration of Shiro will not be explained~

-------------------------------------------

reference resources:

　 https://www.iteye.com/blog/jinnianshilongnian-2018936

　　 https://my.oschina.net/wangt10/blog/523015