Apache Shiro User Manual (1) Introduction to Shiro Architecture
1. What is Shiro
Apache Shiro is a powerful and easy-to-use Java security framework that provides authentication, authorization, encryption and Session management and other functions:
Authentication-user identification, often called user "login";
Authorization-access control;
Password encryption-protect or hide data to prevent peeping;
Session Management - Time-sensitive state associated with each user.
For any application, Shiro can provide comprehensive security management services. And compared to other security frameworks, Shiro is much simpler.
2. Introduction to Shiro’s architecture
First, let’s take a look at Shiro’s three core components: Subject, SecurityManager and Realms. As shown below:
Subject: namely "current operating user". However, in Shiro, the concept of Subject does not only refer to people, but can also be third-party processes, background accounts (Daemon Accounts), or other similar things. It simply means "what the software is currently interacting with". But for most purposes and uses, you can think of it as Shiro's "user" concept.
Subject represents the security operations of the current user, and SecurityManager manages the security operations of all users.
SecurityManager: It is the core of the Shiro framework, a typical Facade mode. Shiro uses SecurityManager to manage internal component instances and provide various services for security management through it.
Realm: Realm acts as a "bridge" or "connector" between Shiro and application security data. That is to say, when performing authentication (login) and authorization (access control) verification on a user, Shiro will look up the user and their permission information from the Realm configured in the application.
In this sense, Realm is essentially a security-related DAO: it encapsulates the connection details of the data source and provides relevant data to Shiro when needed. When configuring Shiro, you must specify at least one Realm for authentication and/or authorization. It is possible to configure multiple Realms, but at least one is required.
Shiro has built-in Realm that can connect to a large number of secure data sources (also known as directories), such as LDAP, relational databases (JDBC), INI-like text configuration resources, and property files. If the default Realm does not meet your needs, you can also plug in your own Realm implementation that represents a custom data source.
Shiro complete architecture diagram:
In addition to the three core components of Subject, SecurityManager and Realm mentioned above, Shiro’s main components also include:
Authenticator: Authentication is the process of verifying user identity. A common example of this process is the familiar "user/password" combination. When most users log into a software system, they usually provide their username (the principal) and the password that supports them (the certificate). If the password (or password representation) stored in the system matches the one provided by the user, they are considered authenticated.
Authorizer: Authorization is essentially access control - controlling what content in the application users can access, such as resources, web pages, etc.
SessionManager: In the world of security frameworks, Apache Shiro offers something unique: consistent use of the Session API at any application or architecture layer. That is, Shiro provides a conversational programming paradigm for any application - from small backend standalone applications to large clustered web applications. This means that application developers who wish to use sessions are not forced to use a Servlet or EJB container. Alternatively, if these containers are being used, developers can now choose to use a consistent session API at any layer instead of Servlet or EJB mechanisms.
CacheManager: Provides caching support for other components of Shiro.
The above is the content of the Apache Shiro User Manual (1) Shiro Architecture Introduction. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!