Apache Shiro 权限管理

What is Apache Shiro?

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.

Apache Shiro’s first and foremost goal is to be easy to use and understand. Security can be very complex at times, even painful, but it doesn’t have to be. A framework should mask complexities where possible and expose a clean and intuitive API that simplifies the developer’s effort to make their application(s) secure.

Here are some things that you can do with Apache Shiro:

1. Authenticate a user to verify their identity
2. Perform access controlfor a user, such as:
   Determine if a user is assigned a certain security role or not
   Determine if a user is permitted to do something or not
3. Use a Session API in any environment, even without web or EJB containers.
4. React to events during authentication, access control, or during a session’s lifetime.
5. Aggregate 1 or more data sources of user security data and present this all as a single
   composite user ‘view’.
6. Enable Single Sign On (SSO) functionality
7. Enable ‘Remember Me’ services for user association without login

权限管理概念

只要有用户参与的系统一般都要有权限管理，权限管理实现对用户访问系统的控制，按照安全规则或者安全策略控制用户可以访问而且只能访问自己被授权的资源。

权限管理包括用户认证和授权两部分。