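Introduction to Shiro

I believe the official documentation and the source code are the best learning materials; the following is excerpted from the introduction on the official website.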

I. What is Apache Shiro?

Apache Shiro (pronounced “shee-roh”, the Japanese word for ‘castle’) is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management and can be used to secure any application - from the command line applications, mobile applications to the largest web and enterprise applications.

Shiro is a security framework that can be used in command-line, mobile, and web applications, and it has four core components.

Shiro provides the application security API to perform the following aspects (I like to call these the 4 cornerstones of application security):

Authentication - proving user identity, often called user ‘login’.
Authorization - access control
Cryptography - protecting or hiding data from prying eyes
Session Management - per-user time-sensitive state

II. Core Concepts: Subject, SecurityManager, and Realms

1. Subject

When you’re securing your application, probably the most relevant questions to ask yourself are, “Who is the current user?” or “Is the current user allowed to do X”? It is common for us to ask ourselves these questions as we’re writing code or designing user interfaces: applications are usually built based on user stories, and you want functionality represented (and secured) based on a per-user basis. So, the most natural way for us to think about security in our application is based on the current user. Shiro’s API fundamentally represents this way of thinking in its Subject concept.

The word Subject is a security term that basically means “the currently executing user”. It’s just not called a ‘User’ because the word ‘User’ is usually associated with a human being. In the security world, the term ‘Subject’ can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means ‘the thing that is currently interacting with the software’. For most intents and purposes though, you can think of this as Shiro’s ‘User’ concept. You can easily acquire the Shiro Subject anywhere in your code as shown in Listing 1 below.
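The Subject concept described above, wired to the SecurityManager and Realm named in this section's heading, as an added example (it is not the Listing 1 the quoted article refers to, and not code from the Shiro project). It assumes shiro-core is on the classpath; the class name SubjectDemo and the two accounts are constructed for illustration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class SubjectDemo {
    public static void main(String[] args) {
        // Realm: where accounts and roles come from. Constructed sample data,
        // held in memory only; a real application would back this with a
        // database or directory and store hashed credentials.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "correct-horse", "admin");
        realm.addAccount("bob", "battery-staple", "viewer");

        // SecurityManager: coordinates realms and sessions for every Subject.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // Subject: "the thing currently interacting with the software".
        Subject subject = SecurityUtils.getSubject();

        // Authentication failure path: a bad password raises an exception
        // and must leave the Subject unauthenticated.
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong-password"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("authenticated after bad password: " + subject.isAuthenticated());

        // Authentication success path, then authorization checks by role.
        subject.login(new UsernamePasswordToken("bob", "battery-staple"));
        System.out.println("principal: " + subject.getPrincipal());
        System.out.println("hasRole(viewer): " + subject.hasRole("viewer"));
        System.out.println("hasRole(admin): " + subject.hasRole("admin"));

        // checkRole() is the fail-closed variant: it throws instead of
        // returning false, so a forgotten 'if' cannot grant access.
        try {
            subject.checkRole("admin");
        } catch (AuthorizationException e) {
            System.out.println("admin action denied for " + subject.getPrincipal());
        }

        // Session management: logout clears the identity and its session.
        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```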


Are you frustrated when you try to secure your applications? Do you feel existing Java security solutions are difficult to use and only confuse you further? This article introduces Apache Shiro, a Java security framework that provides a simple but powerful approach to application security. It explains Apache Shiro’s project goals, architectural philosophies and how you might use Shiro to secure your own applications.

Shiro also supports some auxiliary features, such as web application security, unit testing, and multithreading support, but these exist to reinforce the above four primary concerns.

Why was Apache Shiro created?
For a framework to really make a good case for its existence, and therefore a reas
