Home > Java > javaTutorial > Introduction to Java Permission Framework: Shiro's Unified Authentication and Authorization

Introduction to Java Permission Framework: Shiro's Unified Authentication and Authorization

php是最好的语言
Release: 2018-08-09 17:07:00
Original
3654 people have browsed it

Shiro’s Unified Authentication and Authorization

Shiro is a simple, easy-to-use Java permissions framework under Apache. For single applications, Shiro can perfectly and quickly meet permission requirements. Therefore, Shiro will generally become the first choice of developers when working on projects.

However, if you need to make a second, third, or nth application that also requires the same authentication and authorization, you may need to extend Shiro or integrate other frameworks. It meets your needs very well.

How Shiro performs authentication and authorization

Shiro itself does not help you achieve authentication and authorization, but Shiro has well defined some concepts related to permissions, allowing you to complete specific implementations

  • Authentication
    In Shiro, completing authentication is generally subject.login(token). Subject represents a user, and Token represents the authorization information submitted when a user requests authorization. Through AuthenticatingRealm .doGetAuthenticationInfo() obtains some information about the current Subject, such as Principals, Credentials, and verifies the submitted token. If the login is successful, save the current logged-in user

  • Authorization
    in Shiro , Permission control is generally like @RequiresPermissions. When a user accesses a protected resource, Shiro will use AuthorizingRealm.doGetAuthorizationInfo() to obtain the user's permissions from the Principals of the currently authenticated Subject to determine whether the user can access the resource

In Shiro, the above two things are accomplished by implementing Realm. When you have a single application, it is very simple to complete the authentication and authorization of the application.

But what should you do when you have multiple applications and need to reuse the same set of users and permission information? You can reuse Realm and the user permissions are in the same db. This is possible, but The coupling is too high, and different applications must access the same data source; or the DAO related to user permissions can be stripped out and used as an RPC or Rest call, which can also be implemented; but a better way is to separate the entire authentication and authorization Come out and serve as an authentication and authorization service alone

Unified authentication and authorization based on Shiro

In order to achieve unified authentication and authorization, Shiro has CasFilter, which can integrate CAS, but CAS is another set of frameworks, which is more important , there is a separate learning cost, so here is a simpler, lightweight, easy-to-use, Shiro-based authentication and authorization service shiro-uaa

Authentication and authorization process

  1. User requests protected resources Resource Server

  2. Resource Server determines whether the user is logged in

  3. If not logged in, Resource Server guides the user to UAA Server to log in

  4. The user logs in to the UAA Server. If the login is successful, the UAA Server returns the code to the user and guides the user to the previously visited Resource Server

  5. Resource Server uses code to obtain access-token from UAA Server. The token contains user authorization information

  6. Resource Server verifies whether the accessToken is legal. If it is legal, saves the user information in Resource Server

As shown below:

Introduction to Java Permission Framework: Shiros Unified Authentication and Authorization

Use

  • auth-server

  1. Quote maven

  2. Implement your own login

  • resource-server

    1. Quote maven

    2. Like shiro, use relevant annotations for permission control

    ##Basic It can be used out of the box. At present, auth-server is only provided as a jar package. You need to implement the login logic yourself. There will be deployable services in the future.

    shiro-uaaFor specific related instructions, you can check the project address

    Related recommendations:

    Detailed explanation of Shiro authorization implementation

    ##Apache Shiro User Manual (1) Shiro Architecture Introduction

    The above is the detailed content of Introduction to Java Permission Framework: Shiro's Unified Authentication and Authorization. For more information, please follow other related articles on the PHP Chinese website!

    Related labels:
    source:php.cn
    Statement of this Website
    The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
    Popular Tutorials
    More>
    Latest Downloads
    More>
    Web Effects
    Website Source Code
    Website Materials
    Front End Template