Application Security With Apache Shiro - 0 views
-
previously known as the JSecurity project
-
The word Subject is a security term that basically means "the currently executing user"
-
Core Concepts: Subject, SecurityManager, and Realms
- ...12 more annotations...
-
Subject
-
'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'
-
Subject currentUser = SecurityUtils.getSubject();
-
SecurityManager
-
SecurityManager manages security operations for all users
-
Realms
-
Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
-
Realm is essentially a security-specific DAO
-
Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more
-
Authorization
-
A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.
-
“Run As” support for assuming the identity of another Subject