Simple. Java. Security.
Apache Shiro Architecture
|
Handy Hint
|
Shiro v1 version notice
As of February 282024Shiro v1 was superseded by v2.
|
Apache Shiro’s design goals are to simplify application security by being intuitive and easy to use. Shiro’s core design models how most people think about application security - in the context of someone (or something) interacting with an application.
Software applications are usually designed based on user stories. That isyou’ll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For exampleyou might say"If the user interacting with my application is logged inI will show them a button they can click to view their account information. If they are not logged inI will show a sign-up button."
This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the 'user' is another software system and not a human beingyou still write code to reflect behavior based on who (or what) is currently interacting with your software.
Shiro reflects these concepts in its own design. By matching what is already intuitive for software developersApache Shiro remains intuitive and easy to use in practically any application.
High-Level Overview
At the highest conceptual levelShiro’s architecture has 3 primary concepts: the SubjectSecurityManager and Realms. The following diagram is a high-level overview of how these components interactand we’ll cover each concept below:
-
Subject: As we’ve mentioned in our Tutorialthe
Subjectis essentially a security specific 'view' of the currently executing user. Whereas the word 'User' often implies a human beingaSubjectcan be a personbut it could also represent a 3rd-party servicedaemon accountcron jobor anything similar - basically anything that is currently interacting with the software.Subjectinstances are all bound to (and require) aSecurityManager. When you interact with aSubjectthose interactions translate to subject-specific interactions with theSecurityManager. -
SecurityManager: The
SecurityManageris the heart of Shiro’s architecture and acts as a sort of 'umbrella’ object that coordinates its internal security components that together form an object graph. Howeveronce the SecurityManager and its internal object graph is configured for an applicationit is usually left alone and application developers spend almost all of their time with theSubjectAPI.We will talk about the
SecurityManagerin detail later onbut it is important to realize that when you interact with aSubjectit is really theSecurityManagerbehind the scenes that does all the heavy lifting for anySubjectsecurity operation. This is reflected in the basic flow diagram above. -
Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control)Shiro looks up many of these things from one or more Realms configured for an application.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiroyou must specify at least one Realm to use for authentication and/or authorization. The
SecurityManagermay be configured with multiple Realmsbut at least one is required.
Detailed Architecture
The following diagram shows Shiro’s core architectural concepts followed by short summaries of each:
-
Subject (
org.apache.shiro.subject.Subject) A security-specific 'view' of the entity (user3rd-party servicecron jobetc.) currently interacting with the software. -
SecurityManager (org.apache.shiro.mgt.SecurityManager) As mentioned abovethe
SecurityManageris the heart of Shiro’s architecture. It is mostly an 'umbrella' object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application userso it knows how to perform security operations per user. -
Authenticator (org.apache.shiro.authc.Authenticator) The
Authenticatoris the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-inthat logic is executed by theAuthenticator. TheAuthenticatorknows how to coordinate with one or moreRealmsthat store relevant user/account information. The data obtained from theseRealmsis used to verify the user’s identity to guarantee the user really is who they say they are.-
Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy) If more than one
Realmis configuredtheAuthenticationStrategywill coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for exampleif one realm succeeds but others failis the attempt successful? Must all realms succeed? Only the first?).
-
-
Authorizer (org.apache.shiro.authz.Authorizer) The
Authorizeris the component responsible determining users' access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like theAuthenticatortheAuthorizeralso knows how to coordinate with multiple back-end data sources to access role and permission information. TheAuthorizeruses this information to determine exactly if a user is allowed to perform a given action. -
SessionManager (org.apache.shiro.session.mgt.SessionManager) The
SessionManagerknows how to create and manage userSessionlifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environmenteven if there is no Web/Servlet or EJB container available. By defaultShiro will use an existing session mechanism if available(e.g. Servlet Container)but if there isn’t onesuch as in a standalone application or non-web environmentit will use its built-in enterprise session management to offer the same programming experience. TheSessionDAOexists to allow any datasource to be used to persist sessions.-
SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO) The
SessionDAOperformsSessionpersistence (CRUD) operations on behalf of theSessionManager. This allows any data store to be plugged in to the Session Management infrastructure.
-
-
CacheManager (org.apache.shiro.cache.CacheManager) The
CacheManagercreates and managesCacheinstance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authenticationauthorization and session managementcaching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. -
Cryptography (org.apache.shiro.crypto.cipher.*) Cryptography is a natural addition to an enterprise security framework. Shiro’s
cryptopackage contains easy-to-use and understand representations of cryptographic CiphersHashes (aka digests) and different codec implementations. All the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings. -
Realms (org.apache.shiro.realm.Realm) As mentioned aboveRealms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control)Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many
Realmsas you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.
The SecurityManager
Because Shiro’s API encourages a Subject-centric programming approachmost application developers will rarelyif everinteract with the SecurityManager directly (framework developers however might sometimes find it useful). Even soit is still important to know how the SecurityManager functionsespecially when configuring one for an application.
Design
As stated previouslythe application’s SecurityManager performs security operations and manages state for <em>all</em> application users. In Shiro’s default SecurityManager implementationsthis includes:
-
Authentication
-
Authorization
-
Session Management
-
Cache Management
-
Realm coordination
-
Event propagation
-
"Remember Me" Services
-
Subject creation
-
Logout and more.
But this is a lot of functionality to try to manage in a single component. Andmaking these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.
To simplify configuration and enable flexible configuration/pluggabilityShiro’s implementations are all highly modular in design - so modular in factthat the SecurityManager implementation (and its class-hierarchy) does not do much at all. Insteadthe SecurityManager implementations mostly act as a lightweight 'container' componentdelegating almost all behavior to nested/wrapped components. This 'wrapper' design is reflected in the detailed architecture diagram above.
While the components actually execute the logicthe SecurityManager implementation knows how and when to coordinate the components for the correct behavior.
The SecurityManager implementations and the components are also JavaBeans compatiblewhich allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro’s architectural modularity can translate into very easy configuration for custom behavior.
|
Easy Configuration
|
Because of JavaBeans compatibilityit is very easy to configure the |
We will cover Configuration next.