Core Concepts: Subject, SecurityManager, and Realms
The word Subject is a security term that basically means “the currently executing user”.
You can easily acquire the Shiro Subject anywhere in your code.
1
Subject currentUser = SecurityUtils.getSubject();
While the Subject represents security operations for the current user, the SecurityManager manages security operations for all users.
Configuring Shiro with INI
1
2
3
4
5
6
7
8
9
10
11
[main]
cm = org.apache.shiro.authc.credential.HashedCredentialsMatcher
cm.hashAlgorithm = SHA-512
cm.hashIterations = 1024
# Base64 encoding (less text):
cm.storedCredentialsHexEncoded = false
iniRealm.credentialsMatcher = $cm
[users]
jdoe = TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJpcyByZWFzb2
asmith = IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbXNoZWQsIG5vdCB
The [main] section is where you configure the SecurityManager object and/or any objects (like Realms) used by the SecurityManager.
The [users] section is where you can specify a static list of user accounts - convenient for simple applications or when testing.
A Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed.
When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. More than one Realm may be configured, but at least one is required.
an AuthenticationToken instance that represents the submitted principals and credentials