Shiro -- Basic authentication process

Keywords: Java Shiro Junit Attribute Mobile


In Shiro, a user presents principals and credentials so that the application can verify the user's identity:

Principals: the identity attributes of the subject. A principal can be anything that identifies the subject, such as a username or an email address, and must be unique. A subject can have several principals but only one primary principal, usually the username, email address or mobile number.

Credentials: secret values known only to the subject and used to prove the claimed identity, such as a password or a digital certificate.

The most common combination of principal and credential is username / password. The following walks through a basic authentication with it.

1. Add the dependency:


2. Create the shiro.ini file under resources, containing two identities with their credentials:


3. Test class:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;

public class AuthenticationTest {
    @Test
    public void t1() {
        // Obtain a SecurityManager factory; here the Ini configuration file initializes the SecurityManager
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        // Obtain the SecurityManager instance and bind it to SecurityUtils (required before Subject.login)
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        // Obtain the Subject and create a username/password authentication token (identity/credentials)
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("lc", "123");

        try {
            // Log in with the token; this call starts the authentication chain
            subject.login(token);
            System.out.println(subject.isAuthenticated() + " " + subject.getPrincipals());
        } catch (AuthenticationException e) {
            // Authentication failure: unknown account, wrong password, locked account, ...
            System.out.println("login failed: " + e.getClass().getSimpleName());
        }
        subject.logout();
    }
}
After running it, the output shows that authentication succeeded.


Change the token to a username that does not exist in shiro.ini: the login fails and an AuthenticationException is thrown (an UnknownAccountException in this case; a wrong password for an existing user throws an IncorrectCredentialsException instead).



4. Summary:

The process is as follows:

  1. First, call Subject.login(token) to log in; the Subject delegates the call to the SecurityManager. Before this call, the SecurityManager must have been bound with SecurityUtils.setSecurityManager();
  2. The SecurityManager is responsible for the real authentication logic; it delegates to the Authenticator;
  3. The Authenticator is the real authenticator and the core authentication entry point of the Shiro API, where you can plug in your own implementation;
  4. The Authenticator may delegate to an AuthenticationStrategy for multi-Realm authentication. By default, ModularRealmAuthenticator calls the AuthenticationStrategy when more than one Realm is configured;
  5. The Authenticator passes the token to each Realm and obtains the authentication information from it. If the Realm returns null or throws an exception, authentication fails. Several Realms can be configured here and are consulted in order according to the configured strategy.
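The example below is added here and is not code from the original article. It wires a custom Realm into the chain just described (Subject.login -> SecurityManager -> ModularRealmAuthenticator -> Realm) and, instead of the plaintext passwords that an ini [users] section holds, stores salted and iterated SHA-256 hashes that Shiro's HashedCredentialsMatcher verifies. The class HashedRealmDemo, the realm HashedUserRealm, its in-memory account store and the sample account are assumptions for illustration; the example targets Shiro 1.x and uses only standard Shiro classes.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.HashMap;
import java.util.Map;

public class HashedRealmDemo {

    /** Hypothetical Realm: keeps salted SHA-256 hashes instead of the plaintext passwords of an ini [users] section. */
    static class HashedUserRealm extends AuthenticatingRealm {
        private static final int ITERATIONS = 100_000;
        // Constructed in-memory store: username -> {saltHex, hashHex}. A real Realm would read this from a database.
        private final Map<String, String[]> users = new HashMap<>();

        HashedUserRealm() {
            // The matcher re-hashes the password from the token with the stored salt and iteration count
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
            addUser("lc", "123"); // same sample account as the tutorial (assumed)
        }

        void addUser(String username, String password) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes(); // per-user random salt
            String hash = new Sha256Hash(password, salt, ITERATIONS).toHex();
            users.put(username, new String[] {salt.toHex(), hash});
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            String[] record = users.get(username);
            if (record == null) {
                throw new UnknownAccountException("no account named " + username);
            }
            // Return principal + stored hash + salt; AuthenticatingRealm then runs the CredentialsMatcher
            ByteSource salt = ByteSource.Util.bytes(Hex.decode(record[0]));
            return new SimpleAuthenticationInfo(username, record[1], salt, getName());
        }
    }

    /** One login attempt through the Subject -> SecurityManager -> Authenticator -> Realm chain. */
    static String tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "OK " + subject.getPrincipal();
        } catch (UnknownAccountException e) {
            return "FAIL unknown account";     // log the distinction server-side only:
        } catch (IncorrectCredentialsException e) {
            return "FAIL wrong credentials";   // telling the client which case it was lets it enumerate usernames
        } catch (AuthenticationException e) {
            return "FAIL " + e.getClass().getSimpleName();
        } finally {
            token.clear();   // zero the password chars as soon as they are no longer needed
            subject.logout();
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new HashedUserRealm());
        SecurityUtils.setSecurityManager(securityManager); // must happen before Subject.login
        System.out.println(tryLogin("lc", "123"));     // existing user, right password
        System.out.println(tryLogin("nobody", "123")); // unknown user
        System.out.println(tryLogin("lc", "wrong"));   // existing user, wrong password
    }
}
```

Only Subject.login(token) triggers the chain; calling SecurityUtils.getSubject() alone, as a test that forgets the login does, never touches the Realm. The three attempts exercise the three outcomes described above: the Realm returns matching info, the Realm throws (UnknownAccountException), and the Realm returns info whose hash does not match (IncorrectCredentialsException raised by the matcher). Keep the two failure cases separate in server logs, but return the same message to the client. Shiro 1.x also ships PasswordMatcher with DefaultPasswordService for the same purpose when you do not want to manage salts and iteration counts yourself.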

Posted by lopes_andre on Wed, 26 Feb 2020 22:52:49 -0800