Understanding Apache Shiro: Core Concepts and Architecture Explained

This article introduces Apache Shiro, a lightweight Java security framework, and explains its three core concepts—Subject, SecurityManager, and Realms—while detailing the full system architecture including authenticators, authorizers, session management, caching, and cryptography components.

Introduction

Apache Shiro is a lightweight, easy‑to‑use Java security framework that provides authentication, authorization, cryptography and session management. It can be used for anything from small apps to enterprise‑level permission control.

Key Components

From an architectural perspective Shiro revolves around three core concepts: Subject, SecurityManager and Realms.

Subject : Represents the currently executing user, which may be a human, a third‑party service, an account proxy, etc. The Subject is bound to a SecurityManager, so interacting with a Subject actually interacts with the SecurityManager.

SecurityManager : The central hub of Shiro’s security architecture. It owns and coordinates the internal components (Authenticator, Authorizer, SessionManager, Realms). Every Subject operation is handed to the SecurityManager, which in turn delegates to the component responsible; the Subject itself holds no security logic.

Realms : Act as the bridge between Shiro and the application’s security data store. A Realm implements the logic for login and authorization, essentially a DAO for security data. At least one Realm must be configured; multiple Realms can be used together.
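The three concepts wired together, as an added example that is not code from the original article. It uses Shiro 1.x classes (org.apache.shiro.config.Ini, IniRealm, DefaultSecurityManager): the Realm is an IniRealm fed from an in-memory Ini, the SecurityManager owns it, and all login and access checks go through the Subject. The account names, passwords and permission strings are constructed sample data for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroCoreConceptsDemo {

    // Builds the Realm and the SecurityManager. Accounts and roles are constructed demo data.
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);   // username = password, roles...
        users.put("alice", "alice-pass, admin");
        users.put("bob", "bob-pass, reader");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);   // role = permissions...
        roles.put("admin", "doc:*");        // wildcard permission implies doc:read, doc:delete, ...
        roles.put("reader", "doc:read");

        // Realm: the bridge to security data (an INI here; JDBC, LDAP or a custom store in production).
        IniRealm realm = new IniRealm(ini);
        // SecurityManager: owns the Realm plus default Authenticator, Authorizer and SessionManager.
        return new DefaultSecurityManager(realm);
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        // Subject: the "current user". Every call below is delegated to the SecurityManager.
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("bob", "bob-pass");
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // Subtypes (UnknownAccountException, IncorrectCredentialsException, LockedAccountException)
            // and e.getMessage(), which can echo the submitted username, belong in server logs only.
            // Return one generic failure to the caller so accounts cannot be enumerated.
            System.out.println("login failed");
            return;
        } finally {
            token.clear();   // zero the password chars once Shiro has consumed them
        }

        System.out.println("authenticated: " + subject.isAuthenticated());    // true
        System.out.println("hasRole(reader): " + subject.hasRole("reader"));   // true
        System.out.println("doc:read: " + subject.isPermitted("doc:read"));    // true
        System.out.println("doc:delete: " + subject.isPermitted("doc:delete")); // false, only admin has doc:*
        try {
            subject.checkPermission("doc:delete");   // throws instead of returning a boolean
        } catch (AuthorizationException e) {
            System.out.println("denied: doc:delete");
        }
        subject.logout();   // stops the session and clears the Subject's principals
    }
}
```

With a single Realm the SecurityManager propagates the Realm's concrete exception (the UnknownAccountException message, for instance, includes the token's toString() and therefore the username), which is why the catch block above logs the subtype but never forwards it to the caller.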

System Architecture

The full Shiro architecture consists of several components:

Subject (org.apache.shiro.subject.Subject) : Abstracts the user interacting with the system.

SecurityManager (org.apache.shiro.mgt.SecurityManager) : Core manager that manages all Subjects and coordinates the internal components. It does not hold role or permission data itself; that comes from the Realms.

Authenticator (org.apache.shiro.authc.Authenticator) : Handles authentication requests, coordinating one or more Realms.

Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy) : Used by the default ModularRealmAuthenticator to decide how results from multiple Realms are combined. Shiro ships AtLeastOneSuccessfulStrategy (the default), FirstSuccessfulStrategy and AllSuccessfulStrategy.

Authorizer (org.apache.shiro.authz.Authorizer) : Decides whether a Subject may access a particular resource or perform an action.

SessionManager (org.apache.shiro.session.mgt.SessionManager) : Creates and manages the lifecycle of user sessions. Shiro’s native sessions do not depend on a servlet container, so the same session API works in web and non‑web applications.

SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO) : Persists session data. Shiro ships in‑memory and cache‑backed implementations (MemorySessionDAO, EnterpriseCacheSessionDAO); storing sessions in Redis, Memcached or a database is done by supplying a custom SessionDAO.

CacheManager (org.apache.shiro.cache.CacheManager) : Caches authentication and authorization data using any compatible caching product.

Cryptography (org.apache.shiro.crypto) : Hashing (Sha256Hash and the other SimpleHash variants, with salt and iteration support), symmetric ciphers such as AesCipherService, and a SecureRandomNumberGenerator. These back password storage via HashedCredentialsMatcher and the encryption of remember‑me data, and are available to the application directly.

Realms (org.apache.shiro.realm.Realm) : One or more implementations that supply security data (e.g., user accounts) to Shiro.

Shiro also ships ready‑made Realms such as JdbcRealm, the LDAP realms (DefaultLdapRealm, ActiveDirectoryRealm) and the text‑based IniRealm and PropertiesRealm. Custom Realms, for example over Redis, are written by extending AuthorizingRealm and implementing its two data‑lookup hooks.
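An added example, not the article’s or Shiro’s own code, that exercises the architecture list above end to end: a custom Realm extending AuthorizingRealm over a hypothetical account store (StoredAccount, StoreRealm, register and tryLogin are names invented for this demo), salted and iterated SHA‑256 from the crypto package checked by HashedCredentialsMatcher, two Realms combined by ModularRealmAuthenticator with an explicit AuthenticationStrategy, and a CacheManager applied by the SecurityManager. Shiro 1.x package names are assumed; the accounts and permission strings are constructed sample data.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedStoreRealmDemo {
    static final int HASH_ITERATIONS = 100_000;

    // Hypothetical account-table row: salt and iterated hash only, never the password itself.
    static final class StoredAccount {
        final String hashHex; final byte[] salt; final String[] roles;
        StoredAccount(String h, byte[] s, String... r) { hashHex = h; salt = s; roles = r; }
    }

    // Registration-time hashing with Shiro's crypto package: fresh random salt, iterated SHA-256.
    static StoredAccount register(String password, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        return new StoredAccount(new Sha256Hash(password, salt, HASH_ITERATIONS).toHex(), salt.getBytes(), roles);
    }

    // Custom Realm over the store. Shiro calls the two hooks; the configured matcher does the comparison.
    static final class StoreRealm extends AuthorizingRealm {
        private final Map<String, StoredAccount> store;

        StoreRealm(String name, Map<String, StoredAccount> store) {
            setName(name);
            this.store = store;
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);   // the realm never compares passwords itself
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            StoredAccount acct = store.get((String) token.getPrincipal());
            if (acct == null) return null;   // unknown in this realm; another realm may still match
            // The salt rides along so HashedCredentialsMatcher can re-hash the submitted password.
            return new SimpleAuthenticationInfo(token.getPrincipal(), acct.hashHex,
                    ByteSource.Util.bytes(acct.salt), getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            StoredAccount acct = store.get((String) getAvailablePrincipal(principals));
            if (acct == null) return null;
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(Set.of(acct.roles));
            if (info.getRoles().contains("admin")) info.addStringPermission("doc:*");
            if (info.getRoles().contains("reader")) info.addStringPermission("doc:read");
            return info;
        }
    }

    public static void main(String[] args) {
        Map<String, StoredAccount> employees = Map.of("alice", register("alice-pass", "admin"));    // constructed
        Map<String, StoredAccount> contractors = Map.of("carol", register("carol-pass", "reader")); // sample data

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy()); // the default, made explicit

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);   // must precede setRealms(), which pushes the realms into it
        sm.setRealms(List.of(new StoreRealm("employees", employees), new StoreRealm("contractors", contractors)));
        sm.setCacheManager(new MemoryConstrainedCacheManager());   // backs each realm's authorization cache
        SecurityUtils.setSecurityManager(sm);

        tryLogin("alice", "alice-pass");   // employees realm: doc:read=true, doc:delete=true
        tryLogin("carol", "carol-pass");   // contractors realm: doc:read=true, doc:delete=false
        tryLogin("alice", "wrong");        // rejected; with several realms only a generic AuthenticationException surfaces
    }

    static void tryLogin(String user, String pass) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, pass));
            System.out.println(user + " ok, doc:read=" + subject.isPermitted("doc:read")
                    + ", doc:delete=" + subject.isPermitted("doc:delete"));
        } catch (AuthenticationException e) {
            System.out.println(user + " rejected: " + e.getClass().getSimpleName());
        } finally {
            subject.logout();
        }
    }
}
```

Two behaviours worth knowing: ModularRealmAuthenticator catches each Realm’s exception during a multi‑realm attempt and only writes it to its debug log, so the caller sees the strategy’s generic AuthenticationException rather than IncorrectCredentialsException; and setRealms() pushes the realm list into the authenticator, which is why setAuthenticator() is called first. Session storage is wired the same way, by passing a DefaultSessionManager with a SessionDAO of your choice to sm.setSessionManager(). For new systems, prefer Shiro’s PasswordMatcher with DefaultPasswordService over a hand‑configured HashedCredentialsMatcher, since it manages the salt and iteration parameters for you.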

Written by

Big Data and Microservices

Focused on big data architecture, AI applications, and cloud‑native microservice practices, we dissect the business logic and implementation paths behind cutting‑edge technologies. No obscure theory—only battle‑tested methodologies: from data platform construction to AI engineering deployment, and from distributed system design to enterprise digital transformation.
