tessl/maven-org-apache-shiro--shiro-core
A powerful and flexible open-source Java security framework providing authentication, authorization, session management, and cryptographic services
—
Pending
security-manager.mddocs/
Security Manager
The SecurityManager is the central coordinator for all security operations in Apache Shiro. It manages the interaction between subjects, realms, sessions, caches, and other security components. The SecurityManager is responsible for creating subjects, orchestrating authentication and authorization operations, and managing the overall security context.
Capabilities
Core Security Manager Interface
The primary interface defining the essential security management operations.
/**
* A SecurityManager executes all security operations for all Subjects (aka users) across a single application.
*/
public interface SecurityManager {
/**
* Logs in a Subject based on the submitted AuthenticationToken.
* @param subject the subject to log in
* @param token the authentication token submitted for the login attempt
* @return updated AuthenticationInfo for the logged-in Subject
* @throws AuthenticationException if the login attempt failed
*/
Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException;
/**
* Logs out the specified Subject from the system.
* @param subject the subject to log out
*/
void logout(Subject subject);
/**
* Creates a Subject instance reflecting the application's current execution state.
* @param context the contextual data used by the implementation to construct an appropriate Subject
* @return a Subject instance reflecting the application's current execution state
*/
Subject createSubject(SubjectContext context);
}Default Security Manager Implementation
The primary implementation of SecurityManager that provides comprehensive security management.
/**
* The DefaultSecurityManager is a concrete implementation of the SecurityManager interface
* that supports most out-of-the-box requirements for single-application security management.
*/
public class DefaultSecurityManager implements SecurityManager {
/**
* Default no-argument constructor.
*/
public DefaultSecurityManager();
/**
* Creates a new DefaultSecurityManager instance with a single Realm.
* @param realm the single Realm to use for authentication and authorization operations
*/
public DefaultSecurityManager(Realm realm);
/**
* Creates a new DefaultSecurityManager instance with the specified collection of Realms.
* @param realms the collection of Realms to use for authentication and authorization operations
*/
public DefaultSecurityManager(Collection<Realm> realms);
/**
* Sets the collection of Realms used by this SecurityManager.
* @param realms the collection of Realms to use for authentication and authorization operations
*/
public void setRealms(Collection<Realm> realms);
/**
* Returns the collection of Realms used by this SecurityManager for authentication and authorization.
* @return the collection of Realms used by this SecurityManager
*/
public Collection<Realm> getRealms();
/**
* Sets the Authenticator used during authentication attempts.
* @param authenticator the Authenticator used during authentication attempts
*/
public void setAuthenticator(Authenticator authenticator);
/**
* Returns the Authenticator used during authentication attempts.
* @return the Authenticator used during authentication attempts
*/
public Authenticator getAuthenticator();
/**
* Sets the Authorizer used during authorization operations.
* @param authorizer the Authorizer used during authorization operations
*/
public void setAuthorizer(Authorizer authorizer);
/**
* Returns the Authorizer used during authorization operations.
* @return the Authorizer used during authorization operations
*/
public Authorizer getAuthorizer();
/**
* Sets the SessionManager used to manage Sessions for all application users.
* @param sessionManager the SessionManager used to manage Sessions for all application users
*/
public void setSessionManager(SessionManager sessionManager);
/**
* Returns the SessionManager used to manage Sessions for all application users.
* @return the SessionManager used to manage Sessions for all application users
*/
public SessionManager getSessionManager();
/**
* Sets the CacheManager used for caching authentication and authorization information.
* @param cacheManager the CacheManager used for caching
*/
public void setCacheManager(CacheManager cacheManager);
/**
* Returns the CacheManager used for caching authentication and authorization information.
* @return the CacheManager used for caching
*/
public CacheManager getCacheManager();
/**
* Sets the RememberMeManager used to manage remember-me functionality.
* @param rememberMeManager the RememberMeManager used to manage remember-me functionality
*/
public void setRememberMeManager(RememberMeManager rememberMeManager);
/**
* Returns the RememberMeManager used to manage remember-me functionality.
* @return the RememberMeManager used to manage remember-me functionality
*/
public RememberMeManager getRememberMeManager();
}Usage Example:
// Basic setup with single realm
Realm myRealm = new MyCustomRealm();
SecurityManager securityManager = new DefaultSecurityManager(myRealm);
SecurityUtils.setSecurityManager(securityManager);
// Advanced setup with multiple components
DefaultSecurityManager manager = new DefaultSecurityManager();
// Configure realms
Collection<Realm> realms = Arrays.asList(
new JdbcRealm(),
new LdapRealm(),
new IniRealm()
);
manager.setRealms(realms);
// Configure session management
DefaultSessionManager sessionManager = new DefaultSessionManager();
sessionManager.setGlobalSessionTimeout(30 * 60 * 1000); // 30 minutes
manager.setSessionManager(sessionManager);
// Configure caching
EhCacheManager cacheManager = new EhCacheManager();
manager.setCacheManager(cacheManager);
// Set as application security manager
SecurityUtils.setSecurityManager(manager);Specialized Security Manager Implementations
Additional SecurityManager implementations for specific use cases.
/**
* SecurityManager implementation that uses a single Realm to do all of its authentication and authorization operations.
*/
public class RealmSecurityManager extends DefaultSecurityManager {
/**
* Default no-argument constructor that initializes an internal default Realm.
*/
public RealmSecurityManager();
/**
* Constructs a RealmSecurityManager instance with the single specified Realm.
* @param realm the single Realm to use for authentication and authorization operations
*/
public RealmSecurityManager(Realm realm);
/**
* Sets the single Realm used by this SecurityManager.
* @param realm the single Realm to use for authentication and authorization operations
*/
public void setRealm(Realm realm);
/**
* Returns the single Realm used by this SecurityManager.
* @return the single Realm used by this SecurityManager
*/
public Realm getRealm();
}
/**
* SecurityManager implementation that only provides authentication capabilities.
*/
public class AuthenticatingSecurityManager extends RealmSecurityManager {
public AuthenticatingSecurityManager();
public AuthenticatingSecurityManager(Realm realm);
}
/**
* SecurityManager implementation that provides both authentication and authorization capabilities.
*/
public class AuthorizingSecurityManager extends AuthenticatingSecurityManager {
public AuthorizingSecurityManager();
public AuthorizingSecurityManager(Realm realm);
}
/**
* SecurityManager implementation that provides session management capabilities.
*/
public class SessionsSecurityManager extends AuthorizingSecurityManager {
public SessionsSecurityManager();
public SessionsSecurityManager(Realm realm);
}
/**
* SecurityManager implementation that provides caching capabilities.
*/
public class CachingSecurityManager extends SessionsSecurityManager {
public CachingSecurityManager();
public CachingSecurityManager(Realm realm);
}Subject Factory
Interface and implementation for creating Subject instances.
/**
* A SubjectFactory creates Subject instances based on contextual information.
*/
public interface SubjectFactory {
/**
* Creates a new Subject instance reflecting the state specified in the given SubjectContext.
* @param context the context information to use when creating the Subject instance
* @return a new Subject instance reflecting the state specified in the given SubjectContext
*/
Subject createSubject(SubjectContext context);
}
/**
* Default SubjectFactory implementation that creates DefaultSubject instances.
*/
public class DefaultSubjectFactory implements SubjectFactory {
public DefaultSubjectFactory();
public Subject createSubject(SubjectContext context);
}Subject Context
Context information used when creating Subject instances.
/**
* A SubjectContext is a data structure that holds contextual information about a Subject
* that is used to construct Subject instances.
*/
public interface SubjectContext extends Map<String, Object> {
/**
* Returns the SecurityManager instance that should be used to back the constructed Subject.
* @return the SecurityManager instance that should be used to back the constructed Subject
*/
SecurityManager getSecurityManager();
/**
* Sets the SecurityManager instance that should be used to back the constructed Subject.
* @param securityManager the SecurityManager instance that should be used to back the constructed Subject
*/
void setSecurityManager(SecurityManager securityManager);
/**
* Returns the Session that should be associated with the constructed Subject.
* @return the Session that should be associated with the constructed Subject
*/
Session getSession();
/**
* Sets the Session that should be associated with the constructed Subject.
* @param session the Session that should be associated with the constructed Subject
*/
void setSession(Session session);
/**
* Returns the principals (identity) that the constructed Subject should reflect.
* @return the principals (identity) that the constructed Subject should reflect
*/
PrincipalCollection getPrincipals();
/**
* Sets the principals (identity) that the constructed Subject should reflect.
* @param principals the principals (identity) that the constructed Subject should reflect
*/
void setPrincipals(PrincipalCollection principals);
/**
* Returns true if the constructed Subject should be considered authenticated, false otherwise.
* @return true if the constructed Subject should be considered authenticated, false otherwise
*/
boolean isAuthenticated();
/**
* Sets whether or not the constructed Subject should be considered authenticated.
* @param authenticated whether or not the constructed Subject should be considered authenticated
*/
void setAuthenticated(boolean authenticated);
}
/**
* Default implementation of the SubjectContext interface.
*/
public class DefaultSubjectContext implements SubjectContext {
public DefaultSubjectContext();
public DefaultSubjectContext(SubjectContext context);
}Usage Example:
// Custom subject creation
DefaultSubjectContext context = new DefaultSubjectContext();
context.setSecurityManager(SecurityUtils.getSecurityManager());
context.setAuthenticated(true);
context.setPrincipals(new SimplePrincipalCollection("username", "realm"));
Subject customSubject = SecurityUtils.getSecurityManager().createSubject(context);
// Use custom subject
customSubject.execute(() -> {
// Code executing with custom subject context
performOperation();
});Types
public interface SubjectDAO {
Subject save(Subject subject);
void delete(Subject subject);
}
public class DefaultSubjectDAO implements SubjectDAO {
public DefaultSubjectDAO();
public Subject save(Subject subject);
public void delete(Subject subject);
}
public interface RememberMeManager {
PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext);
void forgetIdentity(SubjectContext subjectContext);
void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info);
void onFailedLogin(Subject subject, AuthenticationToken token, AuthenticationException ae);
void onLogout(Subject subject);
}Install with Tessl CLI
npx tessl i tessl/maven-org-apache-shiro--shiro-core