Apache Shiro is a Java security framework that, at the time of writing, is still under active development.

Shiro focuses on the process of authorization, session management, cryptography, and authentication.

In this post, I’ll talk specifically about the authentication process.

The Authentication Problem

Authentication is the process of making sure that users are who they say they are.

The problem is that multiple developers end up with access to the database of stored credentials. With Shiro, developers can authenticate users without ever touching this security data directly.

The Solution

Shiro encapsulates the credentials a user submits in an authentication token, which is then checked through a Realm.
A Realm is a Data Access Object (DAO) that mediates access to the application’s security data (users, passwords, and so on).

The operations Shiro exposes on top of this layer include:

  • Authentication (login)
  • Authorization (access control)
  • Session access
  • Logout

Shiro’s Magic

First, you must create a subject and a realm.

To create a subject and a token with the information the user is typing in, do this,

To define a realm,

Next, register the realm with the SecurityManager and pass the token to the subject’s login method,

Now that you have the user’s input credentials, you can use the SecurityManager to authenticate the user.

Then, call,

It returns an object that encapsulates the account information.

Finally …

Easy, right? You can authenticate a user without ever getting direct access to their credentials.
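The whole flow described above, end to end, as an added example (this is not code from the original post or from the Shiro project). It assumes Shiro 1.x core on the classpath; the user store is a constructed in-memory map standing in for the real database, and the `StoredAccount`, `InMemoryRealm` and `login` names are this example’s own. The point to notice is that the application code in `login` only ever sees a `UsernamePasswordToken` and a yes/no answer; the salted hashes live behind the Realm.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class ShiroLoginExample {

    /** One stored account: only the salted, iterated hash is kept, never the password. */
    static final class StoredAccount {
        final String hashHex;
        final ByteSource salt;
        final boolean locked;
        StoredAccount(String hashHex, ByteSource salt, boolean locked) {
            this.hashHex = hashHex; this.salt = salt; this.locked = locked;
        }
    }

    static final int ITERATIONS = 50_000;
    /** Constructed in-memory credential store (hypothetical; stands in for the real DB). */
    static final Map<String, StoredAccount> USERS = new HashMap<>();
    static {
        SecureRandomNumberGenerator rng = new SecureRandomNumberGenerator();
        ByteSource aliceSalt = rng.nextBytes();
        USERS.put("alice", new StoredAccount(
                new Sha256Hash("correct horse battery", aliceSalt, ITERATIONS).toHex(), aliceSalt, false));
        ByteSource bobSalt = rng.nextBytes();
        USERS.put("bob", new StoredAccount(
                new Sha256Hash("hunter2", bobSalt, ITERATIONS).toHex(), bobSalt, true)); // locked
    }

    /** The Realm: the only component that reads credential data. */
    static final class InMemoryRealm extends AuthorizingRealm {
        InMemoryRealm() {
            setName("inMemoryRealm");
            // Tell Shiro how the stored credentials were hashed so it can compare safely.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = ((UsernamePasswordToken) token).getUsername();
            StoredAccount acct = USERS.get(username);
            if (acct == null) throw new UnknownAccountException("no account: " + username);
            if (acct.locked) throw new LockedAccountException("locked: " + username);
            // Hand back hash + salt; the credentials matcher does the comparison.
            return new SimpleAuthenticationInfo(username, acct.hashHex, acct.salt, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(); // no roles needed for this example
        }
    }

    /** Application-side login: sees a token and a boolean, never the stored hashes. */
    static boolean login(String username, char[] password) {
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            currentUser.login(token);
            return true;
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            return false; // same outcome for both: don't leak which usernames exist
        } catch (LockedAccountException e) {
            return false;
        } catch (AuthenticationException e) {
            return false; // any other realm failure
        } finally {
            token.clear(); // wipe the plaintext password from the token
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));

        System.out.println(login("alice", "correct horse battery".toCharArray())); // true
        Subject s = SecurityUtils.getSubject();
        System.out.println(s.isAuthenticated() + " as " + s.getPrincipal());      // true as alice
        s.logout();
        System.out.println(login("alice", "wrong".toCharArray()));   // false (bad password)
        System.out.println(login("bob", "hunter2".toCharArray()));   // false (locked)
        System.out.println(login("mallory", "x".toCharArray()));     // false (unknown)
    }
}
```

Two design points worth keeping in real code: collapse `UnknownAccountException` and `IncorrectCredentialsException` into one user-facing result so an attacker cannot enumerate valid usernames, and call `token.clear()` in `finally` so the plaintext password does not outlive the login attempt.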

Besides authentication, Apache Shiro provides other tools to make your Java applications secure.