securitymanager.md.vtl - shiro-site - Git at Google

 <a name="SecurityManager-UnderstandingtheSecurityManagerinApacheShiro"></a>
 Understanding the SecurityManager in Apache Shiro
 =================================================

 The [SecurityManager](static/current/apidocs/org/apache/shiro/mgt/SecurityManager.html) lies at the heart of Shiro's architecture. While the [Subject](subject.html "Subject") represents security functionality and state for a _single_ application user, the `SecurityManager` performs security operations and manages state for _all_ application users.

 Because Shiro's API encourages a `Subject`-centric programming approach, most application developers will rarely, if ever, interact with the `SecurityManager` directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the `SecurityManager` functions, especially when configuring one for an application.

 <a name="SecurityManager-Design"></a>
 Design
 ------

 As stated previously, the application's `SecurityManager` performs security operations and manages state for _all_ application users. In Shiro's default `SecurityManager` implementations, this includes:

 *   Authentication
 *   Authorization
 *   Session Management
 *   Cache Management
 *   [Realm](realm.html "Realm") coordination
 *   Event propagation
 *   "Remember Me" Services
 *   Subject creation
 *   Logout
 and more.

 But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.

 To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the `SecurityManager` implementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components.

 <a name="SecurityManager-Modularity"></a>
 #[[###Modularity]]#

 To simplify the `SecurityManager` implementation complexity and allow for pluggable behavior, the Shiro `SecurityManager` implementations delegate almost all logic to a nested set of modular components that actually perform the necessary functionality. While the components actually execute the logic, the `SecurityManager` implementation knows how and when to coordinate the components for the correct behavior.

 The nested components that the `SecurityManager` coordinates and delegates to are:

 *   Authenticator (`org.apache.shiro.authc.Authenticator`)
 *   Authorizer (`org.apache.shiro.authz.Authorizer`)
 *   SessionManager (`org.apache.shiro.session.mgt.SessionManager`)
 *   [CacheManager](cachemanager.html "CacheManager") (`org.apache.shiro.cache.CacheManager`)
 *   RememberMeManager (`org.apache.shiro.mgt.RememberMeManager`)
 *   SubjectFactory(`org.apache.shiro.mgt.SubjectFactory`)

 The `SecurityManager` implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.

 #tip('Easy Configuration', 'Because of JavaBeans compatibility, it is very easy to configure the <code>SecurityManager</code> with custom components via any mechanism that supports JavaBeans-style configuration, such as <a href="spring.html" title="Spring">Spring</a>, Guice, JBoss, etc.')

 <a name="SecurityManager-ProgrammaticConfiguration"></a>
 #[[###Programmatic Configuration]]#

 The absolute simplest way to create a SecurityManager and make it available to the application is to create a `org.apache.shiro.mgt.DefaultSecurityManager` and wire it up in code:

 ``` java
 Realm realm = //instantiate or acquire a Realm instance.  We'll discuss Realms later.
 SecurityManager securityManager = new DefaultSecurityManager(realm);
 //Make the SecurityManager instance available to the entire application:
 SecurityUtils.setSecurityManager(securityManager);
 ```

 Surprisingly, after only 3 lines of code, you now have a fully functional Shiro environment suitable for most applications. How easy was that!?

 You could additionally call any of the `SecurityManager` instance's setter methods with custom implementations of the nested components listed above to fully customize its behavior.

 But, as simple as programmatic customization is, these 3 lines of code do not represent the ideal configuration for most real world applications. There are a few reasons why programmatic configuration may not be suitable for your application:

 1.  It requires you to know about and instantiate a direct implementation. It would be nicer if you didn't have to know about concrete implementations and where to find them.
 2.  The `SecurityUtils.setSecurityManager` method call makes the instantiated `SecurityManager` instance a VM static singleton, which, while fine for many applications, would cause problems if more than one Shiro-enabled application was running on the same JVM. It could be better if the instance was an application singleton, but not a static memory reference.
 3.  It requires you to recompile your application every time you want to make a Shiro configuration change.

 Most applications instead benefit from text-based configuration that could be modified independently of source code and even make things easier to understand for those not intimately familiar with Shiro's APIs.

 <a name="SecurityManager-TextConfiguration"></a>
 #[[###Text Configuration]]#

 Shiro provides a simple INI-based [configuration](configuration.html "Configuration") that can be used out of the box, but any other JavaBeans-compatible mechanism can be used as well. For example, Shiro has excellent [Spring support](spring.html "Spring") too. Other similar frameworks (Guice, JBoss, etc) could also be used.

 #lendAHandDoc()

 <input type="hidden" id="ghEditPage" value="securitymanager.md.vtl"></input>
	<a name="SecurityManager-UnderstandingtheSecurityManagerinApacheShiro"></a>
	Understanding the SecurityManager in Apache Shiro
	=================================================

	The [SecurityManager](static/current/apidocs/org/apache/shiro/mgt/SecurityManager.html) lies at the heart of Shiro's architecture. While the [Subject](subject.html "Subject") represents security functionality and state for a _single_ application user, the `SecurityManager` performs security operations and manages state for _all_ application users.

	Because Shiro's API encourages a `Subject`-centric programming approach, most application developers will rarely, if ever, interact with the `SecurityManager` directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the `SecurityManager` functions, especially when configuring one for an application.

	<a name="SecurityManager-Design"></a>
	Design
	------

	As stated previously, the application's `SecurityManager` performs security operations and manages state for _all_ application users. In Shiro's default `SecurityManager` implementations, this includes:

	* Authentication
	* Authorization
	* Session Management
	* Cache Management
	* [Realm](realm.html "Realm") coordination
	* Event propagation
	* "Remember Me" Services
	* Subject creation
	* Logout
	and more.

	But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.

	To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the `SecurityManager` implementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components.

	<a name="SecurityManager-Modularity"></a>
	#[[###Modularity]]#

	To simplify the `SecurityManager` implementation complexity and allow for pluggable behavior, the Shiro `SecurityManager` implementations delegate almost all logic to a nested set of modular components that actually perform the necessary functionality. While the components actually execute the logic, the `SecurityManager` implementation knows how and when to coordinate the components for the correct behavior.

	The nested components that the `SecurityManager` coordinates and delegates to are:

	* Authenticator (`org.apache.shiro.authc.Authenticator`)
	* Authorizer (`org.apache.shiro.authz.Authorizer`)
	* SessionManager (`org.apache.shiro.session.mgt.SessionManager`)
	* [CacheManager](cachemanager.html "CacheManager") (`org.apache.shiro.cache.CacheManager`)
	* RememberMeManager (`org.apache.shiro.mgt.RememberMeManager`)
	* SubjectFactory(`org.apache.shiro.mgt.SubjectFactory`)

	The `SecurityManager` implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get/set). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.

	#tip('Easy Configuration', 'Because of JavaBeans compatibility, it is very easy to configure the <code>SecurityManager</code> with custom components via any mechanism that supports JavaBeans-style configuration, such as <a href="spring.html" title="Spring">Spring</a>, Guice, JBoss, etc.')

	<a name="SecurityManager-ProgrammaticConfiguration"></a>
	#[[###Programmatic Configuration]]#

	The absolute simplest way to create a SecurityManager and make it available to the application is to create a `org.apache.shiro.mgt.DefaultSecurityManager` and wire it up in code:

	``` java
	Realm realm = //instantiate or acquire a Realm instance. We'll discuss Realms later.
	SecurityManager securityManager = new DefaultSecurityManager(realm);
	//Make the SecurityManager instance available to the entire application:
	SecurityUtils.setSecurityManager(securityManager);
	```

	Surprisingly, after only 3 lines of code, you now have a fully functional Shiro environment suitable for most applications. How easy was that!?

	You could additionally call any of the `SecurityManager` instance's setter methods with custom implementations of the nested components listed above to fully customize its behavior.

	But, as simple as programmatic customization is, these 3 lines of code do not represent the ideal configuration for most real world applications. There are a few reasons why programmatic configuration may not be suitable for your application:

	1. It requires you to know about and instantiate a direct implementation. It would be nicer if you didn't have to know about concrete implementations and where to find them.
	2. The `SecurityUtils.setSecurityManager` method call makes the instantiated `SecurityManager` instance a VM static singleton, which, while fine for many applications, would cause problems if more than one Shiro-enabled application was running on the same JVM. It could be better if the instance was an application singleton, but not a static memory reference.
	3. It requires you to recompile your application every time you want to make a Shiro configuration change.

	Most applications instead benefit from text-based configuration that could be modified independently of source code and even make things easier to understand for those not intimately familiar with Shiro's APIs.

	<a name="SecurityManager-TextConfiguration"></a>
	#[[###Text Configuration]]#

	Shiro provides a simple INI-based [configuration](configuration.html "Configuration") that can be used out of the box, but any other JavaBeans-compatible mechanism can be used as well. For example, Shiro has excellent [Spring support](spring.html "Spring") too. Other similar frameworks (Guice, JBoss, etc) could also be used.

	#lendAHandDoc()

	<input type="hidden" id="ghEditPage" value="securitymanager.md.vtl"></input>