Apache Shiro – Features and Terminologies

Have you ever thought about how to secure your application with features like authenticating users, authorizing them to allow or restrict access to certain features, or quickly protecting your data with cryptography and session management? Writing the code for all of these yourself and wiring it into your application can be difficult. Here is a powerful, easy-to-use solution that lets you add all such features in a few minutes, without spending your time developing everything from scratch.

Apache Shiro is a security framework that offers key features such as authentication, authorization, cryptography, and session management. It has easy-to-use APIs that let you quickly secure any type of application, whether a web application, a mobile application, or an enterprise application.

Before jumping in, we should know the common terms used in Shiro; they will help us use it in our projects.

Shiro’s Terminologies:

  • Subject
    A Subject is the user, system, process, application, etc. that accesses our system using an identity. It is the security-specific term for the accessing party. A Subject does not always represent a human being; it can be an external process calling your application, or a daemon process that runs a cron job against your application. It is essentially a representation of any entity that is doing something with the application.
  • Principal
    A Principal is any identifying attribute of an application user (Subject). An ‘identifying attribute’ can be anything that makes sense to your application – a username, a surname, a given name, a social security number, a user ID, etc. That’s it – nothing crazy. There is only one principal for users (Subjects) in an application.
  • Credential
    A credential is the secret information that verifies a Subject’s identity. One or more credentials are submitted along with the principal(s) during an authentication attempt to verify that the user/Subject submitting them is actually the associated user. Credentials are, for example, the password paired with a username, or biometric data, and they are meant to be secret.
    The idea is that for a given principal, only one person knows the correct credential to ‘pair’ with that principal. If the current user/Subject provides the correct credential matching the one stored in the system, then the system can assume and trust that the current user/Subject is really who they say they are. The degree of trust increases with more secure credential types (e.g. biometric signature > password).
  • Authentication
    Authentication is the process of verifying a Subject’s identity. It validates the Subject’s credentials; once they are validated, the application can trust the Subject’s identity, i.e. that the accessing party is who it claims to be.
  • Role
    A Role is defined as the set of functionalities offered to a Subject, or the access allowed to a Subject in the application as defined by the security policies. Shiro interprets a Role as a named collection of Permissions. This is a more concrete definition than the implicit one used by many applications. If you choose to have your data model reflect Shiro’s assumption, you will find you have much more power in controlling security policies.
  • Permission
    A Permission, at least as Shiro interprets it, is a statement that describes raw functionality in an application and nothing more. Permissions are the lowest-level constructs in security policies. They define only “what” the application can do; they do not describe “who” is able to perform the actions. A Permission is only a statement of behavior, nothing more.
  • Authorization
    Authorization is the process of determining whether a Subject is permitted to access specific functionality of the application. It inspects the Subject’s roles and permissions and, based on them, grants or denies access to a resource or functionality.
  • Realm
    A Realm is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
    Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data source-specific APIs to discover authorization data (roles, permissions, etc.), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.
  • Credential Matcher
    A Credential Matcher, as the name suggests, is the Shiro component that compares the credentials provided by the Subject with the credentials fetched by the Realm from the data source. It reports the result of the match back to Shiro’s environment.
  • Session
    A Session is a stateful data context associated with a single user/Subject who interacts with a software system over a period of time. Data can be added to, read from, or removed from the Session while the Subject uses the application, and the application can use this data later where necessary. Sessions are terminated when the user/Subject logs out of the application or when the session times out due to inactivity. For those familiar with the HttpSession, a Shiro Session serves the same purpose, except that Shiro sessions can be used in any environment, even if there is no Servlet container or EJB container available.
  • Cipher
    A cipher is an algorithm for performing encryption or decryption. The algorithm generally relies on a piece of information called a key, and the encryption varies with the key, so decryption is extremely difficult without it. Ciphers come in different variations: block ciphers work on blocks of symbols, usually of a fixed size, while stream ciphers work on a continuous stream of symbols; symmetric ciphers use the same key for encryption and decryption, while asymmetric ciphers use different keys. If one key of an asymmetric cipher cannot be derived from the other, then one of them can be shared publicly, creating public/private key pairs.
  • Cryptography
    Cryptography is the practice of protecting information from undesired access by hiding it or converting it into nonsense so no one else can read it. Shiro focuses on two core elements of cryptography: ciphers, which encrypt data such as email using a public or private key, and hashes (aka message digests), which irreversibly transform data such as passwords.
  • Hash
    A hash function is a one-way, irreversible conversion of an input source, sometimes called the message, into an encoded hash value, sometimes called the message digest. It is often used for passwords, digital fingerprints, or any data with an underlying byte array.
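To see how the terms above fit together in code, here is an added Java example that is not part of the original post. It builds a Shiro SecurityManager from a constructed in-memory INI policy and walks one request through authentication and authorization; the class name, the users alice and bob, their passwords, and the report:* and report:view permissions are all assumptions for the demo, and Shiro 1.x is assumed on the classpath.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroTermsDemo {

    // Constructed in-memory policy (demo data, not a real deployment).
    // [users]  username = password, role...   (username = Principal, password = Credential)
    // [roles]  roleName = permission...       (a Role is a named collection of Permissions)
    // Plain-text passwords are acceptable only for this in-memory demo.
    static SecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "alicepw, admin");
        ini.setSectionProperty("users", "bob", "bobpw, viewer");
        ini.setSectionProperty("roles", "admin", "report:*");     // wildcard: every action on report
        ini.setSectionProperty("roles", "viewer", "report:view");
        // IniSecurityManagerFactory is marked deprecated in newer Shiro releases but still works.
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    // Authentication followed by Authorization for one request, on a fresh Subject
    // (not bound to the current thread, so several users can be exercised in sequence).
    static boolean mayPerform(SecurityManager sm, String user, String pw, String permission) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, pw));  // Realm + CredentialsMatcher verify
        } catch (AuthenticationException e) {
            return false;                                         // unknown user or wrong credential
        }
        try {
            return subject.isPermitted(permission);               // roles -> permissions lookup
        } finally {
            subject.logout();                                     // ends the Subject's Session
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = buildSecurityManager();
        System.out.println("alice report:delete -> " + mayPerform(sm, "alice", "alicepw", "report:delete"));
        System.out.println("bob   report:delete -> " + mayPerform(sm, "bob", "bobpw", "report:delete"));
        System.out.println("bob   report:view   -> " + mayPerform(sm, "bob", "bobpw", "report:view"));
        System.out.println("bob   bad password  -> " + mayPerform(sm, "bob", "wrong", "report:view"));
    }
}
```

The admin role's report:* wildcard covers every report action, while viewer is limited to report:view, and a wrong password never reaches the authorization check at all.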


Remember the above terms, as you will come across them again and again while using Shiro in your application. The following are the features offered by Shiro that make it comfortable, robust, and a preferred first choice.

Features of Shiro:

  • Easy to Use and Comprehensive: It has the easiest Java security API of any security framework and provides ready-to-use jars and settings that can get you started in a few minutes.
  • Flexible: It can be used in any environment (web, EJB, mobile apps, etc.) and supports Single Sign-On (SSO) for clustered and distributed environments, so all applications can share a single session’s data.
  • Web Capable: It can secure a web application from any angle, from REST to JSPs. It provides URL chain filtering support and JSP tags for dynamic web pages. You can use Shiro’s native session support and enhance it with a cache for improved performance; this also makes your web application independent of the container’s session feature.
  • Pluggable: Shiro is extremely flexible. It can be easily integrated with other frameworks such as Spring, Grails, Wicket, Tapestry, Mule, Apache Camel, Vaadin, etc. It is also very easy to plug a data source into Shiro’s environment for authentication; it supports different data sources (LDAP, JDBC, Active Directory, etc.).
  • Cryptography: It provides APIs to secure your data by hashing it, with interfaces to implementations such as MD5, SHA1, and SHA-256. It has built-in Hex and Base64 conversion APIs that help you encode data without trouble. In addition, it supports built-in salting and repeated hashing.
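The salted, repeated hashing described in the Cryptography feature and the Credential Matcher step from the terminology list, as an added Java example that is not part of the original post. It assumes Shiro 1.x (Sha256Hash, HashedCredentialsMatcher, SecureRandomNumberGenerator, ByteSource) and a constructed StoredUser record standing in for what a Realm would load from its data source; the realm name "demoRealm" and the iteration count are assumptions.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class ShiroHashingDemo {
    // SHA-256 with a per-user salt and many iterations. Shiro also offers MD5 and SHA1,
    // but those are not suitable for protecting stored passwords.
    static final String ALGORITHM = Sha256Hash.ALGORITHM_NAME;
    static final int ITERATIONS = 500_000;   // constructed choice; tune to your hardware

    // What a Realm would fetch from its data source for one user (constructed record).
    static final class StoredUser {
        final String username; final String hashHex; final ByteSource salt;
        StoredUser(String username, String hashHex, ByteSource salt) {
            this.username = username; this.hashHex = hashHex; this.salt = salt;
        }
    }

    // Registration: random salt + repeated hashing; the hex hash is stored next to the salt.
    static StoredUser register(String username, char[] password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();   // 16 random bytes
        String hashHex = new Sha256Hash(password, salt, ITERATIONS).toHex();
        return new StoredUser(username, hashHex, salt);
    }

    // Login: the CredentialsMatcher re-hashes the submitted password with the stored salt
    // and iteration count, then compares the result with the stored hash.
    static boolean credentialsMatch(StoredUser stored, String submittedPassword) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        AuthenticationInfo info = new SimpleAuthenticationInfo(
                stored.username, stored.hashHex, stored.salt, "demoRealm"); // principal, credential, salt
        UsernamePasswordToken token = new UsernamePasswordToken(stored.username, submittedPassword);
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        StoredUser alice = register("alice", "correct horse battery staple".toCharArray());
        System.out.println("stored salt (base64): " + alice.salt.toBase64());
        System.out.println("stored hash (hex):    " + alice.hashHex);
        System.out.println("right password: " + credentialsMatch(alice, "correct horse battery staple"));
        System.out.println("wrong password: " + credentialsMatch(alice, "password123"));
    }
}
```

Because the salt is random per user, two users with the same password get different stored hashes, and the matcher only needs the stored salt and iteration count to re-derive and compare.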

I hope this post helps you understand what Shiro is and what you can get by using it. In our coming posts about Shiro we will show how to jump-start with Shiro and use it in your project without any major effort.

Please feel free to comment and ask your queries 🙂.

14 thoughts on “Apache Shiro – Features and Terminologies”

  1. Hi! I could have sworn I’ve visited this site before but after browsing through many of the articles I
    realized it’s new to me. Regardless, I’m definitely happy I stumbled upon it and I’ll
    be book-marking it and checking back regularly!

    1. Thanks Minuman, I hope we can bring up different and informative articles. Just keep checking for the new posts :).

  2. I’m really enjoying the design and layout of your blog.
    It’s very easy on the eyes which makes it much more pleasant for me
    to come here and visit more often. Did you
    hire out a developer to create your theme? Great work!

  3. Very informative article, I’m a regular reader of your blog.

    I noticed that your blog is outranked by many other websites in Google’s search results.

    You deserve to be in the top 10. I know what can help you, search in Google for
    Mosis’s Tips Outsource The Work

  4. Appreciating the commitment you put into your blog and detailed information you offer.

    It’s nice to come across a blog every once in a while that isn’t the same unwanted rehashed
    information. Wonderful read! I’ve bookmarked
    your site and I’m including your RSS feeds to my Google account.

  5. Somebody essentially helps to make severely articles, I’d state.
    That is the first time I frequented your web page, and thus far?
    I’m surprised with the research you made to create this actual put
    up amazing. Fantastic process!

  6. Hello there and thank you for your info – I’ve certainly picked up something
    new from right here. I did however experience a few technical issues using this web site, since I had to
    reload the website lots of times previous to I could get it to load properly.
    I had been wondering if your web host is OK? Not that I am complaining, but slow loading
    instances will often affect your placement in Google and
    could damage your quality score if advertising and marketing with
    Adwords. Well, I’m adding this RSS to my e-mail and
    can look out for a lot more of your respective exciting
    content. Ensure that you update this again very soon.

  7. My spouse and I stumbled over here from a different web address and thought I may as well check things out.
    I like what I see, so now I am following you.

    Look forward to checking out your web page
    yet again.

  8. This design is wicked! You most certainly know how to keep
    a reader entertained. Between your wit and your videos, I was almost moved to
    start my own blog (well, almost…HaHa!) Wonderful job. I really loved what you had to say, and more than that,
    how you presented it. Too cool!
