Apache Shiro Architecture--官方文档
原文地址:http://shiro.apache.org/architecture.html
Apache Shiro's design goals are to simplify application security by being intuitive and easy to use. Shiro's core design models how most people think about application security - in the context of someone (or something) interacting with an application.
Software applications are usually designed based on user stories. That is, you'll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, "If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button."
This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the 'user' is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.
Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.
High-Level Overview
At the highest conceptual level, Shiro's architecture has 3 primary concepts: the Subject, SecurityManager and Realms. The following diagram is a high-level overview of how these components interact, and we'll cover each concept below:
- Subject: As we've mentioned in our Tutorial, the Subject is essentially a security specific 'view' of the the currently executing user. Whereas the word 'User' often implies a human being, a Subject can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software.
Subject instances are all bound to (and require) a SecurityManager. When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager.
- SecurityManager: The SecurityManager is the heart of Shiro’s architecture and acts as a sort of 'umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the Subject API.
We will talk about the SecurityManager in detail later on, but it is important to realize that when you interact with a Subject, it is really the SecurityManager behind the scenes that does all the heavy lifting for any Subject security operation. This is reflected in the basic flow diagram above.
- Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.
Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs.
Like other internal components, the Shiro SecurityManager manages how Realms are used to acquire security and identity data to be represented as Subject instances.
Detailed Architecture
The following diagram shows Shiro's core architectural concepts followed by short summaries of each:
- Subject (org.apache.shiro.subject.Subject)
A security-specific 'view' of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software. - SecurityManager (org.apache.shiro.mgt.SecurityManager)
As mentioned above, the SecurityManager is the heart of Shiro's architecture. It is mostly an 'umbrella' object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro's view of every application user, so it knows how to perform security operations per user. - Authenticator (org.apache.shiro.authc.Authenticator)
The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realmsthat store relevant user/account information. The data obtained from these Realms is used to verify the user's identity to guarantee the user really is who they say they are.- Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).
- Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
- Authorizer (org.apache.shiro.authz.Authorizer)
The Authorizer is the component responsible determining users' access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action. - SessionManager (org.apache.shiro.session.mgt.SessionManager)
The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn't one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.- SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.
- SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
- CacheManager (org.apache.shiro.cache.CacheManager)
The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience. - Cryptography (org.apache.shiro.crypto.*)
Cryptography is a natural addition to an enterprise security framework. Shiro's crypto package contains easy-to-use and understand representations of crytographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java's native cryptography support knows it can be a challenging animal to tame. Shiro's crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings. - Realms (org.apache.shiro.realm.Realm)
As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as manyRealms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.
The SecurityManager
Because Shiro's API encourages a Subject-centric programming approach, most application developers will rarely, if ever, interact with the SecurityManager directly (framework developers however might sometimes find it useful). Even so, it is still important to know how theSecurityManager functions, especially when configuring one for an application.
Design
As stated previously, the application's SecurityManager performs security operations and manages state for all application users. In Shiro's default SecurityManager implementations, this includes:
- Authentication
- Authorization
- Session Management
- Cache Management
- Realm coordination
- Event propagation
- "Remember Me" Services
- Subject creation
- Logout
and more.
But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.
To simplify configuration and enable flexible configuration/pluggability, Shiro's implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the SecurityManagerimplementations mostly act as a lightweight 'container' component, delegating almost all behavior to nested/wrapped components. This 'wrapper' design is reflected in the detailed architecture diagram above.
While the components actually execute the logic, the SecurityManager implementation knows how and when to coordinate the components for the correct behavior.
The SecurityManager implementations and are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro's architectural modularity can translate into very easy configuration for custom behavior.
Apache Shiro Architecture--官方文档的更多相关文章
- HBase 官方文档
HBase 官方文档 Copyright © 2010 Apache Software Foundation, 盛大游戏-数据仓库团队-颜开(译) Revision History Revision ...
- [E] Shiro 官方文档阅读笔记 The Reading Notes of Shiro's Offical Docs
官方文档: https://shiro.apache.org/reference.html https://shiro.apache.org/java-authentication-guide.htm ...
- Apache Flume入门指南[翻译自官方文档]
声明: 根据官方文档选择性的翻译了下,不对请指正 https://flume.apache.org/FlumeUserGuide.html
- 《Apache Velocity用户指南》官方文档
http://ifeve.com/apache-velocity-dev/ <Apache Velocity用户指南>官方文档 原文链接 译文连接 译者:小村长 校对:方腾飞 Qui ...
- kafka安装配置及操作(官方文档)http://kafka.apache.org/documentation/(有单节点多代理配置)
https://www.cnblogs.com/biehongli/p/7767710.html w3school https://www.w3cschool.cn/apache_kafka/apac ...
- Apache Mesos 官方文档 V1.0
Apache Mesos 官方文档 V1.0 2016-11-07 中文版:http://mesos.mydoc.io/ gitBook :https://www.gitbook.com/book/m ...
- cassandra 3.x官方文档(5)---探测器
写在前面 cassandra3.x官方文档的非官方翻译.翻译内容水平全依赖本人英文水平和对cassandra的理解.所以强烈建议阅读英文版cassandra 3.x 官方文档.此文档一半是翻译,一半是 ...
- hbase官方文档(转)
FROM:http://www.just4e.com/hbase.html Apache HBase™ 参考指南 HBase 官方文档中文版 Copyright © 2012 Apache Soft ...
- HBase官方文档
HBase官方文档 目录 序 1. 入门 1.1. 介绍 1.2. 快速开始 2. Apache HBase (TM)配置 2.1. 基础条件 2.2. HBase 运行模式: 独立和分布式 2.3. ...
- Lagom 官方文档之随手记
引言 Lagom是出品Akka的Lightbend公司推出的一个微服务框架,目前最新版本为1.6.2.Lagom一词出自瑞典语,意为"适量". https://www.lagomf ...
随机推荐
- Binder机制
在Android系统的Binder机制中,由一系统组件组成,分别是Client.Server.Service Manager和Binder驱动程序,其中Client.Server和Service Ma ...
- Jquery扩展-手把手带你体验
Jquery扩展是在项目中经常用到的,有时候为了提取一些公共方法,有时候为了模块化管理等等,下面我们来体验一下.当然扩展离不开Jquery几个基础方法 1:$.extend() 2:$.fn.func ...
- 在Raspberry Pi上安装XBMC
2013-05-22 XBMC is a free and open source media player application developed by the XBMC Foundation, ...
- VB IE 清除历史记录
VB删除Cookie,仅适用于IE7版本 IE7版本为我们提供了命令行删除Cookie,清除临时文件缓存,清除历史记录表单的方法,下面是详细的命令运行方式. '注:以下代码仅支持IE7. '清除Int ...
- Layout No collapsible
center 不可折叠 其它的,没有 title 没法折叠 title 使用子控件的
- 转】机器学习开源框架Mahout配置与入门研究
原博文出自于:http://www.ha97.com/5803.html 感谢! PS:机器学习这两年特别火,ATB使劲开百万到几百万年薪招美国牛校的机器学习方向博士,作为一个技术控,也得折腾下 ...
- Spring+Quartz 整合一:常规整合
步骤一: 定时任务需要一个配置文件(spring-mvc-timeTask.xml 随便起名),将其在web.xml中加载 <context-param> <param-name&g ...
- JSP学习初体验
JSP简介: 1)JSP--Java Server Pages 2)拥有servlet的特性与优点(本身就是一个servlet) 3)直接在HEML中内嵌JSP代码 4)JSP程序由JSP Engin ...
- DB2 递归查询
上一篇中讲解了ORACLE中的递归查询,下面我们看一下DB2中如何使用递归查询: 同样的我们先新建一个表来存储以上信息,并插入测试数据: --建表 create table FAMILY ( pers ...
- CodeForces 489D Unbearable Controversy of Being (搜索)
Unbearable Controversy of Being 题目链接: http://acm.hust.edu.cn/vjudge/contest/121332#problem/B Descrip ...