Shiro Study Notes: Apache Shiro Architecture

Apache Shiro Architecture

Reference

http://shiro.apache.org/architecture.html

This post is something of a translation; it is a study exercise written to organize my knowledge of Shiro.

Shiro's Architecture

Software applications are usually designed based on user stories. That is, you’ll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, “If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button.”

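User stories: our interfaces and APIs are usually based on how users interact with our software. For example, a user who is already logged in sees a button that displays the user's personal information; if the user has logged out of the system, the user is shown a login button.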

High-Level Overview

At the highest conceptual level, Shiro’s architecture has 3 primary concepts: the Subject, SecurityManager and Realms. The following diagram is a high-level overview of how these components interact, and we’ll cover each concept below:

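At the top level of the architecture, Shiro has three main concepts: Subject, SecurityManager and Realms. The diagram below shows how these three components interact.

[Figure: Shiro high-level overview diagram]

The three concepts above are introduced below.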

Subject

Subject: As we’ve mentioned in our Tutorial, the Subject is essentially a security specific ‘view’ of the currently executing user. Whereas the word ‘User’ often implies a human being, a Subject can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software.

Subject instances are all bound to (and require) a SecurityManager. When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager.

Subject

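As introduced in the previous post, the Subject is the current "user" interacting with the system. A user is not only a person; it can also be a third-party service, a crawler, or anything else that is currently interacting with the system.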

SecurityManager

SecurityManager: The SecurityManager is the heart of Shiro’s architecture and acts as a sort of ‘umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the Subject API.

We will talk about the SecurityManager in detail later on, but it is important to realize that when you interact with a Subject, it is really the SecurityManager behind the scenes that does all the heavy lifting for any Subject security operation. This is reflected in the basic flow diagram above.

SecurityManager

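The SecurityManager is the core of Shiro's architecture and coordinates the interaction among its internal security components. Normally, once the SecurityManager and its internal components have been configured, it is not touched again; developers usually work with the Subject API.

The SecurityManager is covered in detail later, but it is important to realize that when we interact with a Subject, it is actually the SecurityManager that coordinates the Subject's security operations behind the scenes. Details follow below.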

Realms

Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.

In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.

Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs.

Realms

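Realms act as the bridge and connector between Shiro and the user's application. When authentication or authorization is needed, Shiro looks things up in one or more configured Realms.

In this sense, a Realm is a security DAO: it encapsulates the details of the concrete data source connection and supplies Shiro with the data it needs on demand. When configuring Shiro, at least one Realm must be configured for authentication and authorization. The SecurityManager can be configured with multiple Realms, but at least one is required.

Shiro provides ready-to-use Realms for connecting to various security data sources, such as LDAP, relational databases (JDBC), and text configuration such as INI and properties files. Users can plug in their own Realm implementation if the default Realms do not meet their needs.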
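The Subject, SecurityManager and Realm interaction described above, as an added example (not code from the Shiro documentation or from the original post). It assumes shiro-core is on the classpath; RealmFlowDemo, MapRealm and the sample account are hypothetical and constructed for illustration.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.Map;

public class RealmFlowDemo {
    // Constructed sample data standing in for the application's user store.
    // Plaintext keeps the demo short; a production Realm returns salted hashes.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, String> ROLES = Map.of("alice", "auditor");

    // Hypothetical Realm: the security-specific DAO over the maps above.
    static class MapRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            String stored = PASSWORDS.get(user);
            if (stored == null) {
                throw new UnknownAccountException("unknown account");
            }
            // Shiro's CredentialsMatcher compares this stored value with the token.
            return new SimpleAuthenticationInfo(user, stored, getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole(ROLES.get((String) principals.getPrimaryPrincipal()));
            info.addStringPermission("report:read");
            return info;
        }
    }

    public static void main(String[] args) {
        // SecurityManager wired with one Realm; every Subject call delegates to it.
        Subject subject = new Subject.Builder(new DefaultSecurityManager(new MapRealm())).buildSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("auditor role: " + subject.hasRole("auditor"));
        System.out.println("report:read: " + subject.isPermitted("report:read"));
        System.out.println("report:delete: " + subject.isPermitted("report:delete"));
        subject.logout();
    }
}
```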

Detailed Architecture

The diagram below shows Shiro's core architecture.

[Figure: Shiro core architecture diagram]

Subject (org.apache.shiro.subject.Subject)

A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.

The security-specific view of the entity interacting with the software (a user, a third-party service, a scheduled job, etc.).

SecurityManager (org.apache.shiro.mgt.SecurityManager)

As mentioned above, the SecurityManager is the heart of Shiro’s architecture. It is mostly an ‘umbrella’ object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application user, so it knows how to perform security operations per user.

The heart of Shiro; it coordinates the other managed components to ensure they work together in an orderly way.

Authenticator (org.apache.shiro.authc.Authenticator)

The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.

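(Authentication) The Authenticator verifies users. When a user tries to log in, the attempt is executed by the Authenticator. The Authenticator knows how to coordinate with the Realms, which store the user's account information. The user information obtained from the Realms is used to verify the user's identity.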

Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)

If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).

When more than one Realm is configured, the AuthenticationStrategy coordinates with the Realms to determine which one is used for authentication.
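The question the Authentication Strategy paragraph asks (one realm succeeds, another fails), as an added example that is not part of the Shiro documentation or the original post. It assumes shiro-core on the classpath; StrategyDemo, the two realm names and the sample account are constructed for illustration. AtLeastOneSuccessfulStrategy is what ModularRealmAuthenticator uses when no strategy is set.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import java.util.List;

public class StrategyDemo {
    // Builds a SecurityManager over two constructed realms that disagree about
    // alice's password, coordinated by the given multi-realm strategy.
    static DefaultSecurityManager build(AuthenticationStrategy strategy) {
        SimpleAccountRealm directory = new SimpleAccountRealm("directory");
        directory.addAccount("alice", "current-pw");
        SimpleAccountRealm legacy = new SimpleAccountRealm("legacy");
        legacy.addAccount("alice", "old-pw"); // stale credential left in a second store

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator); // set first so setRealms() hands it the realms
        sm.setRealms(List.<Realm>of(directory, legacy));
        return sm;
    }

    static boolean canLogin(AuthenticationStrategy strategy, String password) {
        Subject subject = new Subject.Builder(build(strategy)).buildSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // One accepting realm is enough, so the legacy password is accepted.
        System.out.println(canLogin(new AtLeastOneSuccessfulStrategy(), "old-pw"));
        // Every realm must accept the token, so the same attempt is refused.
        System.out.println(canLogin(new AllSuccessfulStrategy(), "old-pw"));
    }
}
```

When adding a second Realm, review the strategy at the same time: under the default, the weakest credential store decides who can log in.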

Authorizer (org.apache.shiro.authz.Authorizer)

The Authorizer is the component responsible for determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.

(Authorization) The Authorizer checks a user's permissions, that is, whether the user is allowed to do a given thing.

SessionManager (org.apache.shiro.session.mgt.SessionManager)

The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available (e.g. Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.

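Manages Sessions, and can do so in any environment, even without a web container. By default, Shiro uses an existing session mechanism; if there is none, it uses its own built-in enterprise session management instead. The SessionDAO allows any data source to be used to persist sessions.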

SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)

The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.

The SessionDAO performs Session persistence (CRUD) operations, allowing any data store to serve as the underlying infrastructure for Session Management.

CacheManager (org.apache.shiro.cache.CacheManager)

The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.

The CacheManager creates and manages caches. Any open-source or enterprise caching product can be used by Shiro to provide a fast and efficient user experience.

Cryptography (org.apache.shiro.crypto.*)

Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of cryptographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.

The cryptography system: Shiro's crypto package contains encryption algorithms that are easy to use and easy to understand.

Realms (org.apache.shiro.realm.Realm)

As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.

Realms act as the bridge and connector between Shiro and the user's application.

The SecurityManager

The SecurityManager performs security operations and manages user state. Shiro's default SecurityManager implementation covers the following:

  • Authentication
  • Authorization
  • Session Management
  • Cache Management
  • Realm coordination
  • Event propagation
  • “Remember Me” Services
  • Subject creation
  • Logout
    and more.

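To simplify configuration and keep applications flexible, Shiro's implementations are all highly modular in design.
The SecurityManager usually acts as a lightweight container representing the other components; this decorator-pattern design can be seen in the architecture diagram above.

Each of the other components does its own job, while the SecurityManager is responsible for coordinating them.

That concludes Shiro's architecture.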

References

http://shiro.apache.org/architecture.html
