Apache Shiro Architecture
Apache Shiro’s design goals are to simplify application security by being intuitive and easy to use. Shiro’s core design models how most people think about application security - in the context of someone (or something) interacting with an application.
Software applications are usually designed based on user stories. That is, you’ll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, “If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button.”
This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the ‘user’ is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.
Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.
High-Level Overview
At the highest conceptual level, Shiro’s architecture has 3 primary concepts: the Subject, SecurityManager and Realms. The following diagram is a high-level overview of how these components interact, and we’ll cover each concept below:
Subject: As we’ve mentioned in our Tutorial, the Subject is essentially a security-specific ‘view’ of the currently executing user. Whereas the word ‘User’ often implies a human being, a Subject can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software.
Subject instances are all bound to (and require) a SecurityManager. When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager.
SecurityManager: The SecurityManager is the heart of Shiro’s architecture and acts as a sort of ‘umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the Subject API.
We will talk about the SecurityManager in detail later on, but it is important to realize that when you interact with a Subject, it is really the SecurityManager behind the scenes that does all the heavy lifting for any Subject security operation. This is reflected in the basic flow diagram above.
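The Subject-centric flow described above, as an added example (not code from the Shiro documentation or project): every call on the Subject is delegated to the SecurityManager, which in turn drives the Authenticator, Authorizer and Realms. It assumes a shiro.ini on the classpath defining the referenced user; the user name, password and permission string are constructed.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

public class SubjectFlow {
    public static void main(String[] args) {
        // Build the SecurityManager from a shiro.ini on the classpath (assumed to exist) and
        // make it the application singleton that SecurityUtils.getSubject() resolves against.
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
        SecurityUtils.setSecurityManager(factory.getInstance());

        // The security-specific "view" of whoever is interacting with the application right now.
        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {
            // Constructed credentials; in a real application they come from the login request.
            UsernamePasswordToken token = new UsernamePasswordToken("alice", "correct horse".toCharArray());
            try {
                // Subject.login() delegates to SecurityManager -> Authenticator -> configured Realm(s).
                currentUser.login(token);
            } catch (AuthenticationException e) {
                // Generic message on purpose: the subclass (UnknownAccountException vs
                // IncorrectCredentialsException) would tell a caller whether the account exists.
                System.out.println("Login failed.");
                return;
            } finally {
                token.clear(); // zero the password chars once the attempt is over
            }
        }

        // Authorization checks go SecurityManager -> Authorizer -> Realm(s).
        // hasRole/isPermitted return booleans for branching; checkPermission throws instead,
        // which is the right form when a failed check must abort the operation.
        boolean admin = currentUser.hasRole("admin");
        try {
            currentUser.checkPermission("account:view:" + currentUser.getPrincipal());
            System.out.println("showing account (admin=" + admin + ")");
        } catch (AuthorizationException e) {
            System.out.println("access denied");
        }

        currentUser.logout(); // invalidates the Session and discards the identity
    }
}
```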
Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.
Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs.
Like other internal components, the Shiro SecurityManager manages how Realms are used to acquire security and identity data to be represented as Subject instances.
Detailed Architecture
The following diagram shows Shiro’s core architectural concepts followed by short summaries of each:
Subject (org.apache.shiro.subject.Subject)
A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.
SecurityManager (org.apache.shiro.mgt.SecurityManager)
As mentioned above, the SecurityManager is the heart of Shiro’s architecture. It is mostly an ‘umbrella’ object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application user, so it knows how to perform security operations per user.
Authenticator (org.apache.shiro.authc.Authenticator)
The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.
Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).
Authorizer (org.apache.shiro.authz.Authorizer)
The Authorizer is the component responsible for determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.
SessionManager (org.apache.shiro.session.mgt.SessionManager)
The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if one is available (e.g. a Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.
SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.
CacheManager (org.apache.shiro.cache.CacheManager)
The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.
Cryptography (org.apache.shiro.crypto.*)
Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of cryptographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.
Realms (org.apache.shiro.realm.Realm)
As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.
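A custom Realm of the kind the High-Level Overview and this section describe (a security-specific DAO over your own account store), written here as an added example rather than code from the Shiro project. It also shows the crypto package in use: stored credentials are salted SHA-256 hashes, verified by Shiro’s HashedCredentialsMatcher. AccountStore and Account are hypothetical stand-ins for your data source; the iteration count is an assumption that must match how the hashes were generated.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class AccountRealm extends AuthorizingRealm {
    /** Hypothetical lookup into your own data source (JDBC, LDAP, ...); not a Shiro type. */
    public interface AccountStore { Account findByUsername(String username); }
    public static class Account {
        public String username, passwordHashHex; // new Sha256Hash(pw, salt, 500_000).toHex()
        public byte[] salt;                      // per-account random salt
        public java.util.Set<String> roles, permissions;
    }
    private final AccountStore store;

    public AccountRealm(AccountStore store) {
        this.store = store;
        // Declare how stored credentials were hashed so the matcher compares the submitted
        // password against the salted hash; the Realm never needs a plaintext password.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(500_000); // assumed; must equal the count used when hashing
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    // Authentication: hand back the stored hash + salt for the principal; the matcher verifies it.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Account acct = store.findByUsername(username);
        if (acct == null) throw new UnknownAccountException("no account: " + username);
        return new SimpleAuthenticationInfo(acct.username, acct.passwordHashHex, ByteSource.Util.bytes(acct.salt), getName());
    }
    // Authorization: roles and permission strings for an already-authenticated principal.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account acct = store.findByUsername((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(acct.roles);
        info.setStringPermissions(acct.permissions);
        return info;
    }
}
```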
The SecurityManager
Because Shiro’s API encourages a Subject-centric programming approach, most application developers will rarely, if ever, interact with the SecurityManager directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the SecurityManager functions, especially when configuring one for an application.
Design
As stated previously, the application’s SecurityManager performs security operations and manages state for all application users. In Shiro’s default SecurityManager implementations, this includes:
Authentication
Authorization
Session Management
Cache Management
Realm coordination
Event propagation
“Remember Me” Services
Subject creation
Logout and more.
But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.
To simplify configuration and enable flexible configuration/pluggability, Shiro’s implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the SecurityManager implementations mostly act as a lightweight ‘container’ component, delegating almost all behavior to nested/wrapped components. This ‘wrapper’ design is reflected in the detailed architecture diagram above.
While the components actually execute the logic, the SecurityManager implementation knows how and when to coordinate the components for the correct behavior.
The SecurityManager implementations and the components are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means Shiro’s architectural modularity can translate into very easy configuration for custom behavior.
Easy Configuration
Because of JavaBeans compatibility, it is very easy to configure the SecurityManager with custom components via any mechanism that supports JavaBeans-style configuration, such as Spring, Guice, JBoss, etc.
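The JavaBeans-style wiring this section describes, done in plain Java as an added example (not the project’s own code): it shows where the AuthenticationStrategy, SessionManager/SessionDAO and CacheManager from the Detailed Architecture section plug into the SecurityManager through get*/set* methods. The two Realm arguments are assumed to be implementations you supply.

```java
import java.util.Arrays;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;

public class SecurityManagerWiring {
    /** Assembles the components the page lists through their JavaBeans setters. */
    public static DefaultSecurityManager build(Realm primaryRealm, Realm secondaryRealm) {
        DefaultSecurityManager sm = new DefaultSecurityManager();

        // Authenticator + AuthenticationStrategy: with two Realms, require BOTH to accept the
        // credentials (the ModularRealmAuthenticator default is AtLeastOneSuccessfulStrategy).
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AllSuccessfulStrategy());
        sm.setAuthenticator(authenticator); // set before the Realms so they get pushed to it

        // Realms: set once on the SecurityManager, which hands them to the Authenticator and
        // Authorizer it wraps. Order matters for FirstSuccessfulStrategy.
        sm.setRealms(Arrays.asList(primaryRealm, secondaryRealm));

        // SessionManager + SessionDAO: Shiro's own (non-servlet) session manager, persisting
        // through the in-memory DAO, with an idle timeout so abandoned sessions expire.
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(new MemorySessionDAO());
        sessionManager.setGlobalSessionTimeout(15 * 60 * 1000L); // milliseconds
        sm.setSessionManager(sessionManager);

        // CacheManager: authorization data is cached per Realm so each permission check does
        // not round-trip to the data source; the SecurityManager propagates it to the Realms.
        sm.setCacheManager(new MemoryConstrainedCacheManager());

        SecurityUtils.setSecurityManager(sm);
        return sm;
    }
}
```

The same graph in shiro.ini would declare `authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy` and then `securityManager.authenticator.authenticationStrategy = $authcStrategy`, which is the INI form of the setter calls above.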
We will cover Configuration next.
Lend a hand with documentation
While we hope this documentation helps you with the work you’re doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you’d like to help the Shiro project, please consider correcting, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.
The easiest way to contribute your documentation is to submit a pull-request by clicking on the Edit link below, or to send it to the User Forum or the User Mailing List.