shiro之模块介绍

1. Module diagram

[image: Shiro module diagram]

2. Modules

    a) Subject

        A Subject is just a fancy security term that basically means a security-specific 'view' of an application user. A Subject does not always need to reflect a human being though - it can represent an external process calling your application, or perhaps a daemon system account that executes something intermittently over a period of time (such as a cron job). It is basically a representation of any entity that is doing something with the application.


    ps: The subject in Shiro is effectively one thread: whatever the application, every thread is turned into a Subject inside Shiro. Normally the userName and password we log in with are wrapped in a UsernamePasswordToken, which is then used for authentication, authorization and the other activities.

    b) Session

    A Session is a stateful data context associated with a single user/Subject who interacts with a software system over a period of time. Data can be added/read/removed from the Session while the subject uses the application and the application can use this data later where necessary. Sessions are terminated when the user/Subject logs out of the application or when it times out due to inactivity. 

    For those familiar with the HttpSession, a Shiro Session serves the same purpose, except Shiro sessions can be used in any environment even if there is no Servlet container or EJB container available. 


    ps: A Session is similar in structure and usage to request.Session: one can be created separately for each connection, or not created at all. SessionDAO is the tool used to build a distributed Shiro security module.

    c) Cache


        The cache is used to hold authentication, authorization, session and similar data. Shiro's cache uses EhCache by default.

    d) Realm

        A Realm is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be. 

        Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data source-specific APIs to discover authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API. 


        ps: In Shiro, anything that stores user information (userName, password, role, privilege) is called a realm. Whether we authenticate, authorize or check permissions, the data has to be fetched from a realm. Usually it is an xxx.ini configuration file, or a database.

    e) Cryptography

Cryptography is the practice of protecting information from undesired access by hiding it or converting it into nonsense so no one else can read it. Shiro focuses on two core elements of Cryptography: ciphers that encrypt data like email using a public or private key, and hashes (aka message digests) that irreversibly encrypt data like passwords.

        ps: Cryptography is more of a general-purpose encryption and decryption toolkit. Besides its use inside Shiro, we can also use it elsewhere in our application.

    f) Authentication

Authentication is the process of verifying a Subject's identity - essentially proving that someone really is who they say they are. When an authentication attempt is successful the application can trust that the subject is guaranteed to be who the application expects. 

        ps: When we call subject.login(usernamePasswordToken), the Authentication module looks the user up in the realm.

    g) Authorization

Authorization, also known as Access Control, is the process of determining if a user/Subject is allowed to do something or not. It is usually accomplished by inspecting and interpreting a Subject's roles and permissions (see below) and then allowing or denying access to a requested resource or function. 

        ps: The authorization module generally queries the realm at the time a permission is checked. The designers presumably did this for security reasons, so the realm is queried every time; it is therefore recommended to keep the realm's data in the cache, which relieves the I/O read/write pressure.
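The login and permission check described in the Authentication and Authorization notes above, as an added example that is not part of the original post or the Shiro project: a constructed in-memory Realm (InMemoryRealm, with made-up user data) stands in for the xxx.ini file or database, and a MemoryConstrainedCacheManager is attached so that the authorization lookups are cached as recommended.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.*;

// Constructed in-memory realm (hypothetical); a real realm would read an ini file or a database.
public class InMemoryRealm extends AuthorizingRealm {
    // Constructed sample data. Plaintext credentials are used only to keep the example short;
    // a real realm stores salted hashes and pairs them with a HashedCredentialsMatcher.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("admin"));
    private static final Map<String, Set<String>> PERMS = Map.of("admin", Set.of("user:read", "user:delete"));

    // Called by the Authentication module when subject.login(token) runs.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String user = (String) token.getPrincipal();       // username from the UsernamePasswordToken
        String stored = PASSWORDS.get(user);
        if (stored == null) throw new UnknownAccountException("no account: " + user);
        // Return the stored credential; Shiro's CredentialsMatcher does the comparison.
        return new SimpleAuthenticationInfo(user, stored, getName());
    }

    // Called by the Authorization module (result cached when a CacheManager is set).
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(ROLES.getOrDefault(user, Set.of()));
        for (String role : info.getRoles()) info.addStringPermissions(PERMS.getOrDefault(role, Set.of()));
        return info;
    }

    public static void main(String[] args) {
        InMemoryRealm realm = new InMemoryRealm();
        realm.setCacheManager(new MemoryConstrainedCacheManager()); // cache realm lookups
        realm.setAuthorizationCachingEnabled(true);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();              // current thread's Subject
        subject.login(new UsernamePasswordToken("alice", "s3cret")); // throws on bad credentials
        System.out.println(subject.isPermitted("user:read"));      // true: admin role grants it
        System.out.println(subject.hasRole("guest"));              // false: alice is not a guest
        subject.logout();
    }
}
```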


Reposted from: https://my.oschina.net/u/2246410/blog/608550
