概要
Java:Shiro的架构学习笔记。
博客
前言
张开涛的第一章 Shiro简介——《跟我学Shiro》,其实是解读了一下Shiro的架构这篇文章,本着寻根究底的态度,我再一次去阅读这篇文章。为什么说是再一次呢?因为之前读过好几次了,不过就是没有完全理解明白,自己也说不好卡在哪里了,包括张开涛的文章,我也读过两遍了,这次第三遍读,一下子豁然开朗,然后不明白之前为啥就没读明白–这可能就是“书读百遍,其义自见”的道理吧。
正文
3个主要的概念:Subject, SecurityManager和Realms。
Subject可以是一个用户,但不仅仅可以代表一个用户,所有对这个系统的外部请求的主体都可以看成是一个Subject,例如一个service,这里是做了一个抽象概括的设计。(这个我能理解,如果你理解不了的话,那说明你还没有接触过相关的业务,例如SSO,那就先把它理解成一个用户,也没有关系。将来总有一天,你会明白,会回来和我一起唱这首《当当当》。)
SecurityManager Shiro设计的核心的逻辑都在这里面,但是,我们应该可以先不理会它是怎么工作的,先把它当做一个黑匣子,它有它自己运行的逻辑,Shiro的核心调度逻辑是在这里完成的。
Realms 这个单词的意思是领域,范围。原文这么说:
Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.
就是说和安全相关数据(security-specific)打交道的是这个对象,有关登录认证、授权(访问控制)都是通过它来打交道,或者说,通过不同的realm来和相关的“机构”(打个比方)打交道,每个机构有自己的realm,再或者说,realm可以理解成DAO,去访问相关的数据。
这个地方可以这么理解,Shiro是把认证、获取授权相关的流程,相对固定的流程固化在代码中,把变化的内容暴露出来给使用者去配置,这里的realm就是把认证的信息、授权的信息暴露出来给使用者来进行配置。
更具体的分析:
Subject:A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.
一个实体的安全相关的view–这个概念还需要好好理解一下,怎么被称为一个view呢?
这里应该是以MVC的概念去划分,那么这里称成一个view就相对来说,好理解一些,因为它是一些信息的聚合体。
SecurityManager又分为了一些子模块:
- Authenticator
Authenticator (org.apache.shiro.authc.Authenticator)
The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.
Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).
Authenticator:认证器,用来负责用户登录认证,它对应着一个或者多个Realm。
Authentication Strategy:认证策略,如果多个Realm 被配置,那么Authentication Strategy来负责协调这些Realm 产生矛盾的时候,该如何处理,例如一个realm成功,而其它的失败了,改怎么办,等等。在这一点上,张开涛的文章解释的不是太准确。
- Authorizer
The Authorizer is the component responsible determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.
Authorizer:授权器,负责确认用户的访问权限。
这些信息需要由使用者来维护,所以也是暴露出来,交由使用者配置一个数据源给Shiro去调用。
- SessionManager
SessionManager (org.apache.shiro.session.mgt.SessionManager)
The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.
SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.
SessionManager:session管理器,Shiro没有完全依赖HTTP的session,而是设计了一个独立的session。
SessionDAO:session的DAO,用来处理session数据的保存。
- CacheManager
The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.
CacheManager:缓存管理器,用于加快访问速度,但是这里只是一个管理器,具体的缓存工具应该是由使用者来定义的。
- Cryptography
Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of crytographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.
Cryptography:加密模块。
- Realms
As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.
Realms:上面介绍过。
SecurityManager
As stated previously, the application’s SecurityManager performs security operations and manages state for all application users. In Shiro’s default SecurityManager implementations, this includes:
Authentication
Authorization
Session Management
Cache Management
Realm coordination
Event propagation
“Remember Me” Services
Subject creation
Logout and more.
在我的理解,其实SecurityManager就是Shiro的核心,它决定了业务的处理流,在什么样的时机去调用哪一个服务,这些服务会有父类来占位,可以由使用者定义子类来进行具体实现的修改。
总结
又阅读了一遍架构这篇文章,结合着张开涛的文章,感觉明白了不少,现在感觉Shiro 还是挺简单的,有个两三天应该就大体理解了,不明白当时怎么就堵住了,陷入了思维的死胡同。