Java: Shiro Architecture Study Notes

The original post is on the IT Veteran (IT老兵) blog, where one IT veteran's understanding of this industry has been collecting.

Preface

Chapter 1 of Zhang Kaitao's Learn Shiro with Me (《跟我學Shiro》), "Introduction to Shiro", is really a reading of Shiro's own "Architecture" article. In the spirit of getting to the root of things, I went back and read that article once more. Why "once more"? Because I had read it several times before without fully understanding it, and I could not say where I got stuck; I had also read Zhang Kaitao's article twice. On this third reading everything suddenly clicked, and now I cannot see why it did not make sense before.

Main text

Three main concepts: Subject, SecurityManager and Realms


A Subject can be a user, but it does not only stand for a user: anything acting on the system from the outside can be seen as a Subject, a service for instance. This is a deliberate abstraction in the design. I can follow it; if you cannot, it means you have not yet met the kind of business scenario (SSO, for example) that calls for it, so it is fine to think of it as a user for now. One day you will get it, and you will come back and sing this "Dang Dang Dang" tune with me.

SecurityManager: the core logic of Shiro's design lives here, but for now we can ignore how it works and treat it as a black box with its own inner workings.

Realms: the word means a domain or scope. The original text puts it this way:

Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.

In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.

In other words, this is the object that deals with security-specific data; both authentication and authorization go through it. Put differently, different realms talk to different "authorities" (as an analogy), each authority having its own realm; or again, a realm can be understood as a DAO that fetches the relevant data.
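To make the "security-specific DAO" idea concrete, here is an added example (not code from this post or from the Shiro documentation) of a custom Realm that only knows how to fetch account data, wired into a SecurityManager so a Subject can log in and be asked about roles and permissions. It assumes Shiro 1.x package names; the class names, the account "alice", her password, roles and permissions are all constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class InMemoryRealmDemo {

    static final int HASH_ITERATIONS = 1024;

    /** Constructed account record: what a real realm would read from a user table or directory. */
    static final class Account {
        final ByteSource salt;
        final String passwordHashHex;
        final Set<String> roles;
        final Set<String> permissions;

        Account(String password, Set<String> roles, Set<String> permissions) {
            this.salt = new SecureRandomNumberGenerator().nextBytes();
            // Only a salted, iterated hash is stored; the plaintext never lives in the realm's data.
            this.passwordHashHex = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
            this.roles = roles;
            this.permissions = permissions;
        }
    }

    /** The realm is the security-specific DAO: it fetches account data and hands it to Shiro.
     *  The SecurityManager's Authenticator and Authorizer decide what that data means. */
    static final class InMemoryRealm extends AuthorizingRealm {
        private final Map<String, Account> accounts;

        InMemoryRealm(Map<String, Account> accounts) {
            this.accounts = accounts;
            // Tell Shiro how the stored credentials were produced so it hashes the submitted
            // password the same way instead of comparing plaintext.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(HASH_ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        /** Authentication side: look the account up; returning null means "unknown account". */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            Account account = accounts.get(username);
            if (account == null) {
                return null;
            }
            return new SimpleAuthenticationInfo(username, account.passwordHashHex, account.salt, getName());
        }

        /** Authorization side: roles and permission strings for an authenticated principal. */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Account account = accounts.get((String) principals.getPrimaryPrincipal());
            if (account == null) {
                return null;
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(account.roles);
            info.setStringPermissions(account.permissions);
            return info;
        }
    }

    public static void main(String[] args) {
        Map<String, Account> accounts = new HashMap<>();
        accounts.put("alice", new Account("demo-password-alice",
                new HashSet<>(Arrays.asList("analyst")),
                new HashSet<>(Arrays.asList("report:read"))));

        DefaultSecurityManager securityManager = new DefaultSecurityManager(new InMemoryRealm(accounts));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "demo-password-alice"));
        } catch (AuthenticationException e) {
            // UnknownAccountException, IncorrectCredentialsException, ... all extend this type
            System.out.println("login failed: " + e.getClass().getSimpleName());
            return;
        }
        System.out.println("authenticated:         " + subject.isAuthenticated());
        System.out.println("has role analyst:      " + subject.hasRole("analyst"));
        System.out.println("report:read allowed:   " + subject.isPermitted("report:read"));
        System.out.println("report:delete allowed: " + subject.isPermitted("report:delete"));
        subject.logout();
    }
}
```

Note how little the realm does: it never compares passwords or evaluates permissions itself. It returns the stored data, and the SecurityManager's components (credentials matcher, Authorizer) do the deciding, which is exactly the DAO-style split the quoted text describes.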

A more detailed breakdown:


Subject:A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.

A security-related view of an entity: this idea still needs careful thought. In what sense is it a "view"?

The SecurityManager is further divided into several sub-modules:

Authenticator (org.apache.shiro.authc.Authenticator)
The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.

Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).

Authenticator: the authenticator, responsible for verifying user logins; it works with one or more Realms.
Authentication Strategy: the authentication strategy. When several Realms are configured, the Authentication Strategy coordinates them and decides what to do when they disagree, for instance when one realm succeeds and the others fail. On this point Zhang Kaitao's article is not quite accurate.
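The disagreement case above is easiest to see by running the same logins through each of Shiro's three built-in strategies. The following is an added example, not code from this post or from Shiro's documentation; it assumes Shiro 1.x package names, and the two realms ("local" and "partner"), the accounts alice, bob and carol and their passwords are constructed for the demo. SimpleAccountRealm compares plaintext passwords and is used here only to keep the realms short.

```java
import java.util.Arrays;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class AuthenticationStrategyDemo {

    /** Constructed "local accounts" realm: only alice is known here. */
    static Realm localRealm() {
        SimpleAccountRealm realm = new SimpleAccountRealm("local");
        realm.addAccount("alice", "alice-demo-pw", "staff");
        return realm;
    }

    /** Constructed "partner directory" realm: knows alice (different password) and bob. */
    static Realm partnerRealm() {
        SimpleAccountRealm realm = new SimpleAccountRealm("partner");
        realm.addAccount("alice", "alice-partner-pw", "partner");
        realm.addAccount("bob", "bob-demo-pw", "partner");
        return realm;
    }

    /** Builds a SecurityManager over both realms with the given strategy and attempts one login. */
    static String attempt(AuthenticationStrategy strategy, String username, String password) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setAuthenticator(authenticator);
        // Set the realms after the authenticator so the SecurityManager applies them to it.
        securityManager.setRealms(Arrays.asList(localRealm(), partnerRealm()));

        Subject subject = new Subject.Builder(securityManager).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            // getRealmNames() shows which realms contributed principals to the merged result
            String result = "success, vouched for by " + subject.getPrincipals().getRealmNames();
            subject.logout();
            return result;
        } catch (AuthenticationException e) {
            return "failure (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        AuthenticationStrategy[] strategies = {
            new AtLeastOneSuccessfulStrategy(), // Shiro's default: one accepting realm is enough
            new FirstSuccessfulStrategy(),      // only the first accepting realm's info is kept
            new AllSuccessfulStrategy()         // every configured realm must accept the token
        };
        for (AuthenticationStrategy strategy : strategies) {
            String name = strategy.getClass().getSimpleName();
            // alice: local accepts, partner rejects her password
            System.out.println(name + " / alice: " + attempt(strategy, "alice", "alice-demo-pw"));
            // bob: local has never heard of him, partner accepts
            System.out.println(name + " / bob:   " + attempt(strategy, "bob", "bob-demo-pw"));
            // carol: unknown to both realms
            System.out.println(name + " / carol: " + attempt(strategy, "carol", "no-such-user"));
        }
    }
}
```

With AtLeastOneSuccessfulStrategy and FirstSuccessfulStrategy, alice and bob both get in and carol is rejected; with AllSuccessfulStrategy every one of the three fails, because each attempt is rejected by at least one realm. Choosing the strategy is therefore a security decision, not a plumbing detail: "all must agree" is the strict choice, and "any one realm" means a single weak realm can admit a principal the others would have refused.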

Authorizer: the authorizer, responsible for checking what the user is allowed to access.

SessionManager (org.apache.shiro.session.mgt.SessionManager)
The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.

SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.

SessionManager: the session manager. Shiro does not rely entirely on the HTTP session; it designs its own independent session.
SessionDAO: the session DAO, used to persist session data.

CacheManager: the cache manager.

Cryptography: the cryptography module.

Realms: covered above.

SecurityManager

This is the core, and the part that needs to be understood over and over. The article spends some more space on it, but until I have actually put it into practice it still will not fully make sense, so I will not summarize it for now.

Summary

Having read the Architecture article once more alongside Zhang Kaitao's article, I feel I understand a good deal more. Shiro now seems fairly simple; two or three days should be enough to grasp the broad picture. I do not understand how I got stuck back then and ended up in a mental dead end.
