Shiro Official Documentation: Architecture
Apache Shiro Architecture
Apache Shiro’s design goals are to simplify application security by being intuitive and easy to use. Shiro’s core design models how most people think about application security - in the context of someone (or something) interacting with an application.
Software applications are usually designed based on user stories. That is, you’ll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, “If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button.”
This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the ‘user’ is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.
Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.
High-Level Overview
At the highest conceptual level, Shiro’s architecture has 3 primary concepts: the Subject, SecurityManager and Realms. The following diagram is a high-level overview of how these components interact, and we’ll cover each concept below:
Subject: As we’ve mentioned in our Tutorial, the Subject is essentially a security-specific ‘view’ of the currently executing user. Whereas the word ‘User’ often implies a human being, a Subject can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software.
Subject instances are all bound to (and require) a SecurityManager. When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager.
SecurityManager: The SecurityManager is the heart of Shiro’s architecture and acts as a sort of ‘umbrella’ object that coordinates its internal security components, which together form an object graph. However, once the SecurityManager and its internal object graph are configured for an application, it is usually left alone and application developers spend almost all of their time with the Subject API.
We will talk about the SecurityManager in detail later on, but it is important to realize that when you interact with a Subject, it is really the SecurityManager behind the scenes that does all the heavy lifting for any Subject security operation. This is reflected in the basic flow diagram above.
Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.
Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs.
Like other internal components, the Shiro SecurityManager manages how Realms are used to acquire security and identity data to be represented as Subject instances.
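The three concepts above (Subject, SecurityManager, Realm) can be seen working together in a standalone JVM. The following is an added example, not code from the Shiro documentation or project; it assumes the Shiro 1.x core API (`DefaultSecurityManager`, `IniRealm`, `SecurityUtils`) and uses a constructed in-memory INI user list with plaintext passwords purely so the flow is visible (a production Realm would store hashed credentials).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroFlowDemo {

    // Constructed sample account data. IniRealm reads the [users] and [roles] sections:
    //   username = password, role1, role2      role = permission1, permission2
    static IniRealm buildRealm() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("alice", "s3cret, admin");
        users.put("bob", "hunter2, viewer");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("admin", "account:*");       // wildcard: every action on accounts
        roles.put("viewer", "account:view");   // read-only
        return new IniRealm(ini);
    }

    public static void main(String[] args) {
        // 1. SecurityManager: the umbrella object, wired with exactly one Realm here
        DefaultSecurityManager securityManager = new DefaultSecurityManager(buildRealm());
        SecurityUtils.setSecurityManager(securityManager);

        // 2. Subject: the security view of "whoever is calling"; anonymous until login succeeds
        Subject subject = SecurityUtils.getSubject();
        System.out.println("authenticated before login? " + subject.isAuthenticated());

        // 3. Authentication: Subject.login() is delegated to SecurityManager -> Authenticator -> Realm
        try {
            subject.login(new UsernamePasswordToken("bob", "hunter2"));
        } catch (AuthenticationException e) {
            // Report every failure the same way to the caller; the distinct subclasses
            // (UnknownAccountException, IncorrectCredentialsException, ...) belong in your logs only
            System.out.println("login failed");
            return;
        }

        // 4. Authorization: isPermitted()/hasRole() go SecurityManager -> Authorizer -> Realm
        System.out.println("bob may view accounts?   " + subject.isPermitted("account:view"));
        System.out.println("bob may delete accounts? " + subject.isPermitted("account:delete"));
        System.out.println("bob is admin?            " + subject.hasRole("admin"));

        // 5. Logout clears the authenticated state and stops the Subject's session
        subject.logout();
        System.out.println("authenticated after logout? " + subject.isAuthenticated());
    }
}
```

Nothing in `main` talks to the Realm directly: every call on the Subject is forwarded to the SecurityManager, which consults the Realm for credentials and for the role/permission data behind `isPermitted`.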
Detailed Architecture
The following diagram shows Shiro’s core architectural concepts followed by short summaries of each:
Subject (org.apache.shiro.subject.Subject)
A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.
SecurityManager (org.apache.shiro.mgt.SecurityManager)
As mentioned above, the SecurityManager is the heart of Shiro’s architecture. It is mostly an ‘umbrella’ object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application user, so it knows how to perform security operations per user.
Authenticator (org.apache.shiro.authc.Authenticator)
The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.
Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).
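The questions in the paragraph above are answered by which `AuthenticationStrategy` is installed on the `ModularRealmAuthenticator`. The following added example (not from the Shiro documentation or project; it assumes the Shiro 1.x API) wires two constructed `IniRealm` instances that disagree about `alice`'s password and runs the same login under `AtLeastOneSuccessfulStrategy` and `AllSuccessfulStrategy`.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;

public class StrategyDemo {

    // Constructed realm holding a single user; stands in for e.g. an HR database or an LDAP mirror
    static Realm realmWithUser(String user, String password) {
        Ini ini = new Ini();
        ini.addSection(IniRealm.USERS_SECTION_NAME).put(user, password);
        return new IniRealm(ini);
    }

    // Builds a fresh SecurityManager for the given strategy and reports whether the login succeeds
    static boolean tryLogin(AuthenticationStrategy strategy, String user, String password) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator);   // install the authenticator first ...
        sm.setRealms(Arrays.asList(           // ... so setRealms() also hands the realms to it
                realmWithUser("alice", "s3cret"),
                realmWithUser("alice", "different")));

        // Subject.Builder avoids the thread-bound Subject of SecurityUtils, so each call is isolated
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        // Same token, different policy: "any one realm is enough" versus "every realm must agree"
        System.out.println("at-least-one, alice/s3cret: " + tryLogin(new AtLeastOneSuccessfulStrategy(), "alice", "s3cret"));
        System.out.println("all-successful, alice/s3cret: " + tryLogin(new AllSuccessfulStrategy(), "alice", "s3cret"));
        System.out.println("at-least-one, unknown user: " + tryLogin(new AtLeastOneSuccessfulStrategy(), "mallory", "x"));
    }
}
```

With these constructed realms the first login succeeds and the second fails, because the second realm rejects `s3cret` and `AllSuccessfulStrategy` turns any single realm failure into a failed attempt; an unknown user fails under either strategy. Choose the strategy deliberately: "at least one" is the default and is the permissive option, so a weak or stale data source can let a login through that the stricter sources would have refused.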
Authorizer (org.apache.shiro.authz.Authorizer)
The Authorizer is the component responsible for determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.
SessionManager (org.apache.shiro.session.mgt.SessionManager)
The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if one is available (e.g. a Servlet container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.
SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.
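The SessionManager/SessionDAO split described above means a data store can be swapped in by implementing the DAO's CRUD methods. The following added example (not part of the Shiro documentation or project; it assumes the Shiro 1.x API and uses a hypothetical class name) implements a map-backed `SessionDAO` that also logs session creation and deletion, plugs it into `DefaultSessionManager` with a shorter idle timeout, and shows the calls a Subject triggers in a non-web environment.

```java
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.subject.Subject;

import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

/** Hypothetical SessionDAO (constructed for this example): in-memory store plus an audit line per lifecycle event. */
public class AuditingSessionDAO extends AbstractSessionDAO {

    private final Map<Serializable, Session> store = new ConcurrentHashMap<>();

    @Override
    protected Serializable doCreate(Session session) {
        // AbstractSessionDAO supplies the id generator (JavaUuidSessionIdGenerator by default);
        // a DAO must generate the id and assign it to the session before persisting it
        Serializable id = generateSessionId(session);
        assignSessionId(session, id);
        store.put(id, session);
        System.out.println("AUDIT session created id=" + id + " host=" + session.getHost());
        return id;
    }

    @Override
    protected Session doReadSession(Serializable sessionId) {
        return store.get(sessionId);   // null makes AbstractSessionDAO raise UnknownSessionException
    }

    @Override
    public void update(Session session) throws UnknownSessionException {
        if (!store.containsKey(session.getId())) {
            throw new UnknownSessionException("no session with id " + session.getId());
        }
        store.put(session.getId(), session);   // called after attribute changes and timestamp touches
    }

    @Override
    public void delete(Session session) {
        store.remove(session.getId());
        System.out.println("AUDIT session deleted id=" + session.getId());
    }

    @Override
    public Collection<Session> getActiveSessions() {
        return Collections.unmodifiableCollection(store.values());
    }

    public int activeCount() {
        return store.size();
    }

    public static void main(String[] args) {
        AuditingSessionDAO dao = new AuditingSessionDAO();

        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setSessionDAO(dao);
        // Idle timeout in milliseconds; Shiro's default is 30 minutes, 15 is used here
        sessionManager.setGlobalSessionTimeout(TimeUnit.MINUTES.toMillis(15));

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setSessionManager(sessionManager);   // no Servlet container: Shiro's own sessions

        Subject subject = new Subject.Builder(securityManager).buildSubject();
        subject.getSession().setAttribute("cart", "constructed-value");   // first access -> doCreate, then update
        System.out.println("active sessions: " + dao.activeCount());
        subject.logout();                                                 // stops the session -> delete
        System.out.println("active sessions: " + dao.activeCount());
    }
}
```

Because `DefaultSessionManager` deletes invalid (stopped or expired) sessions through the DAO by default, the audit lines from `delete` double as a record of logouts and timeouts, which is the hook a real implementation would use to write to a database or a SIEM.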
CacheManager (org.apache.shiro.cache.CacheManager)
The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.
Cryptography (org.apache.shiro.crypto.*)
Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of cryptographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.
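The three families named above (Hashes, Ciphers, codecs) are exercised together in the following added example, which is not from the Shiro documentation or project and assumes the Shiro 1.x `org.apache.shiro.crypto` and `org.apache.shiro.codec` packages. All inputs are constructed; the iteration count is an assumption to be tuned for your hardware.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

import java.security.Key;
import java.util.Arrays;

public class CryptoDemo {

    // Work factor for credential hashing (assumed value; raise it as far as your login latency allows)
    static final int ITERATIONS = 500_000;

    // Hash (digest): salted, iterated SHA-256 rendered as hex for storage
    static String hashPassword(char[] password, ByteSource salt) {
        return new Sha256Hash(password, salt, ITERATIONS).toHex();
    }

    public static void main(String[] args) {
        SecureRandomNumberGenerator rng = new SecureRandomNumberGenerator();

        // --- Hashes: store (salt, iterated hash), never the password itself ---
        ByteSource salt = rng.nextBytes(16);                         // fresh random salt per account
        String stored = hashPassword("correct horse".toCharArray(), salt);
        String again  = hashPassword("correct horse".toCharArray(), salt);
        System.out.println("salt (hex): " + salt.toHex());
        System.out.println("hash (hex): " + stored);
        System.out.println("same input + same salt -> same hash? " + stored.equals(again));

        // --- Ciphers: AES with a generated key; Shiro prepends a random IV to each ciphertext ---
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();                              // 128-bit by default; keep it in a key store
        byte[] plaintext = CodecSupport.toBytes("constructed payload");
        ByteSource ciphertext = aes.encrypt(plaintext, key.getEncoded());
        byte[] decrypted = aes.decrypt(ciphertext.getBytes(), key.getEncoded()).getBytes();
        System.out.println("ciphertext (base64): " + ciphertext.toBase64());
        System.out.println("round trip ok? " + Arrays.equals(plaintext, decrypted));
        // A second encryption of identical bytes differs because of the random IV
        ByteSource second = aes.encrypt(plaintext, key.getEncoded());
        System.out.println("IV randomised? " + !ciphertext.toHex().equals(second.toHex()));

        // --- Codecs: Hex and Base64 for persisting or transmitting the bytes above ---
        byte[] hashBytes = Hex.decode(stored);
        System.out.println("hash survives hex round trip? " + stored.equals(Hex.encodeToString(hashBytes)));
        System.out.println("salt (base64): " + Base64.encodeToString(salt.getBytes()));
    }
}
```

Two caveats a practitioner should keep in mind: the default `AesCipherService` block mode in Shiro 1.x is CBC, which provides confidentiality but not integrity, so pair it with an authenticated mode or a MAC if the ciphertext crosses a trust boundary; and a salted iterated hash is a minimum for stored credentials, not a substitute for a memory-hard function where one is available.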
Realms (org.apache.shiro.realm.Realm)
As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.
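A custom Realm makes the "security-specific DAO" idea concrete: one method fetches the stored credential for the Authenticator, another fetches roles and permissions for the Authorizer. The following added example is not from the Shiro documentation or project; it assumes the Shiro 1.x API (`AuthorizingRealm`, `PasswordMatcher`, `DefaultPasswordService`) and uses a hypothetical class name over a constructed in-memory user table where a real implementation would query JDBC or LDAP.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical Realm over a constructed in-memory user table; a real one would wrap a database or directory. */
public class InMemoryUserRealm extends AuthorizingRealm {

    /** One row of the user table: the stored password hash (never the password) and the user's roles. */
    static final class UserRow {
        final String passwordHash;
        final Set<String> roles;
        UserRow(String passwordHash, Set<String> roles) { this.passwordHash = passwordHash; this.roles = roles; }
    }

    private final Map<String, UserRow> users = new HashMap<>();
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();

    InMemoryUserRealm(DefaultPasswordService passwordService) {
        // PasswordMatcher re-hashes the submitted password using the algorithm, iterations and salt
        // encoded in the stored value, so the realm never compares plaintext
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    void addUser(String name, String storedHash, Set<String> roles) { users.put(name, new UserRow(storedHash, roles)); }

    void addRole(String role, Set<String> permissions) { rolePermissions.put(role, permissions); }

    /** Authentication half of the bridge: find the account and hand its stored credential to the matcher. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        UserRow row = users.get(username);
        if (row == null) {
            throw new UnknownAccountException("no account " + username);   // log it; show callers a generic failure
        }
        return new SimpleAuthenticationInfo(username, row.passwordHash, getName());
    }

    /** Authorization half of the bridge: roles and permissions for an already-identified principal. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        UserRow row = users.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (row == null) {
            return info;   // empty info: deny by default rather than fail open
        }
        info.setRoles(row.roles);
        for (String role : row.roles) {
            info.addStringPermissions(rolePermissions.getOrDefault(role, Collections.emptySet()));
        }
        return info;
    }

    public static void main(String[] args) {
        DefaultPasswordService passwordService = new DefaultPasswordService();   // salted, iterated SHA-256 by default
        InMemoryUserRealm realm = new InMemoryUserRealm(passwordService);
        // encryptPassword() output embeds algorithm, iterations and salt, so that is all the table needs to hold
        realm.addUser("alice", passwordService.encryptPassword("s3cret"), Collections.singleton("auditor"));
        realm.addRole("auditor", Collections.singleton("report:read"));

        Subject subject = new Subject.Builder(new DefaultSecurityManager(realm)).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("report:read?  " + subject.isPermitted("report:read"));
        System.out.println("report:write? " + subject.isPermitted("report:write"));
        subject.logout();
    }
}
```

The realm itself never decides whether a login succeeds or an action is allowed; it only returns data. The credentials check happens in the `CredentialsMatcher` installed on the realm, and the permission decision in the SecurityManager's Authorizer, which is why the same realm can be reused behind either strategy or authorizer configuration.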
The SecurityManager
Because Shiro’s API encourages a Subject-centric programming approach, most application developers will rarely, if ever, interact with the SecurityManager directly (framework developers however might sometimes find it useful). Even so, it is still important to know how the SecurityManager functions, especially when configuring one for an application.
Design
As stated previously, the application’s SecurityManager performs security operations and manages state for all application users. In Shiro’s default SecurityManager implementations, this includes:
Authentication
Authorization
Session Management
Cache Management
Realm coordination
Event propagation
“Remember Me” Services
Subject creation
Logout and more.
But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.
To simplify configuration and enable flexible configuration/pluggability, Shiro’s implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the SecurityManager implementations mostly act as a lightweight ‘container’ component, delegating almost all behavior to nested/wrapped components. This ‘wrapper’ design is reflected in the detailed architecture diagram above.
While the components actually execute the logic, the SecurityManager implementation knows how and when to coordinate the components for the correct behavior.
The SecurityManager implementations and the components are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get*/set*). This means the Shiro’s architectural modularity can translate into very easy configuration for custom behavior.
Easy Configuration
Because of JavaBeans compatibility, it is very easy to configure the SecurityManager with custom components via any mechanism that supports JavaBeans-style configuration, such as Spring, Guice, JBoss, etc.
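Shiro's own INI format is the smallest such mechanism: each line in `[main]` is a JavaBeans property assignment on the object graph rooted at `securityManager`. The following added example (not from the Shiro documentation or project; it assumes the Shiro 1.x `Ini` and `IniSecurityManagerFactory` classes) loads a constructed INI string that swaps in an `AuthenticationStrategy` and shortens the session timeout, then reads the same values back through the getters the INI lines drove.

```java
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.DefaultSessionManager;

public class IniConfigDemo {

    // Constructed INI text. In [main]: "name = fully.qualified.Class" instantiates a bean,
    // "name.prop = value" calls setProp(value), "$name" references an earlier bean,
    // and securityManager is predefined by Shiro.
    static final String INI = String.join("\n",
            "[main]",
            "authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy",
            "securityManager.authenticator.authenticationStrategy = $authcStrategy",
            "securityManager.sessionManager.globalSessionTimeout = 900000",   // 15 minutes idle, in ms
            "",
            "[users]",
            "alice = s3cret, admin",
            "[roles]",
            "admin = *");

    static SecurityManager build() {
        Ini ini = new Ini();
        ini.load(INI);
        // IniSecurityManagerFactory is the Shiro 1.x factory; 1.4+ also offers
        // org.apache.shiro.env.BasicIniEnvironment, which accepts the same Ini object
        return new IniSecurityManagerFactory(ini).getInstance();
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = (DefaultSecurityManager) build();
        ModularRealmAuthenticator authenticator = (ModularRealmAuthenticator) sm.getAuthenticator();
        DefaultSessionManager sessionManager = (DefaultSessionManager) sm.getSessionManager();
        System.out.println("strategy:   " + authenticator.getAuthenticationStrategy().getClass().getSimpleName());
        System.out.println("timeout ms: " + sessionManager.getGlobalSessionTimeout());
        System.out.println("realms:     " + sm.getRealms().size());
    }
}
```

Because configuration is just setter calls, anything reachable from `securityManager` can be replaced, which is also why INI files for Shiro deserve the same change control as code: a one-line edit can relax the authentication strategy or disable session timeouts.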
We will cover Configuration next.
Lend a hand with documentation
While we hope this documentation helps you with the work you’re doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you’d like to help the Shiro project, please consider correcting, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.
The easiest way to contribute your documentation is to submit a pull request by clicking on the Edit link below, or to send it to the User Forum or the User Mailing List.