Shiro-Architecture

Posted by sunshine on 2020-02-29

Translated from the official documentation (original link).

Apache Shiro Architecture

Apache Shiro’s design goals are to simplify application security by being intuitive and easy to use. Shiro’s core design models how most people think about application security - in the context of someone (or something) interacting with an application.

Software applications are usually designed based on user stories. That is, you’ll often design user interfaces or service APIs based on how a user would (or should) interact with the software. For example, you might say, “If the user interacting with my application is logged in, I will show them a button they can click to view their account information. If they are not logged in, I will show a sign-up button.”

This example statement indicates that applications are largely written to satisfy user requirements and needs. Even if the ‘user’ is another software system and not a human being, you still write code to reflect behavior based on who (or what) is currently interacting with your software.

Shiro reflects these concepts in its own design. By matching what is already intuitive for software developers, Apache Shiro remains intuitive and easy to use in practically any application.


High-Level Overview

At the highest conceptual level, Shiro’s architecture has 3 primary concepts: the Subject, SecurityManager and Realms. The following diagram is a high-level overview of how these components interact, and we’ll cover each concept below:

[Figure: ShiroBasicArchitecture diagram]


  • Subject: As we’ve mentioned in our Tutorial, the Subject is essentially a security-specific ‘view’ of the currently executing user. Whereas the word ‘User’ often implies a human being, a Subject can be a person, but it could also represent a 3rd-party service, daemon account, cron job, or anything similar - basically anything that is currently interacting with the software.

    Subject instances are all bound to (and require) a SecurityManager. When you interact with a Subject, those interactions translate to subject-specific interactions with the SecurityManager.

  • SecurityManager: The SecurityManager is the heart of Shiro’s architecture and acts as a sort of ’umbrella’ object that coordinates its internal security components that together form an object graph. However, once the SecurityManager and its internal object graph is configured for an application, it is usually left alone and application developers spend almost all of their time with the Subject API.

    We will talk about the SecurityManager in detail later on, but it is important to realize that when you interact with a Subject, it is really the SecurityManager behind the scenes that does all the heavy lifting for any Subject security operation. This is reflected in the basic flow diagram above.

  • Realms: Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.

    In this sense a Realm is essentially a security-specific DAO: it encapsulates connection details for data sources and makes the associated data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm to use for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required.

    Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more. You can plug-in your own Realm implementations to represent custom data sources if the default Realms do not meet your needs.

    Like other internal components, the Shiro SecurityManager manages how Realms are used to acquire security and identity data to be represented as Subject instances.


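The three concepts above in one runnable flow, as an added example that is not part of the original page or the Shiro project: the application only touches the Subject, the SecurityManager does the work behind it, and an IniRealm bridges to a constructed user table. It assumes Shiro 1.x on the classpath; the account names, passwords and permissions are made up for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class SubjectFlowDemo {
    public static void main(String[] args) {
        // Constructed sample security data. IniRealm reads [users] as
        // "name = password, role..." and [roles] as "role = permission...".
        // Plaintext passwords are for this demo only; a production Realm stores
        // salted hashes and configures a matching CredentialsMatcher.
        Ini ini = new Ini();
        Ini.Section users = ini.addSection(IniRealm.USERS_SECTION_NAME);
        users.put("alice", "alice-demo-pw, admin");
        users.put("bob", "bob-demo-pw, auditor");
        Ini.Section roles = ini.addSection(IniRealm.ROLES_SECTION_NAME);
        roles.put("admin", "*");
        roles.put("auditor", "report:read");

        // The Realm bridges Shiro to that data; the SecurityManager wraps the Realm
        // (plus its Authenticator, Authorizer, SessionManager ...) under one umbrella.
        DefaultSecurityManager securityManager =
                new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        // Application code works only with the Subject; every call below is
        // delegated to the SecurityManager behind the scenes.
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("bob", "bob-demo-pw"));
        } catch (AuthenticationException e) {
            // Unknown account and wrong password both land here; report a generic
            // failure to the caller so the response does not reveal which one.
            System.out.println("login failed");
            return;
        }
        System.out.println("principal: " + subject.getPrincipal());
        System.out.println("hasRole(auditor): " + subject.hasRole("auditor"));
        System.out.println("isPermitted(report:read): " + subject.isPermitted("report:read"));
        System.out.println("isPermitted(report:delete): " + subject.isPermitted("report:delete"));
        subject.logout();
    }
}
```

For bob the role and report:read checks succeed while report:delete is denied, because the auditor role was only granted report:read in the [roles] section.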
Detailed Architecture

The following diagram shows Shiro’s core architectural concepts followed by short summaries of each:


[Figure: ShiroArchitecture diagram]

  • Subject (org.apache.shiro.subject.Subject)
    A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.

  • SecurityManager (org.apache.shiro.mgt.SecurityManager)
    As mentioned above, the SecurityManager is the heart of Shiro’s architecture. It is mostly an ‘umbrella’ object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application user, so it knows how to perform security operations per user.

  • Authenticator (org.apache.shiro.authc.Authenticator)
    The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.

  • Authorizer (org.apache.shiro.authz.Authorizer)
    The Authorizer is the component responsible for determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.

  • SessionManager (org.apache.shiro.session.mgt.SessionManager)
    The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.

  • CacheManager (org.apache.shiro.cache.CacheManager)
    The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.

  • Cryptography (org.apache.shiro.crypto.*)
    Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of cryptographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.

  • Realms (org.apache.shiro.realm.Realm)
    As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.


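A custom Realm of the kind the Realms entries above describe (one per data source, acting as a security-specific DAO), as an added example that is not from the page or the Shiro project. It assumes Shiro 1.x and Java 16+ (for the record type); the in-memory table is a constructed stand-in for a real user store, and the Authenticator and Authorizer call the two overridden methods through the SecurityManager.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

/** Custom Realm over a constructed in-memory table standing in for a real user store. */
public class InMemoryHashedRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 100_000;
    /** One stored account: per-user salt, iterated SHA-256 hash (hex) and role names. */
    private record Account(ByteSource salt, String hashHex, Set<String> roles) {}
    private final Map<String, Account> accounts = new HashMap<>();

    public InMemoryHashedRealm() {
        // The Authenticator checks submitted passwords through this matcher, so it
        // must mirror exactly how addAccount() produced the stored hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** Registers an account; the password is hashed with a fresh random salt and not kept. */
    public void addAccount(String username, String password, Set<String> roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, ITERATIONS).toHex();
        accounts.put(username, new Account(salt, hashHex, roles));
    }

    // Authentication side of the bridge: return stored hash + salt and let the matcher compare.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = accounts.get(username);
        if (account == null) throw new UnknownAccountException("no account for " + username);
        return new SimpleAuthenticationInfo(username, account.hashHex(), account.salt(), getName());
    }

    // Authorization side of the bridge: roles for an already-authenticated principal.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Account account = accounts.get((String) principals.getPrimaryPrincipal());
        return account == null ? null : new SimpleAuthorizationInfo(account.roles());
    }
}
```

Wire it in with new DefaultSecurityManager(realm) exactly as a built-in Realm; the UnknownAccountException surfaces to the caller as a generic AuthenticationException from Subject.login, so the login response need not distinguish an unknown user from a wrong password.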
The SecurityManager

Because Shiro’s API encourages a Subject-centric programming approach, most application developers will rarely, if ever, interact with the SecurityManager directly (framework developers however sometimes find it useful). Even so, it is still important to know how the SecurityManager functions, especially when configuring one for an application.

Design

As stated previously, the application’s SecurityManager performs security operations and manages state for all application users. In Shiro’s default SecurityManager implementations, this includes:

  • Authentication
  • Authorization
  • Session Management
  • Cache Management
  • Realm coordination
  • Event propagation
  • “Remember Me” Services
  • Subject creation
  • Logout and more.

But this is a lot of functionality to try to manage in a single component. And, making these things flexible and customizable would be very difficult if everything were lumped into a single implementation class.

To simplify configuration and enable flexible configuration/pluggability, Shiro’s implementations are all highly modular in design - so modular in fact, that the SecurityManager implementation (and its class-hierarchy) does not do much at all. Instead, the SecurityManager implementations mostly act as a lightweight ‘container’ component, delegating almost all behavior to nested/wrapped components. This ‘wrapper’ design is reflected in the detailed architecture diagram above.

While the components actually execute the logic, the SecurityManager implementation knows how and when to coordinate the components for the correct behavior.

The SecurityManager implementations and the components are also JavaBeans compatible, which allows you (or a configuration mechanism) to easily customize the pluggable components via standard JavaBeans accessor/mutator methods (get/set). This means that Shiro’s architectural modularity can translate into very easy configuration for custom behavior.


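The ‘container’ and JavaBeans points above, shown as an added example rather than the page’s or the project’s own code: the nested Authenticator, SessionManager and CacheManager are swapped through plain setters on DefaultSecurityManager. It assumes Shiro 1.x; the realms are passed in by the caller and the timeout value is a chosen sample.

```java
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.DefaultSessionManager;

public class SecurityManagerWiring {
    /** Builds a SecurityManager whose wrapped components are replaced via JavaBeans setters. */
    public static DefaultSecurityManager build(Realm... realms) {
        DefaultSecurityManager sm = new DefaultSecurityManager();

        // Authenticator: with several realms, require every realm to accept the login.
        // The default AtLeastOneSuccessfulStrategy lets one agreeing realm win, which
        // is the weaker choice when the realms can disagree about an account.
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AllSuccessfulStrategy());
        sm.setAuthenticator(authenticator);

        // Set realms after the authenticator: setRealms() propagates the realm list
        // to a ModularRealmAuthenticator and to the ModularRealmAuthorizer.
        sm.setRealms(Arrays.asList(realms));

        // SessionManager: Shiro-native sessions with a 30-minute idle timeout.
        // INI [main] equivalent: securityManager.sessionManager.globalSessionTimeout = 1800000
        DefaultSessionManager sessionManager = new DefaultSessionManager();
        sessionManager.setGlobalSessionTimeout(TimeUnit.MINUTES.toMillis(30));
        sm.setSessionManager(sessionManager);

        // CacheManager: cache authorization data so realms are not queried on every check;
        // the SecurityManager hands the cache manager down to CacheManagerAware components.
        sm.setCacheManager(new MemoryConstrainedCacheManager());
        return sm;
    }
}
```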