Introduction to Shiro's Modules

1. Module Diagram

2. Modules

    a) Subject

        A Subject is just a fancy security term that basically means a security-specific 'view' of an application user. A Subject does not always need to reflect a human being though - it can represent an external process calling your application, or perhaps a daemon system account that executes something intermittently over a period of time (such as a cron job). It is basically a representation of any entity that is doing something with the application.

    ps: In Shiro, the Subject corresponds to a single thread; whatever kind of application it is, inside Shiro every thread is turned into a Subject. Normally the userName and password we log in with are wrapped in a UsernamePasswordToken, after which authentication, authorization and the other activities take place.

    b) Session

    A Session is a stateful data context associated with a single user/Subject who interacts with a software system over a period of time. Data can be added/read/removed from the Session while the subject uses the application and the application can use this data later where necessary. Sessions are terminated when the user/Subject logs out of the application or when it times out due to inactivity.

    For those familiar with the HttpSession, a Shiro Session serves the same purpose, except Shiro sessions can be used in any environment even if there is no Servlet container or EJB container available.

    ps: A Shiro Session is similar in structure and usage to request.Session; one can be created separately for each connection, or not created at all. SessionDAO is the tool used to build a distributed Shiro security module.

    c) Cache

        The cache stores authentication, authorization, session and similar information. Shiro's cache uses EHcache by default.

    d) Realm

        A Realm is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be. 

        Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data source-specific APIs to discover authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API. 

        ps: In Shiro, anything that stores user information (userName, password, role, privilege) is called a realm. Whether we authenticate, authorize or check permissions, the data has to be fetched from a realm. It is usually an xxx.ini configuration file or a database.

    e) Cryptography

        Cryptography is the practice of protecting information from undesired access by hiding it or converting it into nonsense so no one else can read it. Shiro focuses on two core elements of Cryptography: ciphers that encrypt data like email using a public or private key, and hashes (aka message digests) that irreversibly encrypt data like passwords.

        ps: Cryptography is really a large encryption and decryption toolkit. Besides its use inside Shiro, we can also use it elsewhere in our application.

    f) Authentication

Authentication is the process of verifying a Subject's identity - essentially proving that someone really is who they say they are. When an authentication attempt is successful the application can trust that the subject is guaranteed to be who the application expects. 

        ps: When we call subject.login(usernamePasswordToken), the lookup in the realm is performed through the Authentication module.

    g) Authorization

Authorization, also known as Access Control, is the process of determining if a user/Subject is allowed to do something or not. It is usually accomplished by inspecting and interpreting a Subject's roles and permissions (see below) and then allowing or denying access to a requested resource or function. 

        ps: The authorization module generally queries the realm at the time of the permission check. The designers presumably did this for safety, querying the realm on every check, so it is recommended that you keep the realm data in the cache to reduce I/O load.
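The following added example (not code from the original post or from the Shiro project) wires the modules above together in plain Java: an IniRealm built from constructed users/roles data, a DefaultSecurityManager, a Subject bound to the current thread, subject.login() with a UsernamePasswordToken, Session attributes, and role/permission checks that go back to the realm. User names, passwords and the report:* permissions are constructed sample values.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroModulesDemo {
    public static void main(String[] args) {
        // Realm: constructed INI data standing in for the user/role store
        // (in a real deployment this would be a database or LDAP directory).
        Ini ini = new Ini();
        ini.load("[users]\n"
               + "alice = s3cret, admin\n"
               + "bob = hunter2, viewer\n"
               + "[roles]\n"
               + "admin = *\n"
               + "viewer = report:read\n");
        IniRealm realm = new IniRealm(ini);

        // The SecurityManager connects the realm to the Subject API.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // Subject: the security-specific view of the caller on this thread.
        Subject subject = SecurityUtils.getSubject();

        // Authentication: login(token) makes the realm look up bob's credentials.
        UsernamePasswordToken token = new UsernamePasswordToken("bob", "hunter2");
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            System.out.println("login failed: " + e.getMessage());
            return;
        }
        System.out.println("authenticated as " + subject.getPrincipal());

        // Session: per-Subject state that works without a Servlet container.
        Session session = subject.getSession();
        session.setAttribute("lastReport", "q3-summary");
        System.out.println("session attribute: " + session.getAttribute("lastReport"));

        // Authorization: every check consults the realm's roles and permissions.
        System.out.println("has role viewer:        " + subject.hasRole("viewer"));
        System.out.println("permitted report:read:  " + subject.isPermitted("report:read"));
        System.out.println("permitted report:delete: " + subject.isPermitted("report:delete"));

        subject.logout(); // invalidates the session and clears the Subject's identity
    }
}
```

Swapping the IniRealm for a JDBC or LDAP realm changes only the realm construction; the Subject, login, session and authorization calls stay the same.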
