Shiro理解与总结

Feature

Apache Shiro is a comprehensive application security framework with many features. The following diagram shows where Shiro focuses its energy, and this reference manual will be organized similarly:

Shiro targets what the Shiro development team calls “the four cornerstones of application security” - Authentication, Authorization, Session Management, and Cryptography:

• Authentication: Sometimes referred to as ‘login’, this is the act of proving a user is who they say they are.

• Authorization: The process of access control, i.e. determining ‘who’ has access to ‘what’.

• Session Management: Managing user-specific sessions, even in non-web or EJB applications.

• Cryptography: Keeping data secure using cryptographic algorithms while still being easy to use.

There are also additional features to support and reinforce these concerns in different application environments, especially:

• Web Support: Shiro’s web support APIs help easily secure web applications.
• Caching: Caching is a first-tier citizen in Apache Shiro’s API to ensure that security operations remain fast and efficient.
• Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.
• Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.
• “Run As”: A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.
• “Remember Me”: Remember users’ identities across sessions so they only need to log in when mandatory.

Architecture

• Subject (org.apache.shiro.subject.Subject)
  A security-specific ‘view’ of the entity (user, 3rd-party service, cron job, etc) currently interacting with the software.

• SecurityManager (org.apache.shiro.mgt.SecurityManager)
  As mentioned above, the SecurityManager is the heart of Shiro’s architecture. It is mostly an ‘umbrella’ object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro’s view of every application user, so it knows how to perform security operations per user.

• Authenticator (org.apache.shiro.authc.Authenticator)
  The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log-in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user’s identity to guarantee the user really is who they say they are.

  • Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
    If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).

• Authorizer (org.apache.shiro.authz.Authorizer)
  The Authorizer is the component responsible determining users’ access control in the application. It is the mechanism that ultimately says if a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly if a user is allowed to perform a given action.

• SessionManager (org.apache.shiro.session.mgt.SessionManager)
  The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks - Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available, (e.g. Servlet Container), but if there isn’t one, such as in a standalone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any datasource to be used to persist sessions.

  • SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
    The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.

• CacheManager (org.apache.shiro.cache.CacheManager)
  The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user-experience.

• Cryptography (org.apache.shiro.crypto.*)
  Cryptography is a natural addition to an enterprise security framework. Shiro’s crypto package contains easy-to-use and understand representations of crytographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java’s native cryptography support knows it can be a challenging animal to tame. Shiro’s crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.

• Realms (org.apache.shiro.realm.Realm)
  As mentioned above, Realms act as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.

Shiro example

java:

 package com.hjp.shiro.shiro_tutorial;

 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.*;
 import org.apache.shiro.config.IniSecurityManagerFactory;
 import org.apache.shiro.mgt.SecurityManager;
 import org.apache.shiro.session.Session;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.Factory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 public class Tutorial {

     private static final transient Logger log = LoggerFactory.getLogger(Tutorial.class);

     public static void main(String[] args) {
         log.info("My First Apache Shiro Application");

         Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
         SecurityManager securityManager = factory.getInstance();
         SecurityUtils.setSecurityManager(securityManager);

         // get the currently executing user:
         Subject currentUser = SecurityUtils.getSubject();

         // Do some stuff with a Session (no need for a web or EJB container!!!)
         Session session = currentUser.getSession();
         session.setAttribute("someKey", "aValue");
         String value = (String) session.getAttribute("someKey");
         if (value.equals("aValue")) {
             log.info("Retrieved the correct value! [" + value + "]");
         }

         // let's login the current user so we can check against roles and
         // permissions:
         if (!currentUser.isAuthenticated()) {
             UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
             token.setRememberMe(true);
             try {
                 currentUser.login(token);
             } catch (UnknownAccountException uae) {
                 log.info("There is no user with username of " + token.getPrincipal());
             } catch (IncorrectCredentialsException ice) {
                 log.info("Password for account " + token.getPrincipal() + " was incorrect!");
             } catch (LockedAccountException lae) {
                 log.info("The account for username " + token.getPrincipal() + " is locked.  "
                         + "Please contact your administrator to unlock it.");
             }
             // ... catch more exceptions here (maybe custom ones specific to
             // your application?
             catch (AuthenticationException ae) {
                 // unexpected condition? error?
             }
         }

         // say who they are:
         // print their identifying principal (in this case, a username):
         log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");

         // test a role:
         if (currentUser.hasRole("schwartz")) {
             log.info("May the Schwartz be with you!");
         } else {
             log.info("Hello, mere mortal.");
         }

         // test a typed permission (not instance-level)
         if (currentUser.isPermitted("lightsaber:weild")) {
             log.info("You may use a lightsaber ring.  Use it wisely.");
         } else {
             log.info("Sorry, lightsaber rings are for schwartz masters only.");
         }

         // a (very powerful) Instance Level permission:
         if (currentUser.isPermitted("winnebago:drive:eagle5")) {
             log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  "
                     + "Here are the keys - have fun!");
         } else {
             log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
         }

         // all done - log out!
         currentUser.logout();

         System.exit(0);

     }

 }

pom:

 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

     <modelVersion>4.0.0</modelVersion>
     <groupId>org.apache.shiro.tutorials</groupId>
     <artifactId>shiro-tutorial</artifactId>
     <version>1.0.0-SNAPSHOT</version>
     <name>First Apache Shiro Application</name>
     <packaging>jar</packaging>

     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>

     <build>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>2.0.2</version>
                 <configuration>
                     <source>1.5</source>
                     <target>1.5</target>
                     <encoding>${project.build.sourceEncoding}</encoding>
                 </configuration>
             </plugin>

             <!-- This plugin is only to test run our little application. It is not
                 needed in most Shiro-enabled applications: -->
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
                 <version>1.1</version>
                 <executions>
                     <execution>
                         <goals>
                             <goal>java</goal>
                         </goals>
                     </execution>
                 </executions>
                 <configuration>
                     <classpathScope>test</classpathScope>
                     <mainClass>Tutorial</mainClass>
                 </configuration>
             </plugin>
         </plugins>
     </build>

     <dependencies>
         <dependency>
             <groupId>org.apache.shiro</groupId>
             <artifactId>shiro-core</artifactId>
             <version>1.1.0</version>
         </dependency>
         <!-- Shiro uses SLF4J for logging. We'll use the 'simple' binding in this
             example app. See http://www.slf4j.org for more info. -->
          <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.5</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-simple</artifactId>
        <version>1.6.4</version>
    </dependency>

     </dependencies>

 </project>

output:

0 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - My First Apache Shiro Application
26582 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Enabling session validation scheduler...
44789 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - Retrieved the correct value! [aValue]
80397 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - User [lonestarr] logged in successfully.
85201 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - May the Schwartz be with you!
90551 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - You may use a lightsaber ring.  Use it wisely.
95185 [main] INFO com.hjp.shiro.shiro_tutorial.Tutorial - You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  Here are the keys - have fun!

Refer

http://shiro.apache.org/architecture.html