Want to learn Shiro? Start by understanding it


1. What is a permission?

Permissions come in many kinds: functional permissions, data permissions, administrative permissions, and so on. Put simply, permission control means that a given user may only perform the operations they have been granted, typically some subset of create, read, update and delete.

2. The mainstream permission frameworks: Spring Security and Apache Shiro

**Spring Security:** a powerful and highly customizable authentication and access-control framework. It is the de facto standard for securing Spring-based applications. Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is how easily it can be extended to meet custom requirements.

(Comprehensive and extensible support for authentication and authorization; protection against attacks such as session fixation, clickjacking and cross-site request forgery; Servlet API integration; optional integration with Spring Web MVC; and more.)

Apache Shiro: a powerful, easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. With Shiro's easy-to-understand API you can quickly and easily secure any application, from the smallest mobile application to the largest web and enterprise applications.

3. Strengths and weaknesses of the two

  • Compared with Spring Security, Apache Shiro is simpler to use.

  • Shiro is powerful, simple and flexible; it is not tied to any framework or container and can run stand-alone.

  • Spring Security is hard to use outside the Spring ecosystem.

  • Spring Security supports OAuth authentication out of the box; with Shiro you have to implement it yourself.

    So Shiro is a good choice for beginners.

4. Shiro's four modules

Authentication: Sometimes referred to as 'login', this is the act of proving a user is who they say they are.

Authorization: The process of access control, i.e. determining 'who' has access to 'what'.

Session Management: Managing user-specific sessions, even in non-web or EJB applications.

Cryptography: Keeping data secure using cryptographic algorithms while still being easy to use.
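The first three modules exercised from a stand-alone Java program, with no servlet container involved. This is an added example, not code from the original article or from the Shiro project: the user names, passwords, roles and the `user:*` permission strings are made up for the demo, and the passwords sit in plaintext in the Ini only because that is what IniRealm's default SimpleCredentialsMatcher compares against, which is acceptable for a demo and nothing else.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroModulesDemo {

    public static void main(String[] args) {
        // Constructed sample security data in shiro.ini syntax (accounts and roles are made up).
        // [users]: name = password, role...   [roles]: role = permission...
        Ini ini = new Ini();
        ini.load("[users]\n"
               + "alice = alicePw, admin\n"
               + "bob = bobPw, viewer\n"
               + "[roles]\n"
               + "admin = user:*\n"
               + "viewer = user:read\n");

        // The Realm is the bridge to the security data; the SecurityManager coordinates everything else.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        // 1. Authentication: prove who the caller is. A failed attempt throws and leaves the Subject anonymous.
        Subject bob = SecurityUtils.getSubject();
        try {
            bob.login(new UsernamePasswordToken("bob", "wrong"));
        } catch (AuthenticationException e) {
            // Log the type, but do not echo e.getMessage() to the end user: it can reveal whether an account exists.
            System.out.println("login failed: " + e.getClass().getSimpleName());
        }
        bob.login(new UsernamePasswordToken("bob", "bobPw"));
        System.out.println("authenticated as " + bob.getPrincipal());

        // 2. Authorization: what may the authenticated Subject do? isPermitted() returns, checkPermission() throws.
        System.out.println("bob has role viewer: " + bob.hasRole("viewer"));
        System.out.println("bob may user:read:   " + bob.isPermitted("user:read"));
        System.out.println("bob may user:delete: " + bob.isPermitted("user:delete"));
        try {
            bob.checkPermission("user:delete");
        } catch (AuthorizationException e) {
            System.out.println("denied: user:delete");
        }

        // 3. Session management: Shiro's own in-memory session, since there is no container here.
        Session session = bob.getSession();
        session.setAttribute("cart", "3 items");
        session.setTimeout(15 * 60 * 1000L); // idle timeout in milliseconds; keep it short for sensitive apps
        System.out.println("session " + session.getId() + " cart=" + session.getAttribute("cart"));

        // Logging out invalidates the session and drops the Subject's identity.
        bob.logout();
        System.out.println("after logout, authenticated: " + bob.isAuthenticated());
    }
}
```

Run it with shiro-core on the classpath and a SLF4J binding. The point to take away is the difference between the `is…`/`has…` calls, which return a boolean for branching in business logic, and the `check…` calls, which throw an AuthorizationException and are the right choice at an enforcement boundary where silently continuing is the bug.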

5. The architecture in detail


  • Subject (org.apache.shiro.subject.Subject)
    A security-specific 'view' of the entity (user, 3rd-party service, cron job, etc.) currently interacting with the software.

  • SecurityManager (org.apache.shiro.mgt.SecurityManager)
    As mentioned above, the SecurityManager is the heart of Shiro's architecture. It is mostly an 'umbrella' object that coordinates its managed components to ensure they work smoothly together. It also manages Shiro's view of every application user, so it knows how to perform security operations per user.

    (In short: the security manager. All authentication and authorization of a Subject goes through it.)

  • Authenticator (org.apache.shiro.authc.Authenticator)
    The Authenticator is the component that is responsible for executing and reacting to authentication (log-in) attempts by users. When a user tries to log in, that logic is executed by the Authenticator. The Authenticator knows how to coordinate with one or more Realms that store relevant user/account information. The data obtained from these Realms is used to verify the user's identity to guarantee the user really is who they say they are.

    (In short: the authenticator, responsible for authenticating the Subject.)

    • Authentication Strategy (org.apache.shiro.authc.pam.AuthenticationStrategy)
      If more than one Realm is configured, the AuthenticationStrategy will coordinate the Realms to determine the conditions under which an authentication attempt succeeds or fails (for example, if one realm succeeds but others fail, is the attempt successful? Must all realms succeed? Only the first?).

  • Authorizer (org.apache.shiro.authz.Authorizer)
    The Authorizer is the component responsible for determining users' access control in the application. It is the mechanism that ultimately says whether a user is allowed to do something or not. Like the Authenticator, the Authorizer also knows how to coordinate with multiple back-end data sources to access role and permission information. The Authorizer uses this information to determine exactly whether a user is allowed to perform a given action.

    (In short: the authorizer, responsible for authorizing the Subject, i.e. deciding which roles and permissions the Subject holds.)

  • SessionManager (org.apache.shiro.session.mgt.SessionManager)
    The SessionManager knows how to create and manage user Session lifecycles to provide a robust Session experience for users in all environments. This is a unique feature in the world of security frameworks: Shiro has the ability to natively manage user Sessions in any environment, even if there is no Web/Servlet or EJB container available. By default, Shiro will use an existing session mechanism if available (e.g. a Servlet container), but if there isn't one, such as in a stand-alone application or non-web environment, it will use its built-in enterprise session management to offer the same programming experience. The SessionDAO exists to allow any data source to be used to persist sessions.

    • SessionDAO (org.apache.shiro.session.mgt.eis.SessionDAO)
      The SessionDAO performs Session persistence (CRUD) operations on behalf of the SessionManager. This allows any data store to be plugged in to the Session Management infrastructure.

  • CacheManager (org.apache.shiro.cache.CacheManager)
    The CacheManager creates and manages Cache instance lifecycles used by other Shiro components. Because Shiro can access many back-end data sources for authentication, authorization and session management, caching has always been a first-class architectural feature in the framework to improve performance while using these data sources. Any of the modern open-source and/or enterprise caching products can be plugged in to Shiro to provide a fast and efficient user experience.

    (In short: the cache manager. Authentication and authorization information, for example, can be cached to improve performance. Be aware that a cached authorization entry goes stale when a user's roles or permissions change; the realm has to evict it (AuthorizingRealm exposes clearCachedAuthorizationInfo for this) or the old rights remain in force until the cache entry expires.)

  • Cryptography (org.apache.shiro.crypto.*)
    Cryptography is a natural addition to an enterprise security framework. Shiro's crypto package contains easy-to-use and understandable representations of cryptographic Ciphers, Hashes (aka digests) and different codec implementations. All of the classes in this package are carefully designed to be very easy to use and easy to understand. Anyone who has used Java's native cryptography support knows it can be a challenging animal to tame. Shiro's crypto APIs simplify the complicated Java mechanisms and make cryptography easy to use for normal mortal human beings.

    (In short: encryption, decryption and hashing. Shiro wraps these in easy-to-use, understandable methods and hides a lot of complex API; in practice its main job inside Shiro is salted password hashing for Realms.)

  • Realms (org.apache.shiro.realm.Realm)
    As mentioned above, Realms act as the 'bridge' or 'connector' between Shiro and your application's security data. When it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application. You can configure as many Realms as you need (usually one per data source) and Shiro will coordinate with them as necessary for both authentication and authorization.

    (In short: a Realm is Shiro's connector to the security data, much as JDBC is the connector to a database; all authentication and authorization information is obtained through the Realm.)
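A custom Realm that ties the pieces above together: it answers the Authenticator with stored credentials, answers the Authorizer with roles and permissions, keeps only salted password hashes (the crypto module), and is wired into a SecurityManager whose multi-realm AuthenticationStrategy is set explicitly. This is an added example, not code from the original article or from the Shiro project; the account names, passwords and roles are constructed, the in-memory map stands in for whatever data source a real Realm would query, and it relies on the PasswordService/PasswordMatcher API present in Shiro 1.x and 2.x.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** A Realm over a constructed in-memory user table that stores only salted password hashes. */
public class HashedMapRealm extends AuthorizingRealm {

    // username -> hash string from DefaultPasswordService; salt, algorithm and iterations are embedded in it
    private final Map<String, String> passwordHashes = new ConcurrentHashMap<>();
    private final Map<String, String> roleOf = new ConcurrentHashMap<>();
    private final DefaultPasswordService passwordService = new DefaultPasswordService();

    public HashedMapRealm() {
        // The matcher re-hashes the submitted password with the stored salt and compares; plaintext is never kept.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    /** Account creation (what a registration endpoint would call). Hashing happens here, once. */
    public void addUser(String username, char[] plaintext, String role) {
        passwordHashes.put(username, passwordService.encryptPassword(plaintext));
        roleOf.put(username, role);
        Arrays.fill(plaintext, '\0'); // do not keep the plaintext in memory longer than needed
    }

    /** Authentication side: hand back the stored credentials; the CredentialsMatcher does the comparison. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String stored = passwordHashes.get(username);
        if (stored == null) {
            throw new UnknownAccountException("no account: " + username);
        }
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    /** Authorization side: roles and permissions for an already-authenticated principal. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        String role = roleOf.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole(role);
        info.addStringPermission("admin".equals(role) ? "user:*" : "user:read"); // wildcard permission strings
        return info;
    }

    /** Returns true on success. On failure only the exception type is logged; the user gets one generic message. */
    static boolean tryLogin(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            // Telling the caller UnknownAccountException apart from IncorrectCredentialsException
            // leaks which accounts exist; keep that distinction in the server log only.
            System.out.println(user + ": login failed (" + e.getClass().getSimpleName() + ")");
            return false;
        }
    }

    public static void main(String[] args) {
        HashedMapRealm realm = new HashedMapRealm();
        realm.addUser("alice", "correct horse battery".toCharArray(), "admin"); // constructed accounts
        realm.addUser("bob", "hunter2".toCharArray(), "viewer");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        // The Authenticator's strategy is the multi-realm policy. With a single realm it changes nothing,
        // but this is where it lives: AllSuccessful, AtLeastOneSuccessful (the default) or FirstSuccessful.
        ((ModularRealmAuthenticator) securityManager.getAuthenticator())
                .setAuthenticationStrategy(new AllSuccessfulStrategy());
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        tryLogin(subject, "mallory", "anything");   // fails: UnknownAccountException
        tryLogin(subject, "alice", "wrong");        // fails: IncorrectCredentialsException
        if (tryLogin(subject, "alice", "correct horse battery")) {
            System.out.println("alice: admin=" + subject.hasRole("admin")
                    + " user:delete=" + subject.isPermitted("user:delete"));
            subject.logout();
        }
    }
}
```

Two design points worth noting. The Realm never compares passwords itself; it returns what is stored and lets the configured CredentialsMatcher decide, which is what keeps the hashing scheme in one place. And because DefaultPasswordService embeds the salt and parameters in the stored string, rotating to a stronger algorithm later only requires re-hashing on the user's next successful login rather than changing the Realm.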
