a) Subject
A Subject is just a fancy security term that basically means a security-specific 'view' of an application user. A Subject does not always need to reflect a human being though - it can represent an external process calling your application, or perhaps a daemon system account that executes something intermittently over a period of time (such as a cron job). It is basically a representation of any entity that is doing something with the application.
PS: In Shiro the subject corresponds to one thread. Whatever the application, inside Shiro every thread is turned into a subject. Usually the userName and password we log in with are wrapped in a UsernamePasswordToken, which is then used for authentication, authorization and similar activities.
b) Session
A Session is a stateful data context associated with a single user/Subject who interacts with a software system over a period of time. Data can be added/read/removed from the Session while the subject uses the application and the application can use this data later where necessary. Sessions are terminated when the user/Subject logs out of the application or when it times out due to inactivity.
For those familiar with the HttpSession, a Shiro Session serves the same purpose, except Shiro sessions can be used in any environment even if there is no Servlet container or EJB container available.
PS: A Shiro session is similar in structure and usage to the request session: one can be created separately for each connection, or not created at all. The SessionDAO is the tool used to build a distributed Shiro security module.
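The following program, added here as an illustration and not taken from the original post or from the Shiro project, shows the Subject and Session behaviour described above in a plain Java application with no Servlet container: a subject is obtained, logged in, given session attributes, bound to a worker thread with associateWith(), and finally logged out, which also ends its session. It assumes shiro-core 1.x on the classpath and Java 17; the realm name, the account and the class name are constructed for the example, and the account uses a plaintext password only because SimpleAccountRealm compares credentials directly.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SubjectSessionDemo {
    public static void main(String[] args) throws InterruptedException {
        // Constructed in-memory realm with a single account (plaintext credentials, demo only).
        SimpleAccountRealm realm = new SimpleAccountRealm("demoRealm");
        realm.addAccount("alice", "s3cret", "user");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // The current thread's subject: anonymous until login() succeeds.
        Subject subject = SecurityUtils.getSubject();
        System.out.println("authenticated before login: " + subject.isAuthenticated()); // false

        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        System.out.println("principal after login: " + subject.getPrincipal());         // alice

        // Native Shiro session: works without HttpSession; attributes live for the session's lifetime.
        Session session = subject.getSession();
        session.setAttribute("cart", "3 items");
        session.setTimeout(15 * 60 * 1000L); // idle timeout in milliseconds
        System.out.println("session id: " + session.getId() + ", timeout ms: " + session.getTimeout());
        System.out.println("cart attribute: " + session.getAttribute("cart"));

        // The subject is thread-bound. associateWith() carries it into another thread...
        Thread bound = new Thread(subject.associateWith(() ->
                System.out.println("bound worker sees: " + SecurityUtils.getSubject().getPrincipal()))); // alice
        bound.start();
        bound.join();

        // ...while a thread started without it gets a fresh anonymous subject (principal is null).
        Thread unbound = new Thread(() ->
                System.out.println("unbound worker sees: " + SecurityUtils.getSubject().getPrincipal())); // null
        unbound.start();
        unbound.join();

        // Logout clears identity and stops the session; getSession(false) no longer returns one.
        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated()); // false
        System.out.println("session after logout: " + subject.getSession(false));       // null
    }
}
```

The unbound worker is the point to watch in server code: any thread pool task that needs the caller's identity must be wrapped with associateWith() or execute(), otherwise authorization checks inside it run against an anonymous subject and fail closed.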
c) Cache
The cache stores authentication, authorization, session and similar data. Shiro's cache uses EhCache by default.
d) Realm
A Realm is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the Realm interface use data source-specific APIs to discover authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.
PS: In Shiro, anything that stores user information (userName, password, role, privilege) is called a realm. Whether we authenticate, authorize or check permissions, the data has to be fetched from a realm. This is usually an xxx.ini configuration file or a database.
e) Cryptography
Cryptography is the practice of protecting information from undesired access by hiding it or converting it into nonsense so no one else can read it. Shiro focuses on two core elements of Cryptography: ciphers that encrypt data like email using a public or private key, and hashes (aka message digests) that irreversibly encrypt data like passwords.
PS: Cryptography is more of a general encryption and decryption toolkit. Besides its use inside Shiro, we can also use it elsewhere in the application.
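The two elements the paragraph names, a reversible cipher and a one-way hash, side by side in Shiro's crypto package. This is an added example, not code from the post or from the Shiro project; it assumes shiro-core 1.x and Java 17, and the key, salt, messages and class name are constructed for the demo. A hash is a one-way function rather than encryption, which is why the password branch stores a salt and an iteration count and compares digests in constant time instead of ever decrypting anything.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;

public class ShiroCryptoDemo {
    static final int ITERATIONS = 10_000; // constructed value; raise it until hashing takes tens of ms

    public static void main(String[] args) {
        // 1. Cipher: reversible. Use it for data the application must read back later.
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();                 // in production this lives in a key store, not in code
        byte[] plaintext = "account export 2024".getBytes(StandardCharsets.UTF_8);
        ByteSource ciphertext = aes.encrypt(plaintext, key.getEncoded());
        byte[] recovered = aes.decrypt(ciphertext.getBytes(), key.getEncoded()).getBytes();
        System.out.println("ciphertext (base64): " + ciphertext.toBase64());
        System.out.println("round trip: " + new String(recovered, StandardCharsets.UTF_8));

        // 2. Hash: one-way. Use it for passwords: random salt per account plus many iterations.
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        byte[] stored = new Sha256Hash("hunter2", salt, ITERATIONS).getBytes();

        // Verification recomputes the digest from the candidate and compares in constant time;
        // the stored value is never "decrypted" because it cannot be.
        byte[] good = new Sha256Hash("hunter2", salt, ITERATIONS).getBytes();
        byte[] bad  = new Sha256Hash("Hunter2", salt, ITERATIONS).getBytes();
        System.out.println("correct password matches: " + MessageDigest.isEqual(stored, good)); // true
        System.out.println("wrong password matches:   " + MessageDigest.isEqual(stored, bad));  // false

        // 3. PasswordService: packs algorithm, iteration count, salt and digest into one
        //    self-describing string so the verifier needs nothing else to check a submission.
        DefaultPasswordService passwords = new DefaultPasswordService();
        String encoded = passwords.encryptPassword("hunter2");
        System.out.println("stored form: " + encoded);
        System.out.println("passwordsMatch: " + passwords.passwordsMatch("hunter2", encoded)); // true
    }
}
```

The cipher mode and padding AesCipherService applies depend on the Shiro version in use; check the release notes for the version you deploy rather than assuming, and keep the key out of source control.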
f) Authentication
Authentication is the process of verifying a Subject's identity - essentially proving that someone really is who they say they are. When an authentication attempt is successful the application can trust that the subject is guaranteed to be who the application expects.
PS: When we call subject.login(usernamePasswordToken), the lookup in the realm is performed through the Authentication module.
g) Authorization
Authorization, also known as Access Control, is the process of determining if a user/Subject is allowed to do something or not. It is usually accomplished by inspecting and interpreting a Subject's roles and permissions (see below) and then allowing or denying access to a requested resource or function.
PS: The authorization module normally queries the realm at the moment a permission is checked. Presumably for security reasons the designers made it query the realm on every check, so it is recommended to keep the realm data in the cache to reduce I/O read/write load.
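One program that ties together sections d), f) and g) and the caching advice in c): a custom AuthorizingRealm backed by an in-memory map standing in for a users table, salted and iterated password hashes checked by HashedCredentialsMatcher, login failures handled as exceptions, role and wildcard permission checks, and a lookup counter that makes the effect of the authorization cache visible. This is an added example, not code from the post or from the Shiro project; it assumes shiro-core 1.x and Java 17, and the accounts, roles, permissions and class names are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.*;

public class CachedRealmDemo {
    static final int ITERATIONS = 10_000; // constructed value

    /** Stand-in for a users table row: salted digest, salt, roles and permissions (constructed data). */
    record Account(String hashHex, String saltHex, Set<String> roles, Set<String> permissions) {}

    /** The realm is the security DAO: it only translates stored data into Shiro's Info objects. */
    static class UserStoreRealm extends AuthorizingRealm {
        private final Map<String, Account> table = new HashMap<>();
        int authorizationLookups = 0; // how often Shiro actually asked the realm for authz data

        UserStoreRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            setCredentialsMatcher(matcher);   // Shiro hashes the submitted password with the stored salt
        }

        void addUser(String name, String password, Set<String> roles, Set<String> perms) {
            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            String digest = new Sha256Hash(password, salt, ITERATIONS).toHex();
            table.put(name, new Account(digest, salt.toHex(), roles, perms));
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            Account a = table.get(user);
            if (a == null) return null;       // Shiro turns null into UnknownAccountException
            return new SimpleAuthenticationInfo(user, a.hashHex(),
                    ByteSource.Util.bytes(Hex.decode(a.saltHex())), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            authorizationLookups++;
            Account a = table.get((String) getAvailablePrincipal(principals));
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(a.roles());
            info.setStringPermissions(a.permissions());
            return info;
        }
    }

    public static void main(String[] args) {
        UserStoreRealm realm = new UserStoreRealm();
        realm.addUser("alice", "correct horse battery", Set.of("admin"), Set.of("report:*"));
        realm.addUser("bob", "hunter2", Set.of("user"), Set.of("report:read"));

        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        // A CacheManager on the SecurityManager is propagated to every cache-aware realm, so
        // repeated hasRole/isPermitted calls reuse one realm lookup instead of hitting the store each time.
        sm.setCacheManager(new MemoryConstrainedCacheManager());
        SecurityUtils.setSecurityManager(sm);
        Subject subject = SecurityUtils.getSubject();

        // f) Authentication: failures surface as exceptions; log the type, show the user only "login failed".
        for (String[] attempt : new String[][]{{"bob", "wrong"}, {"nobody", "x"}}) {
            try {
                subject.login(new UsernamePasswordToken(attempt[0], attempt[1]));
            } catch (AuthenticationException e) {
                System.out.println("login failed for " + attempt[0] + ": " + e.getClass().getSimpleName());
            }
        }
        subject.login(new UsernamePasswordToken("bob", "hunter2"));

        // g) Authorization: roles and wildcard permissions resolved from the realm's AuthorizationInfo.
        System.out.println("bob has role admin: " + subject.hasRole("admin"));                 // false
        System.out.println("bob may report:read: " + subject.isPermitted("report:read"));      // true
        System.out.println("bob may report:delete: " + subject.isPermitted("report:delete"));  // false
        try {
            subject.checkPermission("report:delete");
        } catch (AuthorizationException e) {
            System.out.println("checkPermission denied: " + e.getClass().getSimpleName());
        }
        System.out.println("realm lookups after four checks: " + realm.authorizationLookups); // 1 (cached)

        // Logout clears the cached entry for this principal; the next login queries the realm again.
        subject.logout();
        subject.login(new UsernamePasswordToken("alice", "correct horse battery"));
        System.out.println("alice may report:delete: " + subject.isPermitted("report:delete")); // true via report:*
        System.out.println("realm lookups after re-login: " + realm.authorizationLookups);    // 2
    }
}
```

The counter shows the trade-off behind the note above: with a cache the realm is read once per login rather than once per check, so if roles or permissions are changed in the store while a user is logged in, the realm must evict that user's entry (AuthorizingRealm exposes clearCachedAuthorizationInfo for this) or the change is not seen until the next logout.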