How do the concepts of User (UserAccount) and Realm relate in Apache Shiro?
I'm reading up on Apache Shiro and would like to see if I got this mental model right.

From the docs: "A Realm is a component that can access application-specific security data such as users, roles, and permissions" .. "Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource."

Moreover, I've read that an application may include multiple realms for its authentication and authorization purposes.

Ok so great, but how do these Realms relate to the concept of a User?

Is a Realm expected to be a partition over the user-space? Ie: a User may only ever occur in 1 Realm.

Realms can be used to layer authentication & authorization on top of each other and may work on the same User. However in that case, where is the User managed? It should be somewhere external to a Realm I guess, but where?

Perhaps I'm confused by this because I'm thinking of User as a single entity (eg: of me there can be only one), and should instead be thinking of User as a UserAccount. Ie: Each Realm manages its own UserAccounts (in the docs called User), but a User may have multiple UserAccounts. Is that correct?
Assuming the above is correct:

UserAccounts of a given User? Ie: basically merging all UserAccounts together to get a complete view of the User?

Does the concept of a User in this case (1 User possibly having multiple UserAccounts) even exist in Shiro?

You define the relation between Realms in the authenticationStrategy. Let's see the example. The user will be authenticated only when he passes authentication against all realms. You can make your own authenticationStrategy implementation which says just one successful authentication is enough or whatsoever.
In the example, we combine a JDBC realm that stores user names (no passwords) and authenticate them against LDAP.

Let's say you will add another LDAP realm and create an authenticationStrategy where not all authentications against the realms are needed, but just one successful authentication against LDAP is enough.
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:comp/env/jdbc/xxx
noPassWordCredentialMatcher = eu.corp.domain.auth.NoPassMatcher
ldapRealm = eu.corp.domain.auth.CustomActiveDirectoryRealm
ldapRealm.searchBase = OU=USERS,OU=EN,DC=our,DC=corp
ldapRealm.url = ldap://our.corp:389
ldapRealm.principalSuffix = @our.corp
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $noPassWordCredentialMatcher
jdbcRealm.authenticationQuery = SELECT name FROM auth WHERE name = ?
jdbcRealm.userRolesQuery = SELECT role.shortcut FROM auth LEFT JOIN auth_role ON auth_role.auth_id = auth.id LEFT JOIN role ON role.id = auth_role.role_id WHERE auth.name = ?
jdbcRealm.permissionsQuery = SELECT permission.shortcut FROM role JOIN role_permission ON role_permission.role_id = role.id JOIN permission ON permission.id = role_permission.permission_id WHERE role.shortcut = ?
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $ldapRealm, $jdbcRealm
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
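A custom strategy of the kind the answer describes (one successful LDAP authentication is enough, while the password-less JDBC realm on its own must never be), as an added example that is not from the original answer or from Shiro's own code. It builds on Shiro's AtLeastOneSuccessfulStrategy and on the realm-keyed PrincipalCollection that ModularRealmAuthenticator aggregates across realms; the package, the class name, the second realm ldapRealm2 and the ldapRealmNames property are assumptions.

```java
package eu.corp.domain.auth; // assumed: the package the INI above uses for its custom classes
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Hypothetical strategy: login succeeds only if at least one configured LDAP
 * realm vouched for the token. The JDBC realm uses NoPassMatcher, so it
 * "succeeds" for any known name; it may contribute roles and permissions to
 * the merged principals, but on its own it must never log a user in.
 *
 * Wiring in shiro.ini (realm names must be set so the strategy can find them):
 *   ldapRealm.name = ldapRealm
 *   ldapRealm2.name = ldapRealm2
 *   authcStrategy = eu.corp.domain.auth.LdapRequiredStrategy
 *   authcStrategy.ldapRealmNames = ldapRealm, ldapRealm2
 */
public class LdapRequiredStrategy extends AtLeastOneSuccessfulStrategy {

    // Configuration only: one strategy instance serves every concurrent login,
    // so nothing per-request may be stored here.
    private final Set<String> ldapRealmNames = new LinkedHashSet<String>();

    public void setLdapRealmNames(String commaSeparated) {
        for (String name : commaSeparated.split(",")) {
            ldapRealmNames.add(name.trim());
        }
    }

    @Override
    public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate)
            throws AuthenticationException {
        // Parent rule: at least one realm of any kind returned principals
        // (a failing realm was already skipped by the inherited afterAttempt()).
        AuthenticationInfo info = super.afterAllAttempts(token, aggregate);
        // The aggregate keeps each realm's principals under that realm's name.
        PrincipalCollection principals = info.getPrincipals();
        for (String realmName : ldapRealmNames) {
            if (!principals.fromRealm(realmName).isEmpty()) {
                return info; // a directory actually checked the password
            }
        }
        throw new AuthenticationException("No LDAP realm authenticated the token");
    }
}
```

Without the extra check, AtLeastOneSuccessfulStrategy would accept a login that only the password-less JDBC realm "succeeded" on, which is exactly the failure mode to guard against when mixing a name-only realm with directory authentication.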