Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.
Apache Shiro’s first and foremost goal is to be easy to use and understand. Security can be very complex at times, even painful, but it doesn’t have to be. A framework should mask complexities where possible and expose a clean and intuitive API that simplifies the developer’s effort to make their application(s) secure.
Here are some things that you can do with Apache Shiro:
- Authenticate a user to verify their identity
- Perform access control for a user, such as:
  - Determine if a user is assigned a certain security role or not
  - Determine if a user is permitted to do something or not
- Use a Session API in any environment, even without web or EJB containers.
- React to events during authentication, access control, or during a session’s lifetime.
- Aggregate 1 or more data sources of user security data and present this all as a single composite user ‘view’.
- Enable Single Sign On (SSO) functionality
- Enable ‘Remember Me’ services for user association without login … and much more - all integrated into a cohesive easy-to-use API.
Shiro attempts to achieve these goals for all application environments - from the simplest command line application to the largest enterprise applications - without forcing dependencies on other third-party frameworks, containers, or application servers. Of course the project aims to integrate into these environments wherever possible, but it can be used out-of-the-box in any environment.
Apache Shiro Features
Apache Shiro is a comprehensive application security framework with many features. The following diagram shows where Shiro focuses its energy, and this reference manual will be organized similarly:
Shiro targets what the Shiro development team calls “the four cornerstones of application security” - Authentication, Authorization, Session Management, and Cryptography:
- Authentication: Sometimes referred to as ‘login’, this is the act of proving a user is who they say they are.
- Authorization: The process of access control, i.e. determining ‘who’ has access to ‘what’.
- Session Management: Managing user-specific sessions, even in non-web or EJB applications.
- Cryptography: Keeping data secure using cryptographic algorithms while still being easy to use.
There are also additional features to support and reinforce these concerns in different application environments, especially:
- Web Support: Shiro’s web support APIs help easily secure web applications.
- Caching: Caching is a first-tier citizen in Apache Shiro’s API to ensure that security operations remain fast and efficient.
- Concurrency: Apache Shiro supports multi-threaded applications with its concurrency features.
- Testing: Test support exists to help you write unit and integration tests and ensure your code will be secured as expected.
- “Run As”: A feature that allows users to assume the identity of another user (if they are allowed), sometimes useful in administrative scenarios.
- “Remember Me”: Remember users’ identities across sessions so they only need to log in when mandatory.
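The four cornerstones (authentication, authorization, session management, cryptography) exercised from a plain command-line program, as an added example that is not code from the Shiro manual: it assumes shiro-core on the classpath, and the user "alice", the role "admin", the wildcard permission "user:*" and the INI text are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroCornerstones {
    // Constructed demo data: one user, one role, one wildcard permission.
    // Plaintext credentials keep the demo short; a real realm would store
    // hashed credentials and use a HashedCredentialsMatcher.
    private static final String INI =
            "[users]\n"
          + "alice = secret, admin\n"
          + "[roles]\n"
          + "admin = user:*\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // No web container or EJB involved: a plain SecurityManager over an INI realm.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
        Subject subject = SecurityUtils.getSubject();

        // Authentication: a bad password is rejected before any access decision is made.
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException rejected) {
            System.out.println("bad password rejected: " + rejected.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("authenticated as " + subject.getPrincipal());

        // Authorization: "who" may do "what", by role and by permission.
        System.out.println("hasRole(admin): " + subject.hasRole("admin"));
        System.out.println("isPermitted(user:delete): " + subject.isPermitted("user:delete"));
        System.out.println("isPermitted(report:run): " + subject.isPermitted("report:run"));

        // Session management: a Shiro-managed session outside any web container.
        Session session = subject.getSession();
        session.setAttribute("cart", "3 items");
        System.out.println("session " + session.getId() + " cart=" + session.getAttribute("cart"));

        // Cryptography: a salted, iterated hash of a credential via Shiro's hash API.
        System.out.println("hash: " + new Sha256Hash("secret", "constructed-salt", 1024).toHex());

        // Logout clears the authenticated state and invalidates the session.
        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```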