How do concepts of User (UserAccount) and Realm relate in Apache Shiro?
Question
I'm reading up on Apache Shiro and would like to see if I got this mental model right.
From the docs: "A Realm is a component that can access application-specific security data such as users, roles, and permissions." .. "Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource."
Moreover, I've read that an application may include multiple realms for its authentication and authorization purposes.
Ok so great, but how do these Realms relate to the concept of a User?
- is every Realm expected to be a partition over the user-space? I.e.: a User may only ever occur in 1 Realm
- or, and this is what I'm expecting, Realms can be used to layer authentication & authorization on top of each other and may work on the same User. However, in that case, where is the User managed? It should be somewhere external to a Realm I guess, but where?
Perhaps I'm confused by this because I'm thinking of User as a single entity (e.g.: of me there can be only one), and should instead be thinking of User as a UserAccount. I.e.: each Realm manages its own UserAccounts (in the docs called User), but a User may have multiple UserAccounts. Is that correct?
Assuming the above is correct:
- is there any logic that enables me to query for all UserAccounts of a given User? I.e.: basically merging all UserAccounts together to get a complete view of the User?
- does the concept of User in this case (1 User possibly having multiple UserAccounts) even exist in Shiro?
Answer
You define the relation between Realms in the authenticationStrategy. Let's see the example. A user will be authenticated only when he passes authentication against all realms. You can make your own authenticationStrategy implementation which says just one successful authentication is enough or whatsoever.
In the example, we combine a JDBC realm that stores user names (no passwords) with authentication against LDAP.
Let's say you add another LDAP realm and create an authenticationStrategy where not all authentications against the realms are needed, but just one successful authentication against LDAP is enough.
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:comp/env/jdbc/xxx
noPassWordCredentialMatcher = eu.corp.domain.auth.NoPassMatcher
ldapRealm = eu.corp.domain.auth.CustomActiveDirectoryRealm
ldapRealm.searchBase = OU=USERS,OU=EN,DC=our,DC=corp
ldapRealm.url = ldap://our.corp:389
ldapRealm.principalSuffix = @our.corp
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $noPassWordCredentialMatcher
jdbcRealm.authenticationQuery = SELECT name FROM auth WHERE name = ?
jdbcRealm.userRolesQuery = SELECT role.shortcut FROM auth LEFT JOIN auth_role ON auth_role.auth_id = auth.id LEFT JOIN role ON role.id = auth_role.role_id WHERE auth.name = ?
jdbcRealm.permissionsQuery = SELECT permission.shortcut FROM role JOIN role_permission ON role_permission.role_id = role.id JOIN permission ON permission.id = role_permission.permission_id WHERE role.shortcut = ?
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
securityManager.realms = $ldapRealm, $jdbcRealm
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
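As an added illustration of the "make your own authenticationStrategy" point above (this is example code, not from the answer or from Shiro itself), the following strategy requires the LDAP realm to succeed but tolerates a failure of the JDBC realm, and the helper at the end shows that the merged PrincipalCollection keeps each realm's principals under that realm's name, which is the "merged view of all UserAccounts" the question asks about. The realm name given to the constructor is assumed to match the realm's getName().

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical strategy: one named realm must succeed, the others are optional. */
public class LdapRequiredStrategy extends AbstractAuthenticationStrategy {

    private final String requiredRealmName; // assumed: e.g. the LDAP realm's getName()

    public LdapRequiredStrategy(String requiredRealmName) {
        this.requiredRealmName = requiredRealmName;
    }

    @Override
    public AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token,
            AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)
            throws AuthenticationException {
        boolean failed = t != null || singleRealmInfo == null;
        if (failed && requiredRealmName.equals(realm.getName())) {
            // the realm that actually verifies credentials failed: reject the whole login
            throw new AuthenticationException("required realm " + realm.getName() + " failed", t);
        }
        if (failed) {
            return aggregateInfo; // optional realm (e.g. JDBC names/roles): keep what we have
        }
        // merge() adds this realm's principals to the aggregate, keyed by realm.getName()
        return merge(singleRealmInfo, aggregateInfo);
    }

    @Override
    public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate)
            throws AuthenticationException {
        PrincipalCollection principals = aggregate == null ? null : aggregate.getPrincipals();
        if (principals == null || principals.fromRealm(requiredRealmName).isEmpty()) {
            throw new AuthenticationException("no principal from required realm " + requiredRealmName);
        }
        return aggregate;
    }

    /** Per-realm "accounts" of one Subject: each realm's principals under its realm name. */
    public static String describe(PrincipalCollection principals) {
        StringBuilder sb = new StringBuilder();
        for (String realmName : principals.getRealmNames()) {
            sb.append(realmName).append(" -> ").append(principals.fromRealm(realmName)).append('\n');
        }
        return sb.toString();
    }
}
```

Wire it in place of AllSuccessfulStrategy with `authcStrategy = LdapRequiredStrategy` in the [main] section (plus its constructor argument via a property setter if you adapt it), and after login call `describe(SecurityUtils.getSubject().getPrincipals())` to see which realm contributed which principal.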