How do concepts of User (UserAccount) and Realm relate in Apache Shiro?


Problem description

I'm reading up on Apache Shiro and would like to see if I got this mental model right.


From the docs: "A Realm is a component that can access application-specific security data such as users, roles, and permissions." ... "Realms usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource."

Moreover, I've read that an application may include multiple realms for its authentication and authorization purposes.

Ok so great, but how do these Realms relate to the concept of a User?


  • Is every Realm expected to be a partition over the user-space? I.e.: a User may only ever occur in 1 Realm.
  • Or, and this is what I'm expecting, Realms can be used to layer authentication & authorization on top of each other and may work on the same User. However, in that case, where is the User managed? It should be somewhere external to a Realm, I guess, but where?

Perhaps I'm confused by this because I'm thinking of User as a single entity (e.g.: of me there can be only one), and should instead be thinking of User as a UserAccount. I.e.: each Realm manages its own UserAccounts (in the docs called User), but a User may have multiple UserAccounts. Is that correct?

Assuming the above is correct:


  • Is there any logic that enables me to query for all UserAccounts of a given User? I.e.: basically merging all UserAccounts together to get a complete view of the User?
  • Does the concept of User in this case (1 User possibly having multiple UserAccounts) even exist in Shiro?

Recommended answer

You define the relation between Realms in the authenticationStrategy. Let's see the example. The User will be authenticated only when he passes authentication against all realms. You can make your own authenticationStrategy implementation which says just one successful authentication is enough, or whatsoever.

In the example, we combine a JDBC realm to store user names (no passwords) and authenticate it against LDAP.

Let's say you add another LDAP realm and create an authenticationStrategy where not all authentications against the realms are needed, but just one successful authentication against LDAP is enough.

```ini
[main]
# DataSource for the JDBC realm, looked up through JNDI
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:comp/env/jdbc/xxx

# Custom matcher: the JDBC realm stores no passwords, so it must not compare credentials
noPassWordCredentialMatcher = eu.corp.domain.auth.NoPassMatcher

# Realm 1: password check against Active Directory over LDAP
ldapRealm = eu.corp.domain.auth.CustomActiveDirectoryRealm
ldapRealm.searchBase = OU=USERS,OU=EN,DC=our,DC=corp
ldapRealm.url = ldap://our.corp:389
ldapRealm.principalSuffix = @our.corp

# Realm 2: the same user name must exist in the database; roles and permissions come from here
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.credentialsMatcher = $noPassWordCredentialMatcher

jdbcRealm.authenticationQuery = SELECT name FROM auth WHERE name = ?
jdbcRealm.userRolesQuery = SELECT role.shortcut FROM auth LEFT JOIN auth_role ON auth_role.auth_id = auth.id LEFT JOIN role ON role.id = auth_role.role_id WHERE auth.name = ?
jdbcRealm.permissionsQuery = SELECT permission.shortcut FROM role JOIN role_permission ON role_permission.role_id = role.id JOIN permission ON permission.id = role_permission.permission_id WHERE role.shortcut = ?

cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

# Both realms are consulted; AllSuccessfulStrategy rejects the login unless every realm succeeds
securityManager.realms = $ldapRealm, $jdbcRealm
authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
```
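As an added illustration (not part of the answer above, and using Shiro's in-memory SimpleAccountRealm with constructed accounts in place of the answer's LDAP and JDBC realms), the following Java program shows how the chosen authenticationStrategy decides whether a login must succeed in every realm or in at least one, and how the resulting PrincipalCollection keeps each realm's account under the realm's name, which is Shiro's closest match to the "one User, several UserAccounts" view raised in the question. Realm names, user names and passwords are made up for the example.

```java
import java.util.Arrays;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
public class MultiRealmDemo {
    // Two in-memory realms with constructed accounts, standing in for the answer's
    // LDAP and JDBC realms: "alice" exists in both, "bob" only in the LDAP-like one.
    static DefaultSecurityManager build(AuthenticationStrategy strategy) {
        SimpleAccountRealm ldapLike = new SimpleAccountRealm("ldapRealm");
        ldapLike.addAccount("alice", "secret");
        ldapLike.addAccount("bob", "hunter2");
        SimpleAccountRealm jdbcLike = new SimpleAccountRealm("jdbcRealm");
        jdbcLike.addAccount("alice", "secret", "admin"); // roles come from this realm
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setAuthenticator(authenticator); // set before the realms so they are wired in
        sm.setRealms(Arrays.<Realm>asList(ldapLike, jdbcLike));
        return sm;
    }

    // Authenticates once and returns the names of the realms that contributed an account:
    // the PrincipalCollection keeps each realm's principal under the realm's name.
    static Set<String> realmsFor(DefaultSecurityManager sm, String user, String pass) {
        try {
            AuthenticationInfo info = sm.authenticate(new UsernamePasswordToken(user, pass));
            return info.getPrincipals().getRealmNames();
        } catch (AuthenticationException e) {
            return null; // the strategy rejected the login
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager all = build(new AllSuccessfulStrategy());
        DefaultSecurityManager any = build(new AtLeastOneSuccessfulStrategy());
        // bob has no jdbcRealm account: rejected under AllSuccessful, accepted under AtLeastOne
        System.out.println(realmsFor(all, "alice", "secret"));
        System.out.println(realmsFor(all, "bob", "hunter2"));
        System.out.println(realmsFor(any, "bob", "hunter2"));
    }
}
```

Under AllSuccessfulStrategy a missing account in any realm raises an UnknownAccountException, so a user who only exists in the directory never gets a Subject; under AtLeastOneSuccessfulStrategy the merged principals list only the realms that actually matched.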
