Shiro淺析:Shiro的登入驗證過程
阿新 • • 發佈:2021-06-22
Shiro淺析:Shiro的登入驗證過程
shiro的登入驗證是從Subject.login開始的
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePassword(username, password [, remenberme]);
subject.login(token);
下面來看看Subject的實現類org.apache.shiro.subject.support.DelegatingSubject類的login方法是怎麼實現的
public void login(AuthenticationToken token) throws AuthenticationException { clearRunAsIdentitiesInternal(); // 代理的SecurityManager Subject subject = securityManager.login(this, token); /**……*/ this.principals = principals; this.authenticated = true; if (token instanceof HostAuthenticationToken) { host = ((HostAuthenticationToken) token).getHost(); } if (host != null) { this.host = host; } Session session = subject.getSession(false); if (session != null) { this.session = decorate(session); } else { this.session = null; } }
可以發現Subject的login方法其實是SecurityManger介面實現的DefaultSecurityManager的代理。我們接著往下看DefaultSecurityManager的login方法
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info; try { info = authenticate(token); } catch (AuthenticationException ae) { try { onFailedLogin(token, ae, subject); } catch (Exception e) { if (log.isInfoEnabled()) { log.info("onFailedLogin method threw an " + "exception. Logging and propagating original AuthenticationException.", e); } } throw ae; //propagate } Subject loggedIn = createSubject(token, info, subject); onSuccessfulLogin(token, info, loggedIn); return loggedIn; } public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { return this.authenticator.authenticate(token); }
呼叫Authenticator.authenticate方法獲取info,最後到了AbstractAuthenticator類
if (token == null) { throw new IllegalArgumentException("Method argument (authentication token) cannot be null."); } log.trace("Authentication attempt received for token [{}]", token); AuthenticationInfo info; try { info = doAuthenticate(token); if (info == null) { String msg = "No account information found for authentication token [" + token + "] by this " + "Authenticator instance. Please check that it is configured correctly."; throw new AuthenticationException(msg); } } catch (Throwable t) { } log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info); notifySuccess(token, info); return info;
我們可以看到一個與重寫realm中類似方法doAuthenticate,我們接著問下翻,發現doAuthenticate是來自AbstractAuthenticator的ModularRealmAuthenticator子類
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
assertRealmsConfigured();
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
} else {
return doMultiRealmAuthentication(realms, authenticationToken);
}
}
可以發現這裡實際上是獲取了我們在Shiro的配置類註冊的Realm類,同時對一個或是多個Realm配置執行不同的方法。
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(loginRealm());
securityManager.setSessionManager(sessionManager());
return securityManager;
}
接下來doSingleRealmAuthentication獲取AuthenticationInfo型別的實體, 。而我們重寫的realm類也是返回的AuthenticationInfo
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
if (!realm.supports(token)) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException(msg);
}
AuthenticationInfo info = realm.getAuthenticationInfo(token);
// 賬戶錯誤異常
if (info == null) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException(msg);
}
return info;
}
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// 嘗試從快取中讀取token
AuthenticationInfo info = getCachedAuthenticationInfo(token);
if (info == null) {
//otherwise not cached, perform the lookup:
// 呼叫自己realm類的doGetAuthenticationInfo
info = doGetAuthenticationInfo(token);
log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
if (token != null && info != null) {
cacheAuthenticationInfoIfPossible(token, info);
}
} else {
log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
}
if (info != null) {
assertCredentialsMatch(token, info);
} else {
log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
}
return info;
}
protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;
getAuthenticationInfo來自AuthenticatingRealm類,我們寫的realm類也是繼承自這個抽象類