ports str logging eat assert lec base side turn

接觸和使用shiro還是有好大一段時間，可惜並沒有搞明白其實的原理和機制。因為工作中使用的框架都封裝好了，so......並沒有去研究。

原來一直猜想的是shiro可以直接連接數據庫，驗證用戶名和密碼。但是又沒在實體類中找到有什麽特殊的標記註解之類的。

就有點好奇了，於是趁這兩天工作不是那麽緊張了，就跟了下源碼。

如有不對，請留言指正。蟹蟹！

紅色部分是主要代碼； UsernamePasswordToken token = new UsernamePasswordToken(user.getUserName(), password, rememberMe.equals("0") ? false : true); Subject currentUser = AppUtils.getSubject(); try { currentUser.login(token); } catch (AuthenticationException e) { token.clear(); model.addAttribute("user_err", "用戶名或密碼錯誤"); return loginUrl; } 將登錄委托給subjectManager public void login(AuthenticationToken token) throws AuthenticationException { clearRunAsIdentitiesInternal(); Subject subject = securityManager.login(this, token); PrincipalCollection principals; String host = null; if (subject instanceof DelegatingSubject) { DelegatingSubject delegating = (DelegatingSubject) subject; //we have to do this in case there are assumed identities - we don‘t want to lose the ‘real‘ principals: principals = delegating.principals; host = delegating.host; } else { principals = subject.getPrincipals(); } if (principals == null || principals.isEmpty()) { String msg = "Principals returned from securityManager.login( token ) returned a null or " + "empty value. This value must be non null and populated with one or more elements."; throw new IllegalStateException(msg); } this.principals = principals; this.authenticated = true; if (token instanceof HostAuthenticationToken) { host = ((HostAuthenticationToken) token).getHost(); } if (host != null) { this.host = host; } Session session = subject.getSession(false); if (session != null) { this.session = decorate(session); } else { this.session = null; } } subjectManager調authenticate模塊進行身份認證 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info; try { info = authenticate(token); } catch (AuthenticationException ae) { try { onFailedLogin(token, ae, subject); } catch (Exception e) { if (log.isInfoEnabled()) { log.info("onFailedLogin method threw an " + "exception. Logging and propagating original AuthenticationException.", e); } } throw ae; //propagate } Subject loggedIn = createSubject(token, info, subject); onSuccessfulLogin(token, info, loggedIn); return loggedIn; } public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { return this.authenticator.authenticate(token); } public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { if (token == null) { throw new IllegalArgumentException("Method argumet (authentication token) cannot be null."); } log.trace("Authentication attempt received for token [{}]", token); AuthenticationInfo info; try { info = doAuthenticate(token); if (info == null) { String msg = "No account information found for authentication token [" + token + "] by this " + "Authenticator instance. Please check that it is configured correctly."; throw new AuthenticationException(msg); } } catch (Throwable t) {...... 判斷Realm是否有實現類 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException { assertRealmsConfigured(); //配置文件中註入了bean Collection<Realm> realms = getRealms(); if (realms.size() == 1) { return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); } else { //這一步還不清楚 return doMultiRealmAuthentication(realms, authenticationToken); } } 調用重寫的登錄方法getAuthenticationInfo protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) { if (!realm.supports(token)) { String msg = "Realm [" + realm + "] does not support authentication token [" + token + "]. Please ensure that the appropriate Realm implementation is " + "configured correctly or that the realm accepts AuthenticationTokens of this type."; throw new UnsupportedTokenException(msg); } AuthenticationInfo info = realm.getAuthenticationInfo(token); if (info == null) { String msg = "Realm [" + realm + "] was unable to find account data for the " + "submitted AuthenticationToken [" + token + "]."; throw new UnknownAccountException(msg); } return info; }

最後調用自己實現的用戶名密碼驗證

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) { UsernamePasswordToken upToken = (UsernamePasswordToken) arg0; String password = String.valueOf(upToken.getPassword()); SysUserMember us = sysUserRepository.doGetAuthenticationInfoAvailable(upToken.getUsername()); if (us == null) { throw new AuthenticationException("查詢無此用戶."); } else if (StringUtils.isBlank(us.getUserName()) || StringUtils.isBlank(us.getUserPassword())) { throw new AuthenticationException("查詢無此用戶."); } else if (!us.getUserPassword().equals(password)) { throw new AuthenticationException("用戶名或密碼錯誤."); } else { SecurityUtils.getSubject().getSession().setAttribute(AppConfig.SESSION_KEY, us); SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(us.getUserName(), us.getUserPassword(), getName()); return info; } }

shiro登錄模塊源碼分析