shiro登錄模塊源碼分析
阿新 • • 發佈:2017-07-27
ports str logging eat assert lec base side turn
} catch (AuthenticationException e) {
token.clear();
model.addAttribute("user_err", "用戶名或密碼錯誤");
return loginUrl;
}
將登錄委托給subjectManager
public void login(AuthenticationToken token) throws AuthenticationException {
clearRunAsIdentitiesInternal();
Subject subject = securityManager.login(this, token);
PrincipalCollection principals;
String host = null;
if (subject instanceof DelegatingSubject) {
DelegatingSubject delegating = (DelegatingSubject) subject;
//we have to do this in case there are assumed identities - we don‘t want to lose the ‘real‘ principals:
principals = delegating.principals;
host = delegating.host;
} else {
principals = subject.getPrincipals();
}
if (principals == null || principals.isEmpty()) {
String msg = "Principals returned from securityManager.login( token ) returned a null or " +
"empty value. This value must be non null and populated with one or more elements.";
throw new IllegalStateException(msg);
}
this.principals = principals;
this.authenticated = true;
if (token instanceof HostAuthenticationToken) {
host = ((HostAuthenticationToken) token).getHost();
}
if (host != null) {
this.host = host;
}
Session session = subject.getSession(false);
if (session != null) {
this.session = decorate(session);
} else {
this.session = null;
}
}
subjectManager調authenticate模塊進行身份認證
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
info = authenticate(token);
} catch (AuthenticationException ae) {
try {
onFailedLogin(token, ae, subject);
} catch (Exception e) {
if (log.isInfoEnabled()) {
log.info("onFailedLogin method threw an " +
"exception. Logging and propagating original AuthenticationException.", e);
}
}
throw ae; //propagate
}
Subject loggedIn = createSubject(token, info, subject);
onSuccessfulLogin(token, info, loggedIn);
return loggedIn;
}
public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
return this.authenticator.authenticate(token);
}
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
if (token == null) {
throw new IllegalArgumentException("Method argumet (authentication token) cannot be null.");
}
log.trace("Authentication attempt received for token [{}]", token);
AuthenticationInfo info;
try {
info = doAuthenticate(token);
if (info == null) {
String msg = "No account information found for authentication token [" + token + "] by this " +
"Authenticator instance. Please check that it is configured correctly.";
throw new AuthenticationException(msg);
}
} catch (Throwable t) {......
判斷Realm是否有實現類
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
assertRealmsConfigured();
//配置文件中註入了bean
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
} else {
//這一步還不清楚
return doMultiRealmAuthentication(realms, authenticationToken);
}
}
調用重寫的登錄方法getAuthenticationInfo
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
if (!realm.supports(token)) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException(msg);
}
AuthenticationInfo info = realm.getAuthenticationInfo(token);
if (info == null) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException(msg);
}
return info;
}
接觸和使用shiro還是有好大一段時間,可惜並沒有搞明白其實的原理和機制。因為工作中使用的框架都封裝好了,so......並沒有去研究。
原來一直猜想的是shiro可以直接連接數據庫,驗證用戶名和密碼。但是又沒在實體類中找到有什麽特殊的標記註解之類的。
就有點好奇了,於是趁這兩天工作不是那麽緊張了,就跟了下源碼。
如有不對,請留言指正。蟹蟹!
紅色部分是主要代碼; UsernamePasswordToken token = new UsernamePasswordToken(user.getUserName(), password, rememberMe.equals("0") ? false : true); Subject currentUser = AppUtils.getSubject(); try { currentUser.login(token);
最後調用自己實現的用戶名密碼驗證
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) { UsernamePasswordToken upToken = (UsernamePasswordToken) arg0; String password = String.valueOf(upToken.getPassword()); SysUserMember us = sysUserRepository.doGetAuthenticationInfoAvailable(upToken.getUsername()); if (us == null) { throw new AuthenticationException("查詢無此用戶."); } else if (StringUtils.isBlank(us.getUserName()) || StringUtils.isBlank(us.getUserPassword())) { throw new AuthenticationException("查詢無此用戶."); } else if (!us.getUserPassword().equals(password)) { throw new AuthenticationException("用戶名或密碼錯誤."); } else { SecurityUtils.getSubject().getSession().setAttribute(AppConfig.SESSION_KEY, us); SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(us.getUserName(), us.getUserPassword(), getName()); return info; } }shiro登錄模塊源碼分析