【shiro】The login flow (the call path that leads to ShiroAccountRealm doGetAuthenticationInfo)
For the interceptor (filter) mechanism, see http://jinnianshilongnian.iteye.com/blog/2025656
The filters are registered here:
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean getShiroFilter() {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(getDefaultWebSecurityManager());
        shiroFilterFactoryBean.setLoginUrl("/login");
        shiroFilterFactoryBean.setSuccessUrl("/index");
        // Replace the built-in "authc" filter with the custom captcha-aware form filter.
        Map<String, Filter> filters = new HashMap<>();
        filters.put("authc", getFormAuthenticationCaptchaFilter()); //******************************//
        filters.put("logout", getLogoutFilter());
        shiroFilterFactoryBean.setFilters(filters);
        shiroFilterFactoryBean.setFilterChainDefinitionMap(getFilterChainDefinitionMap());
        return shiroFilterFactoryBean;
    }

    private Map<String, String> getFilterChainDefinitionMap() {
        // LinkedHashMap keeps insertion order; the first matching pattern wins.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
        filterChainDefinitionMap.put("/login", "authc"); //******************************//
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/druid", "anon");
        filterChainDefinitionMap.put("/olv3", "anon");
        // "/*" matches a single path segment; these paths are served without authentication.
        filterChainDefinitionMap.put("/*", "anon");
        return filterChainDefinitionMap;
    }
————————————————————————————————————————————————————————
FormAuthenticationCaptchaFilter
    extends FormAuthenticationFilter
    extends AuthenticatingFilter
    extends AuthenticationFilter
    extends AccessControlFilter
isAccessAllowed and onAccessDenied are methods of AccessControlFilter.
【-A-】FormAuthenticationFilter's onAccessDenied method is called
    return executeLogin(request, response);
【-B-】AuthenticatingFilter's executeLogin method is called
    AuthenticationToken token = createToken(request, response);
    Subject subject = getSubject(request, response);
    subject.login(token);
【-C-】Subject is an interface
The call actually goes to DelegatingSubject's login method
    Subject subject = securityManager.login(this, token);
【-D-】SecurityManager is an interface
The call actually goes to DefaultSecurityManager's login method
    AuthenticationInfo info;
    info = authenticate(token);
【-E-】AuthenticatingSecurityManager's authenticate method is called
It returns the result of the Authenticator interface's authenticate method,
which is actually AbstractAuthenticator's authenticate method:
    AuthenticationInfo info;
    info = doAuthenticate(token);
【-F-】ModularRealmAuthenticator's doAuthenticate method is called
    assertRealmsConfigured();
    Collection<Realm> realms = getRealms();
    if (realms.size() == 1) {
        return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
    } else {
        return doMultiRealmAuthentication(realms, authenticationToken);
    }
【-G-】doSingleRealmAuthentication(Realm realm, AuthenticationToken token) is called
    AuthenticationInfo info = realm.getAuthenticationInfo(token);
【-H-】The Realm interface's getAuthenticationInfo(token) method is called
The call actually goes to AuthenticatingRealm's getAuthenticationInfo(token) method
    AuthenticationInfo info = getCachedAuthenticationInfo(token);
    if (info == null) {
        //otherwise not cached, perform the lookup:
        info = doGetAuthenticationInfo(token);
    }
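【-I-】ShiroAccountRealm's doGetAuthenticationInfo(token) method is called
And this is the method we write ourselves!!!
    AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(username, user.getPassword(), this.getName());
authcInfo is returned and then passed back up through each caller in the chain.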
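
Steps C through I can be exercised without a servlet container. The following is an added example, not code from the original post: it shows that doGetAuthenticationInfo only looks the account up, while the password comparison and the "unknown account" decision are made by the framework further up the chain. It assumes Shiro 1.x and Java 9+; LoginFlowDemo, DemoRealm, the in-memory user table, the salt and the iteration count are all constructed for illustration.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import java.util.Map;

// Added example; assumes Shiro 1.x and Java 9+. DemoRealm, USERS and SALT are constructed.
public class LoginFlowDemo {
    static final String SALT = "constructed-salt";
    static final int ITERATIONS = 1024;
    // Constructed user store: username -> hex-encoded salted SHA-256 hash.
    static final Map<String, String> USERS =
            Map.of("alice", new Sha256Hash("correct-horse", SALT, ITERATIONS).toHex());
    static class DemoRealm extends AuthenticatingRealm {
        DemoRealm() {
            HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            m.setHashIterations(ITERATIONS);
            setCredentialsMatcher(m);
        }
        @Override // step I: looks the account up, never compares the password itself
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = ((UsernamePasswordToken) token).getUsername();
            String storedHash = USERS.get(username);
            if (storedHash == null) return null; // step G turns null into UnknownAccountException
            return new SimpleAuthenticationInfo(username, storedHash,
                    ByteSource.Util.bytes(SALT), getName());
        }
    }
    static String tryLogin(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password)); // steps C to I
            return "authenticated";
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "wrong password"; // thrown in step H, after step I has returned
        }
    }
    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new DemoRealm());
        System.out.println(tryLogin(sm, "alice", "correct-horse"));
        System.out.println(tryLogin(sm, "alice", "guess"));
        System.out.println(tryLogin(sm, "mallory", "x"));
    }
}
```

The two failure cases surface as different exception types; a login form should show the same message for both so that responses do not reveal which usernames exist.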