Apache Shiro的登录过程分析

其他 2018-09-23 22:58:56 阅读次数: 0
来源:https://blog.csdn.net/jin5203344/article/details/53174341

关于shiro就不用做过多介绍了,今天主要分析下登录过程


首先我大致画了个流程图(可能不够详细):

第一步:用户登录,根据用户登录名密码生产Token 

  1. UsernamePasswordToken token = new UsernamePasswordToken(username, password);
  2. Subject subject = SecurityUtils.getSubject();
  3. subject.login(token);
这里调用了代理subject的login方法,代码如下:

  1. public void login(AuthenticationToken token) throws AuthenticationException {
  2. clearRunAsIdentitiesInternal();
  3. Subject subject = securityManager.login( this, token);
  5. PrincipalCollection principals;
  7. String host = null;
  9. if (subject instanceof DelegatingSubject) {
  10. DelegatingSubject delegating = (DelegatingSubject) subject;
  11. //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
  12. principals = delegating.principals;
  13. host = delegating.host;
  14. } else {
  15. principals = subject.getPrincipals();
  16. }
  18. if (principals == null || principals.isEmpty()) {
  19. String msg = "Principals returned from securityManager.login( token ) returned a null or " +
  20. "empty value. This value must be non null and populated with one or more elements.";
  21. throw new IllegalStateException(msg);
  22. }
  23. this.principals = principals;
  24. this.authenticated = true;
  25. if (token instanceof HostAuthenticationToken) {
  26. host = ((HostAuthenticationToken) token).getHost();
  27. }
  28. if (host != null) {
  29. this.host = host;
  30. }
  31. Session session = subject.getSession( false);
  32. if (session != null) {
  33. this.session = decorate(session);
  34. } else {
  35. this.session = null;
  36. }
  37. }
可以看到第二行,实际是调用securityManager的login方法

第二步:调用securityManager的login方法 

  1. public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
  2. AuthenticationInfo info;
  3. try {
  4. info = authenticate(token);
  5. } catch (AuthenticationException ae) {
  6. try {
  7. onFailedLogin(token, ae, subject);
  8. } catch (Exception e) {
  9. if (log.isInfoEnabled()) {
  10. log.info( "onFailedLogin method threw an " +
  11. "exception. Logging and propagating original AuthenticationException.", e);
  12. }
  13. }
  14. throw ae; //propagate
  15. }
  17. Subject loggedIn = createSubject(token, info, subject);
  19. onSuccessfulLogin(token, info, loggedIn);
  21. return loggedIn;
  22. }
   第三步:调用securityManager的 authenticate方法 该方法在 其上级类 AuthenticatingSecurityManager中,代码如下:

  1. public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
  2. return this.authenticator.authenticate(token);
  3. }
实际调用了authenticator的authenticate方法,而AuthenticatingSecurityManager的无参构造函数中

  1. public AuthenticatingSecurityManager() {
  2. super();
  3. this.authenticator = new ModularRealmAuthenticator();
  4. }
而ModularRealmAuthenticator类继承了AbstractAuthenticator类

    第四步:调用AbstractAuthenticator的authenticate方法

  1. public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
  3. if (token == null) {
  4. throw new IllegalArgumentException( "Method argumet (authentication token) cannot be null.");
  5. }
  7. log.trace( "Authentication attempt received for token [{}]", token);
  9. AuthenticationInfo info;
  10. try {
  11. info = doAuthenticate(token);
  12. if (info == null) {
  13. String msg = "No account information found for authentication token [" + token + "] by this " +
  14. "Authenticator instance. Please check that it is configured correctly.";
  15. throw new AuthenticationException(msg);
  16. }
  17. } catch (Throwable t) {
  18. AuthenticationException ae = null;
  19. if (t instanceof AuthenticationException) {
  20. ae = (AuthenticationException) t;
  21. }
  22. if (ae == null) {
  23. //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
  24. //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate:
  25. String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
  26. "error? (Typical or expected login exceptions should extend from AuthenticationException).";
  27. ae = new AuthenticationException(msg, t);
  28. }
  29. try {
  30. notifyFailure(token, ae);
  31. } catch (Throwable t2) {
  32. if (log.isWarnEnabled()) {
  33. String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
  34. "Please check your AuthenticationListener implementation(s). Logging sending exception " +
  35. "and propagating original AuthenticationException instead...";
  36. log.warn(msg, t2);
  37. }
  38. }
  41. throw ae;
  42. }
  44. log.debug( "Authentication successful for token [{}]. Returned account [{}]", token, info);
  46. notifySuccess(token, info);
  48. return info;
  49. }
看try语句中的 doAuthenticate()方法 则是在其子类ModularRealmAuthenticator中实现,所以

第五步:调用ModularRealmAuthenticator的doAuthenticate方法

  1. protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
  2. assertRealmsConfigured();
  3. Collection<Realm> realms = getRealms();
  4. if (realms.size() == 1) {
  5. return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
  6. } else {
  7. return doMultiRealmAuthentication(realms, authenticationToken);
  8. }
  9. }
第二行获取realms,但我们记得只配置过realm,realms是什么时候赋值的呢,其实很简单  spring对bean属性的赋值是通过反射 实际调用的是set方法,即我们配置了

一个property 为realm的属性  对属性注入的时候调用的setRealm方法

  1. public void setRealm(Realm realm) {
  2. if (realm == null) {
  3. throw new IllegalArgumentException( "Realm argument cannot be null");
  4. }
  5. Collection<Realm> realms = new ArrayList<Realm>( 1);
  6. realms.add(realm);
  7. setRealms(realms);
  8. }
所以这里我们的realms实际就是配置的realm,当然前提是我们只配置了单个

第六步:调用ModularRealmAuthenticator的doSingleRealmAuthentication方法

  1. protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
  2. if (!realm.supports(token)) {
  3. String msg = "Realm [" + realm + "] does not support authentication token [" +
  4. token + "]. Please ensure that the appropriate Realm implementation is " +
  5. "configured correctly or that the realm accepts AuthenticationTokens of this type.";
  6. throw new UnsupportedTokenException(msg);
  7. }
  8. AuthenticationInfo info = realm.getAuthenticationInfo(token);
  9. if (info == null) {
  10. String msg = "Realm [" + realm + "] was unable to find account data for the " +
  11. "submitted AuthenticationToken [" + token + "].";
  12. throw new UnknownAccountException(msg);
  13. }
  14. return info;
  15. }
其中调用了realm自身的getAuthenticationInfo方法

第七步:调用AuthenticatingRealm的getAuthenticationInfo方法

  1. public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  3. AuthenticationInfo info = getCachedAuthenticationInfo(token);
  4. if (info == null) {
  5. //otherwise not cached, perform the lookup:
  6. info = doGetAuthenticationInfo(token);
  7. log.debug( "Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
  8. if (token != null && info != null) {
  9. cacheAuthenticationInfoIfPossible(token, info);
  10. }
  11. } else {
  12. log.debug( "Using cached authentication info [{}] to perform credentials matching.", info);
  13. }
  15. if (info != null) {
  16. assertCredentialsMatch(token, info);
  17. } else {
  18. log.debug( "No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
  19. }
  21. return info;
  22. }
     第一行代码,通过缓存获取AuthenticationInfo,说到这里正好看看缓存是怎么实现的,同样代码全在这,跟着走就行

 而我们的cacheManager哪来的呢,我们发现在setRealm方法中调用了setRealms

  1. public void setRealms(Collection<Realm> realms) {
  2. if (realms == null) {
  3. throw new IllegalArgumentException( "Realms collection argument cannot be null.");
  4. }
  5. if (realms.isEmpty()) {
  6. throw new IllegalArgumentException( "Realms collection argument cannot be empty.");
  7. }
  8. this.realms = realms;
  9. afterRealmsSet();
  10. }
  12. protected void afterRealmsSet() {
  13. applyCacheManagerToRealms();
  14. applyEventBusToRealms();
  15. }
可以看到在设置完realms以后调用了一个后续处理方法,在afterRealmsSet中 有个调用 applyCacheManagerToRealms方法 ,字面意思也是很好理解 应用缓存管理器

到realms中,而这种方法代码为:

  1. protected void applyCacheManagerToRealms() {
  2. CacheManager cacheManager = getCacheManager();
  3. Collection<Realm> realms = getRealms();
  4. if (cacheManager != null && realms != null && !realms.isEmpty()) {
  5. for (Realm realm : realms) {
  6. if (realm instanceof CacheManagerAware) {
  7. ((CacheManagerAware) realm).setCacheManager(cacheManager);
  8. }
  9. }
  10. }
  11. }
实际就是判断如果cacheManager不为空 就循环realms设置cacheManager

(有点啰嗦,哈哈,自己当时就是这么想的)

在上面getAuthenticationInfo方法中,我们刚才说过第一行是从缓存中取AuthenticationInfo,如果为空

第八步:调用realm的doGetAuthenticationInfo方法

  1. protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  2. // TODO Auto-generated method stub
  3. String userName = (String) token.getPrincipal();
  4. //通过token获取用户信息,这里我们一般从数据库中查询
  5. SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user, password, getName());
  6. return authenticationInfo;
  7. }
返回AuthenticationInfo,接着下面代码

  1. if (token != null && info != null) {
  2. cacheAuthenticationInfoIfPossible(token, info);
  3. }
判断 如果token与获取到的 AuthenticationInfo都不为空,缓存 AuthenticationInfo信息

关于从缓存中查询AuthenticationInfo以及缓存AuthenticationInfo信息的方法 这里就不作分析了,可以看做对一个map的操作吧

当然到这里还没完,同样在上面方法中,

  1. if (info != null) {
  2. assertCredentialsMatch(token, info);
  3. } else {
  4. log.debug( "No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
  5. }
如果 AuthenticationInfo不为空 即通过登录用户查询到了对应的信息

第九步:调用assertCredentialsMatch方法

  1. protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
  2. CredentialsMatcher cm = getCredentialsMatcher();
  3. if (cm != null) {
  4. if (!cm.doCredentialsMatch(token, info)) {
  5. //not successful - throw an exception to indicate this:
  6. String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
  7. throw new IncorrectCredentialsException(msg);
  8. }
  9. } else {
  10. throw new AuthenticationException( "A CredentialsMatcher must be configured in order to verify " +
  11. "credentials during authentication. If you do not wish for credentials to be examined, you " +
  12. "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");
  13. }
  14. }
第一行获取CredentialsMatcher,如果不为空

第十步:调用CredentialsMatcher的doCredentialsMatch方法,当然CredentialsMatcher我们可以自定义了

第十一步:上面步骤都通过以后回到DefualtSecurityManager的login方法中

	Subject loggedIn = createSubject(token, info, subject);
创建Subject 

  1. protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
  2. SubjectContext context = createSubjectContext();
  3. context.setAuthenticated( true);
  4. context.setAuthenticationToken(token);
  5. context.setAuthenticationInfo(info);
  6. if (existing != null) {
  7. context.setSubject(existing);
  8. }
  9. return createSubject(context);
  10. }
接着就是通过SubjectFactory生成subject,这里就不说了,就是从我们查询把我们查询到的用户身份信息关联到对应的subject中

猜你喜欢

转载自blog.csdn.net/binglong_world/article/details/81004234
今日推荐
面壁智能发布 Eurux-8x22B 开源大模型 —— 堪称「理科状元」
开源日报 | 谷歌扶持鸿蒙上位;开源Rabbit R1;Docker加持的安卓手机;微软的焦虑和野心;海尔电器把开放平台关了
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
周排行
【转】spring中对控制反转和依赖注入的理解
tms webcore 安装和使用
java程序员进阶相关书籍
SpringMVC接受请求参数、
如何保存训练好的机器学习模型
MyEclipse、Eclipse设置项目JDK的三个地方
商超行业微信小程序开发定制一般多少钱 (行业技术人员解读)
Markdown编辑器语言——30分钟入门到到精通
Linux系统下MongoDB的简单安装与基本操作
Power Strings
每日归档
更多
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022