本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。

追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:

 public void login(AuthenticationToken token) throws AuthenticationException {

     clearRunAsIdentitiesInternal();

     Subject subject = securityManager.login(this, token);

     PrincipalCollection principals;

     String host = null;

     if (subject instanceof DelegatingSubject) {

         DelegatingSubject delegating = (DelegatingSubject) subject;

         //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:

         principals = delegating.principals;

         host = delegating.host;

     } else {

         principals = subject.getPrincipals();

     }

     if (principals == null || principals.isEmpty()) {

         String msg = "Principals returned from securityManager.login( token ) returned a null or " +

                 "empty value.  This value must be non null and populated with one or more elements.";

         throw new IllegalStateException(msg);

     }

     this.principals = principals;

     this.authenticated = true;

     if (token instanceof HostAuthenticationToken) {

         host = ((HostAuthenticationToken) token).getHost();

     }

     if (host != null) {

         this.host = host;

     }

     Session session = subject.getSession(false);

     if (session != null) {

         this.session = decorate(session);

     } else {

         this.session = null;

     }

 }

在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:

 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info;

     try {

         info = authenticate(token);

     } catch (AuthenticationException ae) {

         try {

             onFailedLogin(token, ae, subject);

         } catch (Exception e) {

             if (log.isInfoEnabled()) {

                 log.info("onFailedLogin method threw an " +

                         "exception.  Logging and propagating original AuthenticationException.", e);

             }

         }

         throw ae; //propagate

     }

     Subject loggedIn = createSubject(token, info, subject);

     onSuccessfulLogin(token, info, loggedIn);

     return loggedIn;

 }

在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:

 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     return this.authenticator.authenticate(token);

3 }

authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:

 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     if (token == null) {

         throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");

     }

     log.trace("Authentication attempt received for token [{}]", token);

     AuthenticationInfo info;

     try {

         info = doAuthenticate(token);

         if (info == null) {

             String msg = "No account information found for authentication token [" + token + "] by this " +

                     "Authenticator instance.  Please check that it is configured correctly.";

             throw new AuthenticationException(msg);

         }

     } catch (Throwable t) {

         AuthenticationException ae = null;

         if (t instanceof AuthenticationException) {

             ae = (AuthenticationException) t;

         }

         if (ae == null) {

             //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more

             //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:

             String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +

                     "error? (Typical or expected login exceptions should extend from AuthenticationException).";

             ae = new AuthenticationException(msg, t);

             if (log.isWarnEnabled())

                 log.warn(msg, t);

         }

         try {

             notifyFailure(token, ae);

         } catch (Throwable t2) {

             if (log.isWarnEnabled()) {

                 String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +

                         "Please check your AuthenticationListener implementation(s).  Logging sending exception " +

                         "and propagating original AuthenticationException instead...";

                 log.warn(msg, t2);

             }

         }

         throw ae;

     }

     log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

     notifySuccess(token, info);

     return info;

 }

上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:

 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {

     assertRealmsConfigured();

     Collection<Realm> realms = getRealms();

     if (realms.size() == 1) {

         return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);

     } else {

         return doMultiRealmAuthentication(realms, authenticationToken);

     }

 }

这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:

 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {

     if (!realm.supports(token)) {

         String msg = "Realm [" + realm + "] does not support authentication token [" +

                 token + "].  Please ensure that the appropriate Realm implementation is " +

                 "configured correctly or that the realm accepts AuthenticationTokens of this type.";

         throw new UnsupportedTokenException(msg);

     }

     AuthenticationInfo info = realm.getAuthenticationInfo(token);

     if (info == null) {

         String msg = "Realm [" + realm + "] was unable to find account data for the " +

                 "submitted AuthenticationToken [" + token + "].";

         throw new UnknownAccountException(msg);

     }

     return info;

 }

上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:

 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info = getCachedAuthenticationInfo(token);

     if (info == null) {

         //otherwise not cached, perform the lookup:

         info = doGetAuthenticationInfo(token);

         log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);

         if (token != null && info != null) {

             cacheAuthenticationInfoIfPossible(token, info);

         }

     } else {

         log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

     }

     if (info != null) {

         assertCredentialsMatch(token, info);

     } else {

         log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);

     }

     return info;

 }

上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:

最后,附上SecurityManager和Realm等的类关系图:

Realm:

SecurityManager:

Authenticator:

shiro学习笔记-Subject#login(token)实现过程的更多相关文章

  1. shiro学习笔记-Subject#login(token)源码实现过程

    追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Sub ...

  2. Shiro学习笔记(5)——web集成

    Web集成 shiro配置文件shiroini 界面 webxml最关键 Servlet 測试 基于 Basic 的拦截器身份验证 Web集成 大多数情况.web项目都会集成spring.shiro在 ...

  3. Shiro学习笔记四(Shiro集成WEB)

    这两天由于家里出了点事情,没有准时的进行学习.今天补上之前的笔记 -----没有学不会的技术,只有不停找借口的人 学习到的知识点: 1.Shiro 集成WEB 2.基于角色的权限控制 3.基于权限的控 ...

  4. shiro学习笔记_0600_自定义realm实现授权

    博客shiro学习笔记_0400_自定义Realm实现身份认证 介绍了认证,这里介绍授权. 1,仅仅通过配置文件来指定权限不够灵活且不方便.在实际的应用中大多数情况下都是将用户信息,角色信息,权限信息 ...

  5. Shiro学习笔记总结,附加" 身份认证 "源码案例(一)

    Shiro学习笔记总结 内容介绍: 一.Shiro介绍 二.subject认证主体 三.身份认证流程 四.Realm & JDBC reaml介绍 五.Shiro.ini配置介绍 六.源码案例 ...

  6. shiro 学习笔记

    1. 权限管理 1.1 什么是权限管理? 权限管理实现对用户访问系统的控制,按照安全规则或者安全策略,可以控制用户只能访问自己被授权的资源 权限管理包括用户身份认证和授权两部分,简称认证授权 1.2 ...

  7. shiro学习笔记_0400_自定义realm实现身份认证

     自定义Realm实现身份认证 先来看下Realm的类继承关系: Realm接口有三个方法,最重要的是第三个方法: a) String getName():返回此realm的名字 b) boolean ...

  8. shiro学习笔记_0300_jdbcRealm和认证策略

    使用shiro框架来完成认证工作,默认是iniRealm,如果需要使用其他的realm,需要配置. ini配置文件详解,官方文档的说明如下: [main] section 是你配置应用程序的 Secu ...

  9. shiro学习笔记_0200_认证

    认证,身份验证,验证用户是否合法 在shiro中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份: principals:用户的身份信息 ...

随机推荐

  1. 在ubuntu下随意编译安装需要的python版本

    一.环境 ubuntu14.04 二.准备 2.1更新软件库 sudo apt-get update 2.2安装编译器及相应工具 2.3安装相应的开发库 sudo apt-get install zl ...

  2. 【第二十一章】 springboot + 定时任务

    1.application.properties #cron job.everysecond.cron=0/1 * * * * * job.everytensecond.cron=0/10 * * * ...

  3. [BZOJ1044][HAOI2008]木棍分割 二分 + 单调队列优化dp + 滚动数组优化dp

    Description 有n根木棍, 第i根木棍的长度为Li,n根木棍依次连结了一起, 总共有n-1个连接处. 现在允许你最多砍断m个连接处, 砍完后n根木棍被分成了很多段,要求满足总长度最大的一段长 ...

  4. C#学习笔记(一):C#简介

    计算机语言计算机语言是指用于人与计算机之间通讯的语言机器码——汇编语言——高级语言(面向过程(线性).面向对象(类).面向组件(Unity)) 一.计算机语言发展趋势1.简单:代码生成逻辑2.面向人类 ...

  5. POJ 2728 Desert King(最优比率生成树 01分数规划)

    http://poj.org/problem?id=2728 题意: 在这么一个图中求一棵生成树,这棵树的单位长度的花费最小是多少? 思路: 最优比率生成树,也就是01分数规划,二分答案即可,题目很简 ...

  6. POJ 2506 Tiling(递推+大整数加法)

    http://poj.org/problem?id=2506 题意: 思路:递推.a[i]=a[i-1]+2*a[i-2]. 计算的时候是大整数加法.错了好久,忘记考虑1了...晕倒. #includ ...

  7. asp.net webform 自定义 select 绑定数值

    前台: <select id="ddlAddedItemType" runat="server"> <option value="& ...

  8. 如何新建一个datatable,并往表里赋值

    顺序是新建对象-->新建列-->新建行,示例代码如下: DataTable dt=new DataTable(); //新建对象 dt.Columns.Add("姓名" ...

  9. python PIL 图像处理库简介(一)

    1. Introduction     PIL(Python Image Library)是python的第三方图像处理库,但是由于其强大的功能与众多的使用人数,几乎已经被认为是python官方图像处 ...

  10. Qt_2D_画图教程

    1. ZC: 看点:相同的API,QPainter.QPainterDevice和QPainterEngine这3个类 Qt学习之2D绘图(画刷和画笔) http://blog.csdn.net/lp ...