本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。

追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:

 public void login(AuthenticationToken token) throws AuthenticationException {

     clearRunAsIdentitiesInternal();

     Subject subject = securityManager.login(this, token);

     PrincipalCollection principals;

     String host = null;

     if (subject instanceof DelegatingSubject) {

         DelegatingSubject delegating = (DelegatingSubject) subject;

         //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:

         principals = delegating.principals;

         host = delegating.host;

     } else {

         principals = subject.getPrincipals();

     }

     if (principals == null || principals.isEmpty()) {

         String msg = "Principals returned from securityManager.login( token ) returned a null or " +

                 "empty value.  This value must be non null and populated with one or more elements.";

         throw new IllegalStateException(msg);

     }

     this.principals = principals;

     this.authenticated = true;

     if (token instanceof HostAuthenticationToken) {

         host = ((HostAuthenticationToken) token).getHost();

     }

     if (host != null) {

         this.host = host;

     }

     Session session = subject.getSession(false);

     if (session != null) {

         this.session = decorate(session);

     } else {

         this.session = null;

     }

 }

在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:

 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info;

     try {

         info = authenticate(token);

     } catch (AuthenticationException ae) {

         try {

             onFailedLogin(token, ae, subject);

         } catch (Exception e) {

             if (log.isInfoEnabled()) {

                 log.info("onFailedLogin method threw an " +

                         "exception.  Logging and propagating original AuthenticationException.", e);

             }

         }

         throw ae; //propagate

     }

     Subject loggedIn = createSubject(token, info, subject);

     onSuccessfulLogin(token, info, loggedIn);

     return loggedIn;

 }

在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:

 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     return this.authenticator.authenticate(token);

3 }

authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:

 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     if (token == null) {

         throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");

     }

     log.trace("Authentication attempt received for token [{}]", token);

     AuthenticationInfo info;

     try {

         info = doAuthenticate(token);

         if (info == null) {

             String msg = "No account information found for authentication token [" + token + "] by this " +

                     "Authenticator instance.  Please check that it is configured correctly.";

             throw new AuthenticationException(msg);

         }

     } catch (Throwable t) {

         AuthenticationException ae = null;

         if (t instanceof AuthenticationException) {

             ae = (AuthenticationException) t;

         }

         if (ae == null) {

             //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more

             //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:

             String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +

                     "error? (Typical or expected login exceptions should extend from AuthenticationException).";

             ae = new AuthenticationException(msg, t);

             if (log.isWarnEnabled())

                 log.warn(msg, t);

         }

         try {

             notifyFailure(token, ae);

         } catch (Throwable t2) {

             if (log.isWarnEnabled()) {

                 String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +

                         "Please check your AuthenticationListener implementation(s).  Logging sending exception " +

                         "and propagating original AuthenticationException instead...";

                 log.warn(msg, t2);

             }

         }

         throw ae;

     }

     log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

     notifySuccess(token, info);

     return info;

 }

上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:

 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {

     assertRealmsConfigured();

     Collection<Realm> realms = getRealms();

     if (realms.size() == 1) {

         return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);

     } else {

         return doMultiRealmAuthentication(realms, authenticationToken);

     }

 }

这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:

 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {

     if (!realm.supports(token)) {

         String msg = "Realm [" + realm + "] does not support authentication token [" +

                 token + "].  Please ensure that the appropriate Realm implementation is " +

                 "configured correctly or that the realm accepts AuthenticationTokens of this type.";

         throw new UnsupportedTokenException(msg);

     }

     AuthenticationInfo info = realm.getAuthenticationInfo(token);

     if (info == null) {

         String msg = "Realm [" + realm + "] was unable to find account data for the " +

                 "submitted AuthenticationToken [" + token + "].";

         throw new UnknownAccountException(msg);

     }

     return info;

 }

上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:

 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info = getCachedAuthenticationInfo(token);

     if (info == null) {

         //otherwise not cached, perform the lookup:

         info = doGetAuthenticationInfo(token);

         log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);

         if (token != null && info != null) {

             cacheAuthenticationInfoIfPossible(token, info);

         }

     } else {

         log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

     }

     if (info != null) {

         assertCredentialsMatch(token, info);

     } else {

         log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);

     }

     return info;

 }

上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:

最后,附上SecurityManager和Realm等的类关系图:

Realm:

SecurityManager:

Authenticator:

shiro学习笔记-Subject#login(token)实现过程的更多相关文章

  1. shiro学习笔记-Subject#login(token)源码实现过程

    追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Sub ...

  2. Shiro学习笔记(5)——web集成

    Web集成 shiro配置文件shiroini 界面 webxml最关键 Servlet 測试 基于 Basic 的拦截器身份验证 Web集成 大多数情况.web项目都会集成spring.shiro在 ...

  3. Shiro学习笔记四(Shiro集成WEB)

    这两天由于家里出了点事情,没有准时的进行学习.今天补上之前的笔记 -----没有学不会的技术,只有不停找借口的人 学习到的知识点: 1.Shiro 集成WEB 2.基于角色的权限控制 3.基于权限的控 ...

  4. shiro学习笔记_0600_自定义realm实现授权

    博客shiro学习笔记_0400_自定义Realm实现身份认证 介绍了认证,这里介绍授权. 1,仅仅通过配置文件来指定权限不够灵活且不方便.在实际的应用中大多数情况下都是将用户信息,角色信息,权限信息 ...

  5. Shiro学习笔记总结,附加" 身份认证 "源码案例(一)

    Shiro学习笔记总结 内容介绍: 一.Shiro介绍 二.subject认证主体 三.身份认证流程 四.Realm & JDBC reaml介绍 五.Shiro.ini配置介绍 六.源码案例 ...

  6. shiro 学习笔记

    1. 权限管理 1.1 什么是权限管理? 权限管理实现对用户访问系统的控制,按照安全规则或者安全策略,可以控制用户只能访问自己被授权的资源 权限管理包括用户身份认证和授权两部分,简称认证授权 1.2 ...

  7. shiro学习笔记_0400_自定义realm实现身份认证

     自定义Realm实现身份认证 先来看下Realm的类继承关系: Realm接口有三个方法,最重要的是第三个方法: a) String getName():返回此realm的名字 b) boolean ...

  8. shiro学习笔记_0300_jdbcRealm和认证策略

    使用shiro框架来完成认证工作,默认是iniRealm,如果需要使用其他的realm,需要配置. ini配置文件详解,官方文档的说明如下: [main] section 是你配置应用程序的 Secu ...

  9. shiro学习笔记_0200_认证

    认证,身份验证,验证用户是否合法 在shiro中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份: principals:用户的身份信息 ...

随机推荐

  1. 20145321《网络对抗技术》逆向与Bof基础

    20145321<网络对抗技术>逆向与Bof基础 实践目标 本次实践的对象是一个名为pwn1的linux可执行文件. 该程序正常执行流程是:main调用foo函数,foo函数会简单回显任何 ...

  2. HttpClient4.5简单使用

    一.HttpClient简介 HttpClient是一个客户端的HTTP通信实现库,它不是一个浏览器.关于HTTP协议,可以搜索相关的资料.它设计的目的是发送与接收HTTP报文.它不会执行嵌入在页面中 ...

  3. Python3基础 str endswith 是否以指定字符串结束

             Python : 3.7.0          OS : Ubuntu 18.04.1 LTS         IDE : PyCharm 2018.2.4       Conda ...

  4. POJ 2029 (二维树状数组)题解

    思路: 大力出奇迹,先用二维树状数组存,然后暴力枚举 算某个矩形区域的值的示意图如下,代码在下面慢慢找... 代码: #include<cstdio> #include<map> ...

  5. icpc 2017北京 J题 Pangu and Stones 区间DP

    #1636 : Pangu and Stones 时间限制:1000ms 单点时限:1000ms 内存限制:256MB 描述 In Chinese mythology, Pangu is the fi ...

  6. 51NOD 1117 聪明的木匠

    来源:http://www.51nod.com/onlineJudge/questionCode.html#!problemId=1117 挑战原题吧  大概 每次挑选最小的两个,合起来 #inclu ...

  7. 使用Docfx生成项目文档

    使用docfx.console生成本项目的文档 使用docfx.console生成其他项目的文档 直接使用docfx.exe生成项目文档 指定配置文档模板   文档地址:http://gitlab.l ...

  8. @SuppressWarings注解的作用和用法

    一.前言 编码时我们总会发现如下变量未被使用的警告提示: 上述代码编译通过且可以运行,但每行前面的“感叹号”就严重阻碍了我们判断该行是否设置的断点了.这时我们可以在方法前添加 @SuppressWar ...

  9. 06_Flume_interceptor_时间戳+Host

    1.目标场景 2.flume agent配置文件 # define agent name, source/sink/channel name a1.sources = r1 a1.sinks = k1 ...

  10. WCF 统一处理异常利用行为服务扩展

    https://www.cnblogs.com/niaowo/p/4727378.html using System; using System.Collections.Generic; using ...