本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。

追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:

 public void login(AuthenticationToken token) throws AuthenticationException {

     clearRunAsIdentitiesInternal();

     Subject subject = securityManager.login(this, token);

     PrincipalCollection principals;

     String host = null;

     if (subject instanceof DelegatingSubject) {

         DelegatingSubject delegating = (DelegatingSubject) subject;

         //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:

         principals = delegating.principals;

         host = delegating.host;

     } else {

         principals = subject.getPrincipals();

     }

     if (principals == null || principals.isEmpty()) {

         String msg = "Principals returned from securityManager.login( token ) returned a null or " +

                 "empty value.  This value must be non null and populated with one or more elements.";

         throw new IllegalStateException(msg);

     }

     this.principals = principals;

     this.authenticated = true;

     if (token instanceof HostAuthenticationToken) {

         host = ((HostAuthenticationToken) token).getHost();

     }

     if (host != null) {

         this.host = host;

     }

     Session session = subject.getSession(false);

     if (session != null) {

         this.session = decorate(session);

     } else {

         this.session = null;

     }

 }

在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:

 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info;

     try {

         info = authenticate(token);

     } catch (AuthenticationException ae) {

         try {

             onFailedLogin(token, ae, subject);

         } catch (Exception e) {

             if (log.isInfoEnabled()) {

                 log.info("onFailedLogin method threw an " +

                         "exception.  Logging and propagating original AuthenticationException.", e);

             }

         }

         throw ae; //propagate

     }

     Subject loggedIn = createSubject(token, info, subject);

     onSuccessfulLogin(token, info, loggedIn);

     return loggedIn;

 }

在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:

 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     return this.authenticator.authenticate(token);

3 }

authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:

 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     if (token == null) {

         throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");

     }

     log.trace("Authentication attempt received for token [{}]", token);

     AuthenticationInfo info;

     try {

         info = doAuthenticate(token);

         if (info == null) {

             String msg = "No account information found for authentication token [" + token + "] by this " +

                     "Authenticator instance.  Please check that it is configured correctly.";

             throw new AuthenticationException(msg);

         }

     } catch (Throwable t) {

         AuthenticationException ae = null;

         if (t instanceof AuthenticationException) {

             ae = (AuthenticationException) t;

         }

         if (ae == null) {

             //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more

             //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:

             String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +

                     "error? (Typical or expected login exceptions should extend from AuthenticationException).";

             ae = new AuthenticationException(msg, t);

             if (log.isWarnEnabled())

                 log.warn(msg, t);

         }

         try {

             notifyFailure(token, ae);

         } catch (Throwable t2) {

             if (log.isWarnEnabled()) {

                 String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +

                         "Please check your AuthenticationListener implementation(s).  Logging sending exception " +

                         "and propagating original AuthenticationException instead...";

                 log.warn(msg, t2);

             }

         }

         throw ae;

     }

     log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

     notifySuccess(token, info);

     return info;

 }

上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:

 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {

     assertRealmsConfigured();

     Collection<Realm> realms = getRealms();

     if (realms.size() == 1) {

         return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);

     } else {

         return doMultiRealmAuthentication(realms, authenticationToken);

     }

 }

这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:

 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {

     if (!realm.supports(token)) {

         String msg = "Realm [" + realm + "] does not support authentication token [" +

                 token + "].  Please ensure that the appropriate Realm implementation is " +

                 "configured correctly or that the realm accepts AuthenticationTokens of this type.";

         throw new UnsupportedTokenException(msg);

     }

     AuthenticationInfo info = realm.getAuthenticationInfo(token);

     if (info == null) {

         String msg = "Realm [" + realm + "] was unable to find account data for the " +

                 "submitted AuthenticationToken [" + token + "].";

         throw new UnknownAccountException(msg);

     }

     return info;

 }

上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:

 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info = getCachedAuthenticationInfo(token);

     if (info == null) {

         //otherwise not cached, perform the lookup:

         info = doGetAuthenticationInfo(token);

         log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);

         if (token != null && info != null) {

             cacheAuthenticationInfoIfPossible(token, info);

         }

     } else {

         log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

     }

     if (info != null) {

         assertCredentialsMatch(token, info);

     } else {

         log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);

     }

     return info;

 }

上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:

最后,附上SecurityManager和Realm等的类关系图:

Realm:

SecurityManager:

Authenticator:

shiro学习笔记-Subject#login(token)实现过程的更多相关文章

  1. shiro学习笔记-Subject#login(token)源码实现过程

    追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Sub ...

  2. Shiro学习笔记(5)——web集成

    Web集成 shiro配置文件shiroini 界面 webxml最关键 Servlet 測试 基于 Basic 的拦截器身份验证 Web集成 大多数情况.web项目都会集成spring.shiro在 ...

  3. Shiro学习笔记四(Shiro集成WEB)

    这两天由于家里出了点事情,没有准时的进行学习.今天补上之前的笔记 -----没有学不会的技术,只有不停找借口的人 学习到的知识点: 1.Shiro 集成WEB 2.基于角色的权限控制 3.基于权限的控 ...

  4. shiro学习笔记_0600_自定义realm实现授权

    博客shiro学习笔记_0400_自定义Realm实现身份认证 介绍了认证,这里介绍授权. 1,仅仅通过配置文件来指定权限不够灵活且不方便.在实际的应用中大多数情况下都是将用户信息,角色信息,权限信息 ...

  5. Shiro学习笔记总结,附加" 身份认证 "源码案例(一)

    Shiro学习笔记总结 内容介绍: 一.Shiro介绍 二.subject认证主体 三.身份认证流程 四.Realm & JDBC reaml介绍 五.Shiro.ini配置介绍 六.源码案例 ...

  6. shiro 学习笔记

    1. 权限管理 1.1 什么是权限管理? 权限管理实现对用户访问系统的控制,按照安全规则或者安全策略,可以控制用户只能访问自己被授权的资源 权限管理包括用户身份认证和授权两部分,简称认证授权 1.2 ...

  7. shiro学习笔记_0400_自定义realm实现身份认证

     自定义Realm实现身份认证 先来看下Realm的类继承关系: Realm接口有三个方法,最重要的是第三个方法: a) String getName():返回此realm的名字 b) boolean ...

  8. shiro学习笔记_0300_jdbcRealm和认证策略

    使用shiro框架来完成认证工作,默认是iniRealm,如果需要使用其他的realm,需要配置. ini配置文件详解,官方文档的说明如下: [main] section 是你配置应用程序的 Secu ...

  9. shiro学习笔记_0200_认证

    认证,身份验证,验证用户是否合法 在shiro中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份: principals:用户的身份信息 ...

随机推荐

  1. ELK之elasticsearch6.5集群

    前面介绍并初试了es6.5系列的单节点的操作,现在搭建es6.5系列的集群: 环境:三节点:master-172.16.23.128.node1-172.16.23.129.node2-172.16. ...

  2. Thinkphp5 引入第三方类库的方法

    原文链接:http://www.zhaisui.com/article/42.html

  3. 20145127《java程序设计》第十周学习总结

    Java的网络编程 1.计算机网络概述 (1)路由器和交换机组成了核心的计算机网络,计算机只是这个网络上的节点以及控制等,通过光纤.网线等连接将设备连接起来,从而形成了一张巨大的计算机网络. (2)网 ...

  4. 20165310 学习基础和C语言基础调查

    学习基础和C语言基础调查 做中学体会 阅读做中学之后,了解老师关于五笔练习.减肥.乒乓和背单词的经历,不禁联想到自己学古筝的经历. 成功的经验 兴趣 我其实小时候学过一段时间古筝,但是那时候是因为父母 ...

  5. SVC(STM32)

    这两个都是 system level service,有什么区别呢?…… 手册上说 SVC 这个指令是同步的,而 PendSV 是异步的,请问是什么意思呢?…… 高手路过尽请留言啊

  6. linux提示usb_serial_generic_write_bulk_callback - urb stoped: -32

    1.环境: 上位机:ubuntu16.04 Linux jello 4.4.0-89-generic #112-Ubuntu SMP Mon Jul 31 19:38:41 UTC 2017 x86_ ...

  7. 【Streaming】30分钟概览Spark Streaming 实时计算

    本文主要介绍四个问题: 什么是Spark Streaming实时计算? Spark实时计算原理流程是什么? Spark 2.X下一代实时计算框架Structured Streaming Spark S ...

  8. poj 8469 特殊密码锁

    a:特殊密码锁 总时间限制: 1000ms 内存限制: 1024kB 描述 有一种特殊的二进制密码锁,由n个相连的按钮组成(n<30),按钮有凹/凸两种状态,用手按按钮会改变其状态. 然而让人头 ...

  9. LOJ#2170. 「POI2011」木棍 Sticks

    题目链接 题意就是给你一堆线段,然后线段有长度和颜色,让你选三条组成一个三角形,这三条线段颜色不能一样 题解: 做法:贪心 首先按照长度给这些线段排序一遍 然后贪心的去选,对于已经选出来同种颜色的,就 ...

  10. UVa 1660 电视网络(点连通度+最小割最大流+Dinic)

    https://vjudge.net/problem/UVA-1660 题意:给出一个无向图,求出点连通度.即最少删除多少个点,使得图不连通. 思路: 如果求线连通度的话,直接求个最大流就可以了.但这 ...