本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。

追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:

 public void login(AuthenticationToken token) throws AuthenticationException {

     clearRunAsIdentitiesInternal();

     Subject subject = securityManager.login(this, token);

     PrincipalCollection principals;

     String host = null;

     if (subject instanceof DelegatingSubject) {

         DelegatingSubject delegating = (DelegatingSubject) subject;

         //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:

         principals = delegating.principals;

         host = delegating.host;

     } else {

         principals = subject.getPrincipals();

     }

     if (principals == null || principals.isEmpty()) {

         String msg = "Principals returned from securityManager.login( token ) returned a null or " +

                 "empty value.  This value must be non null and populated with one or more elements.";

         throw new IllegalStateException(msg);

     }

     this.principals = principals;

     this.authenticated = true;

     if (token instanceof HostAuthenticationToken) {

         host = ((HostAuthenticationToken) token).getHost();

     }

     if (host != null) {

         this.host = host;

     }

     Session session = subject.getSession(false);

     if (session != null) {

         this.session = decorate(session);

     } else {

         this.session = null;

     }

 }

在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:

 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info;

     try {

         info = authenticate(token);

     } catch (AuthenticationException ae) {

         try {

             onFailedLogin(token, ae, subject);

         } catch (Exception e) {

             if (log.isInfoEnabled()) {

                 log.info("onFailedLogin method threw an " +

                         "exception.  Logging and propagating original AuthenticationException.", e);

             }

         }

         throw ae; //propagate

     }

     Subject loggedIn = createSubject(token, info, subject);

     onSuccessfulLogin(token, info, loggedIn);

     return loggedIn;

 }

在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:

 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     return this.authenticator.authenticate(token);

3 }

authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:

 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

     if (token == null) {

         throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");

     }

     log.trace("Authentication attempt received for token [{}]", token);

     AuthenticationInfo info;

     try {

         info = doAuthenticate(token);

         if (info == null) {

             String msg = "No account information found for authentication token [" + token + "] by this " +

                     "Authenticator instance.  Please check that it is configured correctly.";

             throw new AuthenticationException(msg);

         }

     } catch (Throwable t) {

         AuthenticationException ae = null;

         if (t instanceof AuthenticationException) {

             ae = (AuthenticationException) t;

         }

         if (ae == null) {

             //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more

             //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:

             String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +

                     "error? (Typical or expected login exceptions should extend from AuthenticationException).";

             ae = new AuthenticationException(msg, t);

             if (log.isWarnEnabled())

                 log.warn(msg, t);

         }

         try {

             notifyFailure(token, ae);

         } catch (Throwable t2) {

             if (log.isWarnEnabled()) {

                 String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +

                         "Please check your AuthenticationListener implementation(s).  Logging sending exception " +

                         "and propagating original AuthenticationException instead...";

                 log.warn(msg, t2);

             }

         }

         throw ae;

     }

     log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

     notifySuccess(token, info);

     return info;

 }

上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:

 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {

     assertRealmsConfigured();

     Collection<Realm> realms = getRealms();

     if (realms.size() == 1) {

         return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);

     } else {

         return doMultiRealmAuthentication(realms, authenticationToken);

     }

 }

这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:

 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {

     if (!realm.supports(token)) {

         String msg = "Realm [" + realm + "] does not support authentication token [" +

                 token + "].  Please ensure that the appropriate Realm implementation is " +

                 "configured correctly or that the realm accepts AuthenticationTokens of this type.";

         throw new UnsupportedTokenException(msg);

     }

     AuthenticationInfo info = realm.getAuthenticationInfo(token);

     if (info == null) {

         String msg = "Realm [" + realm + "] was unable to find account data for the " +

                 "submitted AuthenticationToken [" + token + "].";

         throw new UnknownAccountException(msg);

     }

     return info;

 }

上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:

 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

     AuthenticationInfo info = getCachedAuthenticationInfo(token);

     if (info == null) {

         //otherwise not cached, perform the lookup:

         info = doGetAuthenticationInfo(token);

         log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);

         if (token != null && info != null) {

             cacheAuthenticationInfoIfPossible(token, info);

         }

     } else {

         log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

     }

     if (info != null) {

         assertCredentialsMatch(token, info);

     } else {

         log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);

     }

     return info;

 }

上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:

最后,附上SecurityManager和Realm等的类关系图:

Realm:

SecurityManager:

Authenticator:

shiro学习笔记-Subject#login(token)实现过程的更多相关文章

  1. shiro学习笔记-Subject#login(token)源码实现过程

    追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Sub ...

  2. Shiro学习笔记(5)——web集成

    Web集成 shiro配置文件shiroini 界面 webxml最关键 Servlet 測试 基于 Basic 的拦截器身份验证 Web集成 大多数情况.web项目都会集成spring.shiro在 ...

  3. Shiro学习笔记四(Shiro集成WEB)

    这两天由于家里出了点事情,没有准时的进行学习.今天补上之前的笔记 -----没有学不会的技术,只有不停找借口的人 学习到的知识点: 1.Shiro 集成WEB 2.基于角色的权限控制 3.基于权限的控 ...

  4. shiro学习笔记_0600_自定义realm实现授权

    博客shiro学习笔记_0400_自定义Realm实现身份认证 介绍了认证,这里介绍授权. 1,仅仅通过配置文件来指定权限不够灵活且不方便.在实际的应用中大多数情况下都是将用户信息,角色信息,权限信息 ...

  5. Shiro学习笔记总结,附加" 身份认证 "源码案例(一)

    Shiro学习笔记总结 内容介绍: 一.Shiro介绍 二.subject认证主体 三.身份认证流程 四.Realm & JDBC reaml介绍 五.Shiro.ini配置介绍 六.源码案例 ...

  6. shiro 学习笔记

    1. 权限管理 1.1 什么是权限管理? 权限管理实现对用户访问系统的控制,按照安全规则或者安全策略,可以控制用户只能访问自己被授权的资源 权限管理包括用户身份认证和授权两部分,简称认证授权 1.2 ...

  7. shiro学习笔记_0400_自定义realm实现身份认证

     自定义Realm实现身份认证 先来看下Realm的类继承关系: Realm接口有三个方法,最重要的是第三个方法: a) String getName():返回此realm的名字 b) boolean ...

  8. shiro学习笔记_0300_jdbcRealm和认证策略

    使用shiro框架来完成认证工作,默认是iniRealm,如果需要使用其他的realm,需要配置. ini配置文件详解,官方文档的说明如下: [main] section 是你配置应用程序的 Secu ...

  9. shiro学习笔记_0200_认证

    认证,身份验证,验证用户是否合法 在shiro中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份: principals:用户的身份信息 ...

随机推荐

  1. htm5之视频音频(shit IE10都不支持)

    <p style="color: red; background-color: black;"> 视频<br /> autoplay autoplay 如果 ...

  2. 使用ShellExecute打开默认程序(邮件客户端)

    转载:http://www.cnblogs.com/xubin0523/archive/2012/11/01/2749729.html ShellExecute ShellExecute的功能是运行一 ...

  3. Java propertis文件中组装配置

    目的: 实现在配置文件中,进行组装 1.Properties文件配置如下: dns=http://211.103.227.133:8080 qrcode=${dns}/wx/views/invite/ ...

  4. VS中自动选择x86或x64的dll

    http://www.cnblogs.com/lzjsky/archive/2010/09/06/1819321.html 原来使用Win7的32位系统,进行C#工程的开发,后来重装系统,换成了win ...

  5. Source not found :Edit Source Lookup Path 解决方案

    作者原创,转载请注明转载地址 在eclipse中用debug调试的时候,出现了以下问题,很是尴尬,经常碰到,所以有必要进行总结一下: 对该问题有两种解决方案, 一种比较文明:解决方法可参考如下网址: ...

  6. UVa 818 切断圆环链(dfs+二进制枚举)

    https://vjudge.net/problem/UVA-818 题意:有n个圆环,其中有一些已经扣在了一起.现在需要打开尽量少的圆环,使得所有圆环可以组成一条链,例如,有5个圆环,1-2,2-3 ...

  7. LoadRunner测试流程

    使用LoadRunner 完成测试一般分为四个步骤: 2 Vvitrual User Generator 创建脚本 创建脚本,选择协议 录制脚本 编辑脚本 检查修改脚本是否有误 3 中央控制器(Con ...

  8. MVC ---- EF三层代码

    1.DAL层 using Night.Models; using System; using System.Collections.Generic; using System.Data.Entity. ...

  9. shell 清空指定大小的日志文件

    #!/bin/bash # 当/var/log/syslog大于68B时 if ! [ -f /var/log/syslog ] then echo "file not exist!&quo ...

  10. DEV-C++设置C++11标准

    DEV-C++默认的标准是C++98,改成C++11的方法如下: Tools -> Compiler Options -> Setting -> Code Generation -& ...