参考:https://www.iteye.com/blog/lgbolgger-2163890
https://www.iteye.com/blog/jinnianshilongnian-2019547
身份验证,即在应用中谁能证明他就是他本人。一般提供如他们的身份ID一些标识信息来表明他就是他本人,如提供身份证,用户名/密码来证明。
在shiro中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份:
principals:身份,即主体的标识属性,可以是任何东西,如用户名、邮箱等,唯一即可。一个主体可以有多个principals,但只有一个Primary principals,一般是用户名/密码/手机号。
credentials:证明/凭证,即只有主体知道的安全值,如密码/数字证书等。
最常见的principals和credentials组合就是用户名/密码了。接下来先进行一个基本的身份认证。
另外两个相关的概念是之前提到的Subject及Realm,分别是主体及验证主体的数据源。
2.2 环境准备
本文使用Maven构建,因此需要一点Maven知识。首先准备环境依赖:
Java代码
- <dependencies>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.9</version>
- </dependency>
- <dependency>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- <version>1.1.3</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- <version>1.2.2</version>
- </dependency>
- </dependencies>
添加junit、common-logging及shiro-core依赖即可。
2.3 登录/退出
1、首先准备一些用户身份/凭据(shiro.ini)
Java代码
- [users]
- zhang=123
- wang=123
此处使用ini配置文件,通过[users]指定了两个主体:zhang/123、wang/123。
2、测试用例(com.github.zhangkaitao.shiro.chapter2.LoginLogoutTest)
Java代码
- @Test
- public void testHelloworld() {
- //1、获取SecurityManager工厂,此处使用Ini配置文件初始化SecurityManager
- Factory<org.apache.shiro.mgt.SecurityManager> factory =
- new IniSecurityManagerFactory("classpath:shiro.ini");
- //2、得到SecurityManager实例 并绑定给SecurityUtils
- org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
- SecurityUtils.setSecurityManager(securityManager);
- //3、得到Subject及创建用户名/密码身份验证Token(即用户身份/凭证)
- Subject subject = SecurityUtils.getSubject();
- UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
- try {
- //4、登录,即身份验证
- subject.login(token);
- } catch (AuthenticationException e) {
- //5、身份验证失败
- }
- Assert.assertEquals(true, subject.isAuthenticated()); //断言用户已经登录
- //6、退出
- subject.logout();
- }
1、首先通过new IniSecurityManagerFactory并指定一个ini配置文件来创建一个SecurityManager工厂;
2、接着获取SecurityManager并绑定到SecurityUtils,这是一个全局设置,设置一次即可;
3、通过SecurityUtils得到Subject,其会自动绑定到当前线程;如果在web环境在请求结束时需要解除绑定;然后获取身份验证的Token,如用户名/密码;
4、调用subject.login方法进行登录,其会自动委托给SecurityManager.login方法进行登录;
5、如果身份验证失败请捕获AuthenticationException或其子类,常见的如: DisabledAccountException(禁用的帐号)、LockedAccountException(锁定的帐号)、UnknownAccountException(错误的帐号)、ExcessiveAttemptsException(登录失败次数过多)、IncorrectCredentialsException (错误的凭证)、ExpiredCredentialsException(过期的凭证)等,具体请查看其继承关系;对于页面的错误消息展示,最好使用如“用户名/密码错误”而不是“用户名错误”/“密码错误”,防止一些恶意用户非法扫描帐号库;
6、最后可以调用subject.logout退出,其会自动委托给SecurityManager.logout方法退出。
总结出身份验证的步骤:
1、收集用户身份/凭证,即如用户名/密码;
2、调用Subject.login进行登录,如果失败将得到相应的AuthenticationException异常,根据异常提示用户错误信息;否则登录成功;
3、最后调用Subject.logout进行退出操作。
a、使用工厂模式来得到SecurityManager,由于可以通过不同工厂创建出不同的SecurityManager,如通过配置文件的形式来创建的IniSecurityManagerFactory工厂。类图如下:
Factory接口:通过泛型定义了一个T getInstance()方法
AbstractFactory抽象类:对于getInstance返回的对象加入单例或者非单例的功能,而把真正创建实例对象的createInstance功能留给子类去实现
Java代码
- public T getInstance() {
- T instance;
- if (isSingleton()) {
- if (this.singletonInstance == null) {
- this.singletonInstance = createInstance();
- }
- instance = this.singletonInstance;
- } else {
- instance = createInstance();
- }
- if (instance == null) {
- String msg = "Factory 'createInstance' implementation returned a null object.";
- throw new IllegalStateException(msg);
- }
- return instance;
- }
- protected abstract T createInstance();
IniFactorySupport:加入了Ini ini属性,同过该对象来创建出一个实例,IniFactorySupport对于ini的获取给出了两种方式,方式一:在构造IniFactorySupport时传入Ini 对象,另一种就是加载类路径下默认的Ini,如下:
Java代码
- public static Ini loadDefaultClassPathIni() {
- Ini ini = null;
- if (ResourceUtils.resourceExists(DEFAULT_INI_RESOURCE_PATH)) {
- log.debug("Found shiro.ini at the root of the classpath.");
- ini = new Ini();
- ini.loadFromPath(DEFAULT_INI_RESOURCE_PATH);
- if (CollectionUtils.isEmpty(ini)) {
- log.warn("shiro.ini found at the root of the classpath, but it did not contain any data.");
- }
- }
- return ini;
- }
其中DEFAULT_INI_RESOURCE_PATH为classpath:shiro.ini。然而IniFactorySupport并不负责通过ini配置文件来创建出什么样的对象,它仅仅负责获取ini配置文件,所以它要留出了两个方法让子类实现:
- protected abstract T createInstance(Ini ini);
- protected abstract T createDefaultInstance();
第一个方法就是通过ini配置文件创建出什么对象,第二个方法就是当获取不到ini配置文件时,要创建默认的对象。
IniSecurityManagerFactory:通过Ini配置文件可以创建出SecurityManager对象,也可以通过ini配置文件创建FilterChainResolver对象,而IniSecurityManagerFactory则是通过ini配置文件来创建SecurityManager的,所以对于泛型的实例化是在该类完成的,如下:
Java代码
- public class IniSecurityManagerFactory extends IniFactorySupport<SecurityManager>
- public class IniFilterChainResolverFactory extends IniFactorySupport<FilterChainResolver>
IniSecurityManagerFactory 还不具有web功能,WebIniSecurityManagerFactory则加入了web功能。
可以看到,有很多的类继承关系,每一个类都完成了一个基本功能,把职责划分的更加明确,而不是一锅粥把很多功能放到一个类中,导致很难去复用某些功能。
b、将创建的SecurityManager放到SecurityUtils类的静态变量中,供所有对象来访问。
c、创建一个Subject实例,接口Subject的文档介绍如下: A {@code Subject} represents state and security operations for a <em>single</em> application user.These operations include authentication (login/logout), authorization (access control), and session access
即外界通过Subject接口来和SecurityManager进行交互,该接口含有登录、退出、权限判断、获取Session,其中的Session可不是平常我们所使用的HttpSession等,而是shiro自定义的,是一个数据上下文,与一个Subject相关联的。
先回到创建Subject的地方:
- public static Subject getSubject() {
- Subject subject = ThreadContext.getSubject();
- if (subject == null) {
- subject = (new Subject.Builder()).buildSubject();
- ThreadContext.bind(subject);
- }
- return subject;
- }
一看就是使用的是ThreadLocal设计模式,获取当前线程相关联的Subject对象,如果没有则创建一个,然后绑定到当前线程。然后我们来看下具体实现:
ThreadContext是org.apache.shiro.util包下的一个工具类,它是用来操作和当前线程绑定的SecurityManager和Subject,它必然包含了一个ThreadLocal对象如下:
Java代码
- public abstract class ThreadContext {
- public static final String SECURITY_MANAGER_KEY = ThreadContext.class.getName() + "_SECURITY_MANAGER_KEY";
- public static final String SUBJECT_KEY = ThreadContext.class.getName() + "_SUBJECT_KEY";
- private static final ThreadLocal<Map<Object, Object>> resources = new InheritableThreadLocalMap<Map<Object, Object>>();
- //略
- }
ThreadLocal中存放的数据是一个Map集合,集合中所存的key有两个SECURITY_MANAGER_KEY和SUBJECT_KEY,就是通过这两个key来存取SecurityManager和Subject两个对象。
当前线程还没有绑定一个Subject时,就需要通过Sucject.Builder来创建一个然后绑定到当前线程。Builder是Subject的一个内部类,它拥有两个重要的属性,SubjectContext和SecurityManger,创建Builder时使用SecurityUtils工具来获取它的全局静态变量SecurityManager,SubjectContext则是使用newSubjectContextInstance创建一个DefaultSubjectContext对象:
- public Builder() {
- this(SecurityUtils.getSecurityManager());
- }
- public Builder(SecurityManager securityManager) {
- if (securityManager == null) {
- throw new NullPointerException("SecurityManager method argument cannot be null.");
- }
- this.securityManager = securityManager;
- this.subjectContext = newSubjectContextInstance();
- if (this.subjectContext == null) {
- throw new IllegalStateException("Subject instance returned from 'newSubjectContextInstance' " +
- "cannot be null.");
- }
- this.subjectContext.setSecurityManager(securityManager);
- }
- protected SubjectContext newSubjectContextInstance() {
- return new DefaultSubjectContext();
- }
Builder准备工作完成后,调用buildSubject来创建一个Subject:
Java代码
- public Subject buildSubject() {
- return this.securityManager.createSubject(this.subjectContext);
- }
最终还是通过securityManager根据subjectContext来创建一个Subject。最终是通过一个SubjectFactory来创建的,SubjectFactory是一个接口,接口方法为SubjectcreateSubject(SubjectContext context),默认的SubjectFactory实现是DefaultSubjectFactory,DefaultSubjectFactory创建的Subject是DelegatingSubject。至此创建Subject就简单说完了。
d、登录部分
登录方法为void login(AuthenticationToken token),AuthenticationToken接口如下:
- public interface AuthenticationToken extends Serializable {
- Object getPrincipal();
- Object getCredentials();
- }
Principal就相当于用户名,Credentials就相当于密码,AuthenticationToken 的实现UsernamePasswordToken有四个重要属性,即username、char[] password、boolean rememberMe、host。认证过程是由Authenticator来完成的,先来看下Authenticator的整体:
- public interface Authenticator {
- public AuthenticationInfo authenticate(AuthenticationToken authenticationToken)
- throws AuthenticationException;
- }
很简单,就是根据AuthenticationToken 返回一个AuthenticationInfo ,如果认证失败会抛出AuthenticationException异常。
AbstractAuthenticator实现了Authenticator 接口,它仅仅加入了对认证成功与失败的监听功能,即有一个Collection<AuthenticationListener>集合:
private Collection<AuthenticationListener> listeners;
对于认证过程:
- public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
- if (token == null) {
- throw new IllegalArgumentException("Method argumet (authentication token) cannot be null.");
- }
- log.trace("Authentication attempt received for token [{}]", token);
- AuthenticationInfo info;
- try {
- info = doAuthenticate(token);
- if (info == null) {
- String msg = "No account information found for authentication token [" + token + "] by this " +
- "Authenticator instance. Please check that it is configured correctly.";
- throw new AuthenticationException(msg);
- }
- } catch (Throwable t) {
- AuthenticationException ae = null;
- if (t instanceof AuthenticationException) {
- ae = (AuthenticationException) t;
- }
- if (ae == null) {
- //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
- //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate:
- String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
- "error? (Typical or expected login exceptions should extend from AuthenticationException).";
- ae = new AuthenticationException(msg, t);
- }
- try {
- notifyFailure(token, ae);
- } catch (Throwable t2) {
- if (log.isWarnEnabled()) {
- String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
- "Please check your AuthenticationListener implementation(s). Logging sending exception " +
- "and propagating original AuthenticationException instead...";
- log.warn(msg, t2);
- }
- }
- throw ae;
- }
- log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info);
- notifySuccess(token, info);
- return info;
- }
- protected abstract AuthenticationInfo doAuthenticate(AuthenticationToken token)
- throws AuthenticationException;
从上面可以看到实际的认证过程doAuthenticate是交给子类来实现的,AbstractAuthenticator只对认证结果进行处理,认证成功时调用notifySuccess(token, info)通知所有的listener,认证失败时调用notifyFailure(token, ae)通知所有的listener。
具体的认证过程就需要看AbstractAuthenticator子类对于doAuthenticate方法的实现,ModularRealmAuthenticator继承了AbstractAuthenticator,它有两个重要的属性如下
- private Collection<Realm> realms;
- private AuthenticationStrategy authenticationStrategy;
首先就是Realm的概念:就是配置各种角色、权限和用户的地方,即提供了数据源供shiro来使用,它能够根据一个AuthenticationToken中的用户名和密码来判定是否合法等,文档如下:
Java代码
A <tt>Realm</tt> is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations
接口如下:
Java代码
- public interface Realm {
- String getName();
- boolean supports(AuthenticationToken token);
- AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;
- }
Realm 首先有一个重要的name属性,全局唯一的标示。supports、getAuthenticationInfo方法就是框架中非常常见的一种写法,ModularRealmAuthenticator拥有Collection<Realm> realms集合,在判定用户合法性时,会首先调用每个Realm的supports方法,如果支持才会去掉用相应的getAuthenticationInfo方法。
关于Realm的详细接口设计之后再给出详细说明,此时先继续回到ModularRealmAuthenticator认证的地方
- protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
- assertRealmsConfigured();
- Collection<Realm> realms = getRealms();
- if (realms.size() == 1) {
- return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
- } else {
- return doMultiRealmAuthentication(realms, authenticationToken);
- }
- }
代码很简单,当只有一个Realm时先调用Realm的supports方法看是否支持,若不支持则抛出认证失败的异常,若支持则调用Realm的getAuthenticationInfo(token)方法如下:
Java代码
- protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
- if (!realm.supports(token)) {
- String msg = "Realm [" + realm + "] does not support authentication token [" +
- token + "]. Please ensure that the appropriate Realm implementation is " +
- "configured correctly or that the realm accepts AuthenticationTokens of this type.";
- throw new UnsupportedTokenException(msg);
- }
- AuthenticationInfo info = realm.getAuthenticationInfo(token);
- if (info == null) {
- String msg = "Realm [" + realm + "] was unable to find account data for the " +
- "submitted AuthenticationToken [" + token + "].";
- throw new UnknownAccountException(msg);
- }
- return info;
- }
若有多个Realm 时怎样才算是认证成功的呢?这就需要ModularRealmAuthenticator的认证策略AuthenticationStrategy 来指定,对于AuthenticationStrategy目前有三种实现
AllSuccessfulStrategy:即所有的Realm 都验证通过才算是通过
AtLeastOneSuccessfulStrategy:只要有一个Realm 验证通过就算通过
FirstSuccessfulStrategy:这个刚开始不太好理解,和AtLeastOneSuccessfulStrategy稍微有些区别。AtLeastOneSuccessfulStrategy返回了所有Realm认证成功的信息,FirstSuccessfulStrategy只返回了第一个Realm认证成功的信息。
试想一下,如果让你来设计,你会怎么设计?
然后来具体看下AuthenticationStrategy 的接口设计:
- public interface AuthenticationStrategy {
- AuthenticationInfo beforeAllAttempts(Collection<? extends Realm> realms, AuthenticationToken token) throws AuthenticationException;
- AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException;
- AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)
- throws AuthenticationException;
- AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException;
- }
验证过程是这样的,每一个Realm验证token后都会返回一个当前Realm的验证信息AuthenticationInfo singleRealmInfo,然后呢会有一个贯穿所有Realm验证过程的验证信息AuthenticationInfo aggregateInfo,每一个Realm验证过后会进行singleRealmInfo和aggregateInfo的合并,这是大体的流程
对于AllSuccessfulStrategy来说:它要确保每一个Realm都要验证成功,所以必然
(1)要在beforeAttempt中判断当前realm是否支持token,如不支持抛出异常结束验证过程
(2)要在afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)中判断是否验证通过了,即异常t为空,并且singleRealmInfo不为空,则表示验证通过了,然后将singleRealmInfo和aggregateInfo合并,所以最终返回的aggregateInfo是几个Realm认证信息合并后的结果
AllSuccessfulStrategy就会在这两处进行把关,一旦不符合抛出异常,认证失败,如下:
- public AuthenticationInfo beforeAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
- if (!realm.supports(token)) {
- String msg = "Realm [" + realm + "] of type [" + realm.getClass().getName() + "] does not support " +
- " the submitted AuthenticationToken [" + token + "]. The [" + getClass().getName() +
- "] implementation requires all configured realm(s) to support and be able to process the submitted " +
- "AuthenticationToken.";
- throw new UnsupportedTokenException(msg);
- }
- return info;
- }
- public AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo info, AuthenticationInfo aggregate, Throwable t)
- throws AuthenticationException {
- if (t != null) {
- if (t instanceof AuthenticationException) {
- //propagate:
- throw ((AuthenticationException) t);
- } else {
- String msg = "Unable to acquire account data from realm [" + realm + "]. The [" +
- getClass().getName() + " implementation requires all configured realm(s) to operate successfully " +
- "for a successful authentication.";
- throw new AuthenticationException(msg, t);
- }
- }
- if (info == null) {
- String msg = "Realm [" + realm + "] could not find any associated account data for the submitted " +
- "AuthenticationToken [" + token + "]. The [" + getClass().getName() + "] implementation requires " +
- "all configured realm(s) to acquire valid account data for a submitted token during the " +
- "log-in process.";
- throw new UnknownAccountException(msg);
- }
- log.debug("Account successfully authenticated using realm [{}]", realm);
- // If non-null account is returned, then the realm was able to authenticate the
- // user - so merge the account with any accumulated before:
- merge(info, aggregate);
- return aggregate;
- }
对于AtLeastOneSuccessfulStrategy来说:它只需确保在所有Realm验证完成之后,判断下aggregateInfo是否含有用户信息即可,若有则表示有些Realm是验证通过了,此时aggregateInfo也是合并后的信息,如下
Java代码
- public AuthenticationInfo afterAllAttempts(AuthenticationToken token, AuthenticationInfo aggregate) throws AuthenticationException {
- //we know if one or more were able to succesfully authenticate if the aggregated account object does not
- //contain null or empty data:
- if (aggregate == null || CollectionUtils.isEmpty(aggregate.getPrincipals())) {
- throw new AuthenticationException("Authentication token of type [" + token.getClass() + "] " +
- "could not be authenticated by any configured realms. Please ensure that at least one realm can " +
- "authenticate these tokens.");
- }
- return aggregate;
- }
对于FirstSuccessfulStrategy来说:它只需要第一个Realm验证成功的信息,不需要去进行合并,所以它必须在合并上做手脚,即不会进行合并,一旦有一个Realm验证成功,信息保存到
aggregateInfo中,之后即使再次验证成功也不会进行合并,如下
Java代码
- protected AuthenticationInfo merge(AuthenticationInfo info, AuthenticationInfo aggregate) {
- if (aggregate != null && !CollectionUtils.isEmpty(aggregate.getPrincipals())) {
- return aggregate;
- }
- return info != null ? info : aggregate;
- }
验证策略分析完成之后,我们来看下ModularRealmAuthenticator的真个验证的代码过程:
Java代码
- protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {
- AuthenticationStrategy strategy = getAuthenticationStrategy();
- AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
- if (log.isTraceEnabled()) {
- log.trace("Iterating through {} realms for PAM authentication", realms.size());
- }
- for (Realm realm : realms) {
- aggregate = strategy.beforeAttempt(realm, token, aggregate);
- if (realm.supports(token)) {
- log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);
- AuthenticationInfo info = null;
- Throwable t = null;
- try {
- info = realm.getAuthenticationInfo(token);
- } catch (Throwable throwable) {
- t = throwable;
- if (log.isDebugEnabled()) {
- String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
- log.debug(msg, t);
- }
- }
- aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
- } else {
- log.debug("Realm [{}] does not support token {}. Skipping realm.", realm, token);
- }
- }
- aggregate = strategy.afterAllAttempts(token, aggregate);
- return aggregate;
- }
有了之前的分析,这个过程便变的相当容易了。
再回到我们的入门案例中,有了AuthenticationInfo 验证信息,之后进行了那些操作呢?
回到DefaultSecurityManager的如下login方法中:
Java代码
- public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
- AuthenticationInfo info;
- try {
- info = authenticate(token);
- } catch (AuthenticationException ae) {
- try {
- onFailedLogin(token, ae, subject);
- } catch (Exception e) {
- if (log.isInfoEnabled()) {
- log.info("onFailedLogin method threw an " +
- "exception. Logging and propagating original AuthenticationException.", e);
- }
- }
- throw ae; //propagate
- }
- Subject loggedIn = createSubject(token, info, subject);
- onSuccessfulLogin(token, info, loggedIn);
- return loggedIn;
- }
Subject loggedIn = createSubject(token, info, subject)会根据已有的token、认证结果信息info、和subject从新创建一个已登录的Subject,含有Session信息,创建过程如下:
Java代码
- protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
- SubjectContext context = createSubjectContext();
- context.setAuthenticated(true);
- context.setAuthenticationToken(token);
- context.setAuthenticationInfo(info);
- if (existing != null) {
- context.setSubject(existing);
- }
- return createSubject(context);
- }
就是填充SubjectContext,然后根据SubjectContext来创建Subject,此Subject的信息是经过SubjectDAO保存的,再回到登陆方法:
Java代码
- public void login(AuthenticationToken token) throws AuthenticationException {
- clearRunAsIdentitiesInternal();
- Subject subject = securityManager.login(this, token);
- PrincipalCollection principals;
- String host = null;
- if (subject instanceof DelegatingSubject) {
- DelegatingSubject delegating = (DelegatingSubject) subject;
- //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
- principals = delegating.principals;
- host = delegating.host;
- } else {
- principals = subject.getPrincipals();
- }
- if (principals == null || principals.isEmpty()) {
- String msg = "Principals returned from securityManager.login( token ) returned a null or " +
- "empty value. This value must be non null and populated with one or more elements.";
- throw new IllegalStateException(msg);
- }
- this.principals = principals;
- this.authenticated = true;
- if (token instanceof HostAuthenticationToken) {
- host = ((HostAuthenticationToken) token).getHost();
- }
- if (host != null) {
- this.host = host;
- }
- Session session = subject.getSession(false);
- if (session != null) {
- this.session = decorate(session);
- } else {
- this.session = null;
- }
- }
最后的这些操作就是将刚才创建出来的Subject信息复制到我们所使用的Subject上,即
Java代码
- subject.login(token)
中的subject中。至此已经太长了,先告一段落,如SubjectDAO和Session的细节后面再详细说明。
如上测试的几个问题:
1、用户名/密码硬编码在ini配置文件,以后需要改成如数据库存储,且密码需要加密存储;
2、用户身份Token可能不仅仅是用户名/密码,也可能还有其他的,如登录时允许用户名/邮箱/手机号同时登录。
2.4 身份认证流程
流程如下:
1、首先调用Subject.login(token)进行登录,其会自动委托给Security Manager,调用之前必须通过SecurityUtils. setSecurityManager()设置;
2、SecurityManager负责真正的身份验证逻辑;它会委托给Authenticator进行身份验证;
3、Authenticator才是真正的身份验证者,Shiro API中核心的身份认证入口点,此处可以自定义插入自己的实现;
4、Authenticator可能会委托给相应的AuthenticationStrategy进行多Realm身份验证,默认ModularRealmAuthenticator会调用AuthenticationStrategy进行多Realm身份验证;
5、Authenticator会把相应的token传入Realm,从Realm获取身份验证信息,如果没有返回/抛出异常表示身份验证失败了。此处可以配置多个Realm,将按照相应的顺序及策略进行访问。
2.5 Realm
Realm:域,Shiro从从Realm获取安全数据(如用户、角色、权限),就是说SecurityManager要验证用户身份,那么它需要从Realm获取相应的用户进行比较以确定用户身份是否合法;也需要从Realm得到用户相应的角色/权限进行验证用户是否能进行操作;可以把Realm看成DataSource,即安全数据源。如我们之前的ini配置方式将使用org.apache.shiro.realm.text.IniRealm。
org.apache.shiro.realm.Realm接口如下:
Java代码
- String getName(); //返回一个唯一的Realm名字
- boolean supports(AuthenticationToken token); //判断此Realm是否支持此Token
- AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
- throws AuthenticationException; //根据Token获取认证信息
单Realm配置
1、自定义Realm实现(com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1):
Java代码
- public class MyRealm1 implements Realm {
- @Override
- public String getName() {
- return "myrealm1";
- }
- @Override
- public boolean supports(AuthenticationToken token) {
- //仅支持UsernamePasswordToken类型的Token
- return token instanceof UsernamePasswordToken;
- }
- @Override
- public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- String username = (String)token.getPrincipal(); //得到用户名
- String password = new String((char[])token.getCredentials()); //得到密码
- if(!"zhang".equals(username)) {
- throw new UnknownAccountException(); //如果用户名错误
- }
- if(!"123".equals(password)) {
- throw new IncorrectCredentialsException(); //如果密码错误
- }
- //如果身份认证验证成功,返回一个AuthenticationInfo实现;
- return new SimpleAuthenticationInfo(username, password, getName());
- }
- }
2、ini配置文件指定自定义Realm实现(shiro-realm.ini)
Java代码
- #声明一个realm
- myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
- #指定securityManager的realms实现
- securityManager.realms=$myRealm1
通过$name来引入之前的realm定义
3、测试用例请参考com.github.zhangkaitao.shiro.chapter2.LoginLogoutTest的testCustomRealm测试方法,只需要把之前的shiro.ini配置文件改成shiro-realm.ini即可。
多Realm配置
1、ini配置文件(shiro-multi-realm.ini)
Java代码
- #声明一个realm
- myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
- myRealm2=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm2
- #指定securityManager的realms实现
- securityManager.realms=$myRealm1,$myRealm2
securityManager会按照realms指定的顺序进行身份认证。此处我们使用显示指定顺序的方式指定了Realm的顺序,如果删除“securityManager.realms=$myRealm1,$myRealm2”,那么securityManager会按照realm声明的顺序进行使用(即无需设置realms属性,其会自动发现),当我们显示指定realm后,其他没有指定realm将被忽略,如“securityManager.realms=$myRealm1”,那么myRealm2不会被自动设置进去。
2、测试用例请参考com.github.zhangkaitao.shiro.chapter2.LoginLogoutTest的testCustomMultiRealm测试方法。
Shiro默认提供的Realm
以后一般继承AuthorizingRealm(授权)即可;其继承了AuthenticatingRealm(即身份验证),而且也间接继承了CachingRealm(带有缓存实现)。其中主要默认实现如下:
org.apache.shiro.realm.text.IniRealm:[users]部分指定用户名/密码及其角色;[roles]部分指定角色即权限信息;
org.apache.shiro.realm.text.PropertiesRealm: user.username=password,role1,role2指定用户名/密码及其角色;role.role1=permission1,permission2指定角色及权限信息;
org.apache.shiro.realm.jdbc.JdbcRealm:通过sql查询相应的信息,如“select password from users where username = ?”获取用户密码,“select password, password_salt from users where username = ?”获取用户密码及盐;“select role_name from user_roles where username = ?”获取用户角色;“select permission from roles_permissions where role_name = ?”获取角色对应的权限信息;也可以调用相应的api进行自定义sql;
JDBC Realm使用
1、数据库及依赖
Java代码
- <dependency>
- <groupId>mysql</groupId>
- <artifactId>mysql-connector-java</artifactId>
- <version>5.1.25</version>
- </dependency>
- <dependency>
- <groupId>com.alibaba</groupId>
- <artifactId>druid</artifactId>
- <version>0.2.23</version>
- </dependency>
本文将使用mysql数据库及druid连接池;
2、到数据库shiro下建三张表:users(用户名/密码)、user_roles(用户/角色)、roles_permissions(角色/权限),具体请参照shiro-example-chapter2/sql/shiro.sql;并添加一个用户记录,用户名/密码为zhang/123;
3、ini配置(shiro-jdbc-realm.ini)
Java代码
- jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
- dataSource=com.alibaba.druid.pool.DruidDataSource
- dataSource.driverClassName=com.mysql.jdbc.Driver
- dataSource.url=jdbc:mysql://localhost:3306/shiro
- dataSource.username=root
- #dataSource.password=
- jdbcRealm.dataSource=$dataSource
- securityManager.realms=$jdbcRealm
1、变量名=全限定类名会自动创建一个类实例
2、变量名.属性=值 自动调用相应的setter方法进行赋值
3、$变量名 引用之前的一个对象实例
4、测试代码请参照com.github.zhangkaitao.shiro.chapter2.LoginLogoutTest的testJDBCRealm方法,和之前的没什么区别。
2.6 Authenticator及AuthenticationStrategy
Authenticator的职责是验证用户帐号,是Shiro API中身份验证核心的入口点:
Java代码
- public AuthenticationInfo authenticate(AuthenticationToken authenticationToken)
- throws AuthenticationException;
如果验证成功,将返回AuthenticationInfo验证信息;此信息中包含了身份及凭证;如果验证失败将抛出相应的AuthenticationException实现。
SecurityManager接口继承了Authenticator,另外还有一个ModularRealmAuthenticator实现,其委托给多个Realm进行验证,验证规则通过AuthenticationStrategy接口指定,默认提供的实现:
FirstSuccessfulStrategy:只要有一个Realm验证成功即可,只返回第一个Realm身份验证成功的认证信息,其他的忽略;
AtLeastOneSuccessfulStrategy:只要有一个Realm验证成功即可,和FirstSuccessfulStrategy不同,返回所有Realm身份验证成功的认证信息;
AllSuccessfulStrategy:所有Realm验证成功才算成功,且返回所有Realm身份验证成功的认证信息,如果有一个失败就失败了。
ModularRealmAuthenticator默认使用AtLeastOneSuccessfulStrategy策略。
假设我们有三个realm:
myRealm1: 用户名/密码为zhang/123时成功,且返回身份/凭据为zhang/123;
myRealm2: 用户名/密码为wang/123时成功,且返回身份/凭据为wang/123;
myRealm3: 用户名/密码为zhang/123时成功,且返回身份/凭据为zhang@163.com/123,和myRealm1不同的是返回时的身份变了;
1、ini配置文件(shiro-authenticator-all-success.ini)
Java代码
- #指定securityManager的authenticator实现
- authenticator=org.apache.shiro.authc.pam.ModularRealmAuthenticator
- securityManager.authenticator=$authenticator
- #指定securityManager.authenticator的authenticationStrategy
- allSuccessfulStrategy=org.apache.shiro.authc.pam.AllSuccessfulStrategy
- securityManager.authenticator.authenticationStrategy=$allSuccessfulStrategy
Java代码
- myRealm1=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm1
- myRealm2=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm2
- myRealm3=com.github.zhangkaitao.shiro.chapter2.realm.MyRealm3
- securityManager.realms=$myRealm1,$myRealm3
2、测试代码(com.github.zhangkaitao.shiro.chapter2.AuthenticatorTest)
2.1、首先通用化登录逻辑
Java代码
- private void login(String configFile) {
- //1、获取SecurityManager工厂,此处使用Ini配置文件初始化SecurityManager
- Factory<org.apache.shiro.mgt.SecurityManager> factory =
- new IniSecurityManagerFactory(configFile);
- //2、得到SecurityManager实例 并绑定给SecurityUtils
- org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
- SecurityUtils.setSecurityManager(securityManager);
- //3、得到Subject及创建用户名/密码身份验证Token(即用户身份/凭证)
- Subject subject = SecurityUtils.getSubject();
- UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
- subject.login(token);
- }
2.2、测试AllSuccessfulStrategy成功:
Java代码
- @Test
- public void testAllSuccessfulStrategyWithSuccess() {
- login("classpath:shiro-authenticator-all-success.ini");
- Subject subject = SecurityUtils.getSubject();
- //得到一个身份集合,其包含了Realm验证成功的身份信息
- PrincipalCollection principalCollection = subject.getPrincipals();
- Assert.assertEquals(2, principalCollection.asList().size());
- }
即PrincipalCollection包含了zhang和zhang@163.com身份信息。
2.3、测试AllSuccessfulStrategy失败:
Java代码
- @Test(expected = UnknownAccountException.class)
- public void testAllSuccessfulStrategyWithFail() {
- login("classpath:shiro-authenticator-all-fail.ini");
- Subject subject = SecurityUtils.getSubject();
- }
shiro-authenticator-all-fail.ini与shiro-authenticator-all-success.ini不同的配置是使用了securityManager.realms=$myRealm1,$myRealm2;即myRealm验证失败。
对于AtLeastOneSuccessfulStrategy和FirstSuccessfulStrategy的区别,请参照testAtLeastOneSuccessfulStrategyWithSuccess和testFirstOneSuccessfulStrategyWithSuccess测试方法。唯一不同点一个是返回所有验证成功的Realm的认证信息;另一个是只返回第一个验证成功的Realm的认证信息。
自定义AuthenticationStrategy实现,首先看其API:
Java代码
- //在所有Realm验证之前调用
- AuthenticationInfo beforeAllAttempts(
- Collection<? extends Realm> realms, AuthenticationToken token)
- throws AuthenticationException;
- //在每个Realm之前调用
- AuthenticationInfo beforeAttempt(
- Realm realm, AuthenticationToken token, AuthenticationInfo aggregate)
- throws AuthenticationException;
- //在每个Realm之后调用
- AuthenticationInfo afterAttempt(
- Realm realm, AuthenticationToken token,
- AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)
- throws AuthenticationException;
- //在所有Realm之后调用
- AuthenticationInfo afterAllAttempts(
- AuthenticationToken token, AuthenticationInfo aggregate)
- throws AuthenticationException;
因为每个AuthenticationStrategy实例都是无状态的,所有每次都通过接口将相应的认证信息传入下一次流程;通过如上接口可以进行如合并/返回第一个验证成功的认证信息。
自定义实现时一般继承org.apache.shiro.authc.pam.AbstractAuthenticationStrategy即可,具体可以参考代码com.github.zhangkaitao.shiro.chapter2.authenticator.strategy包下OnlyOneAuthenticatorStrategy 和AtLeastTwoAuthenticatorStrategy。