shiro登陆:首先创建一个token,然后执行subject.login方法,自己实现一个Realm来对token进行验证,验证成功,则登陆成功,否则登陆失败。显然,subject.login在其中起到了非常重要的作用!那么它到底干了什么呢?
1.subject.login执行过程的类图
如上图所示,subject.login的执行过程大体如下:首先委托给securityManager的login方法,而securityManager通过使用Authenticator验证器来验证token,Authenticator验证器使用我们自己实现的Realm的doGetAuthenticationInfo方法,来最终实现对token的验证。而RemeberMeManger是用来实现shiro的remeberme功能的,如果配置了RemeberMeManger,那么登陆成功失败都会通知RemeberMeManger,从而实现remeberme功能。而AuthenticationListener是用来监听登陆的结果的,这是观察者模式的实现,登陆成功失败Authenticator会通知AuthenticationListener来执行相应的动作。
2.源码解读
Subject.login(AuthenticationToken token),subject只是一个接口,实际实现的是DelegatingSubject.login。
public void login(AuthenticationToken token) throws AuthenticationException {
//清除session中的RUN_AS_PRINCIPALS_SESSION_KEY
clearRunAsIdentitiesInternal();
//调用securityManager的login方法
Subject subject = securityManager.login(this, token);
...
//认证成功
this.authenticated = true;
}
subject会委托给SecurityManager.login()来执行登陆,DefaultSecurityManager的login方法如下:
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
//验证token,见下文,验证失败抛出AuthenticationException 异常
info = authenticate(token);
} catch (AuthenticationException ae) {
try {
//验证失败,执行RememberMeManager.onFailedLogin来忘记主体
onFailedLogin(token, ae, subject);
} catch (Exception e) {
if (log.isInfoEnabled()) {
log.info("onFailedLogin method threw an " +
"exception. Logging and propagating original AuthenticationException.", e);
}
}
//继续向上抛出异常
throw ae; //propagate
}
//登陆成功,创建subject。
Subject loggedIn = createSubject(token, info, subject);
//登陆成功,执行RememberMeManager的onSuccessfulLogin,用来记住主体
onSuccessfulLogin(token, info, loggedIn);
return loggedIn;
}
info = authenticate(token);这步骤最终会调用AbstractorAuthenticator.authenticate()方法。如下:
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
if (token == null) {
throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
}
log.trace("Authentication attempt received for token [{}]", token);
AuthenticationInfo info;
try {
//重点:这里就会调用自己实现的realm的doGetAuthenticationInfo方法
info = doAuthenticate(token);
//如果验证失败,那么抛出AuthenticationException
if (info == null) {
String msg = "No account information found for authentication token [" + token + "] by this " +
"Authenticator instance. Please check that it is configured correctly.";
throw new AuthenticationException(msg);
}
} catch (Throwable t) {
AuthenticationException ae = null;
if (t instanceof AuthenticationException) {
ae = (AuthenticationException) t;
}
if (ae == null) {
//Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
//severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate:
String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
"error? (Typical or expected login exceptions should extend from AuthenticationException).";
ae = new AuthenticationException(msg, t);
if (log.isWarnEnabled())
log.warn(msg, t);
}
try {
//验证失败,触发listener的监听事件
notifyFailure(token, ae);
} catch (Throwable t2) {
if (log.isWarnEnabled()) {
String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
"Please check your AuthenticationListener implementation(s). Logging sending exception " +
"and propagating original AuthenticationException instead...";
log.warn(msg, t2);
}
}
//继续向上抛出AuthenticationException
throw ae;
}
log.debug("Authentication successful for token [{}]. Returned account [{}]", token,info);
//验证成功:触发listener的监听事件。
notifySuccess(token, info);
return info;
}
总结:从上面可以看出shiro提供了很多扩展点,我们可以扩展shiro框架,来满足自己的需求。