shiro身份认证(第一章)

最新推荐文章于 2024-05-01 06:09:37 发布
最新推荐文章于 2024-05-01 06:09:37 发布
阅读量688 收藏 1
点赞数
分类专栏: shiro
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_30881357/article/details/78142328
版权 

shiro版本信息:

		<dependency>
			<groupId>org.apache.shiro</groupId>
			<artifactId>shiro-core</artifactId>
			<version>1.3.2</version>
		</dependency>
当我们调用shiro的subject.login(token)进行登录时,subject的默认实现是:org.apache.shiro.subject.support.DelegatingSubject 

		Subject subject=SecurityUtils.getSubject();
		UsernamePasswordToken token=new UsernamePasswordToken("zhang", "123");
		subject.login(token);

shiro的实现类的源码如下: 

public void login(AuthenticationToken token) throws AuthenticationException {
        clearRunAsIdentitiesInternal();
        Subject subject = securityManager.login(this, token);

        PrincipalCollection principals;

        String host = null;

        if (subject instanceof DelegatingSubject) {
            DelegatingSubject delegating = (DelegatingSubject) subject;
            //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
            principals = delegating.principals;
            host = delegating.host;
        } else {
            principals = subject.getPrincipals();
        }

        if (principals == null || principals.isEmpty()) {
            String msg = "Principals returned from securityManager.login( token ) returned a null or " +
                    "empty value.  This value must be non null and populated with one or more elements.";
            throw new IllegalStateException(msg);
        }
        this.principals = principals;
        this.authenticated = true;
        if (token instanceof HostAuthenticationToken) {
            host = ((HostAuthenticationToken) token).getHost();
        }
        if (host != null) {
            this.host = host;
        }
        Session session = subject.getSession(false);
        if (session != null) {
            this.session = decorate(session);
        } else {
            this.session = null;
        }
    }
首先判断session是否已经存在,如果已经存在,就清除掉session中原来的信息。 

 private void clearRunAsIdentities() {
        Session session = getSession(false);
        if (session != null) {
            session.removeAttribute(RUN_AS_PRINCIPALS_SESSION_KEY);
        }
    }
然后委托给securityManager进行登录。securityManager的默认实现是:org.apache.shiro.mgt.DefaultSecurityManager,源码如下: 


public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
        AuthenticationInfo info;
        try {
            info = authenticate(token);
        } catch (AuthenticationException ae) {
            try {
                onFailedLogin(token, ae, subject);
            } catch (Exception e) {
                if (log.isInfoEnabled()) {
                    log.info("onFailedLogin method threw an " +
                            "exception.  Logging and propagating original AuthenticationException.", e);
                }
            }
            throw ae; //propagate
        }

        Subject loggedIn = createSubject(token, info, subject);

        onSuccessfulLogin(token, info, loggedIn);

        return loggedIn;
    }
securityManager委托给了org.apache.shiro.authc.Authenticator进行处理 

public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
        return this.authenticator.authenticate(token);
    }
Authenticator的默认实现是:org.apache.shiro.authc.pam.ModularRealmAuthenticator.ModularRealmAuthenticator



ModularRealmAuthenticator继承了org.apache.shiro.authc.AbstractAuthenticator,并实现了父类定义的抽象方法,AbstractAuthenticator的源码如下:



ModularRealmAuthenticator实现的doAuthenticate方法如下:

protected void assertRealmsConfigured() throws IllegalStateException {
        Collection<Realm> realms = getRealms();
        if (CollectionUtils.isEmpty(realms)) {
            String msg = "Configuration error:  No realms have been configured!  One or more realms must be " +
                    "present to execute an authentication attempt.";
            throw new IllegalStateException(msg);
        }
    }

 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        assertRealmsConfigured();
        Collection<Realm> realms = getRealms();
        if (realms.size() == 1) {
            return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
        } else {
            return doMultiRealmAuthentication(realms, authenticationToken);
        }
    }
首先验证了realm是否存在,然后针对多Realm和一个realm分别提供了不同的实现方法:

针对一个Realm的方法实现,首先判断Realm是否支持验证这种token,然后调用realm的getAuthenticationInfo方法进行验证

protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
        if (!realm.supports(token)) {
            String msg = "Realm [" + realm + "] does not support authentication token [" +
                    token + "].  Please ensure that the appropriate Realm implementation is " +
                    "configured correctly or that the realm accepts AuthenticationTokens of this type.";
            throw new UnsupportedTokenException(msg);
        }
        AuthenticationInfo info = realm.getAuthenticationInfo(token);
        if (info == null) {
            String msg = "Realm [" + realm + "] was unable to find account data for the " +
                    "submitted AuthenticationToken [" + token + "].";
            throw new UnknownAccountException(msg);
        }
        return info;
    }
Realm的默认实现是org.apache.shiro.realm.AuthenticatingRealm,AuthenticatingRealm实现了 getAuthenticationInfo方法: 

public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

        AuthenticationInfo info = getCachedAuthenticationInfo(token);
        if (info == null) {
            //otherwise not cached, perform the lookup:
            info = doGetAuthenticationInfo(token);
            log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
            if (token != null && info != null) {
                cacheAuthenticationInfoIfPossible(token, info);
            }
        } else {
            log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
        }

        if (info != null) {
            assertCredentialsMatch(token, info);
        } else {
            log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
        }

        return info;
    }

doGetAuthenticationInfo是一个抽象方法,先根据token去缓存中取,如果缓存中没有,就交给子类去实现,子类找到了之后把用户信息放到缓存里。
protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        CredentialsMatcher cm = getCredentialsMatcher();
        if (cm != null) {
            if (!cm.doCredentialsMatch(token, info)) {
                //not successful - throw an exception to indicate this:
                String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
                throw new IncorrectCredentialsException(msg);
            }
        } else {
            throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " +
                    "credentials during authentication.  If you do not wish for credentials to be examined, you " +
                    "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");
        }
    }











assertCredentialsMatch方法用来验证token的密码是否正确,验证不通过则抛出异常。
针对多个realm的方法的实现如下:
 protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {

        AuthenticationStrategy strategy = getAuthenticationStrategy();

        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

        if (log.isTraceEnabled()) {
            log.trace("Iterating through {} realms for PAM authentication", realms.size());
        }

        for (Realm realm : realms) {

            aggregate = strategy.beforeAttempt(realm, token, aggregate);

            if (realm.supports(token)) {

                log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);

                AuthenticationInfo info = null;
                Throwable t = null;
                try {
                    info = realm.getAuthenticationInfo(token);
                } catch (Throwable throwable) {
                    t = throwable;
                    if (log.isWarnEnabled()) {
                        String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
                        log.warn(msg, t);
                    }
                }

                aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);

            } else {
                log.debug("Realm [{}] does not support token {}.  Skipping realm.", realm, token);
            }
        }

        aggregate = strategy.afterAllAttempts(token, aggregate);

        return aggregate;
    }









此处委托给了AuthenticationStrategy依次调用realm进行多realm进行认证。使用AuthenticationStrategy进行认证可以配置不同的策略,例如:一个realm认证通过就可以,或者所有realm都认证通过,以及realm认证的顺序。


完。





                

        

        

    




    

      

        

            

              
                
                  qq_30881357
                
              
            

            

                关注
              
            

        

        

          
    
            
  • 
              
                
                
                
                
                      0
                
              
              
    点赞
    
            
    • 
            
  • 
              
                
                
                
              
              
    
            
    • 
            
  • 
              
                
                
                
                
                    1
                
              
              
    
                
    
                  
                    收藏
                  
                
    
              
    
              
    
                
    
                  觉得还不错?
                  
                    一键收藏
                  
                 
                
    
              
    
            
    • 
          
  • 
            
    
              
              
            
    
              
              
              
                    0
              
            
            
    评论
    
          
    • 
          
  • 
          
    • 
          
  • 
            
              
            
              
    
            
              
                
            
    
          
    • 
        

      

      

            

                专栏目录
          










                



	

		

			

				
					
shiro 中出现  does not support authentication token

				
			

			

				

					u012587407的博客
				

				

					03-25
					
					2580
					
				

			

		

		

			
				
在使用Shiro时,我们需要
自定义的CustomRealm继承AuthorizingRealm、
并且重写父类中的doGetAuthorizationInfo(权限相关)、	 doGetAuthenticationInfo(身份认证)这两个方法。

每一个Ream都有一个supports方法,用于检测是否支持此Token ,如果没有重写supports就会报错  does not support...

			
		

	



                

              
                



	

		

			

				
					
shiro碰到的问题 does not support authentication token

				
			

			

				

					ywyngq的博客
				

				

					06-09
					
					525
					
				

			

		

		

			
				
每一个Ream都有一个supports方法,用于检测是否支持此Token, 而我在该函数中,默认的采用了return false;修改为了:public class ShiroRealm extends CasRealm 重写这个supports方法。自己写了一个Ream,配置到了SecurityManager中,但是验证的时候,一直报这个错。需在SecurityManager中新增多个realm,把自己自定义的Realm包含进去。查了半天,没进展,最后还是发现自己粗心,代码的问题。

			
		

	



                


  
              

                


	

		

			

				
					
2024年最全Shiro安全框架——【快速入门、登录拦截、用户认证

					
最新发布

				
			

			

				

					
				

				

					05-01
					
					332
					
				

			

		

		

			
				
);} else {”);//注销//退出三、SpringBoot 集成 Shiro1.编写测试环境1.在刚刚的父项目中新建一个 springboot 模块2.导入 SpringBoot 和 Shiro 整合包的依赖SpringBoot 和 Shiro 整合包1.4.1下面是编写配置文件Shiro 三大要素用户      ->    ShiroFilterFactoryBean管理所有用户  -> DefaultWebSecurityManager连接数据。

			
		

	





	

		

			

				
					
2020-11-03

				
			

			

				

					tutukl的博客
				

				

					11-03
					
					248
					
				

			

		

		

			
				
shiro 遇到does not support authentication token问题
解决方法,主要就是重写supports方法
   public boolean supports(AuthenticationToken token) {

       return token instanceof  UsernamePasswordToken; 
   }





			
		

	



		

			
		



	

		

			

				
					
shiro: Odd number of characters.

				
			

			

				

					ITHomeZSL的博客
				

				

					10-21
					
					1686
					
				

			

		

		

			
				
java.lang.IllegalArgumentException: Odd number of characters.
 at org.apache.shiro.codec.Hex.decode(Hex.java:128)
 at org.apache.shiro.codec.Hex.decode(Hex.java:107)
 at org.apache.shiro.code...

			
		

	





	

		

			

				
					
shiro 第七章 完整Demo

				
			

			

				

					08-30
				

			

		

		

			
				
Apache Shiro 是一个强大且易用的 Java 安全框架,提供身份认证、授权、会话管理和加密等核心功能。在第七章中,我们将重点讨论如何将 Shiro 集成到 Web 应用程序中,以实现全面的安全管理。  首先,Shiro 的集成...

			
		

	





	

		

			

				
					
跟我学Shiro第11章Demo

				
			

			

				

					09-16
				

			

		

		

			
				
总的来说,"跟我学Shiro第11章Demo"是一份详尽的实践教程,涵盖了Shiro的核心功能,包括缓存管理、会话管理、认证和授权。通过这个Demo,你可以更好地理解Shiro的工作原理,并学习如何在实际项目中应用这些知识,...

			
		

	





	

		

			

				
					
跟我学Shiro第13章Demo(RememberMe)

				
			

			

				

					09-23
				

			

		

		

			
				
"跟我学Shiro第13章Demo(RememberMe)"是一个实战教程,旨在帮助开发者理解并实现Shiro中的RememberMe特性。RememberMe功能允许用户在一段时间内免于重新登录,提高了用户体验。  在这个Demo中,我们将探讨以下几个...

			
		

	





	

		

			

				
					
shiro第六章Realm完整Demo

				
			

			

				

					08-23
				

			

		

		

			
				
Apache Shiro是一个强大的Java安全框架,它为应用程序提供了身份验证、授权、会话管理和加密等功能。在本"shiro第六章Realm完整Demo"中,我们将深入理解Shiro的核心组件——Realm,以及如何通过 Realm 实现用户认证...

			
		

	





	

		

			

				
					
跟我学Shiro第12章Demo(仅JAVA SE+Web+Shiro权限注解)

				
			

			

				

					09-22
				

			

		

		

			
				
《跟我学Shiro第12章Demo:Java SE、Web与Shiro权限注解实践》  Apache Shiro是一款强大的安全框架,广泛应用于Java项目中,提供了身份验证、授权、会话管理和加密等功能。本Demo主要涵盖了Shiro在Java Standard ...

			
		

	





	

		

			

				
					
shiro-No realms have been configured

				
			

			

				

					qq_45716444的博客
				

				

					04-23
					
					1219
					
				

			

		

		

			
				
Configuration error:  No realms have been configured!  One or more realms must be present to execute

			
		

	





	

		

			

				
					
Shiro与Spring结合时报Configuration error:  No realms have been configured!  One or more realms must be……

				
			

			

				

					柏拉图的IT爬坑旅程
				

				

					07-23
					
					2586
					
				

			

		

		

			
				
最近在跟着网上的教学视频学习Shiro安全框架,使用Shiro可以方便的做验证、授权等,其中在谈到使用多realm做验证,授权时,报了个缺少realm配置的错误。
Configuration error: No realms have been configured! One or more realms must be present to execute an authorization o...

			
		

	





	

		

			

				
					
No realms have been configured! One or more realms must be present to execut

				
			

			

				

					sword_anyone的博客
				

				

					06-12
					
					1325
					
				

			

		

		

			
				
刚刚在做shiro这边的测试时,出现了这么一个bug:
No realms have been configured! One or more realms must be present to execut。。。。。。。
这是我出错的代码:
 @Bean("securityManager")
    public SecurityManager securityManager(@Qualifier("userAuth") UserAuthRealm userAuthRealm,
             

			
		

	





	

		

			

				
					
shiro架构&认证 -Shiro

				
			

			

				

					qq_43409973的博客
				

				

					03-22
					
					781
					
				

			

		

		

			
				
shiro架构&认证 -Shiro

			
		

	





	

		

			

				
					
shiro 不管登录成功还是失败都出现这个bug

				
			

			

				

					m0_67391907的博客
				

				

					04-22
					
					681
					
				

			

		

		

			
				
28 回复
package com.coracle.fast.service.impl.shiro;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountExcept

			
		

	





	

		

			

				
					
shiro源码解析

				
			

			

				

					xajh_czbk的博客
				

				

					03-01
					
					277
					
				

			

		

		

			
				
什么是shiroshiro,安全框架。它的认证,授权,加密和会话管理可以用于保护任何应用程序。

shiro为以下几个方面提供应用程序的安全API(应用程序安全的4大基石):

Authentication - 提供用户身份认证,俗称登录
Authorization - 访问权限控制
Cryptography - 使用加密算法保护或者隐藏数据
Session Management - 用户的会话管理

Login
登录时需要进行shiro认证。以自己的项目为例,如下图:



在这个方法里会有shir

			
		

	





	

		

			

				
					
Shiro: No realms have been configured!  One or more realms must be ……

				
			

			

				

					weixin_33724059的博客
				

				

					05-31
					
					287
					
				

			

		

		

			
				
为什么80%的码农都做不了架构师?>>> 
                                        
                ...

			
		

	





	

		

			

				
					
Shiro教程详解:身份验证、授权与Web集成

				
			

			

				

					
				

			

		

		

			
				
1. **第一章Shiro简介** - 介绍了Shiro的基本概念,包括其在Web安全领域的地位,以及其主要功能和用途。这一章可能探讨了Shiro的核心组件和架构。  2. **第二章:身份验证** - 讲述了如何设置和管理用户登录过程,...

			
		

	



              




          




        



    





    



      

      

        
      

      





	

		评论	
	

	
	




  

    

      添加红包
      
    

    

      

        
        

          
          
        

        
请填写红包祝福语或标题

      

      

        
        

          
          
        

        
红包个数最小为10个

      

      

        
        

          
          
        

        
红包金额最低5元

      

      

        
        

          当前余额3.43前往充值 >
        

      

      

        

          需支付:10.00

        
        
      

    

  





  

    
    
  

  

    
    
  








  

    

      

        

          

            
            
成就一亿技术人!

          

          

        

        

          

          

            领取后你会自动成为博主和红包主的粉丝
            规则
          

        

      

      

        

          

            
              
            
            

              
hope_wisdom
 发出的红包
            

          

        

        

          

          

          

        

      

    

    

  



      
      

      
实付

      
使用余额支付

      

        

          

            
            点击重新获取
          

        

        
扫码支付

      

      

        
          
            
          
          
        
      

      

        
        钱包余额
          0
          

            
            

              

                
抵扣说明:

                
 1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
 2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

              

            

          

      

      余额充值