First, set a breakpoint and step into isPermitted(String permission) in DelegatingSubject. This method first checks that the subject actually carries an identity (principals) and only then hands off to the authorization work.
public boolean isPermitted(String permission) {
    return this.hasPrincipals() && this.securityManager.isPermitted(this.getPrincipals(), permission);
}
Step into isPermitted in AuthorizingSecurityManager.
public boolean isPermitted(PrincipalCollection principals, String permissionString) {
    return this.authorizer.isPermitted(principals, permissionString);
}
Step into isPermitted in ModularRealmAuthorizer.
public boolean isPermitted(PrincipalCollection principals, String permission) {
    this.assertRealmsConfigured();
    Iterator i$ = this.getRealms().iterator();
    Realm realm;
    do {
        if (!i$.hasNext()) {
            return false;
        }
        realm = (Realm)i$.next();
    } while(!(realm instanceof Authorizer) || !((Authorizer)realm).isPermitted(principals, permission));
    return true;
}
The while condition calls the realm's isPermitted; stepping into it, we eventually reach this.getAuthorizationInfo().
public boolean isPermitted(PrincipalCollection principals, String permission) {
    Permission p = this.getPermissionResolver().resolvePermission(permission);
    return this.isPermitted(principals, p);
}

public boolean isPermitted(PrincipalCollection principals, Permission permission) {
    AuthorizationInfo info = this.getAuthorizationInfo(principals);
    return this.isPermitted(permission, info);
}
getAuthorizationInfo looks like this:
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
    if (principals == null) {
        return null;
    } else {
        AuthorizationInfo info = null;
        if (log.isTraceEnabled()) {
            log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");
        }
        Cache<Object, AuthorizationInfo> cache = this.getAvailableAuthorizationCache();
        Object key;
        if (cache != null) {
            if (log.isTraceEnabled()) {
                log.trace("Attempting to retrieve the AuthorizationInfo from cache.");
            }
            key = this.getAuthorizationCacheKey(principals);
            info = (AuthorizationInfo)cache.get(key);
            if (log.isTraceEnabled()) {
                if (info == null) {
                    log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");
                } else {
                    log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");
                }
            }
        }
        if (info == null) {
            info = this.doGetAuthorizationInfo(principals);
            if (info != null && cache != null) {
                if (log.isTraceEnabled()) {
                    log.trace("Caching authorization info for principals: [" + principals + "].");
                }
                key = this.getAuthorizationCacheKey(principals);
                cache.put(key, info);
            }
        }
        return info;
    }
}
At the doGetAuthorizationInfo call above, control enters our custom realm. It returns an AuthorizationInfo, an object that in a real application is loaded from the database, and that object is what the subsequent permission matching is checked against.
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    String username = (String) principalCollection.getPrimaryPrincipal();
    // query the database for the roles assigned to this user in advance
    List<String> roles = new ArrayList<String>();
    // assume the user has the role1 role
    roles.add("role1");
    List<String> permission = new ArrayList<String>();
    permission.add("user:delete");
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.addRoles(roles);
    info.addStringPermissions(permission);
    return info;
}
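The whole chain stepped through above, from Subject.isPermitted down to the custom realm's doGetAuthorizationInfo, wired into a runnable program, together with the caching behaviour of getAuthorizationInfo that matters in practice: once an AuthorizationInfo has been cached for a principal, revoking a permission in the backing store has no effect until that realm's cache entry is cleared. This is an added example, not code from the post; PermissionFlowDemo, DemoRealm, the user "alice"/"secret" and the in-memory permission set standing in for the database are all constructed for illustration.

```java
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class PermissionFlowDemo {
    // Hypothetical realm replacing the post's custom realm; an in-memory set stands in for the database.
    static class DemoRealm extends AuthorizingRealm {
        final Set<String> perms = new HashSet<>();
        DemoRealm() { perms.add("user:delete"); }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            // constructed credentials; only the authorization path is of interest here
            return new SimpleAuthenticationInfo("alice", "secret", getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            System.out.println("doGetAuthorizationInfo called"); // only reached on a cache miss
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermissions(perms); // copies the set, so the cached info is a snapshot
            return info;
        }
        // protected in AuthorizingRealm; exposed so main() can evict this principal's entry
        void evict(PrincipalCollection principals) { clearCachedAuthorizationInfo(principals); }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        sm.setCacheManager(new MemoryConstrainedCacheManager()); // enables the AuthorizationInfo cache
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        // each call walks Subject -> SecurityManager -> ModularRealmAuthorizer -> realm
        System.out.println(subject.isPermitted("user:delete")); // granted: "user:delete" implies itself
        System.out.println(subject.isPermitted("user:create")); // denied: no stored permission implies it
        realm.perms.remove("user:delete"); // revoke in the "database" only
        System.out.println(subject.isPermitted("user:delete")); // cached snapshot still grants it
        realm.evict(subject.getPrincipals());
        System.out.println(subject.isPermitted("user:delete")); // miss reloads, revocation now visible
    }
}
```

The same staleness applies to any Shiro deployment with a configured CacheManager, so a permission change in the database must be paired with clearing the affected principal's cached AuthorizationInfo.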