在Shiro中,登录操作是由Subject的login()方法完成的,Subject是个接口,在Web环境中,实现类为WebDelegatingSubject,login方法从DeletatingSubject继承而来:
- public void login(AuthenticationToken token) throws AuthenticationException {
- clearRunAsIdentitiesInternal();
- Subject subject = securityManager.login(this, token);
- // 省略一些代码...
- }
由上可见,Subject.login()方法委托给了SecurityManager对象,在Web环境中,SecurityManager实现类为DefaultWebSecurityManager,其login方法从DefaultSecurityManager继承而来:
- public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
- AuthenticationInfo info;
- try {
- // 对提交的AuthenticationToken进行认证
- info = authenticate(token);
- } catch (AuthenticationException ae) {
- try {
- // 如果认证失败
- onFailedLogin(token, ae, subject);
- } catch (Exception e) {
- if (log.isInfoEnabled()) {
- log.info("onFailedLogin method threw an " +
- "exception. Logging and propagating original AuthenticationException.", e);
- }
- }
- throw ae; //propagate,如果认证失败,使异常继续向上传播,从而返回至登录页面(见上篇)
- }
- // 如果认证成功则重新创建Subject对象
- Subject loggedIn = createSubject(token, info, subject);
- // 登录成功,主要处理RememberMe操作,即将登录信息存储在cookie中
- onSuccessfulLogin(token, info, loggedIn);
- return loggedIn;
- }
最关键的authenticate方法:
- public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
- return this.authenticator.authenticate(token);
- }
SecurityManager把认证方法委托给认证器Authenticator的authenticate方法,Authenticator的实现类为:ModularRealmAuthenticator,其可以实现多认证信息源综合认证。ModularRealmAuthenticator实现使用了模版方法模式,随后执行doAuthenticate方法:
- protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
- assertRealmsConfigured();
- // Realm集合在为SecurityManager设置Realm时就会设置给Authenticator
- // 至于Realm代表什么,请参看:http://jinnianshilongnian.iteye.com/blog/2018936
- Collection<Realm> realms = getRealms();
- if (realms.size() == 1) {
- // 如果Realm只有一个
- return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
- } else {
- // 如果Realm有多个
- return doMultiRealmAuthentication(realms, authenticationToken);
- }
- }
单一Realm认证:
- protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
- // 该Realm是否支持此种Token,因为并不是任何一种Realm与AuthenticationToken都是相互匹配的
- if (!realm.supports(token)) {
- String msg = "Realm [" + realm + "] does not support authentication token [" +
- token + "]. Please ensure that the appropriate Realm implementation is " +
- "configured correctly or that the realm accepts AuthenticationTokens of this type.";
- throw new UnsupportedTokenException(msg);
- }
- // 根据AuthenticationToken获取认证信息
- // Realm一般是由自己实现的,虽然说Shiro有一些自己的实现,但是在实际项目中,Shiro的实现直接就能使用的情况很少
- // 比较将认证信息(用户名密码等)存在数据库,则该getAuthenticationInfo方法就是根据Token中的信息去数据库中查找、
- // 匹配,如果匹配上了则返回相应认证后的认证信息
- AuthenticationInfo info = realm.getAuthenticationInfo(token);
- // 如果没有获取到则认证失败
- if (info == null) {
- String msg = "Realm [" + realm + "] was unable to find account data for the " +
- "submitted AuthenticationToken [" + token + "].";
- throw new UnknownAccountException(msg);
- }
- return info;
- }
一般来说,自定义实现的Realm会继承自AuthenticatingRealm,所以会执行至:
- public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- // 先去缓存中查找,如果你使用了缓存,则不用每次都去文件或数据库中查找
- AuthenticationInfo info = getCachedAuthenticationInfo(token);
- if (info == null) {
- //otherwise not cached, perform the lookup:
- // 使用模版方法模式,进行直正的认证信息查找
- info = doGetAuthenticationInfo(token);
- log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
- if (token != null && info != null) {
- cacheAuthenticationInfoIfPossible(token, info);
- }
- } else {
- log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
- }
- if (info != null) {
- // 断言AuthenticationToken与AuthenticationInfo是匹配的,简单点来说就是判断密码是否正确,不正确则抛异常
- // doGetAuthenticationInfo方法主要判断账户是否存在
- assertCredentialsMatch(token, info);
- } else {
- log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
- }
- return info;
- }
单一Realm认证时,只需要判断一个Realm认证是否成功即可,但是当存在多个Realm时情况就有点复杂了。因为有可能有些Realm认证成功了,有些Realm又认证失败了,这时到底算是认证成功还是失败呢?所以这时Shiro使用了策略模式,用具体的策略类来处理这个问题。多个Realm认证时的doMultiRealmAuthentication方法如下:
- protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {
- // 首先就得获取认证策略,Shiro实现了三种:
- //1. AllSuccessfulStrategy: 必须所有Realm认证成功了才算是认证成功
- //2. AtLeastOneSuccessfulStrategy: 至少有一个Realm认证成功了就算是认证成功
- //3. FirstSuccessfulStrategy: 第一个Realm认证成功了就算是认证成功
- // 默认实现为AtLeastOneSuccessfulStrategy
- AuthenticationStrategy strategy = getAuthenticationStrategy();
- // 假设我们现在使用的就是AtLeastOneSuccessfulStrategy
- // 返回SimpleAuthenticationInfo,这是一个空认证信息,并不含有principal与credentials
- AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
- if (log.isTraceEnabled()) {
- log.trace("Iterating through {} realms for PAM authentication", realms.size());
- }
- for (Realm realm : realms) {
- // 直接返回aggregate
- aggregate = strategy.beforeAttempt(realm, token, aggregate);
- if (realm.supports(token)) {
- log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);
- AuthenticationInfo info = null;
- Throwable t = null;
- try {
- info = realm.getAuthenticationInfo(token);
- } catch (Throwable throwable) {
- t = throwable;
- if (log.isDebugEnabled()) {
- String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
- log.debug(msg, t);
- }
- }
- //如果认证成功则info不为null,且包含有principal与credentials
- //afterAttempt方法会将info与aggregate合并,也就是将AuthenticationInfo的principal与credentials
- //分别用一集合存储
- aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
- } else {
- log.debug("Realm [{}] does not support token {}. Skipping realm.", realm, token);
- }
- }
- // 检测合并后的AuthenticationInfo中是否含用principal,如果有则返回aggregate
- // 没有则抛出异常认证失败,由此可见只要有一个Realm认证成功则算是认证成功
- aggregate = strategy.afterAllAttempts(token, aggregate);
- return aggregate;
- }
上面只分析了AtLeastOneSuccessfulStrategy策略,其它两个请自行查看源码。
假设现在认证成功了,接下来执行DefaultSecurityManager.createSubject方法:
- protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
- // 创建SubjectContext对象
- SubjectContext context = createSubjectContext();
- // 设置为已认证
- context.setAuthenticated(true);
- // 设置Token
- context.setAuthenticationToken(token);
- // 设置认证通过后的认证信息
- context.setAuthenticationInfo(info);
- if (existing != null) {
- // 设置先前存在的Subject
- context.setSubject(existing);
- }
- return createSubject(context);
- }
- public Subject createSubject(SubjectContext subjectContext) {
- // 复制SubjectContext,原SubjectContext信息得以保留
- SubjectContext context = copy(subjectContext);
- // 确保SubjectContext与SecurityManager关联
- context = ensureSecurityManager(context);
- // 解析会话,有可能使用Servlet中的Session实现,也可能使用Shiro自己实现的Session
- context = resolveSession(context);
- context = resolvePrincipals(context);
- // 交由DefaultWebSubjectFactory.createSubject重新创建Subject
- Subject subject = doCreateSubject(context);
- // 将Subject中的principal与credentials存储在Session中
- save(subject);
- return subject;
- }
个人感觉createSubject重新创建是为了更新一些内部状态,至于为什么也没有去深入了解,望请高人指点一二。