Shiro源码学习之二

最新推荐文章于 2024-07-21 09:25:47 发布
最新推荐文章于 2024-07-21 09:25:47 发布
阅读量2.4k 收藏 1
点赞数
分类专栏: Java
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/unix21/article/details/50895424
版权

接上一篇 Shiro源码学习之一

3.subject.login



进入login

public void login(AuthenticationToken token) throws AuthenticationException {
        clearRunAsIdentitiesInternal();
        Subject subject = securityManager.login(this, token);

        PrincipalCollection principals;

        String host = null;

        if (subject instanceof DelegatingSubject) {
            DelegatingSubject delegating = (DelegatingSubject) subject;
            //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
            principals = delegating.principals;
            host = delegating.host;
        } else {
            principals = subject.getPrincipals();
        }

        if (principals == null || principals.isEmpty()) {
            String msg = "Principals returned from securityManager.login( token ) returned a null or " +
                    "empty value.  This value must be non null and populated with one or more elements.";
            throw new IllegalStateException(msg);
        }
        this.principals = principals;
        this.authenticated = true;
        if (token instanceof HostAuthenticationToken) {
            host = ((HostAuthenticationToken) token).getHost();
        }
        if (host != null) {
            this.host = host;
        }
        Session session = subject.getSession(false);
        if (session != null) {
            this.session = decorate(session);
        } else {
            this.session = null;
        }
    }

private void clearRunAsIdentitiesInternal() {
        //try/catch added for SHIRO-298
        try {
            clearRunAsIdentities();
        } catch (SessionException se) {
            log.debug("Encountered session exception trying to clear 'runAs' identities during logout.  This " +
                    "can generally safely be ignored.", se);
        }
    }

private void clearRunAsIdentities() {
        Session session = getSession(false);
        if (session != null) {
            session.removeAttribute(RUN_AS_PRINCIPALS_SESSION_KEY);
        }
    }


Session接口 
public interface Session {
Serializable getId();
...


第一次直接return null

public Session getSession(boolean create) {
...
if (this.session == null && create) {
...
SessionContext sessionContext = createSessionContext();
            Session session = this.securityManager.start(sessionContext);
            this.session = decorate(session);
        }
        return this.session;

回到clearRunAsIdentitiesInternal



回到login



securityManager是DelegatingSubject声明的protected transient SecurityManager无序序列化



java的transient关键字为我们提供了便利,你只需要实现Serilizable接口,将不需要序列化的属性前添加关键字transient,序列化对象的时候,这个属性就不会序列化到指定的目的地中。

java transient简介


进入public Subject login(Subject subject, AuthenticationToken token)



进入public AuthenticationInfo authenticate(AuthenticationToken token)

public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
        return this.authenticator.authenticate(token);
    }


进入public final AuthenticationInfo authenticate(AuthenticationToken token)

public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

        if (token == null) {
            throw new IllegalArgumentException("Method argumet (authentication token) cannot be null.");
        }

        log.trace("Authentication attempt received for token [{}]", token);

        AuthenticationInfo info;
        try {
            info = doAuthenticate(token);
            if (info == null) {
                String msg = "No account information found for authentication token [" + token + "] by this " +
                        "Authenticator instance.  Please check that it is configured correctly.";
                throw new AuthenticationException(msg);
            }
        } catch (Throwable t) {
            AuthenticationException ae = null;
            if (t instanceof AuthenticationException) {
                ae = (AuthenticationException) t;
            }
            if (ae == null) {
                //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more
                //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:
                String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +
                        "error? (Typical or expected login exceptions should extend from AuthenticationException).";
                ae = new AuthenticationException(msg, t);
            }
            try {
                notifyFailure(token, ae);
            } catch (Throwable t2) {
                if (log.isWarnEnabled()) {
                    String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +
                            "Please check your AuthenticationListener implementation(s).  Logging sending exception " +
                            "and propagating original AuthenticationException instead...";
                    log.warn(msg, t2);
                }
            }


            throw ae;
        }

        log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

        notifySuccess(token, info);

        return info;
    }



进入protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)


protected void assertRealmsConfigured() throws IllegalStateException {



IllegalStateException异常:


protected Collection<Realm> getRealms() {
        return this.realms;
    }


回到doAuthenticate



进入doSingleRealmAuthentication




进入getCachedAuthenticationInfo


getAvailableAuthenticationCache返回null



回到getCachedAuthenticationInfo返回info是null

回到getAuthenticationInfo


进入doGetAuthenticationInfo



进入getUser用到了lock与unlock

USERS_LOCK.readLock().lock();
        try {
            return this.users.get(username);
        } finally {
            USERS_LOCK.readLock().unlock();
        }



参考:Java中锁的应用之-Lock



public boolean isCredentialsExpired() {
        return credentialsExpired;
    }
account.isCredentialsExpired()返回flase

doGetAuthenticationInfo返回account


回到getAuthenticationInfo

cacheAuthenticationInfoIfPossible

private void cacheAuthenticationInfoIfPossible(AuthenticationToken token, AuthenticationInfo info) {
        if (!isAuthenticationCachingEnabled(token, info)) {
            log.debug("AuthenticationInfo caching is disabled for info [{}].  Submitted token: [{}].", info, token);
            //return quietly, caching is disabled for this token/info pair:
            return;
        }

        Cache<Object, AuthenticationInfo> cache = getAvailableAuthenticationCache();
        if (cache != null) {
            Object key = getAuthenticationCacheKey(token);
            cache.put(key, info);
            log.trace("Cached AuthenticationInfo for continued authentication.  key=[{}], value=[{}].", key, info);
        }
    }
回到getAuthenticationInfo

进入assertCredentialsMatch

进入doCredentialsMatch

进入protected boolean equals(Object tokenCredentials, Object accountCredentials)

顺便提到一点public static boolean equals(byte[] a, byte[] a2)已经是java.util的class Arrays了

public static boolean equals(byte[] a, byte[] a2) {
        if (a==a2)
            return true;
        if (a==null || a2==null)
            return false;

        int length = a.length;
        if (a2.length != length)
            return false;

        for (int i=0; i<length; i++)
            if (a[i] != a2[i])
                return false;

        return true;
    }

回到getAuthenticationInfo


回到doSingleRealmAuthentication


回到protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)


回到public final AuthenticationInfo authenticate(AuthenticationToken token)


代码走到notifySuccess(token, info);



protected void notifySuccess(AuthenticationToken token, AuthenticationInfo info)因为listeners的size=0所以直接跳出此方法



回到public final AuthenticationInfo authenticate(AuthenticationToken token)


回到public AuthenticationInfo authenticate(AuthenticationToken token)



回到public Subject login(Subject subject, AuthenticationToken token)


进入protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing)


进入public Subject createSubject(SubjectContext subjectContext)


protected SubjectContext copy(SubjectContext subjectContext) {
        return new DefaultSubjectContext(subjectContext);
    }

public DefaultSubjectContext(SubjectContext ctx) {
        super(ctx);
    }


运行到this.backingMap.putAll(map);


回到public Subject createSubject(SubjectContext subjectContext)


protected SubjectContext ensureSecurityManager(SubjectContext context)


回到public Subject createSubject(SubjectContext subjectContext)


进入protected SubjectContext resolveSession(SubjectContext context)


protected SessionKey getSessionKey(SubjectContext context) {
        Serializable sessionId = context.getSessionId();
        if (sessionId != null) {
            return new DefaultSessionKey(sessionId);
        }
        return null;
    }
Serializable sessionId =null直接返回。

回到protected SubjectContext resolveSession(SubjectContext context)


又回到public Subject createSubject(SubjectContext subjectContext)



进入protected SubjectContext resolvePrincipals(SubjectContext context)由于principals不为空直接返回了


 @SuppressWarnings({"unchecked"})
    protected SubjectContext resolvePrincipals(SubjectContext context) {

        PrincipalCollection principals = context.resolvePrincipals();

        if (CollectionUtils.isEmpty(principals)) {
            log.trace("No identity (PrincipalCollection) found in the context.  Looking for a remembered identity.");

            principals = getRememberedIdentity(context);

            if (!CollectionUtils.isEmpty(principals)) {
                log.debug("Found remembered PrincipalCollection.  Adding to the context to be used " +
                        "for subject construction by the SubjectFactory.");

                context.setPrincipals(principals);
				} else {
                log.trace("No remembered identity found.  Returning original context.");
            }
        }

        return context;
    }


又回到public Subject createSubject(SubjectContext subjectContext) 


protected Subject doCreateSubject(SubjectContext context) {
        return getSubjectFactory().createSubject(context);
    }
public SubjectFactory getSubjectFactory() {
        return subjectFactory;
    }


进入public Subject createSubject(SubjectContext context)

public DelegatingSubject(PrincipalCollection principals, boolean authenticated, String host,Session session, boolean sessionCreationEnabled, SecurityManager securityManager)


回到createSubject,回到doCreateSubject,最后回到public Subject createSubject(SubjectContext subjectContext)


protected void save(Subject subject) {
        this.subjectDAO.save(subject);
    }

protected void saveToSession(Subject subject) {
        //performs merge logic, only updating the Subject's session if it does not match the current state:
        mergePrincipals(subject);
        mergeAuthenticationState(subject);
    }
protected void mergePrincipals(Subject subject) {
        //merge PrincipalCollection state:

        PrincipalCollection currentPrincipals = null;

        //SHIRO-380: added if/else block - need to retain original (source) principals
        //This technique (reflection) is only temporary - a proper long term solution needs to be found,
        //but this technique allowed an immediate fix that is API point-version forwards and backwards compatible
        //
        //A more comprehensive review / cleaning of runAs should be performed for Shiro 1.3 / 2.0 +
        if (subject.isRunAs() && subject instanceof DelegatingSubject) {
            try {
                Field field = DelegatingSubject.class.getDeclaredField("principals");
                field.setAccessible(true);
                currentPrincipals = (PrincipalCollection)field.get(subject);
            } catch (Exception e) {
                throw new IllegalStateException("Unable to access DelegatingSubject principals property.", e);
            }
        }
        if (currentPrincipals == null || currentPrincipals.isEmpty()) {
            currentPrincipals = subject.getPrincipals();
        }

        Session session = subject.getSession(false);

        if (session == null) {
            if (!CollectionUtils.isEmpty(currentPrincipals)) {
                session = subject.getSession();
                session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
            }
            //otherwise no session and no principals - nothing to save
        } else {
            PrincipalCollection existingPrincipals =
                    (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);

            if (CollectionUtils.isEmpty(currentPrincipals)) {
                if (!CollectionUtils.isEmpty(existingPrincipals)) {
                    session.removeAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
                }
                //otherwise both are null or empty - no need to update the session
            } else {
                if (!currentPrincipals.equals(existingPrincipals)) {
                    session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
                }
                //otherwise they're the same - no need to update the session
            }
        }
    }
protected void mergeAuthenticationState(Subject subject) {

        Session session = subject.getSession(false);

        if (session == null) {
            if (subject.isAuthenticated()) {
                session = subject.getSession();
                session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
            }
            //otherwise no session and not authenticated - nothing to save
        } else {
            Boolean existingAuthc = (Boolean) session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);

            if (subject.isAuthenticated()) {
                if (existingAuthc == null || !existingAuthc) {
                    session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
                }
                //otherwise authc state matches - no need to update the session
            } else {
                if (existingAuthc != null) {
                    //existing doesn't match the current state - remove it:
                    session.removeAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
                }
                //otherwise not in the session and not authenticated - no need to update the session
            }
        }
    }
public void setAttribute(Object attributeKey, Object value) 




private Session lookupSession(SessionKey key) throws SessionException {
        if (key == null) {
            throw new NullPointerException("SessionKey argument cannot be null.");
        }
        return doGetSession(key);
    }


protected void validate(Session session, SessionKey key) throws InvalidSessionException {
        try {
            doValidate(session);
        } catch (ExpiredSessionException ese) {
            onExpiration(session, ese, key);
            throw ese;
        } catch (InvalidSessionException ise) {
            onInvalidation(session, ise, key);
            throw ise;
        }
    }
protected void doValidate(Session session) throws InvalidSessionException {
        if (session instanceof ValidatingSession) {
            ((ValidatingSession) session).validate();
        } else {
            String msg = "The " + getClass().getName() + " implementation only supports validating " +
                    "Session implementations of the " + ValidatingSession.class.getName() + " interface.  " +
                    "Please either implement this interface in your session implementation or override the " +
                    AbstractValidatingSessionManager.class.getName() + ".doValidate(Session) method to perform validation.";
            throw new IllegalStateException(msg);
        }
    }

回到public void setAttribute(SessionKey sessionKey, Object attributeKey, Object value)


protected void onChange(Session session) {
        sessionDAO.update(session);
    }
public void update(Session session) throws UnknownSessionException {
        storeSession(session.getId(), session);
    }

这已经是系统级的代码了java.util.concurrent

参考:HashMap和ConcurrentHashMap研究

回到protected void mergeAuthenticationState(Subject subject)


回到saveToSession

回到public Subject save(Subject subject)


回到protected void save(Subject subject)


回到public Subject createSubject(SubjectContext subjectContext)


回到protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing)


回到public Subject login(Subject subject, AuthenticationToken token) 


进入protected void onSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)


进入protected void rememberMeSuccessfulLogin(AuthenticationToken token, AuthenticationInfo info, Subject subject)

RememberMeManager rmm =null直接返回了


又回到public Subject login(Subject subject, AuthenticationToken token)


回到外层public void login(AuthenticationToken token)


继续往下


进入protected Session decorate(Session session)


进入private StoppingAwareProxiedSession(Session target, DelegatingSubject owningSubject)


回到public void login(AuthenticationToken token)


终于回到最外层调用代码



4.subject.getPrincipal()

logger.info("登录成功!Hello " + subject.getPrincipal());
public Object getPrincipal() {
        return getPrimaryPrincipal(getPrincipals());
    }


5.subject.logout();

public void logout() {
        try {
            clearRunAsIdentitiesInternal();
            this.securityManager.logout(this);
        } finally {
            this.session = null;
            this.principals = null;
            this.authenticated = false;
            //Don't set securityManager to null here - the Subject can still be
            //used, it is just considered anonymous at this point.  The SecurityManager instance is
            //necessary if the subject would log in again or acquire a new session.  This is in response to
            //https://issues.apache.org/jira/browse/JSEC-22
            //this.securityManager = null;
        }
    }
private void clearRunAsIdentitiesInternal() {
        //try/catch added for SHIRO-298
        try {
            clearRunAsIdentities();
        } catch (SessionException se) {
            log.debug("Encountered session exception trying to clear 'runAs' identities during logout.  This " +
                    "can generally safely be ignored.", se);
        }
    }
private void clearRunAsIdentities() {
        Session session = getSession(false);
        if (session != null) {
            session.removeAttribute(RUN_AS_PRINCIPALS_SESSION_KEY);
        }
    }
public Object removeAttribute(Object key) throws InvalidSessionException {
        return delegate.removeAttribute(key);
    }
public Object removeAttribute(Object attributeKey) throws InvalidSessionException {
        return sessionManager.removeAttribute(this.key, attributeKey);
    }

调用系统级的remove方法。



unix21
关注
专栏目录
Shiro学习笔记(三)
MingoRun的博客
09-27 357
   JavaSE环境下实现用户登录认证 1、代码示例: package com.shiro.exercies; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.IncorrectCreden...
Shiro源码学习之一
编程的本质是数学问题
03-15 1757
1.lock与unlock if (account.isLocked()) { throw new LockedAccountException("Account [" + account + "] is locked."); } 参考:Java中锁的应用之-Lock
sourcetree安装遇到的各种坑
热门推荐
li_bing_的专栏
06-05 3万+
安装 SourceTree 时,需要使用atlassian授权,多数会卡到这一步,网上给出的办法跳过 atlassian账号 授权方法安装之后,转到用户本地文件夹下的 SourceTree 目录,没有则新建:%LocalAppData%\Atlassian\SourceTree\或者C:\Users\(你的用户名)\AppData\Local\Atlassian\SourceTree  一般App...
Shiro 入门教程 - Shiro 授予身份和切换身份
最新发布
smart_an的专栏
07-21 707
作者简介:大家好,我是哥,前中兴通讯、美团架构师,现某互联网公司联系qq:184480602,加我进群,大家一起学习,一起进步,一起对抗互联网寒冬学习必须往深处挖,挖的越深,基础越扎实!
Shiro
weixin_30487701的博客
09-28 245
Shiro简介 SpringMVC整合ShiroShiro是一个强大易用的Java安全框架,提供了认证、授权、加密和会话管理等功能。 Authentication:身份认证/登录,验证用户是不是拥有相应的身份; Authorization:授权,即权限验证,验证某个已认证的用户是否拥有某个权限;即判断用户是否能做事情,常见的如:验证某个用户是否拥有某个角色。或者细粒度的验证某个...
shiro源码分析
weixin_30679823的博客
09-12 408
CachingEnabled单独设置有效 setAuthenticationCachingEnabled或者setAuthorizationCachingEnabled会将CachingEnabled重置为true public void setAuthenticationCachingEnabled(boolean authenticationCachingEnab...
shiro——认证原理(源码流程)
dgh112233的博客
08-27 1186
目录 1. Subject 的本质 1.1 login( token ) 登录 1.1.1this.clearRunAsIdentitiesInternal() 解析 ——1 1.1.2this.securityManager.login(this, token) 解析 ——2 1. Subject 的本质 一般我们用下面的语句进行登录认证,没有抛出异常就是验证成功。 S...
shiro 源码浅析
qq_34597894的博客
07-08 470
1简介 : Shiro是用JAVA 写轻量级权限认证安全框架 ; 拥有对 session 封装缓存,记住 cookie 用户安全密码加密认证,权限校验等特性。 2 我对源码的见解: PS : 流程概述 据我了解核心是FilterChain (过滤器链) 因为没有合适的DEMO 所以我用 也就是shiro 源码自带的DEMO 和自带的DEMO 代码演示一遍流程,虽然...
Spring Boot学习Shiro源码
01-27
Spring Boot学习Shiro源码学习狂神说,自己手动书写,可以实现正常所需的功能】 Spring Boot学习Shiro源码学习狂神说,自己手动书写,可以实现正常所需的功能】 Spring Boot学习Shiro源码学习狂神说,...
shiro源码
01-14
3. **源码学习价值**: - **源码分析**:通过阅读Shiro源码,可以理解其内部的工作机制,包括如何进行身份验证、授权以及会话管理,有助于定制化开发和性能优化。 - **设计模式**:Shiro源码中大量运用了设计...
我的shiro源码.zip
10-09
在这个"我的shiro源码.zip"压缩包中,包含的是一个整合了Spring(SSM框架的一部分)、Spring MVC和Mybatis的Shiro源代码示例。这个示例项目对于学习如何在实际开发中应用Shiro非常有帮助,因为源代码中有详细的注解...
shiro学习源码与资料
02-24
这个压缩包包含的资源是关于Shiro学习源码和课件,适合对Java安全有兴趣或者正在学习Shiro的开发者。 首先,我们来深入理解Shiro的核心概念: 1. **身份认证(Authentication)**:这是验证用户身份的过程。...
异常流和程序流
来啊 快活啊
09-02 2776
研究了下Shiro源码,发现里面用了大量的异常去控制程序流程。 鉴权的方法,具体看注释//鉴权处理的方法,这个方法会将鉴权过程中出现的异常抛出来 protected abstract AuthenticationInfo doAuthenticate(AuthenticationToken token) throws AuthenticationException;已Mo
shiro源码(二)——login方法源码解读
敲代码的小小酥的博客
12-31 3414
一、shiro认证流程源码 使用shiro框架做登录,只需调用subject的login方法即可,代码如下: public AjaxResult ajaxLogin(String username, String password, Boolean rememberMe) { UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe); Subject
shiro 登录流程
jtf19901223的博客
11-08 344
登录过滤器 AuthenticatingFilter protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception { // 从request参数中创建token, AuthenticationToken token = createToken(request, response); if (token == null) {
shiro-根据JSESSIONID获取用户信息和判断是否登陆
会写Bug的攻城狮
04-11 831
shiro-根据JSESSIONID获取用户信息和判断是否登陆
shiro登录过程
w6400409的博客
07-27 275
接触和使用shiro还是有好大一段时间,可惜并没有搞明白其实的原理和机制。因为工作中使用的框架都封装好了,so......并没有去研究。 原来一直猜想的是shiro可以直接连接数据库,验证用户名和密码。但是又没在实体类中找到有什么特殊的标记注解之类的。 就有点好奇了,于是趁这两天工作不是那么紧张了,就跟了下源码。 如有不对,请留言指正。蟹蟹! 红色部分是主要代码; Use
Shiro源码入门与实战剖析
Shiro源码分析是一系列针对Apache Shiro安全框架的深入研究,适合希望学习和理解Shiro内部工作机制的开发者。本文档以入门级教程入手,结合实际编程示例,逐步剖析框架的工作流程和核心组件。 首先,Shiro框架的...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值