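Shiro authentication and authorization process
(1) Authentication
1. First, execution passes through here to obtain the username and password from the page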
    // Shiro's AuthenticatingFilter calls createToken() while executing the login:
    public abstract class AuthenticatingFilter extends AuthenticationFilter
        AuthenticationToken token = this.createToken(request, response);

    // The custom filter overrides createToken() to read the login form fields:
    public class MyAuthenticationFilter extends FormAuthenticationFilter {
        @Override
        protected org.apache.shiro.authc.AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
            String username = getUsername(servletRequest);
            String password = getPassword(servletRequest);
            String captchaId = getCaptchaId(servletRequest);
            String captcha = getCaptcha(servletRequest);
            boolean rememberMe = isRememberMe(servletRequest);
            String host = getHost(servletRequest);
            // Value kept under "validateCode" in the HTTP session
            String validateCode = (String) ((HttpServletRequest) servletRequest).getSession().getAttribute("validateCode");
            // AuthenticationToken here is the project's own token class (the realm casts it to UsernamePasswordToken)
            return new AuthenticationToken(username, password,
                    captchaId, captcha, validateCode,
                    rememberMe, host);
        }
    }
2. Then execution enters here to fetch the user's information from the database; the two are compared to authenticate
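    public class ShiroDbRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            UsernamePasswordToken token1 = (UsernamePasswordToken) token;
            FinancialSalesUser userDetails = null;
            try {
                userDetails = this.financialSalesUserFacade.selectByUserName(token1.getUsername());
            } catch (Exception notFound) {
                return null;
            }
            // A lookup that returns null instead of throwing would cause a NullPointerException below;
            // returning null tells Shiro that no account was found.
            if (userDetails == null) {
                return null;
            }
            // Shiro compares the submitted password with the stored credentials given here
            AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(userDetails, userDetails.getPassWord(), getName());
            return authcInfo;
        }
        // doGetAuthorizationInfo: see the authorization part
    }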
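(2) Authorization:
Permission control is handled by the other methods
ChainDefinitionSectionMetaSource
    all role and permission information
public class ShiroDbRealm extends AuthorizingRealm
    doGetAuthorizationInfo: the current user's permission and role information
For details, see the jar in an earlier blog post
Note
In MyAuthenticationFilter, the session.stop(); call in onLoginSuccess needs to be commented out; otherwise a login through the framework goes through onLoginSuccess and then clears the session, which causes an error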
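
An added example, not code from the original post or from the Shiro project: if session.stop() was there to give the user a new session ID at login (an assumption; the post does not say why it was present), the session can be rotated instead of only stopped, so the attributes the framework reads afterwards are still available. The class name RotatingSessionFilter is hypothetical, and javax.servlet (Shiro 1.x) is assumed.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical class; in the post this logic would sit in MyAuthenticationFilter.
public class RotatingSessionFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        Session old = subject.getSession(false);
        if (old != null) {
            // Snapshot every attribute before the old session is invalidated,
            // including the ones Shiro keeps for the logged-in subject and
            // the saved request used for the post-login redirect.
            Map<Object, Object> saved = new HashMap<>();
            for (Object key : old.getAttributeKeys()) {
                Object value = old.getAttribute(key);
                if (value != null) {
                    saved.put(key, value);
                }
            }
            old.stop();
            // After stop() the subject no longer holds a session, so this
            // call creates a new one with a new ID.
            Session fresh = subject.getSession(true);
            for (Map.Entry<Object, Object> entry : saved.entrySet()) {
                fresh.setAttribute(entry.getKey(), entry.getValue());
            }
        }
        // Continue with the framework's normal success handling (redirect).
        return super.onLoginSuccess(token, subject, request, response);
    }
}
```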