[A First Look at Shiro] A Brief Analysis of the Shiro Source Code

1. Starting with the basic inheritance hierarchy

AuthorizingRealm-->AuthenticatingRealm-->CachingRealm-->Realm

1.1. The Realm interface

Let's look at the official definition:

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations.

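From this we can see that a Realm can access application-specific security entities (such as users, roles, and permissions) to determine authentication and authorization operations. Its main method is getAuthenticationInfo(), which deals with verifying user information and is implemented by AuthenticatingRealm#getAuthenticationInfo().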

1.2. The CachingRealm abstract class

A very basic abstract extension point for the Realm interface that provides caching support for subclasses.

It also provides a convenience method, getAvailablePrincipal(PrincipalCollection), which is useful across all realm subclasses for obtaining a realm-specific principal/identity.

From this we can see that CachingRealm provides caching support, and that getAvailablePrincipal() obtains the principal object for the subclass realm.

1.2.1. The getAvailablePrincipal code

protected Object getAvailablePrincipal(PrincipalCollection principals) {
	Object primary = null;
	if (!CollectionUtils.isEmpty(principals)) {
		//get the principals that belong to this realm
		Collection thisPrincipals = principals.fromRealm(getName());
		if (!CollectionUtils.isEmpty(thisPrincipals)) {
			primary = thisPrincipals.iterator().next();
		} else {
			//no principals attributed to this particular realm.  Fall back to the 'master' primary:
			primary = principals.getPrimaryPrincipal();
		}
	}

	return primary;
}

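1.3. The AuthenticatingRealm abstract class

Official definition:

A top-level abstract implementation of the Realm interface that only implements authentication support (log-in) operations and leaves authorization (access control) behavior to subclasses.

From this we can see that it is the implementation of the Realm interface that handles authentication (log-in) and leaves access control to subclasses. It also supports caching of authentication information, to reduce the constant load on any back-end data source.

Let's start with getAuthenticationInfo(), the method that implements the Realm interface: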

public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
	//get any cached AuthenticationInfo that corresponds to the given AuthenticationToken argument
	AuthenticationInfo info = getCachedAuthenticationInfo(token);
	if (info == null) {
		//otherwise not cached, perform the lookup:
		info = doGetAuthenticationInfo(token);
		log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
		if (token != null && info != null) {
			cacheAuthenticationInfoIfPossible(token, info);
		}
	} else {
		log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
	}

	if (info != null) {
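		//ensure the submitted AuthenticationToken's credentials match the expected AuthenticationInfo credentials, using the credentialsMatcher.
		//this means credentials are always verified on every authentication attempt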
		assertCredentialsMatch(token, info);
	} else {
		log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
	}

	return info;
}

 

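  • The doGetAuthenticationInfo() method
protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;

This method retrieves the authentication information. It is abstract and left for subclasses to implement.

1.4. The AuthorizingRealm abstract class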

An AuthorizingRealm extends the AuthenticatingRealm's capabilities by adding Authorization (access control) support.

This implementation will perform all role and permission checks automatically (and subclasses do not have to write this logic) as long as the getAuthorizationInfo(PrincipalCollection) method returns an AuthorizationInfo. 

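From this we can see that this class extends AuthenticatingRealm's functionality by adding authorization (access control) support. It is very similar to AuthenticatingRealm, only extended a little, so I won't go into further detail.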
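
The division of labour described in sections 1.3 and 1.4, as an added example that is not part of the original post or of Shiro itself: a minimal realm whose doGetAuthenticationInfo() only looks up the stored salted hash, while the final getAuthenticationInfo() does the comparison through the configured CredentialsMatcher. DemoRealm, the sample account and the Shiro 1.x package names are assumptions.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource; // Shiro 1.x package name (assumption)

// Hypothetical realm for illustration; not taken from the post or from Shiro.
public class DemoRealm extends AuthorizingRealm {
    private static final String ALG = "SHA-256";
    private static final int ITERATIONS = 1024;
    // Constructed sample account: only the salted, iterated hash is "stored".
    private static final String USER = "alice", SALT = "constructed-salt";
    private static final String STORED_HEX = new SimpleHash(ALG, "s3cret", SALT, ITERATIONS).toHex();

    public DemoRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALG);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher); // consulted by assertCredentialsMatch(token, info)
    }

    @Override // lookup only: the password is never compared here
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String name = ((UsernamePasswordToken) token).getUsername();
        if (!USER.equals(name)) return null; // "No AuthenticationInfo found" branch
        return new SimpleAuthenticationInfo(name, STORED_HEX, ByteSource.Util.bytes(SALT), getName());
    }

    @Override // roles for the principal resolved via CachingRealm#getAvailablePrincipal
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (USER.equals(getAvailablePrincipal(principals))) info.addRole("user");
        return info;
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        System.out.println(realm.getAuthenticationInfo(new UsernamePasswordToken(USER, "s3cret")) != null);
        System.out.println(realm.getAuthenticationInfo(new UsernamePasswordToken("bob", "x")) == null);
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken(USER, "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected by assertCredentialsMatch");
        }
    }
}
```

Because getAuthenticationInfo() is final and always calls assertCredentialsMatch(), a subclass cannot skip credential verification by accident, even when the AuthenticationInfo comes from the cache.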

 

 

 

 

 
