文档章节

Shiro源码分析之认证原理

Lucare
 Lucare
发布于 2018/07/22 00:31
字数 1172
阅读 8
收藏 0

登录操作一般都是我们触发的:

Subject subject = SecurityUtils.getSubject();
AuthenticationToken authenticationToken = new ...
subject.login(authenticationToken);

Subject的登录将委托给SecurityManager,SecurityManager的login方法实际上是产生了一个新的Subject,然后将相关属性赋予当前调用者Subject:

public void login(AuthenticationToken token) throws AuthenticationException {
    clearRunAsIdentitiesInternal();
    Subject subject = securityManager.login(this, token);

    PrincipalCollection principals;

    String host = null;

    if (subject instanceof DelegatingSubject) {
        DelegatingSubject delegating = (DelegatingSubject) subject;
        //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
        principals = delegating.principals;
        host = delegating.host;
    } else {
        principals = subject.getPrincipals();
    }

    if (principals == null || principals.isEmpty()) {
        String msg = "Principals returned from securityManager.login( token ) returned a null or " +
                "empty value.  This value must be non null and populated with one or more elements.";
        throw new IllegalStateException(msg);
    }
    this.principals = principals;
    this.authenticated = true;
    if (token instanceof HostAuthenticationToken) {
        host = ((HostAuthenticationToken) token).getHost();
    }
    if (host != null) {
        this.host = host;
    }
    Session session = subject.getSession(false);
    if (session != null) {
        this.session = decorate(session);
    } else {
        this.session = null;
    }
}

DefaultSecurityManager实现了login方法:

public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
    AuthenticationInfo info;
    try {
        info = authenticate(token);
    } catch (AuthenticationException ae) {
        try {
            onFailedLogin(token, ae, subject);
        } catch (Exception e) {
            if (log.isInfoEnabled()) {
                log.info("onFailedLogin method threw an " +
                        "exception.  Logging and propagating original AuthenticationException.", e);
            }
        }
        throw ae; //propagate
    }

    Subject loggedIn = createSubject(token, info, subject);

    onSuccessfulLogin(token, info, loggedIn);

    return loggedIn;
}

image

父类AuthenticatingSecurityManager实现authenticate方法:

public abstract class AuthenticatingSecurityManager extends RealmSecurityManager {

    private Authenticator authenticator;

    public AuthenticatingSecurityManager() {
        super();
        this.authenticator = new ModularRealmAuthenticator();
    }

    public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
        return this.authenticator.authenticate(token);
    }
    
    //......
}

利用一个ModularRealmAuthenticator类型的authenticator来实现:

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
    assertRealmsConfigured();
    Collection<Realm> realms = getRealms();
    if (realms.size() == 1) {
        return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
    } else {
        return doMultiRealmAuthentication(realms, authenticationToken);
    }
}

然后根据realms集合是单个还是多个分别处理,最终无非是这样:

AuthenticationInfo info = realm.getAuthenticationInfo(token);

父类AuthenticatingRealm的getAuthenticationInfo方法实现了info的获取和身份的校验,仅仅调用自己实现的realm的doGetAuthenticationInfo方法,初步验证后构造一个SimpleAuthenticationInfo:

SimplePrincipalCollection principalCollection = new SimplePrincipalCollection(principals, this.getName());
return new SimpleAuthenticationInfo(principalCollection, authenticationInfo.getCredentials());

AuthenticatingRealm的getAuthenticationInfo方法逻辑如下:

首先去缓存找info:

AuthenticationInfo info = getCachedAuthenticationInfo(token);

缓存没有则调用子类实现的方法:

info = doGetAuthenticationInfo(token);

info不为null的时候就要验证了(这里还可以加密验证):

assertCredentialsMatch(token, info);

两次创建Subject

进入AbstractShiroFilter的时候,会默认创建一个Subject,这个是在Subject接口中的内部类实现的,但是同样也是调用了DefaultSecurityManager中的createSubject方法:

public Subject createSubject(SubjectContext subjectContext) {
    //create a copy so we don't modify the argument's backing map:
    SubjectContext context = copy(subjectContext);

    //ensure that the context has a SecurityManager instance, and if not, add one:
    context = ensureSecurityManager(context);

    //Resolve an associated Session (usually based on a referenced session ID), and place it in the context before
    //sending to the SubjectFactory.  The SubjectFactory should not need to know how to acquire sessions as the
    //process is often environment specific - better to shield the SF from these details:
    context = resolveSession(context);

    //Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first
    //if possible before handing off to the SubjectFactory:
    context = resolvePrincipals(context);

    Subject subject = doCreateSubject(context);

    //save this subject for future reference if necessary:
    //(this is needed here in case rememberMe principals were resolved and they need to be stored in the
    //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
    //Added in 1.2:
    save(subject);

    return subject;
}

初次进入shiroFilter,会创建一个Subject,这个Subject没有验证通过,保留了三个属性:request,response,securityManager。

当我们调用subject.login的时候,我们在DefaultSecurityManager中为subjectContext设置了相关属性:

protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
    SubjectContext context = createSubjectContext();
    context.setAuthenticated(true);
    context.setAuthenticationToken(token);
    context.setAuthenticationInfo(info);
    if (existing != null) {
        context.setSubject(existing);
    }
    // 这个方法的具体实现在上面
    return createSubject(context);
}

一个save方法为我们构造了session:

save(subject);

这个session是根据我们的principals(放在登录成功返回的那个AuthenticationInfo中)构造的。

下一次进入的时候,依然是:

final Subject subject = createSubject(request, response);

但是下面的方法为我们找回了session,通过request.getSession(false)就可以取到。

context = resolveSession(context);

有了session后其他的东西都可以恢复,这样就可以识别并维持一个subject的状态,即使每次都重新创建了Subject对象。

具体是在DefaultWebSubjectFactory这个方法里恢复的,并且通过构造器赋值给下一个新的subject了:

public Subject createSubject(SubjectContext context) {
    if (!(context instanceof WebSubjectContext)) {
        return super.createSubject(context);
    }
    WebSubjectContext wsc = (WebSubjectContext) context;
    SecurityManager securityManager = wsc.resolveSecurityManager();
    Session session = wsc.resolveSession();
    boolean sessionEnabled = wsc.isSessionCreationEnabled();
    PrincipalCollection principals = wsc.resolvePrincipals();
    boolean authenticated = wsc.resolveAuthenticated();
    String host = wsc.resolveHost();
    ServletRequest request = wsc.resolveServletRequest();
    ServletResponse response = wsc.resolveServletResponse();

    return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled,
            request, response, securityManager);
}

举两个例子:

PrincipalCollection principals = wsc.resolvePrincipals();
-> principals = (PrincipalCollection) session.getAttribute(PRINCIPALS_SESSION_KEY);

boolean authenticated = wsc.resolveAuthenticated();
-> Session session = resolveSession();
if (session != null) {
    Boolean sessionAuthc = (Boolean) session.getAttribute(AUTHENTICATED_SESSION_KEY);
    authc = sessionAuthc != null && sessionAuthc;
}

通过上面两个方法就恢复了Subject的两个属性,其实都是存放在session中。

其实只要你使用了Shiro,不管你是否登录,核心过滤器都会为我们构造Subject实例,当我们主动调用subject.login方法时,会间接调用我们自己实现的realm的doGetAuthenticationInfo,根据我们在数据库中获取的信息(存放在info中)和调用login方法时传递的AuthenticationToken中的信息对比。

当info为null或者抛出了AuthenticationException异常,都视为登录失败。

© 著作权归作者所有

Lucare

Lucare

粉丝 6
博文 11
码字总数 11404
作品 0
深圳
程序员
私信 提问
Shiro源码分析-初始化-SecurityManager

开涛的《跟我学Shiro》系列已即将完成,该系列囊括了shiro的绝大部分实用功能,并且在讲解如何用的过程中,也添加了其内部实现的原理。开涛主要以Shiro的使用者为角度,所以其原理部分是穿插...

Dead_knight
2014/04/08
2K
0
ShiroFilterFactoryBean源码及阻截原理深入分析

ShiroFilterFactoryBean源码及拦截原理深入分析 本篇文章篇幅比较长,但是细看下去相信对学习Shiro应该会有帮助。好了,闲话不多说,直接进入正题: Shiro提供了与Web集成的支持,其通过一个...

HelloRookie
2016/10/09
75
0
shiro认证授权流程源码分析

源码分析shiro认证授权流程 1. shiro介绍 Apache Shiro是一个强大易用的Java安全框架,提供了认证、授权、加密和会话管理等功能: 认证 - 用户身份识别,常被称为用户“登录”; 授权 - 访问...

bitree1
2017/06/24
0
0
ShiroFilterFactoryBean源码及拦截原理深入分析

本篇文章篇幅比较长,但是细看下去相信对学习Shiro应该会有帮助。好了,闲话不多说,直接进入正题: Shiro提供了与Web集成的支持,其通过一个入口来拦截需要安全控制的URL,然后进行相应的控...

Geek-Tom
2016/08/23
143
0
Shiro源码分析-初始化-Realm

在上一篇介绍SecurityManager的初始化过程中,也有realm的粗略介绍。 realm的概念在安全领域随处可见: 各种中间件的realm、spring security的realm、shiro的realm。。。如下: tomcat的rea...

Dead_knight
2014/04/08
2.3K
0

没有更多内容

加载失败,请刷新页面

加载更多

Error和Exception

1.Error类和Exception类都是继承Throwable类 2.Error(错误)是系统中的错误,程序员是不能改变的和处理的,是在程序编译时出现的错误,只能通过修改程序才能修正。一般是指与虚拟机相关的问...

大瑞清_liurq
15分钟前
4
0
8086汇编基础 start 程序入口标签的示例

    IDE : Masm for Windows 集成实验环境 2015     OS : Windows 10 x64 typesetting : Markdown    blog : my.oschina.net/zhichengjiu    gitee : gitee.com/zhichengjiu   ......

志成就
20分钟前
3
0
uni app 零基础小白到项目实战2

<template> <scroll-view v-for="(card, index) in list" :key="index"> <view v-for =(item, itemIndex) in card"> {{item.value}}</view> </scroll-view></template> GraceUi va......

达达前端小酒馆
21分钟前
3
0
http keep-alive 解释

本文转载于:专业的前端网站➜http keep-alive 解释 1、概念 keep-alive示例: keep-alive模式(又称持久连接、连接重用)时,keep-alive功能使客户端到服务器端的连接持续有效,当出现对服务...

前端老手
26分钟前
3
0
groovy爬虫实例——历史上的今天

最近做了一个历史上今天的爬虫程序,跟历史天气数据源一致,数据量比较小,几十秒就爬完了。中间遇到一些问题,一起分享出来供大家参考。本项目源码和相关数据已经上传到了github,有兴趣的朋...

八音弦
36分钟前
3
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部