Saiku登录源码追踪呀~
>>首先我们需要debug跟踪saiku登录执行的源码信息
saiku源码的debug方式上一篇博客已有说明,这里简单介绍一下
在saiku启动脚本中添加如下命令: (windows下: start-saiku.bat)
set CATALINA_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n (后面可能还会有一些JVM参数信息)
使用Eclipse打开saiku源码 -- > Eclipse工具栏中的 Run --> Debug configurations --> Remote Java Application --> 选中对应的源码项目(saiku-web),远程访问saiku的ip,以及脚本中指定监听的端口 (address) 8787 --> Debug
在浏览器中根据saiku地址信息访问saiku,输入用户名以及密码信息登录,Eclipse则会进入对应的debug阶段。
>>源码追踪
1.首先会调用 saiku-web项目 org.saiku.web.rest.resources 包下的 SessionResource中的登录方法
sessionService.login(res,username,password)
/**
* Saiku Session Endpoints
*/
@Component
@Path("/saiku/session")
public class SessionResource {
/*此处省略其他代码信息*/
private ISessionService sessionService;
/**
* Login to Saiku
* @summary Login
* @param req Servlet request
* @param username Username
* @param password Password
* @return A 200 response
*/
@POST
@Consumes("application/x-www-form-urlencoded")
public Response login(
@Context HttpServletRequest req,
@FormParam("username") String username,
@FormParam("password") String password)
{
try {
sessionService.login(req, username, password);
return Response.ok().build();
}
catch (Exception e) {
log.debug("Error logging in:" + username, e);
return Response.status(Status.INTERNAL_SERVER_ERROR).entity(e.getLocalizedMessage()).build();
}
}
}
2.进入org.saiku.web.service 包下的 SessionService类中的 sessionService.login(res,username,password)方法
进行认证的方法主要是: authenticate(req, username, password);
package org.saiku.web.service; /*此处省略了导入相关包信息*/
public class SessionService implements ISessionService { /**此处省略其他代码*/ /* (non-Javadoc) * @see org.saiku.web.service.ISessionService#login(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String) */ public Map<String, Object> login(HttpServletRequest req, String username, String password ) throws LicenseException { Object sl = null; String notice = null; HttpSession session = ((HttpServletRequest)req).getSession(true); session.getId(); sessionRepo.setSession(session); try { sl = l.getLicense(); } catch (Exception e) { log.debug("Could not process license", e); throw new LicenseException("Error fetching license. Get a free license from http://licensing.meteorite.bi. You can upload it at /upload.html"); } if (sl != null) { try { l.validateLicense(); } catch (RepositoryException | IOException | ClassNotFoundException e) { log.debug("Repository Exception, couldn't get license", e); throw new LicenseException("Error fetching license. Please check your logs."); } try { if (l.getLicense() instanceof SaikuLicense2) { if (authenticationManager != null) { authenticate(req, username, password); } if (SecurityContextHolder.getContext() != null && SecurityContextHolder.getContext().getAuthentication() != null) { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (authorisationPredicate.isAuthorised(auth)) { Object p = auth.getPrincipal(); createSession(auth, username, password); return sessionHolder.get(p); } else { log.info(username + " failed authorisation. Rejecting login"); throw new RuntimeException("Authorisation failed for: " + username); } } return new HashMap<>(); } } catch (IOException | ClassNotFoundException | RepositoryException e) { log.debug("Repository Exception, couldn't get license", e); throw new LicenseException("Error fetching license. Please check your logs."); } } return null; } }
3.继续进入SessionService的 authenticate (req,username,password)方法进行认证
主要认证: Authentication authentication = this.authenticationManager.authenticate(token);
/* (non-Javadoc)
* @see org.saiku.web.service.ISessionService#authenticate(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String)
*/
public void authenticate(HttpServletRequest req, String username, String password) {
try {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
token.setDetails(new WebAuthenticationDetails(req));
Authentication authentication = this.authenticationManager.authenticate(token);
log.debug("Logging in with [{}]", authentication.getPrincipal());
SecurityContextHolder.getContext().setAuthentication(authentication);
}
catch (BadCredentialsException bd) {
throw new RuntimeException("Authentication failed for: " + username, bd);
}
}
4.转入spring-security认证框架中的 org.springframework.security.authentication包下的ProviderManager类中的 this.authenticationManager.authenticate(token)方法
主要认证: result = provider.authenticate(authentication);
/**
* Attempts to authenticate the passed {@link Authentication} object.
* <p>
* The list of {@link AuthenticationProvider}s will be successively tried until an
* <code>AuthenticationProvider</code> indicates it is capable of authenticating the
* type of <code>Authentication</code> object passed. Authentication will then be
* attempted with that <code>AuthenticationProvider</code>.
* <p>
* If more than one <code>AuthenticationProvider</code> supports the passed
* <code>Authentication</code> object, only the first
* <code>AuthenticationProvider</code> tried will determine the result. No subsequent
* <code>AuthenticationProvider</code>s will be tried.
*
* @param authentication the authentication request object.
*
* @return a fully authenticated object including credentials.
*
* @throws AuthenticationException if authentication fails.
*/
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
Authentication result = null;
boolean debug = logger.isDebugEnabled();
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
if (debug) {
logger.debug("Authentication attempt using "
+ provider.getClass().getName());
}
try {
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException e) {
prepareException(e, authentication);
// SEC-546: Avoid polling additional providers if auth failure is due to
// invalid account status
throw e;
}
catch (InternalAuthenticationServiceException e) {
prepareException(e, authentication);
throw e;
}
catch (AuthenticationException e) {
lastException = e;
}
}
if (result == null && parent != null) {
// Allow the parent to try.
try {
result = parent.authenticate(authentication);
}
catch (ProviderNotFoundException e) {
// ignore as we will throw below if no other exception occurred prior to
// calling parent and the parent
// may throw ProviderNotFound even though a provider in the child already
// handled the request
}
catch (AuthenticationException e) {
lastException = e;
}
}
if (result != null) {
if (eraseCredentialsAfterAuthentication
&& (result instanceof CredentialsContainer)) {
// Authentication is complete. Remove credentials and other secret data
// from authentication
((CredentialsContainer) result).eraseCredentials();
}
eventPublisher.publishAuthenticationSuccess(result);
return result;
}
// Parent was null, or didn't authenticate (or throw an exception).
if (lastException == null) {
lastException = new ProviderNotFoundException(messages.getMessage(
"ProviderManager.providerNotFound",
new Object[] { toTest.getName() },
"No AuthenticationProvider found for {0}"));
}
prepareException(lastException, authentication);
throw lastException;
}
5.转入 org.springframework.security.authentication.dao包下的 AbstractUserDetailsAuthenticationProvider类中的 result = provider.authenticate(authentication);
关于密码的校验主要是:additionalAuthenticationChecks(user,(UsernamePasswordAuthenticationToken) authentication);
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.onlySupports",
"Only UsernamePasswordAuthenticationToken is supported"));
// Determine username
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
: authentication.getName();
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (UsernameNotFoundException notFound) {
logger.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
try {
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
catch (AuthenticationException exception) {
if (cacheWasUsed) {
// There was a problem, so try again after checking
// we're using latest data (i.e. not from the cache)
cacheWasUsed = false;
user = retrieveUser(username,
(UsernamePasswordAuthenticationToken) authentication);
preAuthenticationChecks.check(user);
additionalAuthenticationChecks(user,
(UsernamePasswordAuthenticationToken) authentication);
}
else {
throw exception;
}
}
6.org.springframework.security.authentication.dao包下的 DaoAuthenticationProvider 类中 additionalAuthenticationChecks(user,(UsernamePasswordAuthenticationToken) authentication)方法如下
校验密码的主要方法: passwordEncoder.isPasswordValid(userDetails.getPassword(), presentedPassword,salt)
@SuppressWarnings("deprecation")
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException {
Object salt = null;
if (this.saltSource != null) {
salt = this.saltSource.getSalt(userDetails);
}
if (authentication.getCredentials() == null) {
logger.debug("Authentication failed: no credentials provided");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
if (!passwordEncoder.isPasswordValid(userDetails.getPassword(),
presentedPassword, salt)) {
logger.debug("Authentication failed: password does not match stored value");
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
}
}
好了,关于saiku登录源码就追踪到这里啦~ ,到这里我们就知道怎么更改saiku对密码校验的逻辑信息啦~
posted on
