shiro学习笔记-Subject#login(token)实现过程

本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。

追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:

 1 public void login(AuthenticationToken token) throws AuthenticationException {
 2     clearRunAsIdentitiesInternal();
 3     Subject subject = securityManager.login(this, token);
 4 
 5     PrincipalCollection principals;
 6 
 7     String host = null;
 8 
 9     if (subject instanceof DelegatingSubject) {
10         DelegatingSubject delegating = (DelegatingSubject) subject;
11         //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
12         principals = delegating.principals;
13         host = delegating.host;
14     } else {
15         principals = subject.getPrincipals();
16     }
17 
18     if (principals == null || principals.isEmpty()) {
19         String msg = "Principals returned from securityManager.login( token ) returned a null or " +
20                 "empty value.  This value must be non null and populated with one or more elements.";
21         throw new IllegalStateException(msg);
22     }
23     this.principals = principals;
24     this.authenticated = true;
25     if (token instanceof HostAuthenticationToken) {
26         host = ((HostAuthenticationToken) token).getHost();
27     }
28     if (host != null) {
29         this.host = host;
30     }
31     Session session = subject.getSession(false);
32     if (session != null) {
33         this.session = decorate(session);
34     } else {
35         this.session = null;
36     }
37 }

在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:

 1 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
 2     AuthenticationInfo info;
 3     try {
 4         info = authenticate(token);
 5     } catch (AuthenticationException ae) {
 6         try {
 7             onFailedLogin(token, ae, subject);
 8         } catch (Exception e) {
 9             if (log.isInfoEnabled()) {
10                 log.info("onFailedLogin method threw an " +
11                         "exception.  Logging and propagating original AuthenticationException.", e);
12             }
13         }
14         throw ae; //propagate
15     }
16 
17     Subject loggedIn = createSubject(token, info, subject);
18 
19     onSuccessfulLogin(token, info, loggedIn);
20 
21     return loggedIn;
22 }

在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:

1 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
2     return this.authenticator.authenticate(token);
3 }

authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:

 1 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
 2 
 3     if (token == null) {
 4         throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
 5     }
 6 
 7     log.trace("Authentication attempt received for token [{}]", token);
 8 
 9     AuthenticationInfo info;
10     try {
11         info = doAuthenticate(token);
12         if (info == null) {
13             String msg = "No account information found for authentication token [" + token + "] by this " +
14                     "Authenticator instance.  Please check that it is configured correctly.";
15             throw new AuthenticationException(msg);
16         }
17     } catch (Throwable t) {
18         AuthenticationException ae = null;
19         if (t instanceof AuthenticationException) {
20             ae = (AuthenticationException) t;
21         }
22         if (ae == null) {
23             //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more
24             //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:
25             String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +
26                     "error? (Typical or expected login exceptions should extend from AuthenticationException).";
27             ae = new AuthenticationException(msg, t);
28             if (log.isWarnEnabled())
29                 log.warn(msg, t);
30         }
31         try {
32             notifyFailure(token, ae);
33         } catch (Throwable t2) {
34             if (log.isWarnEnabled()) {
35                 String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +
36                         "Please check your AuthenticationListener implementation(s).  Logging sending exception " +
37                         "and propagating original AuthenticationException instead...";
38                 log.warn(msg, t2);
39             }
40         }
41         throw ae;
42     }
43 
44     log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);
45 
46     notifySuccess(token, info);
47 
48     return info;
49 }

上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:

1 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
2     assertRealmsConfigured();
3     Collection<Realm> realms = getRealms();
4     if (realms.size() == 1) {
5         return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
6     } else {
7         return doMultiRealmAuthentication(realms, authenticationToken);
8     }
9 }

这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:

 1 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
 2     if (!realm.supports(token)) {
 3         String msg = "Realm [" + realm + "] does not support authentication token [" +
 4                 token + "].  Please ensure that the appropriate Realm implementation is " +
 5                 "configured correctly or that the realm accepts AuthenticationTokens of this type.";
 6         throw new UnsupportedTokenException(msg);
 7     }
 8     AuthenticationInfo info = realm.getAuthenticationInfo(token);
 9     if (info == null) {
10         String msg = "Realm [" + realm + "] was unable to find account data for the " +
11                 "submitted AuthenticationToken [" + token + "].";
12         throw new UnknownAccountException(msg);
13     }
14     return info;
15 }

上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:

 1 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
 2 
 3     AuthenticationInfo info = getCachedAuthenticationInfo(token);
 4     if (info == null) {
 5         //otherwise not cached, perform the lookup:
 6         info = doGetAuthenticationInfo(token);
 7         log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
 8         if (token != null && info != null) {
 9             cacheAuthenticationInfoIfPossible(token, info);
10         }
11     } else {
12         log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
13     }
14 
15     if (info != null) {
16         assertCredentialsMatch(token, info);
17     } else {
18         log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
19     }
20     return info;
21 }

上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:

最后,附上SecurityManager和Realm等的类关系图:

Realm:

SecurityManager:

Authenticator:

posted @ 2017-02-24 00:45  chunfulandu  阅读(25647)  评论(0编辑  收藏  举报