DefaultSecurityManager
DefaultSecurityManager主要實現了SecurityManager的行為login()、logout()、createSubject()
UsernamePasswordToken token = new UsernamePasswordToken("username", "password");
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);
DelegatingSubject的login()
Subject執行認證操作(成功為Subject設置會員信息) --> SecurityManager執行認證操作(成功創建Subject) --> Realm執行認證操作(認證及匹配邏輯、將認證信息加入緩存)
public void login(AuthenticationToken token) throws AuthenticationException { clearRunAsIdentitiesInternal(); Subject subject = securityManager.login(this, token); PrincipalCollection principals; String host = null; if (subject instanceof DelegatingSubject) { DelegatingSubject delegating = (DelegatingSubject) subject; //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals: principals = delegating.principals; host = delegating.host; } else { principals = subject.getPrincipals(); } if (principals == null || principals.isEmpty()) { String msg = "Principals returned from securityManager.login( token ) returned a null or " + "empty value. This value must be non null and populated with one or more elements."; throw new IllegalStateException(msg); } this.principals = principals; this.authenticated = true; if (token instanceof HostAuthenticationToken) { host = ((HostAuthenticationToken) token).getHost(); } if (host != null) { this.host = host; } Session session = subject.getSession(false); if (session != null) { this.session = decorate(session); } else { this.session = null; } }
DefaultSecurityManager的login()方法
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info; try {
// DefaultSecurityManager繼承了AuthenticatingSecurityManager // AuthenticatingSecurityManager使用自己的Authenticator認證器進行會員信息認證,后文詳解#1
info = authenticate(token); } catch (AuthenticationException ae) { try { onFailedLogin(token, ae, subject); } catch (Exception e) { if (log.isInfoEnabled()) { log.info("onFailedLogin method threw an " + "exception. Logging and propagating original AuthenticationException.", e); } } throw ae; //propagate } // 創建Subject,后文詳解#2 Subject loggedIn = createSubject(token, info, subject); // 啟用了記住我功能時起作用 onSuccessfulLogin(token, info, loggedIn); return loggedIn; }
書接前文#1
AuthenticatingSecurityManager使用自己的Authenticator認證器進行會員信息認證
public AuthenticatingSecurityManager() { super(); this.authenticator = new ModularRealmAuthenticator(); } public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { return this.authenticator.authenticate(token); }
AbstractAuthenticator的公共認證邏輯,相同的行為抽取到父類了
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { if (token == null) { throw new IllegalArgumentException("Method argument (authentication token) cannot be null."); } log.trace("Authentication attempt received for token [{}]", token); AuthenticationInfo info; try {
// 具體的行為抽象出來了,ModularRealmAuthenticator負責具體實現 info = doAuthenticate(token); if (info == null) { String msg = "No account information found for authentication token [" + token + "] by this " + "Authenticator instance. Please check that it is configured correctly."; throw new AuthenticationException(msg); } } catch (Throwable t) { AuthenticationException ae = null; if (t instanceof AuthenticationException) { ae = (AuthenticationException) t; } if (ae == null) { //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate: String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " + "error? (Typical or expected login exceptions should extend from AuthenticationException)."; ae = new AuthenticationException(msg, t); if (log.isWarnEnabled()) log.warn(msg, t); } try { notifyFailure(token, ae); } catch (Throwable t2) { if (log.isWarnEnabled()) { String msg = "Unable to send notification for failed authentication attempt - listener error?. " + "Please check your AuthenticationListener implementation(s). Logging sending exception " + "and propagating original AuthenticationException instead..."; log.warn(msg, t2); } } throw ae; } log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info); // 如果有AuthenticationListener的實現類起作用 notifySuccess(token, info); return info; }
ModularRealmAuthenticator具體實現認證行為
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException { assertRealmsConfigured(); Collection<Realm> realms = getRealms(); if (realms.size() == 1) {
// 單領域認證 return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); } else { return doMultiRealmAuthentication(realms, authenticationToken); } }
單領域認證
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) { if (!realm.supports(token)) { String msg = "Realm [" + realm + "] does not support authentication token [" + token + "]. Please ensure that the appropriate Realm implementation is " + "configured correctly or that the realm accepts AuthenticationTokens of this type."; throw new UnsupportedTokenException(msg); }
// 獲得認證信息的公共行為抽取出來到父類 AuthenticationInfo info = realm.getAuthenticationInfo(token); if (info == null) { String msg = "Realm [" + realm + "] was unable to find account data for the " + "submitted AuthenticationToken [" + token + "]."; throw new UnknownAccountException(msg); } return info; }
AuthenticatingRealm獲得認證信息的公共行為抽取出來到父類
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { // 開啟緩存功能起作用 AuthenticationInfo info = getCachedAuthenticationInfo(token); if (info == null) { // 具體的認證行為抽象出來讓程序員去繼承AuthenticatingRealm具體實現 info = doGetAuthenticationInfo(token); log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info); if (token != null && info != null) { cacheAuthenticationInfoIfPossible(token, info); } } else { log.debug("Using cached authentication info [{}] to perform credentials matching.", info); } if (info != null) {
// token的登錄信息和數據庫查詢出的會員信息進行比較,后文詳解#3 assertCredentialsMatch(token, info); } else { log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token); } return info; }
程序員根據業務自定義的認證領域
package com.wjz.demo; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.realm.AuthenticatingRealm; public class CustomRealm extends AuthenticatingRealm { @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { return new SimpleAuthenticationInfo("wjz", "123", getName()); } }
書接前文#2
SecurityManager的createSubject()
protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) { SubjectContext context = createSubjectContext(); context.setAuthenticated(true);
// 設置會員的登錄信息UsernamePasswordToken(username, password)類 context.setAuthenticationToken(token);
// 設置認證成功的會員信息SimpleAuthenticationInfo(principal, password, username)類 context.setAuthenticationInfo(info); if (existing != null) { context.setSubject(existing); } return createSubject(context); }
公共邏輯抽取出來
public Subject createSubject(SubjectContext subjectContext) { // 創建一個備份對象 SubjectContext context = copy(subjectContext); // 確保有安全管理器 context = ensureSecurityManager(context); //Resolve an associated Session (usually based on a referenced session ID), and place it in the context before //sending to the SubjectFactory. The SubjectFactory should not need to know how to acquire sessions as the //process is often environment specific - better to shield the SF from these details: context = resolveSession(context); // 如果有必要的話從remeberme中獲得會員信息 context = resolvePrincipals(context); // 使用SubjectFactory創建Subject Subject subject = doCreateSubject(context); //save this subject for future reference if necessary: //(this is needed here in case rememberMe principals were resolved and they need to be stored in the //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation). //Added in 1.2: save(subject); return subject; }
使用SubjectFactory(DefaultWebSubjectFactory)創建Subject(WebDelegatingSubject)
protected Subject doCreateSubject(SubjectContext context) { return getSubjectFactory().createSubject(context); }
public Subject createSubject(SubjectContext context) { if (!(context instanceof WebSubjectContext)) { return super.createSubject(context); } WebSubjectContext wsc = (WebSubjectContext) context; SecurityManager securityManager = wsc.resolveSecurityManager(); Session session = wsc.resolveSession(); boolean sessionEnabled = wsc.isSessionCreationEnabled(); PrincipalCollection principals = wsc.resolvePrincipals(); boolean authenticated = wsc.resolveAuthenticated(); String host = wsc.resolveHost(); ServletRequest request = wsc.resolveServletRequest(); ServletResponse response = wsc.resolveServletResponse(); return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled, request, response, securityManager); }
DelegatingSubject執行login的邏輯
public void login(AuthenticationToken token) throws AuthenticationException { clearRunAsIdentitiesInternal();
// 調用了上面的一整套邏輯,以下是為Subject設置信息 Subject subject = securityManager.login(this, token); PrincipalCollection principals; String host = null; if (subject instanceof DelegatingSubject) { DelegatingSubject delegating = (DelegatingSubject) subject; //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals: principals = delegating.principals; host = delegating.host; } else { principals = subject.getPrincipals(); } if (principals == null || principals.isEmpty()) { String msg = "Principals returned from securityManager.login( token ) returned a null or " + "empty value. This value must be non null and populated with one or more elements."; throw new IllegalStateException(msg); } this.principals = principals; this.authenticated = true; if (token instanceof HostAuthenticationToken) { host = ((HostAuthenticationToken) token).getHost(); } if (host != null) { this.host = host; } Session session = subject.getSession(false); if (session != null) { this.session = decorate(session); } else { this.session = null; } }
書接前文#3
獲得憑證匹配器(SimpleCredentialsMatcher)進行匹配
protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException { CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null) {
// 執行匹配動作 if (!cm.doCredentialsMatch(token, info)) { //not successful - throw an exception to indicate this: String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials."; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " + "credentials during authentication. If you do not wish for credentials to be examined, you " + "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance."); } }
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { Object tokenCredentials = getCredentials(token); Object accountCredentials = getCredentials(info); return equals(tokenCredentials, accountCredentials); }
SecurityManager的logout()
Subject執行退出操作(清空會員信息) --> SecurityManager執行退出操作(記住我退出、清空session) --> Realm執行退出操作(清空緩存如認證信息、授權信息)
Subject currentUser = SecurityUtils.getSubject();
currentUser.logout();
DelegatingSubject的logout行為,此為公共行為
public void logout() { try { clearRunAsIdentitiesInternal();
// 核心退出功能 this.securityManager.logout(this); } finally {
// 將以下Subject的信息置為null this.session = null; this.principals = null; this.authenticated = false; //Don't set securityManager to null here - the Subject can still be //used, it is just considered anonymous at this point. The SecurityManager instance is //necessary if the subject would log in again or acquire a new session. This is in response to //https://issues.apache.org/jira/browse/JSEC-22 //this.securityManager = null; } }
安全管理器的公共退出邏輯
public void logout(Subject subject) { if (subject == null) { throw new IllegalArgumentException("Subject method argument cannot be null."); } // 記住我退出,也就是清瀏覽器cookie beforeLogout(subject); PrincipalCollection principals = subject.getPrincipals(); if (principals != null && !principals.isEmpty()) { if (log.isDebugEnabled()) { log.debug("Logging out subject with primary principal {}", principals.getPrimaryPrincipal()); } Authenticator authc = getAuthenticator(); if (authc instanceof LogoutAware) {
// 認證器執行退出操作,后文詳解#4 ((LogoutAware) authc).onLogout(principals); } } try {
// 清空shiro的session delete(subject); } catch (Exception e) { if (log.isDebugEnabled()) { String msg = "Unable to cleanly unbind Subject. Ignoring (logging out)."; log.debug(msg, e); } } finally { try { stopSession(subject); } catch (Exception e) { if (log.isDebugEnabled()) { String msg = "Unable to cleanly stop Session for Subject [" + subject.getPrincipal() + "] " + "Ignoring (logging out)."; log.debug(msg, e); } } } }
書接前文#4
public void onLogout(PrincipalCollection principals) {
// 如果有AuthenticationListener執行監聽行為 super.onLogout(principals); Collection<Realm> realms = getRealms(); if (!CollectionUtils.isEmpty(realms)) { for (Realm realm : realms) { if (realm instanceof LogoutAware) {
// 領域執行退出行為 ((LogoutAware) realm).onLogout(principals); } } } }