本博文所有的代码均为shiro官网(http://shiro.apache.org/)中shiro 1.3.2版本中的源码。
追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:
1 public void login(AuthenticationToken token) throws AuthenticationException { 2 clearRunAsIdentitiesInternal(); 3 Subject subject = securityManager.login(this, token); 4 5 PrincipalCollection principals; 6 7 String host = null; 8 9 if (subject instanceof DelegatingSubject) { 10 DelegatingSubject delegating = (DelegatingSubject) subject; 11 //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals: 12 principals = delegating.principals; 13 host = delegating.host; 14 } else { 15 principals = subject.getPrincipals(); 16 } 17 18 if (principals == null || principals.isEmpty()) { 19 String msg = "Principals returned from securityManager.login( token ) returned a null or " + 20 "empty value. This value must be non null and populated with one or more elements."; 21 throw new IllegalStateException(msg); 22 } 23 this.principals = principals; 24 this.authenticated = true; 25 if (token instanceof HostAuthenticationToken) { 26 host = ((HostAuthenticationToken) token).getHost(); 27 } 28 if (host != null) { 29 this.host = host; 30 } 31 Session session = subject.getSession(false); 32 if (session != null) { 33 this.session = decorate(session); 34 } else { 35 this.session = null; 36 } 37 }
在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:
1 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { 2 AuthenticationInfo info; 3 try { 4 info = authenticate(token); 5 } catch (AuthenticationException ae) { 6 try { 7 onFailedLogin(token, ae, subject); 8 } catch (Exception e) { 9 if (log.isInfoEnabled()) { 10 log.info("onFailedLogin method threw an " + 11 "exception. Logging and propagating original AuthenticationException.", e); 12 } 13 } 14 throw ae; //propagate 15 } 16 17 Subject loggedIn = createSubject(token, info, subject); 18 19 onSuccessfulLogin(token, info, loggedIn); 20 21 return loggedIn; 22 }
在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:
1 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { 2 return this.authenticator.authenticate(token); 3 }
authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:
1 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { 2 3 if (token == null) { 4 throw new IllegalArgumentException("Method argument (authentication token) cannot be null."); 5 } 6 7 log.trace("Authentication attempt received for token [{}]", token); 8 9 AuthenticationInfo info; 10 try { 11 info = doAuthenticate(token); 12 if (info == null) { 13 String msg = "No account information found for authentication token [" + token + "] by this " + 14 "Authenticator instance. Please check that it is configured correctly."; 15 throw new AuthenticationException(msg); 16 } 17 } catch (Throwable t) { 18 AuthenticationException ae = null; 19 if (t instanceof AuthenticationException) { 20 ae = (AuthenticationException) t; 21 } 22 if (ae == null) { 23 //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more 24 //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate: 25 String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " + 26 "error? (Typical or expected login exceptions should extend from AuthenticationException)."; 27 ae = new AuthenticationException(msg, t); 28 if (log.isWarnEnabled()) 29 log.warn(msg, t); 30 } 31 try { 32 notifyFailure(token, ae); 33 } catch (Throwable t2) { 34 if (log.isWarnEnabled()) { 35 String msg = "Unable to send notification for failed authentication attempt - listener error?. " + 36 "Please check your AuthenticationListener implementation(s). Logging sending exception " + 37 "and propagating original AuthenticationException instead..."; 38 log.warn(msg, t2); 39 } 40 } 41 throw ae; 42 } 43 44 log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info); 45 46 notifySuccess(token, info); 47 48 return info; 49 }
上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:
1 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException { 2 assertRealmsConfigured(); 3 Collection<Realm> realms = getRealms(); 4 if (realms.size() == 1) { 5 return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); 6 } else { 7 return doMultiRealmAuthentication(realms, authenticationToken); 8 } 9 }
这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:
1 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) { 2 if (!realm.supports(token)) { 3 String msg = "Realm [" + realm + "] does not support authentication token [" + 4 token + "]. Please ensure that the appropriate Realm implementation is " + 5 "configured correctly or that the realm accepts AuthenticationTokens of this type."; 6 throw new UnsupportedTokenException(msg); 7 } 8 AuthenticationInfo info = realm.getAuthenticationInfo(token); 9 if (info == null) { 10 String msg = "Realm [" + realm + "] was unable to find account data for the " + 11 "submitted AuthenticationToken [" + token + "]."; 12 throw new UnknownAccountException(msg); 13 } 14 return info; 15 }
上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:
1 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 2 3 AuthenticationInfo info = getCachedAuthenticationInfo(token); 4 if (info == null) { 5 //otherwise not cached, perform the lookup: 6 info = doGetAuthenticationInfo(token); 7 log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info); 8 if (token != null && info != null) { 9 cacheAuthenticationInfoIfPossible(token, info); 10 } 11 } else { 12 log.debug("Using cached authentication info [{}] to perform credentials matching.", info); 13 } 14 15 if (info != null) { 16 assertCredentialsMatch(token, info); 17 } else { 18 log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token); 19 } 20 return info; 21 }
上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:
最后,附上SecurityManager和Realm等的类关系图:
Realm:
SecurityManager:
Authenticator:
