从realm中获取所有需要的用户,角色,权限
从Subject开始,
The term <em>principal</em> is just a fancy security term for any identifying attribute(s) of an application
user, such as a username, or user id, or public key, or anything else you might use in your application to
identify a user.
打开boolean isPermitted(Permission permission)到达DelegatingSubject
public boolean isPermitted(Permission permission) { return hasPrincipals() && securityManager.isPermitted(getPrincipals(), permission); }
是securityManager在工作
打开isPermitted,到达AuthorizingSecurityManager
public boolean isPermitted(PrincipalCollection principals, Permission permission) { return this.authorizer.isPermitted(principals, permission); }
此处是插曲,插曲开始=========================================================
AuthorizingSecurityManager是什么?
Shiro support of a {@link SecurityManager} class hierarchy that delegates all
authorization (access control) operations to a wrapped {@link Authorizer Authorizer} instance. That is,
this class implements all the <tt>Authorizer</tt> methods in the {@link SecurityManager SecurityManager}
interface, but in reality, those methods are merely passthrough calls to the underlying 'real'
<tt>Authorizer</tt> instance.
先要找authorizer:
public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager { /** * The wrapped instance to which all of this <tt>SecurityManager</tt> authorization calls are delegated. */ private Authorizer authorizer; /** * Default no-arg constructor that initializes an internal default * {@link org.apache.shiro.authz.ModularRealmAuthorizer ModularRealmAuthorizer}. */ public AuthorizingSecurityManager() { super(); this.authorizer = new ModularRealmAuthorizer(); } /** * Returns the underlying wrapped <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> * implementation delegates all of its authorization calls. * * @return the wrapped <tt>Authorizer</tt> used by this <tt>SecurityManager</tt> implementation. */ public Authorizer getAuthorizer() { return authorizer; } /** * Sets the underlying <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> implementation will * delegate all of its authorization calls. * * @param authorizer the <tt>Authorizer</tt> this <tt>SecurityManager</tt> should wrap and delegate all of its * authorization calls to. */ public void setAuthorizer(Authorizer authorizer) { if (authorizer == null) { String msg = "Authorizer argument cannot be null."; throw new IllegalArgumentException(msg); } this.authorizer = authorizer; }
找到了,原来AuthorizingSecurityManager中的authorizer是new ModularRealmAuthorizer()
插曲结束=========================================================
打开this.authorizer.isPermitted(principals, permission)
看到:
知道authorizer是new ModularRealmAuthorizer(),所以点开ModularRealmAuthorizer看到:
public boolean isPermitted(PrincipalCollection principals, Permission permission) { assertRealmsConfigured(); for (Realm realm : getRealms()) { if (!(realm instanceof Authorizer)) continue; if (((Authorizer) realm).isPermitted(principals, permission)) { return true; } } return false; }
这里出现了Realm
打开getRealms()到达了ModularRealmAuthorizer,神奇:
public ModularRealmAuthorizer(Collection<Realm> realms) { setRealms(realms); }
看到在ModularRealmAuthorizer的构造器中注入了realm,
原来AuthorizingSecurityManager在初始化的时候,已经把realm注入到属性authorizer中了就是ModularRealmAuthorizer中了
接下来打开(Authorizer) realm).isPermitted(principals, permission)
应该选择AuthorizingRealm,打开:
public boolean isPermitted(PrincipalCollection principals, Permission permission) { AuthorizationInfo info = getAuthorizationInfo(principals); return isPermitted(permission, info); }
打开getAuthorizationInfo(principals)
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) { if (principals == null) { return null; } AuthorizationInfo info = null; if (log.isTraceEnabled()) { log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]"); } Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache(); if (cache != null) { if (log.isTraceEnabled()) { log.trace("Attempting to retrieve the AuthorizationInfo from cache."); } Object key = getAuthorizationCacheKey(principals); info = cache.get(key); if (log.isTraceEnabled()) { if (info == null) { log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]"); } else { log.trace("AuthorizationInfo found in cache for principals [" + principals + "]"); } } } if (info == null) { // Call template method if the info was not found in a cache info = doGetAuthorizationInfo(principals); // If the info is not null and the cache has been created, then cache the authorization info. if (info != null && cache != null) { if (log.isTraceEnabled()) { log.trace("Caching authorization info for principals: [" + principals + "]."); } Object key = getAuthorizationCacheKey(principals); cache.put(key, info); } } return info; }
首次登录,缓存是空的,所以应该看info==null的部分,打开doGetAuthorizationInfo(principals)
走到头了,到这授权就走到头了
看到它是AuthenticatingRealm的子类,所以具有父类的所有方法,
所以授权是用的这个类的方法doGetAuthorizationInfo(PrincipalCollection principals)
所以继承这个类,重写这个方法就可以自定义自己的授权了
AuthorizingSecurityManager的继承关系:
有这些方法:
