1、首先调用 Subject.isPermitted*/hasRole* 接口,其会委托给SecurityManager。SecurityManager 接着会委托给 Authorizer;
Authorizer是真正的授权者,如果调用如isPermitted(“user:view”),其首先会通过• PermissionResolver 把字符串转换成相应的 Permission 实例;
DelegatingSubject public boolean hasRole(String roleIdentifier) { return hasPrincipals() && securityManager.hasRole(getPrincipals(), roleIdentifier); }
2、SecurityManager 接着会委托给 Authorizer;
this.authorizer = new ModularRealmAuthorizer();
public boolean hasRole(PrincipalCollection principals, String roleIdentifier) { return this.authorizer.hasRole(principals, roleIdentifier); }
3、ModularRealmAuthorizer 进行多 Realm 匹配流程
1)首先检查相应的 Realm 是否实现了实现了Authorizer;
2)如果实现了 Authorizer,那么接着调用其相应的isPermitted*/hasRole* 接口进行匹配
3)如果有一个Realm匹配那么将返回 true,否则返回 false。
public boolean hasRole(PrincipalCollection principals, String roleIdentifier) { assertRealmsConfigured(); for (Realm realm : getRealms()) { if (!(realm instanceof Authorizer)) continue; if (((Authorizer) realm).hasRole(principals, roleIdentifier)) { return true; } } return false; }
4、AuthorizingRealm中根据用户名去数据源中获取角色/权限,并进行判断
public boolean hasRole(PrincipalCollection principal, String roleIdentifier) { AuthorizationInfo info = getAuthorizationInfo(principal); return hasRole(roleIdentifier, info); } protected boolean hasRole(String roleIdentifier, AuthorizationInfo info) { return info != null && info.getRoles() != null && info.getRoles().contains(roleIdentifier); }