Shiro登录身份认证(从SecurityUtils.getSubject().login(token))到Realm的doGetAuthenticationInfo

ssm框架下,controller接收到登录请求交给Service并开始处理流程:

1.Service的login方法:

@Service
public class SysUserServiceImpl implements SysUserService {
    @Autowired
    SysUserMapper mapper;
 
    @Override
    public LoginResult login(SysUser sysUser) {
        LoginResult loginResult = new LoginResult();
        try {    
            List<SysUser> sysUsers = mapper.selectByExample(sysUser.getUsername());
            BackUserToken backUserToken=new BackUserToken(sysUser.getUsername(), sysUser.getPwd(),sysUsers);
            SecurityUtils.getSubject().login(backUserToken);
            loginResult.setStatus(RespMSG.STATUS_SUCCESS);
            loginResult.setMsg(RespMSG.MSG_SUCCESS);
            loginResult.setSysUser(sysUsers.get(0));
            return loginResult;
        } catch (UnknownAccountException e) {
            loginResult.setStatus(RespMSG.STATUS_NON_EXISTENT);
            loginResult.setMsg(RespMSG.MSG_NON_EXISTENT);
            return loginResult;
        } catch (AccountException e) {
            e.printStackTrace();
//            loginResult.setStatus(RespMSG.);
//            loginResult.setMsg(RespMSG.MSG_NON_EXISTENT);
//            return loginResult;
        } catch (DeadlineException e) {
            loginResult.setStatus(RespMSG.STATUS_OVERDUE);
            loginResult.setMsg(RespMSG.MSG_OVERDUE);
            return loginResult;
        } catch (AccountRepeatException e) {
            loginResult.setStatus(RespMSG.STATUS_REPETITION);
            loginResult.setMsg(RespMSG.MSG_REPETITION);
            return loginResult;
        } catch (IncorrectCredentialsException e) {
            loginResult.setStatus(RespMSG.STATUS_WRONG_PWD);
            loginResult.setMsg(RespMSG.MSG_WRONG_PWD);
            return loginResult;
        }
        loginResult.setMsg(RespMSG.MSG_UNKNOW);
        loginResult.setStatus(RespMSG.STATUS_UNKNOW);
        return loginResult;
    }
 
}

BackUserToken集成了UsernamePasswordToken,主要是构造参数多了一个List<SysUser>.因为我需要在service中将登录用户的详细
信息返回给客户端,同时将登录用户的信息传递给Realm进行登录验证。
关键方法是:

SecurityUtils.getSubject().login(backUserToken);
其具体实现是:

2.DelegatingSubject implements Subject

public class DelegatingSubject implements Subject {
   public void login(AuthenticationToken token) throws AuthenticationException {
        ...
        Subject subject = this.securityManager.login(this, token);
        ...
    }
}

token继续传递:

3.DefaultSecurityManager

public class DefaultSecurityManager extends SessionsSecurityManager {
 
    public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
        ...
            info = this.authenticate(token);
    ...
        return loggedIn;
    }
   
}

向下继续

4.AuthenticatingSecurityManager

public abstract class AuthenticatingSecurityManager extends RealmSecurityManager {
 
    public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
        return this.authenticator.authenticate(token);
    }
 
}

继续向下

5.AbstractAuthenticator

public abstract class AbstractAuthenticator implements Authenticator, LogoutAware {
 
    public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
        ...
        info = this.doAuthenticate(token);
        ...
        return info;
        }
    }
 
}

6.ModularRealmAuthenticator

public class ModularRealmAuthenticator extends AbstractAuthenticator {
 
    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        this.assertRealmsConfigured();
        Collection<Realm> realms = this.getRealms();
        return realms.size() == 1 ? this.doSingleRealmAuthentication((Realm)realms.iterator().next(), authenticationToken) : this.doMultiRealmAuthentication(realms, authenticationToken);
    }
 
}

还是在ModularRealmAuthenticator中

protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
          ...
            AuthenticationInfo info = realm.getAuthenticationInfo(token);
          ...
       
    }

继续

7.AuthenticatingRealm

public abstract class AuthenticatingRealm extends CachingRealm implements Initializable {
 
    public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        ...
        info = this.doGetAuthenticationInfo(token);
        ...
        return info;
    }
 
}

然后进入最后一步,在继承了AuthorizingRealm的自定义的realm中进行处理。

8.自定义realm举例

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
        BackUserToken token = (BackUserToken) authenticationToken;
        List<SysUser> sysUsers = token.getUser();
        if (sysUsers == null || sysUsers.size() == 0) {
            throw new UnknownAccountException();
        }
        if (sysUsers.size() > 1) {
            //用户重复
            throw new AccountRepeatException();
        }
        if (用户已过期) {
            if (sysUsers.get(0).getIsAbleDate() == null||sysUsers.get(0).getIsAbleDate().getTime() < new Date().getTime()) {
                //用户过期(自定义异常)
                throw new DeadlineException();
            }
        }
        SysUser sysUser = sysUsers.get(0);
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                sysUser,
                sysUser.getPwd(),
                getName() 
        );
        return authenticationInfo;
 
    }
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

推荐阅读更多精彩内容