


获取SecurityManager 并绑定给SecurityUtils

  • 通过xml配置
<bean id="myShiroRealm" class="com.wechat.ztsoft.shiro.realm.MyRealm">
        <property name="credentialsMatcher" ref="credentialsMatcher"/>
        <property name="authorizationCachingEnabled" value="true"/>
        <property name="authorizationCacheName" value="authorizationCache"/>
<bean id="securityManager"
    <property name="realm" ref="myShiroRealm"/>
    <property name="sessionManager" ref="sessionManager" />
    <property name="cacheManager" ref="cacheManger" />
<!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>


  • 获取Subject,SecurityUtils.getSubject
public static Subject getSubject() {
      Subject subject = ThreadContext.getSubject();
      if (subject == null) {
          subject = (new Subject.Builder()).buildSubject();
      return subject;
  • 函数内第一行函数,通过线程本地变量绑定Subject到当前线程;具体参见ThreadContext类,其定义了一个静态线程本地变量:
private static final ThreadLocal<Map<Object, Object>> resources = new InheritableThreadLocalMap<Map<Object, Object>>();
  • 调用其getSubjec函数,最终调用该类内的静态函数getValue:
public static Object get(Object key) {
        if (log.isTraceEnabled()) {
            String msg = "get() - in thread [" + Thread.currentThread().getName() + "]";

        Object value = getValue(key);
        if ((value != null) && log.isTraceEnabled()) {
            String msg = "Retrieved value of type [" + value.getClass().getName() + "] for key [" +
                    key + "] " + "bound to thread [" + Thread.currentThread().getName() + "]";
        return value;
private static Object getValue(Object key) {
        return resources.get().get(key);
  • 其调用了ThreadLocal变量,然后获取其Map类型的值,然后从中获取该Key对应的对象。
subject = (new Subject.Builder()).buildSubject();
  • 调用绑定的securityManager对象创建subject,
public Subject buildSubject() {
           return this.securityManager.createSubject(this.subjectContext);
  • 绑定的SecurityManager实现类为DefaultWebSecurityManager,故调用其实现的createSubject方法创建

public DefaultWebSecurityManager() {
((DefaultSubjectDAO) this.subjectDAO).setSessionStorageEvaluator(new DefaultWebSessionStorageEvaluator());
this.sessionMode = HTTP_SESSION_MODE;
setSubjectFactory(new DefaultWebSubjectFactory());
setRememberMeManager(new CookieRememberMeManager());
setSessionManager(new ServletContainerSessionManager());

- DefaultWebSecurityManager类调用其父类DefaultSecurityManager实现的createSubject

protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
SubjectContext context = createSubjectContext();
if (existing != null) {
return createSubject(context);

- 最终调用DefaultSecurityManager的createSubject(SubjectContext subjectContext)方法

public Subject createSubject(SubjectContext subjectContext) {
//create a copy so we don't modify the argument's backing map:
SubjectContext context = copy(subjectContext);
context = ensureSecurityManager(context);
context = resolveSession(context);
context = resolvePrincipals(context);
/ /此处为关键
Subject subject = doCreateSubject(context);
return subject;

- 关键创建代码调用了doCreateSubject方法

protected Subject doCreateSubject(SubjectContext context) {
return getSubjectFactory().createSubject(context);

- 其调用了前面设置的DefaultWebSubjectFactory工程类的createSubject方法,其返回了一个Subject的实现类WebDelegatingSubject的对象

public Subject createSubject(SubjectContext context) {
if (!(context instanceof WebSubjectContext)) {
return super.createSubject(context);
WebSubjectContext wsc = (WebSubjectContext) context;
SecurityManager securityManager = wsc.resolveSecurityManager();
Session session = wsc.resolveSession();
boolean sessionEnabled = wsc.isSessionCreationEnabled();
PrincipalCollection principals = wsc.resolvePrincipals();
boolean authenticated = wsc.resolveAuthenticated();
String host = wsc.resolveHost();
ServletRequest request = wsc.resolveServletRequest();
ServletResponse response = wsc.resolveServletResponse();

    return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled,
            request, response, securityManager);

- 接下来将新建的subject,绑定到线程变量中,具体方法如下:

public static void bind(Subject subject) {
if (subject != null) {
put(SUBJECT_KEY, subject);
public static void put(Object key, Object value) {
if (key == null) {
throw new IllegalArgumentException("key cannot be null");

    if (value == null) {
    resources.get().put(key, value);

    if (log.isTraceEnabled()) {
        String msg = "Bound value of type [" + value.getClass().getName() + "] for key [" +
                key + "] to thread " + "[" + Thread.currentThread().getName() + "]";
- 创建用户凭证

UsernamePasswordToken token = new UsernamePasswordToken("wang", "123456");

### 执行登录验证
-  调用Subject.login(token ),实际调用WebDelegatingSubject的login方法,WebDelegatingSubject未覆盖login方法,调用其父类的,即DelegatingSubject的login方法:

public void login(AuthenticationToken token) throws AuthenticationException {
Subject subject = securityManager.login(this, token);

    PrincipalCollection principals;

    String host = null;

    if (subject instanceof DelegatingSubject) {
        DelegatingSubject delegating = (DelegatingSubject) subject;
        //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
        principals = delegating.principals;
        host =;
    } else {
        principals = subject.getPrincipals();

    if (principals == null || principals.isEmpty()) {
        String msg = "Principals returned from securityManager.login( token ) returned a null or " +
                "empty value.  This value must be non null and populated with one or more elements.";
        throw new IllegalStateException(msg);
    this.principals = principals;
    this.authenticated = true;
    if (token instanceof HostAuthenticationToken) {
        host = ((HostAuthenticationToken) token).getHost();
    if (host != null) { = host;
    Session session = subject.getSession(false);
    if (session != null) {
        this.session = decorate(session);
    } else {
        this.session = null;

- 其委托给SecurityManager执行login

public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
info = authenticate(token);
} catch (AuthenticationException ae) {
try {
onFailedLogin(token, ae, subject);
} catch (Exception e) {
if (log.isInfoEnabled()) {"onFailedLogin method threw an " +
"exception. Logging and propagating original AuthenticationException.", e);
throw ae; //propagate

    Subject loggedIn = createSubject(token, info, subject);

    onSuccessfulLogin(token, info, loggedIn);

    return loggedIn;

- 调用了父类AuthenticatingSecurityManager的authenticate方法;回去看XML配置模块,我们配置实现获取认证信息和授权信息的Realm,设置完成后调用afterRealmsSet方法,AuthenticatingSecurityManager覆盖了该方法,如下

protected void afterRealmsSet() {
if (this.authenticator instanceof ModularRealmAuthenticator) {
((ModularRealmAuthenticator) this.authenticator).setRealms(getRealms());

- 将Realm赋值给实际Authenticator,AuthenticatingSecurityManager中的Authenticator为ModularRealmAuthenticator实现类,发现Authenticator的子类AbstractAuthenticator实现了authenticate方法,并把实际执行代码用占位符doAuthenticate留待子类去实现,我们进入ModularRealmAuthenticator查看其doAuthenticate方法

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
} else {
return doMultiRealmAuthentication(realms, authenticationToken);

- 可以看到分位一个或多个Realm两张情况,我们以一个Realm为例分析

protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
if (!realm.supports(token)) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException(msg);
//关键代码 通过realm获取认证信息,此处我们自己实现realm,根据逻返回认证信息类,如SimpleAuthenticationInfo
AuthenticationInfo info = realm.getAuthenticationInfo(token);
if (info == null) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException(msg);
return info;

-  回过头看需要我们自己实现的Realm子类,继承AuthorizingRealm,其继承自AuthenticatingRealm,实现doGetAuthorizationInfo及doGetAuthenticationInfo函数

public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

    AuthenticationInfo info = getCachedAuthenticationInfo(token);
    if (info == null) {
        //otherwise not cached, perform the lookup:
        info = doGetAuthenticationInfo(token);
        log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
        if (token != null && info != null) {
            cacheAuthenticationInfoIfPossible(token, info);
    } else {
        log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

    if (info != null) {
        assertCredentialsMatch(token, info);
    } else {
        log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);

    return info;

protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
CredentialsMatcher cm = getCredentialsMatcher();
if (cm != null) {
if (!cm.doCredentialsMatch(token, info)) {
//not successful - throw an exception to indicate this:
String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
throw new IncorrectCredentialsException(msg);
} else {
throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " +
"credentials during authentication. If you do not wish for credentials to be examined, you " +
"can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");

-  贴出我自己的验证器,带防止多次试探密码的功能
public class RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher {

    private Cache<String, AtomicInteger> passwordRetryCache;

    public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) {
        passwordRetryCache = cacheManager.getCache("passwordRetryCache");

    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = (String)token.getPrincipal();
        //retry count + 1
        AtomicInteger retryCount = passwordRetryCache.get(username);
        if(retryCount == null) {
            retryCount = new AtomicInteger(0);
            passwordRetryCache.put(username, retryCount);
        if(retryCount.incrementAndGet() > 8) {
            //if retry count > 5 throw
            throw new ExcessiveAttemptsException();

        boolean matches = super.doCredentialsMatch(token, info);
        if(matches) {
            //clear retry count
        return matches;

- 回头看assertCredentialsMatch函数,校验失败后,抛出IncorrectCredentialsException异常,然后AuthenticatingSecurityManager的login抛该异常,登录失败

  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 221,548评论 6 515
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 94,497评论 3 399
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 167,990评论 0 360
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 59,618评论 1 296
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 68,618评论 6 397
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 52,246评论 1 308
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 40,819评论 3 421
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 39,725评论 0 276
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 46,268评论 1 320
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 38,356评论 3 340
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 40,488评论 1 352
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 36,181评论 5 350
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 41,862评论 3 333
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 32,331评论 0 24
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 33,445评论 1 272
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 48,897评论 3 376
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 45,500评论 2 359


  • Spring Cloud为开发人员提供了快速构建分布式系统中一些常见模式的工具(例如配置管理,服务发现,断路器,智...
    卡卡罗2017阅读 134,696评论 18 139
  • 文章转载自:
    wangzaiplus阅读 3,401评论 0 3
  • *以下仅是部分关键代码 应用程序根据用户的身份和凭证(principals和credentials)来构造出Aut...
    抓兔子的猫阅读 2,546评论 0 0
  • 天未黑湖蓝不见白鸽飞起一片片黄沙发如黑瀑白皙的手为异乡铺上绿被 透明的泉水彩光折叠霓虹灯熄灭远处昏黄的窗漆红的门内...
    插班生君阅读 144评论 2 2
  • 我走过的路不多 因总在其中徘徊、又徘徊 有时打赤脚疾走 有时醉酒 总觉得这些陌生已经看透 也就不必再心存念想 在遇...
    羊念阅读 181评论 0 0