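When no custom CredentialsMatcher (password verifier) is configured, the method in Shiro that actually authenticates the username and password is doAuthenticate(token), called inside org.apache.shiro.authc.AbstractAuthenticator.authenticate(AuthenticationToken token). Stepping into this method: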
    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        assertRealmsConfigured();
        Collection<Realm> realms = getRealms();
        if (realms.size() == 1) {
            return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
        } else {
            return doMultiRealmAuthentication(realms, authenticationToken);
        }
    }
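As the code shows, assertRealmsConfigured() checks whether any realm exists. If there is none, it directly throws a realm configuration exception: msg = "Configuration error: No realms have been configured! One or more realms must be " + "present to execute an authentication attempt."
The realm is the custom authentication rule that is configured through securityManager.setRealm(authRealm()).
If a realm exists, the username and password are verified through doSingleRealmAuthentication(realms.iterator().next(), authenticationToken) or, when multiple realms are configured, through doMultiRealmAuthentication(realms, authenticationToken). If verification succeeds, the info for the successful authentication is returned; if it fails, an exception is thrown.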
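
The three branches described above can be observed from the outside with a small program. This is an added example, not code from the original post or from the Shiro project; it assumes shiro-core 1.x and its dependencies are on the classpath, and the class name RealmDispatchDemo, the realm names and the accounts are constructed for illustration (SimpleAccountRealm stands in for the post's authRealm()).

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class RealmDispatchDemo {
    // Run one authentication attempt and describe the outcome instead of propagating it.
    static String attempt(DefaultSecurityManager sm, String user, String password) {
        try {
            AuthenticationInfo info = sm.authenticate(new UsernamePasswordToken(user, password));
            return "OK, principals=" + info.getPrincipals();
        } catch (RuntimeException e) {
            // Shiro's exceptions are unchecked; show the wrapped cause too, if there is one.
            Throwable cause = e.getCause();
            return e.getClass().getSimpleName()
                    + (cause == null ? "" : " caused by " + cause.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        // Constructed sample accounts (hypothetical names and passwords).
        SimpleAccountRealm staff = new SimpleAccountRealm("staffRealm");
        staff.addAccount("alice", "alice-secret");
        SimpleAccountRealm partners = new SimpleAccountRealm("partnerRealm");
        partners.addAccount("bob", "bob-secret");

        // 1. No realm configured: assertRealmsConfigured() rejects the attempt.
        DefaultSecurityManager none = new DefaultSecurityManager();
        System.out.println("no realm            : " + attempt(none, "alice", "alice-secret"));

        // 2. Exactly one realm: the doSingleRealmAuthentication(...) branch.
        DefaultSecurityManager single = new DefaultSecurityManager();
        single.setRealm(staff);
        System.out.println("single, correct     : " + attempt(single, "alice", "alice-secret"));
        System.out.println("single, wrong pw    : " + attempt(single, "alice", "guess"));

        // 3. Two realms: the doMultiRealmAuthentication(...) branch.
        DefaultSecurityManager multi = new DefaultSecurityManager();
        multi.setRealms(Arrays.<Realm>asList(staff, partners));
        System.out.println("multi, second realm : " + attempt(multi, "bob", "bob-secret"));
        System.out.println("multi, unknown user : " + attempt(multi, "mallory", "x"));
    }
}
```

Every failed attempt reaches the caller as an unchecked exception, so login code built on this flow should treat any exception from authenticate(...) as a denied login rather than matching on one specific exception type.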