三、验证
- 看这一小节之前,请先看前面那一节,本节后面会附上地址。
1、subject咋来的
我们可以看下官方给的登录流程的图片。我们可以很简单的看到shiro的核心是Security Manager。所有的核心操作都在里面,而Subject可以说是使用shiro的入口。
在shiroFilter进行处理的时候,会创建一个subject对象。
image
由于我们看的是web项目,所以这一块subject的实例化的真实类型是org.apache.shiro.web.subject.WebSubject,这是一个接口。接下来我们跟踪一下代码。
由上一节我们知道,shiro的入口是org.apache.shiro.web.servlet.AbstractShiroFilter这个类里面的doFilterInternal这个方法。里面就对subject进行了初始化。
final Subject subject = createSubject(request, response);
protected WebSubject createSubject(ServletRequest request, ServletResponse response) {
return new WebSubject.Builder(getSecurityManager(), request, response).buildWebSubject();
}
由于WebSubject是一个接口,shiro这里是采用直接实例化一个叫Builder的内部类进行构造WebSubject对象的。
public WebSubject buildWebSubject() {
//此处调用父类的方法进行构造subject。
Subject subject = super.buildSubject();
if (!(subject instanceof WebSubject)) {
String msg = "Subject implementation returned from the SecurityManager was not a " +
WebSubject.class.getName() + " implementation. Please ensure a Web-enabled SecurityManager " +
"has been configured and made available to this builder.";
throw new IllegalStateException(msg);
}
return (WebSubject) subject;
}
//父类的方法
public Subject buildSubject() {
return this.securityManager.createSubject(this.subjectContext);
}
我们可以看到,subject的创建工作还是由我们的securityManager完成的。securityManager又是一个接口啊!不怕,我们来看下面一张图。
mark
有木有一种豁然开朗的感觉?反正我是有的,从这个图就可以看到,我们如果不自定义securityManager的话,并且是一个web项目的话,我们就需要实例化最下面那个默认的管理器,即org.apache.shiro.web.mgt.DefaultWebSecurityManager。我在项目中也是这么干的,如果不是web项目的话,直接用org.apache.shiro.mgt.DefaultSecurityManager就足够了,当然他们的都不是final类,我们可以根据自己项目的需求进行扩展。
在DefaultWebSecurityManager中并没有重载createSubject这个方法,其真正的实现是在DefaultSecurityManager中,看到这可能会有点疑问,如果是父类实现了这个方法的话,怎么能得到WebSubject的实例呢?还没看源码之前我是很疑惑的!那么直接上源码吧。
public Subject createSubject(SubjectContext subjectContext) {
//create a copy so we don't modify the argument's backing map:
SubjectContext context = copy(subjectContext);
//ensure that the context has a SecurityManager instance, and if not, add one:
context = ensureSecurityManager(context);
//Resolve an associated Session (usually based on a referenced session ID), and place it in the context before
//sending to the SubjectFactory. The SubjectFactory should not need to know how to acquire sessions as the
//process is often environment specific - better to shield the SF from these details:
context = resolveSession(context);
//Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first
//if possible before handing off to the SubjectFactory:
context = resolvePrincipals(context);
//重点在这里哦
Subject subject = doCreateSubject(context);
//save this subject for future reference if necessary:
//(this is needed here in case rememberMe principals were resolved and they need to be stored in the
//session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
//Added in 1.2:
save(subject);
return subject;
}
protected Subject doCreateSubject(SubjectContext context) {
return getSubjectFactory().createSubject(context);
}
//此处的工厂类是在DefaultSecurityManager或者DefaultWebSecurityManager的构造方法中进行创建的。
public SubjectFactory getSubjectFactory() {
return subjectFactory;
}
//这里贴出DefaultSecurityManager的构造方法
public DefaultSecurityManager() {
super();
this.subjectFactory = new DefaultSubjectFactory();
this.subjectDAO = new DefaultSubjectDAO();
}
//这里贴出DefaultWebSecurityManager的构造方法
public DefaultWebSecurityManager() {
super();
((DefaultSubjectDAO) this.subjectDAO).setSessionStorageEvaluator(new DefaultWebSessionStorageEvaluator());
this.sessionMode = HTTP_SESSION_MODE;
setSubjectFactory(new DefaultWebSubjectFactory());
setRememberMeManager(new CookieRememberMeManager());
setSessionManager(new ServletContainerSessionManager());
}
至此我们可以看到是由org.apache.shiro.web.mgt.DefaultWebSubjectFactory这个类进行创建WebSubject对象,如果不是web应用则由org.apache.shiro.mgt.DefaultSubjectFactory进行创建。下面我们就可以看到关键方法了!见证奇迹的时刻到了!
//DefaultWebSubjectFactory中的方法,DefaultSubjectFactory中的方法结构上是没有多大差别的,其实例化的是DelegatingSubject这个对象
public Subject createSubject(SubjectContext context) {
//判断是不是WebSubjectContext
if (!(context instanceof WebSubjectContext)) {
return super.createSubject(context);
}
//获取初始化数据,这里几不一一介绍了。
WebSubjectContext wsc = (WebSubjectContext) context;
SecurityManager securityManager = wsc.resolveSecurityManager();
Session session = wsc.resolveSession();
boolean sessionEnabled = wsc.isSessionCreationEnabled();
PrincipalCollection principals = wsc.resolvePrincipals();
boolean authenticated = wsc.resolveAuthenticated();
String host = wsc.resolveHost();
ServletRequest request = wsc.resolveServletRequest();
ServletResponse response = wsc.resolveServletResponse();
return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled,
request, response, securityManager);
}
2、从登陆开始
shiro的登陆很简单,总体上只需要三步,
- 获取Subject:
SecurityUtils.getSubject() - 构建Token。例如:
org.apache.shiro.authc.UsernamePasswordToken - 登陆。
subject.login(token)
SecurityUtils有兴趣的可以自己去研究,大致上就是,在subject创建的时候就会缓存到ThreadLocal中,需要的时候拿出来。
接下来我们从登陆开始,来看看他是怎么干活的。
直接上代码。
public void login(AuthenticationToken token) throws AuthenticationException {
clearRunAsIdentitiesInternal();
//这是主要处理方法
Subject subject = securityManager.login(this, token);
PrincipalCollection principals;
String host = null;
if (subject instanceof DelegatingSubject) {
DelegatingSubject delegating = (DelegatingSubject) subject;
//we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
principals = delegating.principals;
host = delegating.host;
} else {
principals = subject.getPrincipals();
}
if (principals == null || principals.isEmpty()) {
String msg = "Principals returned from securityManager.login( token ) returned a null or " +
"empty value. This value must be non null and populated with one or more elements.";
throw new IllegalStateException(msg);
}
this.principals = principals;
this.authenticated = true;
if (token instanceof HostAuthenticationToken) {
host = ((HostAuthenticationToken) token).getHost();
}
if (host != null) {
this.host = host;
}
Session session = subject.getSession(false);
if (session != null) {
this.session = decorate(session);
} else {
this.session = null;
}
}
我们可以很清楚地看到真正执行登录的是:securityManager.login(this, token);,
继续上源码。
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
//如果登录成功会返回AuthenticationInfo
//如果失败则会抛出异常
info = authenticate(token);
} catch (AuthenticationException ae) {
try {
//失败的处理
onFailedLogin(token, ae, subject);
} catch (Exception e) {
if (log.isInfoEnabled()) {
log.info("onFailedLogin method threw an " +
"exception. Logging and propagating original AuthenticationException.", e);
}
}
//继续向上抛出
throw ae; //propagate
}
//重新构造Subject
Subject loggedIn = createSubject(token, info, subject);
///登录成功的后续处理
onSuccessfulLogin(token, info, loggedIn);
return loggedIn;
}
public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
//交给认证器进行认证,此处认证器是在构造方法中进行初始化的,默认构造器的构造的类是:org.apache.shiro.authc.pam.ModularRealmAuthenticator,我们也可以自己继进行实现,并注入到securityManager中
return this.authenticator.authenticate(token);
}
先看下面的图吧。
mark
这里的Authenticator有多个实现类,但是authenticate这个方法的实现是在org.apache.shiro.authc.AbstractAuthenticator和org.apache.shiro.mgt.AuthenticatingSecurityManager,但是后者他仅仅是调用他注入的Authenticator的实现,到最后还是回到前者执行的代码,这里直接贴出前者的代码。
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
if (token == null) {
throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
}
log.trace("Authentication attempt received for token [{}]", token);
AuthenticationInfo info;
try {
// 交由doAuthenticate进行处理
info = doAuthenticate(token);
if (info == null) {
String msg = "No account information found for authentication token [" + token + "] by this " +
"Authenticator instance. Please check that it is configured correctly.";
throw new AuthenticationException(msg);
}
} catch (Throwable t) {
AuthenticationException ae = null;
if (t instanceof AuthenticationException) {
ae = (AuthenticationException) t;
}
if (ae == null) {
//Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
//severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate:
String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
"error? (Typical or expected login exceptions should extend from AuthenticationException).";
ae = new AuthenticationException(msg, t);
if (log.isWarnEnabled())
log.warn(msg, t);
}
try {
notifyFailure(token, ae);
} catch (Throwable t2) {
if (log.isWarnEnabled()) {
String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
"Please check your AuthenticationListener implementation(s). Logging sending exception " +
"and propagating original AuthenticationException instead...";
log.warn(msg, t2);
}
}
throw ae;
}
log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info);
notifySuccess(token, info);
return info;
}
//这是一个抽象方法,此处贴的是`org.apache.shiro.authc.pam.ModularRealmAuthenticator`这一子类的实现
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
assertRealmsConfigured();
//此处的realm就是我们注入的realm了,这是一个集合,此处判断集合是不是一个
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
} else {
return doMultiRealmAuthentication(realms, authenticationToken);
}
}
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
if (!realm.supports(token)) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException(msg);
}
AuthenticationInfo info = realm.getAuthenticationInfo(token);
if (info == null) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException(msg);
}
return info;
}
此处我只贴出单个realm的处理源码,多个realms的有兴趣的留给大家去研究吧,不过还是说下思路吧,这边既然是多个realm了,那么就是遍历每一个realm,并分别执行realm的getAuthenticationInfo并获取AuthenticationInfo,有点不同的是,在获取AuthenticationInfo之后要将多个AuthenticationInfo合并成一个,shiro这一块有一个merge方法,大家有兴趣可以找找,算是留下点东西给你探索吧(其实是我不想写了)。
我们继续看getAuthenticationInfo
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//从缓存中获取
AuthenticationInfo info = getCachedAuthenticationInfo(token);
if (info == null) {
//otherwise not cached, perform the lookup:
//核心
info = doGetAuthenticationInfo(token);
log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
//缓存info
if (token != null && info != null) {
cacheAuthenticationInfoIfPossible(token, info);
}
} else {
log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
}
if (info != null) {
assertCredentialsMatch(token, info);
} else {
log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
}
return info;
}
接下来看看我实现的一个realm里面的doGetAuthenticationInfo方法的实现,在实际项目使用中也可以这样。
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String principal = token.getPrincipal().toString();
User u = userService.loadByPrincipal(principal);
if (u == null) {
throw new UnknownAccountException();
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(u, u.getPassword(),
ByteSource.Util.bytes(u.getEmail()), this.getName());
return authenticationInfo;
}
