shrio 是一个比较轻量级的安全框架,主要的作用是在后端承担 认证 和授权的工作。今天就讲一下shrio进行认证的一个过程。
首先先介绍一下在认证过程中的几个关键的对象:
访问系统的用户,主体可以是用户、程序等,进行认证的都称为主体;
Principal:身份信息是主体(subject)进行身份认证的标识,标识必须具有唯一性,如用户名、手机号、邮箱地址等,一个主体可以有多个身份,但是必须有一个主身份(Primary Principal)。
credential:凭证信息
是只有主体自己知道的安全信息,如密码、证书等。
接着我们就进入认证的具体过程:
首先是从前端的 登录 表单中接收到用户输入的token(username + password):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
@RequestMapping ( "/login" ) public String login( @RequestBody Map user){ Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(user.get( "email" ).toString(), user.get( "password" ).toString()); try { subject.login(usernamePasswordToken); } catch (UnknownAccountException e) { return "邮箱不存在!" ; } catch (AuthenticationException e) { return "账号或密码错误!" ; } return "登录成功!" ; } |
这里的usernamePasswordToken(以下简称token)就是用户名和密码的一个结合对象,然后调用subject的login方法将token传入开始认证过程。
接着会发现subject的login方法调用的其实是securityManager的login方法:
|
1 |
Subject subject = securityManager.login( this , token); |
再往下看securityManager的login方法内部:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info; try { info = authenticate(token); } catch (AuthenticationException ae) { try { onFailedLogin(token, ae, subject); } catch (Exception e) { if (log.isInfoEnabled()) { log.info( "onFailedLogin method threw an " + "exception. Logging and propagating original AuthenticationException." , e); } } throw ae; //propagate } Subject loggedIn = createSubject(token, info, subject); onSuccessfulLogin(token, info, loggedIn); return loggedIn; } |
上面代码的关键在于:
|
1 |
info = authenticate(token); |
即将token传入authenticate方法中得到一个AuthenticationInfo类型的认证信息。
以下是authenticate方法的具体内容:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { if (token == null ) { throw new IllegalArgumentException( "Method argument (authentication token) cannot be null." ); } log.trace( "Authentication attempt received for token [{}]" , token); AuthenticationInfo info; try { info = doAuthenticate(token); if (info == null ) { String msg = "No account information found for authentication token [" + token + "] by this " + "Authenticator instance. Please check that it is configured correctly." ; throw new AuthenticationException(msg); } } catch (Throwable t) { AuthenticationException ae = null ; if (t instanceof AuthenticationException) { ae = (AuthenticationException) t; } if (ae == null ) { //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate: String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " + "error? (Typical or expected login exceptions should extend from AuthenticationException)." ; ae = new AuthenticationException(msg, t); if (log.isWarnEnabled()) log.warn(msg, t); } try { notifyFailure(token, ae); } catch (Throwable t2) { if (log.isWarnEnabled()) { String msg = "Unable to send notification for failed authentication attempt - listener error?. " + "Please check your AuthenticationListener implementation(s). Logging sending exception " + "and propagating original AuthenticationException instead..." ; log.warn(msg, t2); } } throw ae; } log.debug( "Authentication successful for token [{}]. Returned account [{}]" , token, info); notifySuccess(token, info); return info; } |
首先就是判断token是否为空,不为空再将token传入doAuthenticate方法中:
|
1 2 3 4 5 6 7 8 9 |
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException { assertRealmsConfigured(); Collection<Realm> realms = getRealms(); if (realms.size() == 1 ) { return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); } else { return doMultiRealmAuthentication(realms, authenticationToken); } } |
这一步是判断是有单个Reaml验证还是多个Reaml验证,单个就执行doSingleRealmAuthentication()方法,多个就执行doMultiRealmAuthentication()方法。
一般情况下是单个验证:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) { if (!realm.supports(token)) { String msg = "Realm [" + realm + "] does not support authentication token [" + token + "]. Please ensure that the appropriate Realm implementation is " + "configured correctly or that the realm accepts AuthenticationTokens of this type." ; throw new UnsupportedTokenException(msg); } AuthenticationInfo info = realm.getAuthenticationInfo(token); if (info == null ) { String msg = "Realm [" + realm + "] was unable to find account data for the " + "submitted AuthenticationToken [" + token + "]." ; throw new UnknownAccountException(msg); } return info; } |
这一步中首先判断是否支持Realm,只有支持Realm才调用realm.getAuthenticationInfo(token)获取info。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info = getCachedAuthenticationInfo(token); if (info == null ) { //otherwise not cached, perform the lookup: info = doGetAuthenticationInfo(token); log.debug( "Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo" , info); if (token != null && info != null ) { cacheAuthenticationInfoIfPossible(token, info); } } else { log.debug( "Using cached authentication info [{}] to perform credentials matching." , info); } if (info != null ) { assertCredentialsMatch(token, info); } else { log.debug( "No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null." , token); } return info; } |
首先查看Cache中是否有该token的info,如果有,则直接从Cache中去即可。如果是第一次登录,则Cache中不会有该token的info,需要调用doGetAuthenticationInfo(token)方法获取,并将结果加入到Cache中,方便下次使用。而这里调用的doGetAuthenticationInfo()方法就是我们在自己重写的方法,具体的内容是自定义了对拿到的这个token的一个处理的过程:
|
1 2 3 4 5 6 7 8 9 |
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { if (authenticationToken.getPrincipal() == null ) return null ; String email = authenticationToken.getPrincipal().toString(); User user = userService.findByEmail(email); if (user == null ) return null ; else return new SimpleAuthenticationInfo(email, user.getPassword(), getName()); } |
这其中进行了几步判断:首先是判断传入的用户名是否为空,在判断传入的用户名在本地的数据库中是否存在,不存在则返回一个用户名不存在的Exception。以上两部通过之后生成一个包括传入用户名和密码的info,注意此时关于用户名的验证已经完成,接下来进入对密码的验证。
将这一步得到的info返回给getAuthenticationInfo方法中的
|
1 |
assertCredentialsMatch(token, info); |
此时的info是正确的用户名和密码的信息,token是输入的用户名和密码的信息,经过前面步骤的验证过程,用户名此时已经是真是存在的了,这一步就是验证输入的用户名和密码的对应关系是否正确。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException { CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null ) { if (!cm.doCredentialsMatch(token, info)) { //not successful - throw an exception to indicate this: String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials." ; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException( "A CredentialsMatcher must be configured in order to verify " + "credentials during authentication. If you do not wish for credentials to be examined, you " + "can configure an " + AllowAllCredentialsMatcher. class .getName() + " instance." ); } } |
上面步骤就是验证token中的密码的和info中的密码是否对应的代码。这一步验证完成之后,整个shrio认证的过程就结束了。
以上就是详解shrio的认证(登录)过程的详细内容,更多关于shrio的认证(登录)过程的资料请关注其它相关文章!
原文链接:https://segmentfault测试数据/a/1190000039142428
查看更多关于详解shrio的认证(登录)过程的详细内容...