详解shrio的认证(登录)过程

作者:超人不会飞 时间:2022-12-26 02:27:47 

shrio是一个比较轻量级的安全框架,主要的作用是在后端承担认证和授权的工作。今天就讲一下shrio进行认证的一个过程。
首先先介绍一下在认证过程中的几个关键的对象:

  • Subject:主体

访问系统的用户,主体可以是用户、程序等,进行认证的都称为主体;

  • Principal:身份信息

是主体(subject)进行身份认证的标识,标识必须具有唯一性,如用户名、手机号、邮箱地址等,一个主体可以有多个身份,但是必须有一个主身份(Primary Principal)。

  • credential:凭证信息

是只有主体自己知道的安全信息,如密码、证书等。
接着我们就进入认证的具体过程:
首先是从前端的登录表单中接收到用户输入的token(username + password):


@RequestMapping("/login")
public String login(@RequestBody Map user){
 Subject subject = SecurityUtils.getSubject();
 UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(user.get("email").toString(), user.get("password").toString());
  try {
     subject.login(usernamePasswordToken);
  } catch (UnknownAccountException e) {
     return "邮箱不存在!";
  } catch (AuthenticationException e) {
     return "账号或密码错误!";
  }
   return "登录成功!";
 }

这里的usernamePasswordToken(以下简称token)就是用户名和密码的一个结合对象,然后调用subject的login方法将token传入开始认证过程。
接着会发现subject的login方法调用的其实是securityManager的login方法:


Subject subject = securityManager.login(this, token);

再往下看securityManager的login方法内部:


public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
 AuthenticationInfo info;
  try {
     info = authenticate(token);
  } catch (AuthenticationException ae) {
     try {
       onFailedLogin(token, ae, subject);
  } catch (Exception e) {
       if (log.isInfoEnabled()) {
         log.info("onFailedLogin method threw an " +
             "exception. Logging and propagating original AuthenticationException.", e);
  }
     }
     throw ae; //propagate
  }
   Subject loggedIn = createSubject(token, info, subject);
  onSuccessfulLogin(token, info, loggedIn);
  return loggedIn;
}

上面代码的关键在于:


info = authenticate(token);

即将token传入authenticate方法中得到一个AuthenticationInfo类型的认证信息。
以下是authenticate方法的具体内容:


public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
 if (token == null) {
   throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
 }
 log.trace("Authentication attempt received for token [{}]", token);
 AuthenticationInfo info;
 try {
   info = doAuthenticate(token);
 if (info == null) {
     String msg = "No account information found for authentication token [" + token + "] by this " +
         "Authenticator instance. Please check that it is configured correctly.";
 throw new AuthenticationException(msg);
 }
 } catch (Throwable t) {
   AuthenticationException ae = null;
 if (t instanceof AuthenticationException) {
     ae = (AuthenticationException) t;
 }
   if (ae == null) {
     //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
 //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate: String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
         "error? (Typical or expected login exceptions should extend from AuthenticationException).";
 ae = new AuthenticationException(msg, t);
 if (log.isWarnEnabled())
       log.warn(msg, t);
 }
   try {
     notifyFailure(token, ae);
 } catch (Throwable t2) {
     if (log.isWarnEnabled()) {
       String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
           "Please check your AuthenticationListener implementation(s). Logging sending exception " +
           "and propagating original AuthenticationException instead...";
 log.warn(msg, t2);
 }
   }
   throw ae;
 }
 log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info);
 notifySuccess(token, info);
 return info;
}

首先就是判断token是否为空,不为空再将token传入doAuthenticate方法中:


protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
 assertRealmsConfigured();
 Collection<Realm> realms = getRealms();
 if (realms.size() == 1) {
   return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
 } else {
   return doMultiRealmAuthentication(realms, authenticationToken);
 }
}

这一步是判断是有单个Reaml验证还是多个Reaml验证,单个就执行doSingleRealmAuthentication()方法,多个就执行doMultiRealmAuthentication()方法。
一般情况下是单个验证:


protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
 if (!realm.supports(token)) {
   String msg = "Realm [" + realm + "] does not support authentication token [" +
       token + "]. Please ensure that the appropriate Realm implementation is " +
       "configured correctly or that the realm accepts AuthenticationTokens of this type.";
   throw new UnsupportedTokenException(msg);
 }
 AuthenticationInfo info = realm.getAuthenticationInfo(token);
 if (info == null) {
   String msg = "Realm [" + realm + "] was unable to find account data for the " +
       "submitted AuthenticationToken [" + token + "].";
   throw new UnknownAccountException(msg);
 }
 return info;
}

这一步中首先判断是否支持Realm,只有支持Realm才调用realm.getAuthenticationInfo(token)获取info。


public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
 AuthenticationInfo info = getCachedAuthenticationInfo(token);
 if (info == null) {
   //otherwise not cached, perform the lookup:
   info = doGetAuthenticationInfo(token);
   log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
   if (token != null && info != null) {
     cacheAuthenticationInfoIfPossible(token, info);
   }
 } else {
   log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
 }
 if (info != null) {
   assertCredentialsMatch(token, info);
 } else {
   log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
 }
 return info;
}

首先查看Cache中是否有该token的info,如果有,则直接从Cache中去即可。如果是第一次登录,则Cache中不会有该token的info,需要调用doGetAuthenticationInfo(token)方法获取,并将结果加入到Cache中,方便下次使用。而这里调用的doGetAuthenticationInfo()方法就是我们在自己重写的方法,具体的内容是自定义了对拿到的这个token的一个处理的过程:


protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
 if (authenticationToken.getPrincipal() == null)
   return null;
 String email = authenticationToken.getPrincipal().toString();
 User user = userService.findByEmail(email);
 if (user == null)
   return null;
 else return new SimpleAuthenticationInfo(email, user.getPassword(), getName());
}

这其中进行了几步判断:首先是判断传入的用户名是否为空,在判断传入的用户名在本地的数据库中是否存在,不存在则返回一个用户名不存在的Exception。以上两部通过之后生成一个包括传入用户名和密码的info,注意此时关于用户名的验证已经完成,接下来进入对密码的验证。
将这一步得到的info返回给getAuthenticationInfo方法中的


assertCredentialsMatch(token, info);

此时的info是正确的用户名和密码的信息,token是输入的用户名和密码的信息,经过前面步骤的验证过程,用户名此时已经是真是存在的了,这一步就是验证输入的用户名和密码的对应关系是否正确。


protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
 CredentialsMatcher cm = getCredentialsMatcher();
 if (cm != null) {
   if (!cm.doCredentialsMatch(token, info)) {
     //not successful - throw an exception to indicate this:
     String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
     throw new IncorrectCredentialsException(msg);
   }
 }
 else {
   throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " +
       "credentials during authentication. If you do not wish for credentials to be examined, you " +
       "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");
 }
}

上面步骤就是验证token中的密码的和info中的密码是否对应的代码。这一步验证完成之后,整个shrio认证的过程就结束了。

来源:https://segmentfault.com/a/1190000039142428

标签:shrio,认证,登录
0
投稿

猜你喜欢

  • java连接sql server 2008数据库代码

    2023-05-27 10:40:01
  • Android ViewPager无限循环实现底部小圆点动态滑动

    2022-03-21 11:04:28
  • 详解spring cloud eureka注册中心

    2023-11-10 17:54:10
  • Java操作Excel的示例详解

    2021-07-08 00:56:56
  • Unity 实现给物体替换材质球

    2023-06-28 05:28:24
  • 教你快速搭建sona服务及idea使用sona的方法

    2023-11-20 05:22:53
  • Android后台线程和UI线程通讯实例

    2023-04-20 23:01:19
  • springboot日期转换器实现实例解析

    2023-01-31 13:16:45
  • Java AtomicInteger类使用方法实例讲解

    2023-01-18 16:22:49
  • Android控件Tween动画(补间动画)实现方法示例

    2021-12-31 17:46:39
  • 深入了解C++智能指针的使用

    2023-04-07 01:41:46
  • SpringBoot搭配AOP实现自定义注解

    2022-04-07 01:21:59
  • 在winform下实现左右布局多窗口界面的方法

    2023-02-23 11:31:51
  • SpringBoot整合screw实现数据库文档自动生成的示例代码

    2023-11-29 05:30:15
  • Java ynchronized重量级锁的核心原理详解

    2022-06-22 17:24:30
  • android实现注册页面开发

    2023-09-09 14:37:12
  • c# winform时钟的实现代码

    2023-04-05 07:40:53
  • 如何使用BeanUtils.copyProperties进行对象之间的属性赋值

    2023-10-17 19:01:40
  • SpringBoot+Dubbo+Zookeeper实现简单分布式开发的应用详解

    2022-03-02 00:47:40
  • Spring声明式事务和@Aspect的拦截顺序问题的解决

    2023-07-18 12:10:46
  • asp之家 软件编程 m.aspxhome.com