Shiro global configuration
1. Obtain the SecurityManager factory, which reads the ini file
Factory<SecurityManager> factory = new IniSecurityManagerFactory(configFile);
2. Initialize the instance from the ini; the configured Realm is injected into the SecurityManager instance
org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
private SecurityManager createSecurityManager(Ini ini, Section mainSection) {
    ...
    return securityManager;
}
Returns the SecurityManager instance
3. Bind it to SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
4. Obtain the Subject through SecurityUtils; it is automatically bound to the current thread: ThreadContext.bind(subject);
Subject subject = SecurityUtils.getSubject();
5. The application code authenticates and authorizes through the Subject
Authentication:
Invocation
UsernamePasswordToken token = new UsernamePasswordToken("zhang", "123");
1. subject.login(token);
This calls DelegatingSubject's login(AuthenticationToken token) method to authenticate.
2. Subject subject = this.securityManager.login(this, token);
The Subject does not execute the authentication logic itself; it delegates to the SecurityManager.
3. info = this.authenticate(token);
Reached through the call to DefaultSecurityManager's login(Subject subject, AuthenticationToken token) method.
4. this.authenticator.authenticate(token);
Reached through the call to AuthenticatingSecurityManager's authenticate(AuthenticationToken token) method.
5. info = this.doAuthenticate(token);
The SecurityManager is not responsible for the actual authentication logic; it delegates to the Authenticator.
Reached through the call to AbstractAuthenticator's authenticate(AuthenticationToken token) method.
6. The Authenticator is what actually performs authentication. By default, ModularRealmAuthenticator's doAuthenticate(AuthenticationToken authenticationToken) method is called.
This method decides whether to authenticate against multiple Realms or a single Realm.
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException
7. The Authenticator passes the corresponding token to the Realm
realm.getAuthenticationInfo(token)
With a single Realm
1. this.doSingleRealmAuthentication((Realm)realms.iterator().next(), authenticationToken)
2. This calls doSingleRealmAuthentication(Realm realm, AuthenticationToken token)
3. AuthenticationInfo info = realm.getAuthenticationInfo(token);
With multiple Realms
The Authenticator may delegate to the corresponding AuthenticationStrategy for multi-Realm authentication
This calls doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token)
1. AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
2. Iterator i$ = realms.iterator();
3. while(i$.hasNext())
5. aggregate = strategy.afterAllAttempts(token, aggregate);
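8. Obtain the authentication information from the Realm
The custom Realm's doGetAuthenticationInfo(AuthenticationToken token) method is called to obtain the information the Realm needs for authentication.
The Realm contains the actual verification logic.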
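The single-Realm chain above can be exercised end to end with the following added example (not code from the original page or from the Shiro project). It assumes shiro-core 1.x on the classpath; DemoRealm, LoginFlowDemo and tryLogin are hypothetical names, and zhang / 123 is the page's sample account kept in plaintext only for the demonstration.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

public class LoginFlowDemo {

    // Hypothetical Realm holding the page's sample account zhang / 123.
    static class DemoRealm extends AuthenticatingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            if (!"zhang".equals(username)) {
                throw new UnknownAccountException();
            }
            // Only look the account up here. After this method returns, the
            // Realm's CredentialsMatcher compares the stored value with the token.
            return new SimpleAuthenticationInfo(username, "123", getName());
        }
    }

    // Runs the chain Subject -> SecurityManager -> Authenticator -> Realm.
    static String tryLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "authenticated=" + subject.isAuthenticated();
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Log the specific cause server-side; show the user one generic message.
            return "rejected (" + e.getClass().getSimpleName() + ")";
        } finally {
            subject.logout();
        }
    }

    public static void main(String[] args) {
        // One Realm is configured, so ModularRealmAuthenticator takes the single-Realm path.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        System.out.println(tryLogin("zhang", "123"));
        System.out.println(tryLogin("zhang", "wrong"));
        System.out.println(tryLogin("wang", "123"));
    }
}
```

The wrong-password case is rejected by the credentials matcher inside the Realm's getAuthenticationInfo(token), not by code in doGetAuthenticationInfo, which is why the Realm returns the stored credential instead of comparing it itself.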