shiro认证授权的过程

shiro认证授权的过程

（一）认证

1,首先走这里从页面获取用户名，密码

public abstract class AuthenticatingFilter extends AuthenticationFilter

  AuthenticationToken token = this.createToken(request, response);

public class MyAuthenticationFilter extends FormAuthenticationFilter

protected org.apache.shiro.authc.AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {

String username = getUsername(servletRequest);

String password = getPassword(servletRequest);

String captchaId = getCaptchaId(servletRequest);

String captcha = getCaptcha(servletRequest);

boolean rememberMe = isRememberMe(servletRequest);

String host = getHost(servletRequest);

String validateCode = (String)((HttpServletRequest) servletRequest).getSession().getAttribute("validateCode");;

return new AuthenticationToken( username,  password,

captchaId,  captcha,  validateCode,

rememberMe,  host) ;

}

2，然后这里进入数据库获取用户信息，两者综合对比认证

public class ShiroDbRealm extends AuthorizingRealm 

doGetAuthenticationInfo

UsernamePasswordToken token1 = (UsernamePasswordToken) token;

FinancialSalesUser userDetails=null;

                try {

                    userDetails = this.financialSalesUserFacade.selectByUserName(token1.getUsername());

                } catch (Exception notFound) {

                    return null;

                }

AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(userDetails, userDetails.getPassWord(),getName());

（二）授权：

权限控制就是其他的方法

ChainDefinitionSectionMetaSource

所有角色权限信息

public class ShiroDbRealm extends AuthorizingRealm

doGetAuthorizationInfo  本用户权限角色信息

详细参考往期博客jar包

  注意

MyAuthenticationFilter中onLoginSuccess中的session.stop();需要注掉，否则用框架的登陆走了onLoginSuccess然后又清了session会报错