Introduction to Shiro principles

Shiro Authenticator

The Authenticator is responsible for authentication, the process of verifying a user's identity. The familiar "username/password" combination is the common case: when users log in to a system they provide a username (the principal) and a password (the credential) that backs it up. If the password (or its stored representation, such as a hash) held by the system matches what the user supplied, the user is considered authenticated. For the detailed mechanism, see Shiro Authentication Principle.

Entry point

public interface Authenticator {
    // Verifies the submitted token (identity + credentials) and returns the
    // authenticated account's information, or throws on failure.
    AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException;
}

If authentication succeeds, the method returns an AuthenticationInfo containing the subject's principals and credentials; if it fails, the corresponding AuthenticationException subclass is thrown.

Authentication requirements

In Shiro, the user supplies principals and credentials so that the application can verify the user's identity. The most common principal/credential pair is username/password.

principals

Identity, that is, the attributes that identify the subject. A principal can be anything that identifies a user, such as a username or an e-mail address, and it should be unique. A subject can have multiple principals, but only one primary principal, usually username/password/mobile phone number.

credentials

Proof, that is, a secret value that only the subject knows, such as a password or a digital certificate.

Authentication strategy

1. FirstSuccessfulStrategy: authentication succeeds as soon as one Realm succeeds; only the authentication information of that first successful Realm is returned and the rest are ignored;

2. AtLeastOneSuccessfulStrategy: authentication succeeds as soon as one Realm succeeds; unlike FirstSuccessfulStrategy, the authentication information of every Realm that succeeded is returned;

3. AllSuccessfulStrategy: authentication succeeds only if every Realm succeeds, and the authentication information of all Realms is returned; if any one Realm fails, the whole authentication fails.

The SecurityManager interface extends Authenticator. The stock implementation is ModularRealmAuthenticator, which delegates authentication to multiple Realms and uses AtLeastOneSuccessfulStrategy by default.
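The following is an added example, not code from the original post or from the Shiro project. It wires two in-memory SimpleAccountRealms into a ModularRealmAuthenticator and runs the same login under AtLeastOneSuccessfulStrategy and AllSuccessfulStrategy, so the difference between the two strategies is visible. The account names and passwords are constructed test data; the Subject is built with Subject.Builder rather than SecurityUtils so that each run gets its own SecurityManager and nothing leaks between runs via the thread context.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

import java.util.Arrays;
import java.util.List;

public class StrategyDemo {

    // Builds a SecurityManager whose ModularRealmAuthenticator uses the given strategy.
    // Both realms hold constructed test accounts.
    static DefaultSecurityManager build(AuthenticationStrategy strategy) {
        SimpleAccountRealm realmA = new SimpleAccountRealm("realmA");
        realmA.addAccount("zhangsan", "123"); // known to realm A only
        realmA.addAccount("shared", "pw");    // known to both realms

        SimpleAccountRealm realmB = new SimpleAccountRealm("realmB");
        realmB.addAccount("shared", "pw");

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager sm = new DefaultSecurityManager();
        // Set the authenticator before the realms: setRealms() pushes the realm
        // list into a ModularRealmAuthenticator once it is in place.
        sm.setAuthenticator(authenticator);
        List<Realm> realms = Arrays.<Realm>asList(realmA, realmB);
        sm.setRealms(realms);
        return sm;
    }

    // Attempts one login under the given strategy and reports whether it succeeded.
    static boolean tryLogin(AuthenticationStrategy strategy, String user, String password) {
        Subject subject = new Subject.Builder(build(strategy)).buildSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(user, password);
        try {
            subject.login(token);
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            // AllSuccessfulStrategy raises UnknownAccountException for a realm
            // that has no account for the token; AtLeastOne just ignores it.
            System.out.println(strategy.getClass().getSimpleName() + " failed: "
                    + e.getClass().getSimpleName());
            return false;
        } finally {
            token.clear();
            subject.logout();
        }
    }

    public static void main(String[] args) {
        // zhangsan exists only in realm A: accepted by AtLeastOne, rejected by All.
        System.out.println(tryLogin(new AtLeastOneSuccessfulStrategy(), "zhangsan", "123"));
        System.out.println(tryLogin(new AllSuccessfulStrategy(), "zhangsan", "123"));
        // shared exists in both realms with the same password: accepted by All too.
        System.out.println(tryLogin(new AllSuccessfulStrategy(), "shared", "pw"));
    }
}
```

The same switch can be made in shiro.ini by declaring a strategy object and assigning it to securityManager.authenticator.authenticationStrategy; the programmatic form above is used so the two strategies can be compared in one run.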

Simple authentication

//shiro.ini
[users]
zhangsan=123

//test.java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Assert;
import org.junit.Test;

public class LoginTest {

    @Test
    public void testHelloworld() {
        //1. Get a SecurityManager factory; here the ini configuration file initializes the SecurityManager
        Factory<org.apache.shiro.mgt.SecurityManager> factory =
                new IniSecurityManagerFactory("classpath:shiro.ini");
        //2. Get the SecurityManager instance and bind it to SecurityUtils
        org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);
        //3. Get the Subject and create a username/password authentication token (identity/credentials)
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");

        try {
            //4. Log in, that is, authenticate
            subject.login(token);
        } catch (AuthenticationException e) {
            //5. Authentication failed
        }

        Assert.assertTrue(subject.isAuthenticated()); // assert that the user has logged in

        //6. Log out
        subject.logout();
    }
}

1. First create a SecurityManager factory with new IniSecurityManagerFactory, specifying an ini configuration file;

2. Then get the SecurityManager and bind it to SecurityUtils. This is a global setting and only needs to be done once;

3. Get the Subject through SecurityUtils; it is automatically bound to the current thread (in a web environment it must be unbound at the end of the request). Then build the token used for authentication, such as username/password;

4. Call subject.login to log in; it automatically delegates to SecurityManager.login;

5. If authentication fails, catch AuthenticationException or one of its subclasses, such as DisabledAccountException (disabled account), LockedAccountException (locked account), UnknownAccountException (unknown account), ExcessiveAttemptsException (too many login failures), IncorrectCredentialsException (incorrect credentials), ExpiredCredentialsException (expired credentials), etc.; check their inheritance hierarchy for details. For the error message shown on the page, prefer "username or password is incorrect" over separate "username error"/"password error" messages, so that malicious users cannot enumerate valid accounts;

6. Finally, call subject.logout to log out; it automatically delegates to SecurityManager.logout.
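The following is an added example, not code from the original post or from the Shiro project, showing step 5 in practice: every AuthenticationException subclass is mapped to the same user-facing message, while the concrete exception class is recorded in a server-side audit list so operators can still tell a locked account from a wrong password. The SecurityManager is built from an in-memory Ini with a constructed test account, and the audit list stands in for whatever logging the application really uses.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

import java.util.ArrayList;
import java.util.List;

public class LoginHandler {

    // One message for every failure, so the response does not reveal whether
    // the username exists, the password was wrong, or the account is locked.
    static final String GENERIC_MESSAGE = "Username or password is incorrect";

    // Server-side record of what actually happened (stand-in for a real logger).
    static final List<String> AUDIT = new ArrayList<>();

    // Builds a SecurityManager from an in-memory ini with one constructed account.
    static SecurityManager buildManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("zhangsan", "123");
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
        return factory.getInstance();
    }

    // Performs the login and returns the message to show the user.
    static String login(SecurityManager sm, String username, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            AUDIT.add("login ok user=" + username);
            return "OK";
        } catch (AuthenticationException e) {
            // UnknownAccountException, IncorrectCredentialsException,
            // LockedAccountException, ... all land here; only the audit record
            // keeps the distinction, never the response body.
            AUDIT.add("login failed user=" + username
                    + " cause=" + e.getClass().getSimpleName());
            return GENERIC_MESSAGE;
        } finally {
            token.clear(); // wipe the password chars once they are no longer needed
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = buildManager();
        // Unknown user and wrong password produce the same text for the caller.
        System.out.println(login(sm, "nobody", "123"));     // Username or password is incorrect
        System.out.println(login(sm, "zhangsan", "wrong")); // Username or password is incorrect
        System.out.println(login(sm, "zhangsan", "123"));   // OK
        // The audit trail still distinguishes UnknownAccountException from
        // IncorrectCredentialsException for the operator.
        AUDIT.forEach(System.out::println);
    }
}
```

If the application later adds lockout or throttling (ExcessiveAttemptsException), keep the same rule: decide server-side what to do, and keep the user-facing text identical across failure causes.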

Summary

Authenticator is the actual identity verifier and the core authentication entry point of the Shiro API; you can plug in your own implementation here;

Authenticator may delegate to an AuthenticationStrategy for multi-Realm authentication. By default, ModularRealmAuthenticator calls the AuthenticationStrategy when more than one Realm is configured;

Authenticator passes the token to each Realm and obtains authentication information from it. If a Realm returns no AuthenticationInfo (null) or throws an exception, authentication against that Realm has failed. Multiple Realms can be configured, and they are consulted in the configured order under the configured strategy.

Origin blog.csdn.net/zy103118/article/details/109320376