Shiro authentication source code analysis (personal original)

Process analysis

1. The login method is called first to start authentication.
2. Based on the applicationContext.xml configuration, the authenticator ModularRealmAuthenticator is looked up and its doAuthenticate method is executed. doAuthenticate first determines whether this is single-realm or multi-realm verification (multiple realms are configured here).
3. doMultiRealmAuthentication is then executed (for a single realm it would be doSingleRealmAuthentication).
4. The authentication strategy is loaded first (AtLeastOneSuccessfulStrategy is configured here).
5. Then the for loop over all realms begins. For each realm, supports(token) is checked first (one of the three methods implemented in our custom realms). [Key] getAuthenticationInfo(token) then loads the user information from the database; the token passed in carries the username and password submitted from the front-end login form. At this point both the submitted credentials and the database record are available, and the password comparison starts.
 1 protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {   // excerpt: strategy and aggregate are set up before the loop
 2     for (Realm realm : realms) {
 3         aggregate = strategy.beforeAttempt(realm, token, aggregate);
 4         if (realm.supports(token)) {                                   // does this realm handle this token type?
 5             AuthenticationInfo info = realm.getAuthenticationInfo(token);   // loads the account and compares the password
 6         }
 7     }
    Line 5 is where the password comparison ultimately happens, in HashedCredentialsMatcher.doCredentialsMatch(token, info).
    The call realm.getAuthenticationInfo(token) proceeds as follows (this path involves the cache):
        AuthenticatingRealm.getAuthenticationInfo(token)
            First look up the account information for this token in the cache.
            If it is found, use it directly; otherwise call the custom info = doGetAuthenticationInfo(token),
            which loads the account information from the database.
            Then cache the token together with the account information just found.
            Then execute assertCredentialsMatch(token, info):
                first obtain the realm's CredentialsMatcher (the password matcher) and call doCredentialsMatch(token, info);
                HashedCredentialsMatcher.doCredentialsMatch then performs the actual password comparison.
 
 
Other important notes:
URL matching patterns (Ant-style):
    ?  : matches exactly one character, e.g. /admin? matches /admin1 but not /admin or /admin/
    *  : matches zero or more characters within a single path segment, e.g. /admin* matches /admin and /admin123 but not /admin/a
    ** : matches zero or more path segments, e.g. /admin/** matches /admin and /admin/a/b

Shiro user authentication process

1. Get the current Subject: call SecurityUtils.getSubject().
2. Test whether the current user is already authenticated, i.e. already logged in: call the Subject's isAuthenticated().
3. If not authenticated, wrap the username and password in a UsernamePasswordToken object:
    1). Create a form page
    2). Submit the request to the SpringMVC Handler (the three sub-steps here are all done in the handler)
    3). Get the username and password
4. Execute the login: call the Subject's login(AuthenticationToken) method.
5. Customize the Realm method: fetch the matching record from the database and return it to Shiro.
    1). Specifically, extend the org.apache.shiro.realm.AuthenticatingRealm class
    2). Implement the doGetAuthenticationInfo(AuthenticationToken) method
6. The password comparison is done by Shiro.

Password comparison:
Password comparison is done through the credentialsMatcher property of AuthenticatingRealm.

1. How to encrypt a string with MD5
2. Replace the credentialsMatcher property of the current Realm: use a HashedCredentialsMatcher object directly and set the hash algorithm on it.


1. Authorization requires extending the AuthorizingRealm class and implementing its doGetAuthorizationInfo method.
2. AuthorizingRealm itself extends AuthenticatingRealm but does not implement AuthenticatingRealm's doGetAuthenticationInfo, so for both authentication and authorization it is enough to extend AuthorizingRealm and implement its two abstract methods.

1. Why use MD5 with a salt:
2. How to do it:
    1). When building the SimpleAuthenticationInfo object returned by doGetAuthenticationInfo, use the SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName) constructor.
    2). Use ByteSource.Util.bytes() to produce the salt value.
    3). The salt value must be unique: generally a random string or the user id is used.
    4). Use new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations) to compute the salted, hashed password.
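As an added example (not code from the article or from Shiro itself), a single realm that ties steps 1) to 4) above together with the HashedCredentialsMatcher setup from the password-comparison section: the class name SaltedUserRealm, the user "alice", the salt and the inline stand-in for the database lookup are all constructed for illustration.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class SaltedUserRealm extends AuthorizingRealm {  // hypothetical realm
    private static final String HASH_ALGORITHM = "MD5";
    private static final int HASH_ITERATIONS = 1024;

    public SaltedUserRealm() {
        // The matcher must use the same algorithm and iteration count that
        // produced the stored hashes, otherwise every login fails.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
        matcher.setHashIterations(HASH_ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        // Constructed stand-in for the database lookup of (salt, hashed password).
        if (!"alice".equals(username)) {
            throw new UnknownAccountException("no account for " + username);
        }
        String salt = "alice";  // per-user value stored with the account row
        String storedHash = new SimpleHash(HASH_ALGORITHM, "s3cret",
                ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
        // Returning the salt lets HashedCredentialsMatcher re-hash the
        // submitted password identically before comparing it with storedHash.
        return new SimpleAuthenticationInfo(username, storedHash,
                ByteSource.Util.bytes(salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user");  // constructed role; would normally come from the database
        return info;
    }
}
```

The realm never compares passwords itself: AuthenticatingRealm.getAuthenticationInfo calls assertCredentialsMatch on the returned info, which is where HashedCredentialsMatcher.doCredentialsMatch runs.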
