The Shiro authentication and authorization process
(1) Authentication
1. First, the filter reads the username and password submitted from the page.
    // Shiro: public abstract class AuthenticatingFilter extends AuthenticationFilter
    // The framework asks the filter for a token:
    AuthenticationToken token = this.createToken(request, response);

    // Project filter: overrides createToken() to also collect the captcha fields.
    public class MyAuthenticationFilter extends FormAuthenticationFilter {
        @Override
        protected org.apache.shiro.authc.AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
            String username = getUsername(servletRequest);
            String password = getPassword(servletRequest);
            String captchaId = getCaptchaId(servletRequest);
            String captcha = getCaptcha(servletRequest);
            boolean rememberMe = isRememberMe(servletRequest);
            String host = getHost(servletRequest);
            // Value the server keeps in the session under "validateCode".
            String validateCode = (String) ((HttpServletRequest) servletRequest).getSession().getAttribute("validateCode");
            // AuthenticationToken here is the project's own token class, not the Shiro interface in the return type.
            return new AuthenticationToken(username, password,
                    captchaId, captcha, validateCode,
                    rememberMe, host);
        }
    }
2. Then the realm queries the database for the user's information, and the stored record is compared with the submitted token to authenticate the user.
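    public class ShiroDbRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            UsernamePasswordToken token1 = (UsernamePasswordToken) token;
            FinancialSalesUser userDetails = null;
            try {
                userDetails = this.financialSalesUserFacade.selectByUserName(token1.getUsername());
            } catch (Exception notFound) {
                // Any lookup failure is treated as "no such account".
                return null;
            }
            if (userDetails == null) {
                // Avoid a NullPointerException below when the lookup returns no user.
                return null;
            }
            // Shiro compares the stored password in this info with the submitted token.
            AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(userDetails, userDetails.getPassWord(), getName());
            return authcInfo;
        }
    }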
(2) Authorization:
Permission control works differently:
ChainDefinitionSectionMetaSource
    All role permission information
public class ShiroDbRealm extends AuthorizingRealm
    doGetAuthorizationInfo: this user's authorization role information
For details, refer to the jar package from the previous blog post.
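An added example (not code from the original post or its project) of what a doGetAuthorizationInfo implementation can look like for this kind of realm. RoleLookup, its two methods, and the class name RoleAwareRealm are hypothetical stand-ins for the project's facade; only the Shiro classes and methods are real.

```java
import java.util.Set;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical lookup standing in for the project's facade (assumed, not from the post).
interface RoleLookup {
    Set<String> rolesOf(Object principal);
    Set<String> permissionsOf(Object principal);
}

// Abstract on purpose: doGetAuthenticationInfo stays with the concrete realm.
public abstract class RoleAwareRealm extends AuthorizingRealm {
    private final RoleLookup lookup;

    protected RoleAwareRealm(RoleLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (principals == null || principals.isEmpty()) {
            return info; // no identity: grant nothing
        }
        // With a single realm, this is the object the realm passed as the
        // first argument of SimpleAuthenticationInfo during authentication.
        Object principal = principals.getPrimaryPrincipal();
        Set<String> roles = lookup.rolesOf(principal);
        Set<String> permissions = lookup.permissionsOf(principal);
        if (roles != null) {
            info.addRoles(roles);
        }
        if (permissions != null) {
            info.addStringPermissions(permissions);
        }
        return info;
    }

    // Call after a user's roles change so a cached AuthorizationInfo is not reused.
    public void rolesChanged(PrincipalCollection principals) {
        clearCachedAuthorizationInfo(principals);
    }
}
```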
Note
The session.stop() call in onLoginSuccess in MyAuthenticationFilter needs to be commented out; otherwise, after the framework has logged the user in, onLoginSuccess clears the session and an error is reported.