Shiro's understanding of rewriting filters

Shiro's understanding (2014-11-06 15:13:14)
Label: Favorites classification: java
Shiro learning: Shiro's main functions are authentication, authorization, encryption and session management.
1. SecurityManager
   In a web application everything is managed by DefaultWebSecurityManager, which mainly provides the following functions:

   Authentication
   1. Authentication in a web application is implemented by the FormAuthenticationFilter interceptor.
      Analysis of the corresponding source code:
      The execution of the whole interceptor is encapsulated in AdviceFilter.doFilterInternal,
      which calls the following three methods:
      boolean continueChain = preHandle(request, response); // whether to continue with the rest of the interceptor chain
      if (continueChain) {
          executeChain(request, response, chain);           // run the filters behind this interceptor
      }
      postHandle(request, response);                        // work done after the interceptor has executed

      preHandle in turn calls onPreHandle(request, response, pathConfig), which AccessControlFilter implements as:
      protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
          return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
      }

      isAccessAllowed(request, response, mappedValue) // whether access is allowed
      is implemented in AuthenticatingFilter.isAccessAllowed as follows:
      Subject subject = getSubject(request, response);
      return subject.isAuthenticated() || (!isLoginRequest(request, response) && isPermissive(mappedValue));
      // as long as the current user has already been authenticated, return true directly

     If isAccessAllowed returns false, the system executes onAccessDenied.
     FormAuthenticationFilter.onAccessDenied implements it as follows:
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
         if (isLoginRequest(request, response)) { // is this request for the login URL?
             if (isLoginSubmission(request, response)) { // is it a POST, i.e. a login form submission?
                 if (log.isTraceEnabled()) {
                     log.trace("Login submission detected.  Attempting to execute login.");
                 }
                 return executeLogin(request, response); // perform the login check
             } else { // a GET: return true and let the request through to the login page
                 if (log.isTraceEnabled()) {
                     log.trace("Login page view.");
                 }
                 //allow them to see the login page ;)
                 return true;
             }
         } else { // a non-login page was requested: save the request and redirect to the login page
             if (log.isTraceEnabled()) {
                 log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                         "Authentication url [" + getLoginUrl() + "]");
             }
             saveRequestAndRedirectToLogin(request, response);
             return false;
         }
     }
   
   
     // executeLogin performs the actual login
     protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
         AuthenticationToken token = createToken(request, response); // build the user's principal and credentials
         if (token == null) {
             String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " +
                     "must be created in order to execute a login attempt.";
             throw new IllegalStateException(msg);
         }
         try {
             Subject subject = getSubject(request, response);
             subject.login(token); // Shiro's login operation
             return onLoginSuccess(token, subject, request, response); // login succeeded
         } catch (AuthenticationException e) {
             return onLoginFailure(token, e, request, response); // login failed
         }
     }

   The concrete handling of login success and login failure in FormAuthenticationFilter:
   protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                    ServletRequest request, ServletResponse response) throws Exception {
        issueSuccessRedirect(request, response); // redirect straight to the success page
        //we handled the success redirect directly, prevent the chain from continuing:
        return false; // nothing further in the filter chain runs
    }

    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        setFailureAttribute(request, e); // login failed: store the exception as a request attribute and let the rest of the filter chain run
        //login failed, let request continue back to the login page:
        return true;
    }
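As an added example (not code from the article or from Shiro itself), the following subclass shows how the three hooks above are used in practice: it keeps the default browser behaviour, answers API requests with 401 instead of a redirect to the login page, and writes an audit line for each login success or failure. The package, class name, the "/api/" path convention and the INI entries in the comment are assumptions.

```java
package example; // assumed package, not from the original article

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Custom form filter built on the hooks described in the article.
 * Registered in shiro.ini as (assumed names):
 *   [main]
 *   auditingAuthc = example.AuditingFormAuthenticationFilter
 *   auditingAuthc.loginUrl = /login.jsp
 *   [urls]
 *   /login.jsp = auditingAuthc
 *   /** = auditingAuthc
 */
public class AuditingFormAuthenticationFilter extends FormAuthenticationFilter {

    private static final Logger audit = LoggerFactory.getLogger("shiro.audit");

    /** Reached only when isAccessAllowed() returned false. */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (!isLoginRequest(request, response) && isApiRequest(request)) {
            // API clients cannot follow a redirect to the login page: answer 401 and stop the chain.
            HttpServletResponse http = WebUtils.toHttp(response);
            http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            http.setHeader("WWW-Authenticate", "FormBased");
            return false;
        }
        // Browser traffic keeps the default behaviour: POST on the login URL -> executeLogin,
        // GET on the login URL -> show the page, anything else -> saveRequestAndRedirectToLogin.
        return super.onAccessDenied(request, response);
    }

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        audit.info("login ok user={} remote={}", token.getPrincipal(), request.getRemoteHost());
        return super.onLoginSuccess(token, subject, request, response); // issueSuccessRedirect, returns false
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        // Log the username and the exception type, never the submitted credential.
        audit.warn("login failed user={} remote={} reason={}",
                getUsername(request), request.getRemoteHost(), e.getClass().getSimpleName());
        return super.onLoginFailure(token, e, request, response); // setFailureAttribute, returns true
    }

    /** Assumed convention for this example: everything under /api/ is a programmatic client. */
    private boolean isApiRequest(ServletRequest request) {
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        return path != null && path.startsWith("/api/");
    }
}
```

The audit logger gives a single log category to feed to monitoring: a burst of "login failed" lines for many users from one remote host, or for one user from many hosts, is the signal to alert on, and because the failure reason is only the exception class name the log never records a password.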

 

  
  SessionManager (session management)
     DefaultWebSecurityManager --> sessionManager
     has the following concrete implementations:
     1. ServletContainerSessionManager (default)
        ServletContainerSessionManager delegates to the session provided by the web container, so by default letting DefaultWebSecurityManager manage the session is no different from using the web container's session directly.
        The session object managed by ServletContainerSessionManager is org.apache.shiro.web.session.HttpServletSession, which wraps the operations of javax.servlet.http.HttpSession.
     2. DefaultWebSessionManager
        This session manager defaults to sessionDAO = new MemorySessionDAO();
        It keeps sessions in the memory of the current JVM and does not use the web container's session. In a cluster this causes problems: requests that belong to the same session but land on different machines will find the session on some machines and not on others,
        unless the web server is configured with ip_hosts.
        This sessionManager can be used to share sessions across machines through a distributed cache. The following configuration can be used.
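The configuration the article points to does not survive on this page. As an added example (not the author's configuration and not Shiro's own code), the following SessionDAO replaces MemorySessionDAO with a store that every node reads and writes, and wires it into DefaultWebSessionManager. The ConcurrentHashMap is a stand-in for a distributed cache client; the package, class name and timeout value are assumptions.

```java
package example; // assumed package, not from the original article

import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

/**
 * SessionDAO backed by a store shared by every node, in place of the per-JVM
 * MemorySessionDAO the article describes. The map below stands in for a
 * memcached/Redis client keyed by session id (assumed; a real backend must
 * serialize the Session object).
 *
 * INI equivalent of buildSecurityManager() (names assumed):
 *   [main]
 *   sessionDAO = example.SharedStoreSessionDAO
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   sessionManager.sessionDAO = $sessionDAO
 *   securityManager.sessionManager = $sessionManager
 */
public class SharedStoreSessionDAO extends AbstractSessionDAO {

    /** Stand-in for the shared backend. */
    private final Map<Serializable, Session> store = new ConcurrentHashMap<>();

    @Override
    protected Serializable doCreate(Session session) {
        Serializable id = generateSessionId(session); // JavaUuidSessionIdGenerator by default
        assignSessionId(session, id);
        store.put(id, session);
        return id;
    }

    @Override
    protected Session doReadSession(Serializable sessionId) {
        return store.get(sessionId); // null is reported to the caller as an unknown session
    }

    @Override
    public void update(Session session) throws UnknownSessionException {
        if (!store.containsKey(session.getId())) {
            throw new UnknownSessionException("no session with id " + session.getId());
        }
        store.put(session.getId(), session); // every node sees the updated attributes and last-access time
    }

    @Override
    public void delete(Session session) {
        store.remove(session.getId()); // logout or expiry on any node removes it everywhere
    }

    @Override
    public Collection<Session> getActiveSessions() {
        return Collections.unmodifiableCollection(store.values());
    }

    /** Programmatic wiring of the DAO into a DefaultWebSessionManager. */
    public static DefaultWebSecurityManager buildSecurityManager() {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(new SharedStoreSessionDAO());
        sessionManager.setGlobalSessionTimeout(30 * 60 * 1000L); // 30 minutes, in milliseconds (assumed value)
        sessionManager.setSessionIdUrlRewritingEnabled(false);  // keep the session id out of URLs, logs and Referer headers
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }
}
```

With the DAO in a shared store, a logout or a forced invalidation performed on one node takes effect on all of them, which is what an operator needs when revoking a compromised session; the per-JVM MemorySessionDAO cannot give that guarantee.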
     
   CacheManager (cache management)
   Realm uses the cache in two places.
   1. Authentication cache
      It first checks whether getAuthenticationCache() is empty. If no cache was set, it checks authenticationCachingEnabled == true && cachingEnabled == true; if both are true,
      it takes the cache named authenticationCacheName out of the configured cacheManager.
      That is, to use the authentication cache there are two ways to set it up in a Realm. One is to set cacheManager
      and then set authenticationCacheName (the name of the authentication cache), authenticationCachingEnabled = true and cachingEnabled = true;
      the other is to set the cache directly:
      public void setAuthenticationCache(Cache authenticationCache)

   2. Authorization cache
      It first checks getAuthorizationCache(). If no cache was set, it checks authorizationCachingEnabled == true && cachingEnabled == true; if both are true,
      it takes the cache named authorizationCacheName out of the configured cacheManager.
      That is, to use the authorization cache there are two ways to set it up in a Realm. One is to set cacheManager
      and then set authorizationCacheName (the name of the authorization cache), authorizationCachingEnabled = true and cachingEnabled = true;
      the other is to set the cache directly:
      public void setAuthorizationCache(Cache authorizationCache)

   There are many variables that need to be set. The defaults in Realm are:
      authorizationCachingEnabled = true   (whether authorization info may be cached)
      authenticationCachingEnabled = false (whether authentication info may be cached)
      cachingEnabled = true                (whether caching is enabled at all)
   At present the authentication cache cannot be used, because the corresponding object cannot be serialized when the cache serializes it; in general the authentication cache should not be used anyway, so that a password change does not fail to take effect in time.
   The authorization cache stays valid for the duration of the session, and authorization information is fetched again after the session expires.

   SessionManager
   The purpose of using the cache here is to manage the system's session cache. For example, if the system wants to manage sessions with memcached, it can be configured here.
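As an added example (not the article's code and not Shiro's own), here is a Realm configured with the switches discussed above: caching on, authorization caching on with an explicit cache name, authentication caching off as the article advises, and an explicit eviction when a user's password or role changes, which is the stale-data problem the article warns about. The package, class name, MemoryConstrainedCacheManager choice and the in-memory user table are assumptions.

```java
package example; // assumed package, not from the original article

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

/** Realm with the cache switches from the article set explicitly, plus eviction on credential change. */
public class CachingUserRealm extends AuthorizingRealm {

    /** Constructed user table for the example: username -> {password, role}. Stands in for a database. */
    private final Map<String, String[]> users = new ConcurrentHashMap<>();

    public CachingUserRealm() {
        setName("cachingUserRealm");
        setCacheManager(new MemoryConstrainedCacheManager()); // assumed in-JVM cache; a shared cache would need serializable entries
        setCachingEnabled(true);
        setAuthorizationCachingEnabled(true);                 // roles/permissions cached per principal
        setAuthorizationCacheName("cachingUserRealm.authz");
        setAuthenticationCachingEnabled(false);               // the article's default and its advice
        users.put("alice", new String[] {"s3cret", "admin"}); // constructed sample account
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String[] row = users.get(username);
        if (row == null) {
            throw new UnknownAccountException("no account " + username);
        }
        // Credential comparison is done by the realm's CredentialsMatcher; a real realm stores password hashes.
        return new SimpleAuthenticationInfo(username, row[0], getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        String[] row = users.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (row != null) {
            info.addRole(row[1]); // this result is what the authorization cache stores until evicted
        }
        return info;
    }

    /**
     * A password or role change must evict the cached entries; otherwise the old
     * authorization data stays valid until the cache expires, which is the
     * "does not take effect in time" problem the article describes.
     */
    public void changePassword(String username, String newPassword) {
        String[] row = users.get(username);
        if (row == null) {
            throw new IllegalArgumentException("no account " + username);
        }
        users.put(username, new String[] {newPassword, row[1]});
        // CachingRealm.clearCache removes both the authentication and the authorization entry for this principal.
        clearCache(new SimplePrincipalCollection(username, getName()));
    }
}
```

The same clearCache call belongs in every code path that changes what a user is allowed to do (role removal, account lock, password reset); leaving authentication caching off means a revoked password stops working on the next login attempt without any eviction at all.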
