【Shiro】How SimpleAuthorizationInfo is used for authorization

1. Introduction

This article builds on the previous one, [Shiro] How SimpleAuthenticationInfo verifies passwords, and looks at how the authorization side, SimpleAuthorizationInfo, is used.

2. Custom ShiroRealm class

Having explored the surroundings in the previous article, this time we go straight to the doGetAuthorizationInfo method. Recall that ShiroRealm extends AuthorizingRealm.

3. AuthorizingRealm class

Inside AuthorizingRealm, searching for doGetAuthorizationInfo leads to the getAuthorizationInfo(PrincipalCollection principals) method, which is where it is called.

3.1 PrincipalCollection

In the getAuthorizationInfo(PrincipalCollection principals) method there is a PrincipalCollection object. I haven't studied where it comes from (probably passed up from a lower layer).

But while writing [Shiro] How SimpleAuthenticationInfo verifies passwords, I noticed that during doGetAuthenticationInfo authentication, the newly created SimpleAuthenticationInfo object is given a PrincipalCollection value. So, judging from the method, the class, and a fair amount of guesswork, the PrincipalCollection principals passed to AuthorizingRealm's getAuthorizationInfo(PrincipalCollection principals) is created from that SimpleAuthenticationInfo object.

3.2 The blue box part in the AuthorizingRealm class

Putting AuthorizingRealm and AuthenticatingRealm side by side, you can see that the large red box in AuthorizingRealm's getAuthorizationInfo closely resembles the large blue box in AuthenticatingRealm's getAuthenticationInfo.
The purpose of this code is to check whether a cache is configured and, if so, to try to fetch the user's authentication information or authorization information from that cache.
Now look at the small red box and the small blue box inside them, and click into each: the small red box returns the PrincipalCollection object principals; the small blue box returns the username, token.getPrincipal().
Then principals or the username is used as the key to look up the corresponding AuthorizationInfo (authorization information) or AuthenticationInfo (authentication information) in the cache.

3.3 Who is the info returned by doGetAuthorizationInfo(principals) for?

This part is the doGetAuthorizationInfo method overridden (@Override) in ShiroRealm, which ultimately returns the authorization information, info.

A question arises here: this info is returned, but who uses it?

Let's look at programmatic authorization, which mainly goes through Shiro's Subject object.

Subject subject = UserUtils.getSubject();
subject.isAuthenticated();            // whether the subject has been authenticated
subject.isPermitted(permission);      // check a permission string
subject.isPermittedAll(permissions);  // check that all permission strings pass
subject.hasRole(roleIdentifier);      // check whether the subject has the role

Several methods can be called here; taking subject.isPermitted(permission) as the example, let's look at the Subject interface.
Go into its implementation class DelegatingSubject and look at the securityManager.isPermitted(getPrincipals(), permission) call inside it (this is where the SecurityManager appears).
Following that into AuthorizingRealm's isPermitted method, you can see that getAuthorizationInfo(principals) is what is finally called to obtain info.
In order, the final isPermitted execution takes perm, the user's permissions loaded from the database, and permission, the permission required by the interface, and passes if perm contains permission.
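As an added, self-contained illustration (not code from the article's project), the realm below shows the round trip the article traces: the principal placed in SimpleAuthenticationInfo is what arrives as principals in doGetAuthorizationInfo, and the SimpleAuthorizationInfo returned there is what AuthorizingRealm.isPermitted consults when Subject.isPermitted is called. The DemoRealm class name, the in-memory maps, and the user alice are constructed for the example.

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

// Hypothetical stand-in for the article's ShiroRealm. The maps below are
// constructed sample data standing in for the user/role/permission tables.
public class DemoRealm extends AuthorizingRealm {
    private static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("editor"));
    private static final Map<String, Set<String>> PERMS =
            Map.of("alice", Set.of("article:read", "article:write"));

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        String stored = PASSWORDS.get(username);
        if (stored == null) throw new UnknownAccountException("no account: " + username);
        // The principal given here becomes the Subject's PrincipalCollection,
        // which is exactly what doGetAuthorizationInfo receives later.
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(ROLES.getOrDefault(username, Set.of()));
        info.setStringPermissions(PERMS.getOrDefault(username, Set.of()));
        return info; // consumed by AuthorizingRealm.isPermitted / hasRole
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "alice-pw"));
        // Each check ends in AuthorizingRealm, matching against the info returned above.
        System.out.println("article:read   -> " + subject.isPermitted("article:read"));
        System.out.println("article:delete -> " + subject.isPermitted("article:delete"));
        System.out.println("role editor    -> " + subject.hasRole("editor"));
    }
}
```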

4. Summary diagram

[Summary diagram: image not included]

Source: blog.csdn.net/weixin_42516475/article/details/130596415