1. Introduction
This article follows on from the previous one, [Shiro] How SimpleAuthenticationInfo verifies passwords, and looks at how Shiro produces and uses authorization information.
2. Custom ShiroRealm class
Having traced the authentication path in the previous article, this time we go straight to the doGetAuthorizationInfo method. Recall that ShiroRealm extends AuthorizingRealm.
3. AuthorizingRealm class
Inside AuthorizingRealm, searching for doGetAuthorizationInfo leads to the getAuthorizationInfo(PrincipalCollection principals) method, which is where it is called.
1. PrincipalCollection
The getAuthorizationInfo(PrincipalCollection principals) method receives a PrincipalCollection object. I haven't studied where this comes from (probably passed up from a lower layer).
But when writing [Shiro] How SimpleAuthenticationInfo verifies passwords, I noticed that during doGetAuthenticationInfo authentication the newly created SimpleAuthenticationInfo object is given a PrincipalCollection value. So, judging from the method name, the class, and an educated guess, the PrincipalCollection principals passed into AuthorizingRealm's getAuthorizationInfo(PrincipalCollection principals) is the one created by the SimpleAuthenticationInfo object.
2. The blue box part in the AuthorizingRealm class
Putting AuthorizingRealm and AuthenticatingRealm side by side, you can see that the large red box in AuthorizingRealm's getAuthorizationInfo is similar to the large blue box in AuthenticatingRealm's getAuthenticationInfo.
The purpose of this code is to check whether a cache exists and, if so, to try to find the user's authentication information or authorization information in that cache.
Now look at the small red box and the small blue box inside, clicking into each in turn: the small red box returns the PrincipalCollection object principals; the small blue box returns the username [token.getPrincipal()].
The principals or the username is then used as the cache key to look up the corresponding AuthorizationInfo (authorization information) or AuthenticationInfo (authentication information).
3. Who is the info of doGetAuthorizationInfo(principals) for?
This part is the @Override of doGetAuthorizationInfo in ShiroRealm, which finally returns the authorization information info.
There is a question here: this info is returned, but who consumes it?
Let's look at the programmatic authorization API, which mainly uses the Subject object in Shiro.
Subject subject = UserUtils.getSubject();
subject.isAuthenticated(); // whether the subject has passed authentication
subject.isPermitted(permission); // check a single permission string
subject.isPermittedAll(permissions); // check that all of the permission strings pass
subject.hasRole(roleIdentifier); // check whether the subject has the given role
There are several methods that can be called here; let's take subject.isPermitted(permission) and look at the Subject interface.
Go into its implementation class DelegatingSubject and look at the securityManager.isPermitted(getPrincipals(), permission) call inside it (this is where the SecurityManager appears).
Entering AuthorizingRealm's isPermitted method, you can see that getAuthorizationInfo(principals) is ultimately what is used to return info.
In order, the final step of isPermitted obtains perm, the user's permissions from the database, and the permission defined at the interface (permission), and the check passes if one of the entries in perm matches permission (Shiro compares them with Permission.implies, so a wildcard such as "user:*" also matches "user:read").
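The whole path described above (principal set by SimpleAuthenticationInfo, then reused as the key of the authorization cache, then checked by isPermitted) in one runnable realm. This is an added example, not the article's ShiroRealm; it assumes the Shiro 1.x API, Java 9+ for Map.of/Set.of, and a constructed in-memory user table with a hypothetical user "alice".

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.*;

public class DemoRealm extends AuthorizingRealm {
    // Constructed in-memory "database" (demo only; a real realm stores password
    // hashes and pairs them with a HashedCredentialsMatcher).
    private static final Map<String, String> PASSWORDS = Map.of("alice", "secret");
    private static final Map<String, Set<String>> PERMS = Map.of("alice", Set.of("user:*"));
    int authzLoads = 0; // how often doGetAuthorizationInfo went to the "database"

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        String password = PASSWORDS.get(username);
        if (password == null) throw new UnknownAccountException(username);
        // The principal placed here is what later arrives in doGetAuthorizationInfo
        return new SimpleAuthenticationInfo(username, password, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        authzLoads++;
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(PERMS.getOrDefault(username, Set.of()));
        return info; // this is the "info" consumed by AuthorizingRealm.isPermitted
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        realm.setCacheManager(new MemoryConstrainedCacheManager()); // turns on the authorization cache
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println(subject.isPermitted("user:read"));    // true: "user:*" implies "user:read"
        System.out.println(subject.isPermitted("admin:delete")); // false: nothing in perm implies it
        System.out.println(realm.authzLoads);                     // 1: second check hit the cache
    }
}
```

Because the cache is keyed by principals, a stale AuthorizationInfo survives a permission change in the database until the entry is cleared (for example with clearCachedAuthorizationInfo after an update).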