Foreword
This chapter walks through the source code behind Shiro login authentication and explains the login authentication strategies.
Method
One, Shiro login authentication source code analysis
1. Login starts with the Subject's login method, which is passed the authentication token.
2. Subject is actually just an interface. Its implementing class DelegatingSubject hands the token to the SecurityManager, which is entrusted with completing the verification.
3. SecurityManager, the "heart" of Shiro, is also an interface, with many implementing classes that help it do its work. The login method above is actually handled by DefaultSecurityManager, which verifies the token by calling the authenticate method.
4. The authenticate method is executed by the parent class AuthenticatingSecurityManager.
It has an authenticator attribute, which is the validator.
5. The Authenticator completes the verification through the doAuthenticate method of its default implementation, ModularRealmAuthenticator.
6. The doAuthenticate method obtains the Realms and compares (verifies) the token data against the realm data. With a single realm the comparison is made directly. With multiple realms the verification goes through an AuthenticationStrategy (authentication strategy).
Two, Shiro login authentication strategies
1. Overview
Shiro has three authentication strategies in total. They decide the outcome of verification when multiple realms are configured.
| Strategy | Meaning |
| --- | --- |
| AllSuccessfulStrategy | All realms must be satisfied |
| AtLeastOneSuccessfulStrategy | At least one realm must be satisfied |
| FirstSuccessfulStrategy | At least one realm must be satisfied; verification of subsequent Realms then stops |
The default authentication strategy is AtLeastOneSuccessfulStrategy.
2. Verifying with code
1) We configure two realms (IniRealm, JdbcRealm)
Make the following changes to the configuration file:
[main]
dataSource = com.mchange.v2.c3p0.ComboPooledDataSource
dataSource.driverClass = oracle.jdbc.driver.OracleDriver
dataSource.jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
dataSource.user = scott
dataSource.password = tiger
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
iniRealm = cn.edu.ccut.test.MyRealm
# $ is equivalent to Spring's dependency injection
jdbcRealm.dataSource = $dataSource
authenticationStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authenticationStrategy
securityManager.realms = $jdbcRealm,$iniRealm
MyRealm is my custom IniRealm. Its code is as follows:
package cn.edu.ccut.test;

import org.apache.shiro.realm.text.IniRealm;

/**
 * @Author:jwang
 * @Date:2019/5/10
 * @Description:cn.edu.ccut.test
 * @Version 1.0
 **/
public class MyRealm extends IniRealm {
    public MyRealm() {
        // Load the accounts for this realm from user.ini on the classpath
        this.setResourcePath("classpath:user.ini");
    }
}
It uses a user.ini file, which configures the user names and passwords:
The JdbcRealm is the one we learned about before, with no changes:
This time our strategy is AllSuccessfulStrategy, that is, every realm must be satisfied. We log in with zhangsan and 1234 and the verification passes,
while logging in with sa and sa fails verification:
2) Here we change the strategy to FirstSuccessfulStrategy
Now logging in with lisi and 5678 also verifies successfully. FirstSuccessfulStrategy does not mean that the first Realm has to succeed for the login to succeed! This is particularly important!
3) Finally, we try the default strategy AtLeastOneSuccessfulStrategy
We again log in with lisi and 5678:
And log in with sa and sa:
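The three strategies can be compared side by side without a database. The following is an added example, not code from the original post: it assumes shiro-core 1.x on the classpath, and the class name StrategyDemo, the realm names dbLike and iniLike, and the split of the accounts between the two realms are constructed for illustration (the post does not show which realm holds which account).

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class StrategyDemo {
    // Constructed in-memory realms standing in for the JdbcRealm and the IniRealm.
    static DefaultSecurityManager build(AuthenticationStrategy strategy) {
        SimpleAccountRealm dbLike = new SimpleAccountRealm("dbLike");
        dbLike.addAccount("zhangsan", "1234");
        dbLike.addAccount("sa", "sa");
        SimpleAccountRealm iniLike = new SimpleAccountRealm("iniLike");
        iniLike.addAccount("zhangsan", "1234");
        iniLike.addAccount("lisi", "5678");
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setRealms(Arrays.<Realm>asList(dbLike, iniLike));
        // Same effect as securityManager.authenticator.authenticationStrategy in the ini file.
        ((ModularRealmAuthenticator) sm.getAuthenticator()).setAuthenticationStrategy(strategy);
        return sm;
    }

    // Calls the authenticate method traced in section One; a failed login is an exception.
    static boolean canLogin(DefaultSecurityManager sm, String user, String password) {
        try {
            sm.authenticate(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[][] logins = {{"zhangsan", "1234"}, {"lisi", "5678"}, {"sa", "sa"}, {"lisi", "wrong"}};
        for (AuthenticationStrategy s : new AuthenticationStrategy[] {
                new AllSuccessfulStrategy(), new AtLeastOneSuccessfulStrategy(), new FirstSuccessfulStrategy()}) {
            DefaultSecurityManager sm = build(s);
            for (String[] l : logins) {
                System.out.printf("%-30s %-9s %s%n", s.getClass().getSimpleName(), l[0],
                        canLogin(sm, l[0], l[1]) ? "success" : "failure");
            }
        }
    }
}
```

Under AtLeastOneSuccessfulStrategy and FirstSuccessfulStrategy an account that exists in any one realm is enough to log in, so every configured realm has to be held to the same credential standard.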