Java-Shiro(四):Shiro Realm讲解(一)Realm介绍

java

Realm简介

Realm:英文意思‘域’,在Shiro框架中,简单理解它存储(读取配置、读取数据库、读取内存中)用户信息,并且它充当了Shiro与应用安全数据间的“桥梁”(“连接器”),当对某个用户执行认证(登录)和授权(用户用有的角色、资源,或者说访问控制)验证时,Shiro会从应用配置的Realm中查找用户以及权限信息。

从它的在Shiro矿建中所起的作用来讲,Realm相当于是一个安全相关的DAO:它封装了数据源的连接细节,并在需要时将相关数据提供给Shiro。当配置Shiro时,你必须指定一个Realm(当然允许配置多个,指定多Realm验证策略,多个Realm来工作),用于认证、授权。

按照Realm中用户和权限信息存储方式不同,在Shiro框架内部定义了以下Realm:

1)IniRealm:将用户、角色信息配置到*.ini文件中,使用IniRealm加载数据信息,提供认证、授权功能;

2)PropertiesRealm:将用户、角色信息配置到*.properties文件中,使用PropertiesRealm加载数据信息,提供认证、授权功能;

3)jdbcRealm:将用户、角色信息配置到关系型数据库总,外部可以指定DataSource信息,默认内部包含了认证、授权SQL,默认数据库表:users、user_roles、roles_permissions;

4)*Ldap*/ActiveDirectory*:LDAP目录服务是由目录数据库和一套访问协议组成的系统,其实就是把用户、角色信息存储到这样的一个Ad系统,通过Ldap/Jndi/等方式连接读取数据,至于shiro功能与上边3种一致。

5)自定义Realm:上图中MyRealm就是我自定义的一个Realm,如果缺省的Realm不能满足需求时,我们还可以自定义数据源自己的Realm实现。

Realm功能

Realm主要负责的功能包含以下:

通过上边Realm类结构图,可以看出IniRealm、PropertiesRealm、JdbcRealm等的最上层父类是 AuthorizingRealm,而它又继承了AuthenticatingRealm,我们查看类中定义:

AuthenticatingRealm.java中唯一抽象方法:(该方法提供身份认证使用,具体可以参考缺省Realm的实现)

protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;

AuthorizingRealm.java中唯一抽象方法:(该方法给认证通过的用户赋值权限、资源使用,具体可以参考缺省Realm的实现)

protected abstract AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals);

1)身份认证:调用Realm#getAuthenticationinfo()方法,验证用户输入的账户和密码(内部调用Realm#doGetAuthenticationInfo()方法进行用户认证),并返回与Realm数据对比验证结果相关信息;查看AuthenticationRealm#getAuthenticationInfo()源码:

    public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

AuthenticationInfo info = getCachedAuthenticationInfo(token);

if (info == null) {

//otherwise not cached, perform the lookup:

info = doGetAuthenticationInfo(token);

log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);

if (token != null && info != null) {

cacheAuthenticationInfoIfPossible(token, info);

}

} else {

log.debug("Using cached authentication info [{}] to perform credentials matching.", info);

}

if (info != null) {

assertCredentialsMatch(token, info);

} else {

log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);

}

return info;

}

2)权限、资源获取:调用Realm#getAuthorizationinfo()方法,获取指定身份的权限(内部调用Realm#doGetAuthorizationInfo()方法进行制定身份的权限),并返回相关信息;查看AuthorizingRealm#getAuthorizationInfo()源码:

    protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {

if (principals == null) {

return null;

}

AuthorizationInfo info = null;

if (log.isTraceEnabled()) {

log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");

}

Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache();

if (cache != null) {

if (log.isTraceEnabled()) {

log.trace("Attempting to retrieve the AuthorizationInfo from cache.");

}

Object key = getAuthorizationCacheKey(principals);

info = cache.get(key);

if (log.isTraceEnabled()) {

if (info == null) {

log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");

} else {

log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");

}

}

}

if (info == null) {

// Call template method if the info was not found in a cache

info = doGetAuthorizationInfo(principals);

// If the info is not null and the cache has been created, then cache the authorization info.

if (info != null && cache != null) {

if (log.isTraceEnabled()) {

log.trace("Caching authorization info for principals: [" + principals + "].");

}

Object key = getAuthorizationCacheKey(principals);

cache.put(key, info);

}

}

return info;

}

3)判定Token是否支持:调用Realm#supports()方法,验证是否支持令牌(Token)。

备注:Token在Shiro中包含几种类型:HostAuthenticationToken(主机验证令牌),UsernamePasswordToken(账户密码验证令牌),RememberMeAuthenticationToken(记录上次登录用户Token)。

什么时候调用Realm#getAuthenticationinfo()、什么时候调用 Realm#getAuthorizationinfo()?

        Realm iniRealm = new IniRealm("classpath:shiroAuthorizer.ini");

DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(iniRealm);

SecurityUtils.setSecurityManager(defaultSecurityManager);

Subject subject = SecurityUtils.getSubject();

UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");

// 调用 Realm#getAuthenticationinfo()

subject.login(token);

System.out.println("是否认证通过:" + subject.isAuthenticated());

// 调用 Realm#getAuthorizationinfo()

System.out.println("是否授权admin角色:" + subject.hasRole("admin"));

System.out.println("是否拥有user:update资源:" + subject.isPermitted("user:update"));

System.out.println("是否拥有user:delete资源:" + subject.isPermitted("user:delete"));

System.out.println("是否拥有user:create资源:" + subject.isPermitted("user:create"));

subject.logout();

System.out.println("是否认证通过:" + subject.isAuthenticated());

System.out.println("是否授权admin角色:" + subject.hasRole("admin"));

System.out.println("是否拥有user:update资源:" + subject.isPermitted("user:update"));

System.out.println("是否拥有user:delete资源:" + subject.isPermitted("user:delete"));

System.out.println("是否拥有user:create资源:" + subject.isPermitted("user:create"));

1)什么时候调用身份认证(Realm#getAuthenticationinfo())

从Subject#login()代码进行跟踪,寻找Subject#login()底层调用的代码如下:

DelegatingSubject#login()方法调用-》DefaultSecurityManager#login(),内部调用-》AbstractAuthenticator#authenticate()方法,内部调用-》ModularRealmAuthenticator#doAuthenticate()方法,该方法源码如下:

    /**

* Subject#login最终底层调用的方法就是该方法

*/

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {

assertRealmsConfigured();

Collection<Realm> realms = getRealms();

if (realms.size() == 1) {

return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);

} else {

return doMultiRealmAuthentication(realms, authenticationToken);

}

}

/**

* 单个Realm配置时,调用该法

*/

protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {

if (!realm.supports(token)) {

String msg = "Realm [" + realm + "] does not support authentication token [" +

token + "]. Please ensure that the appropriate Realm implementation is " +

"configured correctly or that the realm accepts AuthenticationTokens of this type.";

throw new UnsupportedTokenException(msg);

}

AuthenticationInfo info = realm.getAuthenticationInfo(token);

if (info == null) {

String msg = "Realm [" + realm + "] was unable to find account data for the " +

"submitted AuthenticationToken [" + token + "].";

throw new UnknownAccountException(msg);

}

return info;

}

/**

* 多个Realm配置时,调用该方法

*/

protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {

AuthenticationStrategy strategy = getAuthenticationStrategy();

AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

if (log.isTraceEnabled()) {

log.trace("Iterating through {} realms for PAM authentication", realms.size());

}

for (Realm realm : realms) {

aggregate = strategy.beforeAttempt(realm, token, aggregate);

if (realm.supports(token)) {

log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);

AuthenticationInfo info = null;

Throwable t = null;

try {

info = realm.getAuthenticationInfo(token);

} catch (Throwable throwable) {

t = throwable;

if (log.isDebugEnabled()) {

String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";

log.debug(msg, t);

}

}

aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);

} else {

log.debug("Realm [{}] does not support token {}. Skipping realm.", realm, token);

}

}

aggregate = strategy.afterAllAttempts(token, aggregate);

return aggregate;

}

备注:

1)由于Subject是一个接口类型,因此上边代码找的是 DelegatingSubject.java类中的代码;

2)Subject的类结构图:

2)什么时候调用授权( Realm#getAuthorizationinfo())

从调用Subject#isPermitted()源码可以看出内部调用了Subject#getAuthorizationInfo()方法:

    public boolean isPermitted(PrincipalCollection principals, Permission permission) {

AuthorizationInfo info = getAuthorizationInfo(principals);

return isPermitted(permission, info);

}

从调用Subject#hasRole()源码可以看出内部调用了Subject#getAuthorizationInfo()方法:

    public boolean hasRole(PrincipalCollection principal, String roleIdentifier) {

AuthorizationInfo info = getAuthorizationInfo(principal);

return hasRole(roleIdentifier, info);

}

不过,getAuthorizationInfo 的执行调用方式包括上面的总共有三个:

1)subject.hasRole(“admin”) 或 subject.isPermitted(“admin”):自己去调用这个是否有什么角色或者是否有什么权限的时候;
2)@RequiresRoles(“admin”) :在Controller方法上加注解的时候;
3)<@shiro.hasPermission name = “admin”>html code</@shiro.hasPermission>:在页面上加shiro标签的时候,即进这个页面的时候扫描到有这个标签的时候。
明。

参考资料:

《Shiro 中的 Realm》

《SSM整合shiro实现多用户表多Realm统一登录认证(大章附代码)》

不错的视屏教程,很实用:

https://www.bilibili.com/video/av22573274/?p=13

https://www.bilibili.com/video/av74805893?p=18 (针对java proj/springmvc整合/分布式用法都有系列讲解,值得推荐)

文章实战:https://blog.csdn.net/bieleyang/article/category/7140250

以上是 Java-Shiro(四):Shiro Realm讲解(一)Realm介绍 的全部内容, 来源链接: utcz.com/z/393219.html

回到顶部