Java-Shiro(四):Shiro Realm讲解(一)Realm介绍
Realm简介
Realm:英文意思‘域’,在Shiro框架中,简单理解它存储(读取配置、读取数据库、读取内存中)用户信息,并且它充当了Shiro与应用安全数据间的“桥梁”(“连接器”),当对某个用户执行认证(登录)和授权(用户用有的角色、资源,或者说访问控制)验证时,Shiro会从应用配置的Realm中查找用户以及权限信息。
从它的在Shiro矿建中所起的作用来讲,Realm相当于是一个安全相关的DAO:它封装了数据源的连接细节,并在需要时将相关数据提供给Shiro。当配置Shiro时,你必须指定一个Realm(当然允许配置多个,指定多Realm验证策略,多个Realm来工作),用于认证、授权。
按照Realm中用户和权限信息存储方式不同,在Shiro框架内部定义了以下Realm:
1)IniRealm:将用户、角色信息配置到*.ini文件中,使用IniRealm加载数据信息,提供认证、授权功能;
2)PropertiesRealm:将用户、角色信息配置到*.properties文件中,使用PropertiesRealm加载数据信息,提供认证、授权功能;
3)jdbcRealm:将用户、角色信息配置到关系型数据库总,外部可以指定DataSource信息,默认内部包含了认证、授权SQL,默认数据库表:users、user_roles、roles_permissions;
4)*Ldap*/ActiveDirectory*:LDAP目录服务是由目录数据库和一套访问协议组成的系统,其实就是把用户、角色信息存储到这样的一个Ad系统,通过Ldap/Jndi/等方式连接读取数据,至于shiro功能与上边3种一致。
5)自定义Realm:上图中MyRealm就是我自定义的一个Realm,如果缺省的Realm不能满足需求时,我们还可以自定义数据源自己的Realm实现。
Realm功能
Realm主要负责的功能包含以下:
通过上边Realm类结构图,可以看出IniRealm、PropertiesRealm、JdbcRealm等的最上层父类是 AuthorizingRealm,而它又继承了AuthenticatingRealm,我们查看类中定义:
AuthenticatingRealm.java中唯一抽象方法:(该方法提供身份认证使用,具体可以参考缺省Realm的实现)
protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;
AuthorizingRealm.java中唯一抽象方法:(该方法给认证通过的用户赋值权限、资源使用,具体可以参考缺省Realm的实现)
protected abstract AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals);
1)身份认证:调用Realm#getAuthenticationinfo()方法,验证用户输入的账户和密码(内部调用Realm#doGetAuthenticationInfo()方法进行用户认证),并返回与Realm数据对比验证结果相关信息;查看AuthenticationRealm#getAuthenticationInfo()源码:
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info = getCachedAuthenticationInfo(token);
if (info == null) {
//otherwise not cached, perform the lookup:
info = doGetAuthenticationInfo(token);
log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
if (token != null && info != null) {
cacheAuthenticationInfoIfPossible(token, info);
}
} else {
log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
}
if (info != null) {
assertCredentialsMatch(token, info);
} else {
log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
}
return info;
}
2)权限、资源获取:调用Realm#getAuthorizationinfo()方法,获取指定身份的权限(内部调用Realm#doGetAuthorizationInfo()方法进行制定身份的权限),并返回相关信息;查看AuthorizingRealm#getAuthorizationInfo()源码:
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) { if (principals == null) {
return null;
}
AuthorizationInfo info = null;
if (log.isTraceEnabled()) {
log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");
}
Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache();
if (cache != null) {
if (log.isTraceEnabled()) {
log.trace("Attempting to retrieve the AuthorizationInfo from cache.");
}
Object key = getAuthorizationCacheKey(principals);
info = cache.get(key);
if (log.isTraceEnabled()) {
if (info == null) {
log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");
} else {
log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");
}
}
}
if (info == null) {
// Call template method if the info was not found in a cache
info = doGetAuthorizationInfo(principals);
// If the info is not null and the cache has been created, then cache the authorization info.
if (info != null && cache != null) {
if (log.isTraceEnabled()) {
log.trace("Caching authorization info for principals: [" + principals + "].");
}
Object key = getAuthorizationCacheKey(principals);
cache.put(key, info);
}
}
return info;
}
3)判定Token是否支持:调用Realm#supports()方法,验证是否支持令牌(Token)。
备注:Token在Shiro中包含几种类型:HostAuthenticationToken(主机验证令牌),UsernamePasswordToken(账户密码验证令牌),RememberMeAuthenticationToken(记录上次登录用户Token)。
什么时候调用Realm#getAuthenticationinfo()、什么时候调用 Realm#getAuthorizationinfo()?
Realm iniRealm = new IniRealm("classpath:shiroAuthorizer.ini"); DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(iniRealm);
SecurityUtils.setSecurityManager(defaultSecurityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");
// 调用 Realm#getAuthenticationinfo()
subject.login(token);
System.out.println("是否认证通过:" + subject.isAuthenticated());
// 调用 Realm#getAuthorizationinfo()
System.out.println("是否授权admin角色:" + subject.hasRole("admin"));
System.out.println("是否拥有user:update资源:" + subject.isPermitted("user:update"));
System.out.println("是否拥有user:delete资源:" + subject.isPermitted("user:delete"));
System.out.println("是否拥有user:create资源:" + subject.isPermitted("user:create"));
subject.logout();
System.out.println("是否认证通过:" + subject.isAuthenticated());
System.out.println("是否授权admin角色:" + subject.hasRole("admin"));
System.out.println("是否拥有user:update资源:" + subject.isPermitted("user:update"));
System.out.println("是否拥有user:delete资源:" + subject.isPermitted("user:delete"));
System.out.println("是否拥有user:create资源:" + subject.isPermitted("user:create"));
1)什么时候调用身份认证(Realm#getAuthenticationinfo())
从Subject#login()代码进行跟踪,寻找Subject#login()底层调用的代码如下:
DelegatingSubject#login()方法调用-》DefaultSecurityManager#login(),内部调用-》AbstractAuthenticator#authenticate()方法,内部调用-》ModularRealmAuthenticator#doAuthenticate()方法,该方法源码如下:
/*** Subject#login最终底层调用的方法就是该方法
*/
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
assertRealmsConfigured();
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
} else {
return doMultiRealmAuthentication(realms, authenticationToken);
}
}
/**
* 单个Realm配置时,调用该法
*/
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
if (!realm.supports(token)) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException(msg);
}
AuthenticationInfo info = realm.getAuthenticationInfo(token);
if (info == null) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException(msg);
}
return info;
}
/**
* 多个Realm配置时,调用该方法
*/
protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {
AuthenticationStrategy strategy = getAuthenticationStrategy();
AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
if (log.isTraceEnabled()) {
log.trace("Iterating through {} realms for PAM authentication", realms.size());
}
for (Realm realm : realms) {
aggregate = strategy.beforeAttempt(realm, token, aggregate);
if (realm.supports(token)) {
log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);
AuthenticationInfo info = null;
Throwable t = null;
try {
info = realm.getAuthenticationInfo(token);
} catch (Throwable throwable) {
t = throwable;
if (log.isDebugEnabled()) {
String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
log.debug(msg, t);
}
}
aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
} else {
log.debug("Realm [{}] does not support token {}. Skipping realm.", realm, token);
}
}
aggregate = strategy.afterAllAttempts(token, aggregate);
return aggregate;
}
备注:
1)由于Subject是一个接口类型,因此上边代码找的是 DelegatingSubject.java类中的代码;
2)Subject的类结构图:
2)什么时候调用授权( Realm#getAuthorizationinfo())
从调用Subject#isPermitted()源码可以看出内部调用了Subject#getAuthorizationInfo()方法:
public boolean isPermitted(PrincipalCollection principals, Permission permission) { AuthorizationInfo info = getAuthorizationInfo(principals);
return isPermitted(permission, info);
}
从调用Subject#hasRole()源码可以看出内部调用了Subject#getAuthorizationInfo()方法:
public boolean hasRole(PrincipalCollection principal, String roleIdentifier) { AuthorizationInfo info = getAuthorizationInfo(principal);
return hasRole(roleIdentifier, info);
}
不过,getAuthorizationInfo 的执行调用方式包括上面的总共有三个:
1)subject.hasRole(“admin”) 或 subject.isPermitted(“admin”):自己去调用这个是否有什么角色或者是否有什么权限的时候;
2)@RequiresRoles(“admin”) :在Controller方法上加注解的时候;
3)<@shiro.hasPermission name = “admin”>html code</@shiro.hasPermission>:在页面上加shiro标签的时候,即进这个页面的时候扫描到有这个标签的时候。
明。
参考资料:
《Shiro 中的 Realm》
《SSM整合shiro实现多用户表多Realm统一登录认证(大章附代码)》
不错的视屏教程,很实用:
https://www.bilibili.com/video/av22573274/?p=13
https://www.bilibili.com/video/av74805893?p=18 (针对java proj/springmvc整合/分布式用法都有系列讲解,值得推荐)
文章实战:https://blog.csdn.net/bieleyang/article/category/7140250
以上是 Java-Shiro(四):Shiro Realm讲解(一)Realm介绍 的全部内容, 来源链接: utcz.com/z/393219.html
