
Login process of Shiro and brief introduction of Realm

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces the login process of Shiro and gives a brief introduction to Realm.

What is the login process like?

First, let's take a look at the login flowchart in the official Shiro documentation:

With reference to this figure, we have to go through the following steps to log in:

1. The application code calls the Subject.login method, passing the created AuthenticationToken instance (that is, UsernamePasswordToken in the example above) that contains the end user's Principals (identity) and Credentials (credentials).

2. The Subject instance, usually a DelegatingSubject (or a subclass), delegates to the application's SecurityManager by calling securityManager.login(token), where the real validation work starts (you can set a breakpoint in the login method of the DelegatingSubject class to see this).

3. The SecurityManager, as a basic "umbrella" component, receives the token and simply delegates to its internal Authenticator instance by calling authenticator.authenticate(token). This is typically a ModularRealmAuthenticator instance, which supports coordinating one or more Realm instances during authentication. ModularRealmAuthenticator essentially provides a PAM-style paradigm for Apache Shiro (where each Realm is a 'module' in PAM terminology).

4. If more than one Realm is configured in the application, the ModularRealmAuthenticator instance uses its configured AuthenticationStrategy to start a multi-Realm authentication attempt. Before, during, and after the Realms are called for authentication, the AuthenticationStrategy is called so that it can react to the result of each Realm. If only a single Realm is configured, it is called directly, because a single-Realm application has no need for an AuthenticationStrategy.

5. Each configured Realm is consulted to see whether it supports the submitted AuthenticationToken. If so, the supporting Realm's getAuthenticationInfo method is called with the submitted token.

With the above introduction, you should have a basic understanding of the whole login process, and you can verify the five steps above by setting breakpoints. In these five steps, Realm takes on a very important part of the work, so what exactly is a Realm? Let's take a closer look.

What is Realm?

As explained in the Realm documentation, Realms act as a "bridge" or "connector" between Shiro and your application's security data. When Shiro actually needs to interact with security-related data, such as the user accounts used to perform authentication (login) and authorization (access control), it looks much of this up in one or more Realms configured for the application. In this sense, a Realm is essentially a security-specific DAO: it encapsulates the connection details of the data source and makes the relevant data available to Shiro as needed. When configuring Shiro, you must specify at least one Realm for authentication and/or authorization. The SecurityManager may be configured with multiple Realms, but at least one is required. Shiro provides ready-to-use Realms for connecting to security data sources (that is, directories) such as LDAP, relational databases (JDBC), text configuration sources such as INI and property files, and more. If the default Realms do not meet your needs, you can plug in your own Realm implementation to represent a custom data source.

After reading the explanation above, some readers may still be confused, so let's use a simple case to see what role a Realm plays. Note that the case in this article builds on the previous case. First, define a custom MyRealm as follows:

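package org.sang;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.Realm;

public class MyRealm implements Realm {

    // Name of this Realm
    public String getName() {
        return "MyRealm";
    }

    // Only tokens of type UsernamePasswordToken are supported
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String password = new String((char[]) token.getCredentials());
        String username = token.getPrincipal().toString();
        // Hard-coded demo values stand in for the omitted database lookup
        if (!"sang".equals(username)) {
            throw new UnknownAccountException("user does not exist");
        }
        if (!"123".equals(password)) {
            throw new IncorrectCredentialsException("incorrect password");
        }
        return new SimpleAuthenticationInfo(username, password, getName());
    }
}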

The custom Realm implements the Realm interface, which has three methods. The first, getName, returns the name of the current Realm. The second, supports, determines which tokens this Realm supports; here I assume it only supports tokens of type UsernamePasswordToken. The third, getAuthenticationInfo, performs the login check: it takes the user name and password from the token and validates them (I have omitted the database operation here). When login verification fails, simply throw an exception; it will be caught where the login is executed. (Note that because MyRealm implements the Realm interface directly, I have to compare the user name and password manually. I will introduce other ways of writing this in a later article.)

Creating MyRealm is not enough on its own. We also need a simple configuration to make MyRealm take effect: comment out everything in the shiro.ini file and add the following two lines:

MyRealm=org.sang.MyRealm

securityManager.realms=$MyRealm
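
The manual comparison in MyRealm, redone as an added example (not code from the original article or from the Shiro project): a hypothetical HashedRealm extends AuthenticatingRealm so that the stored value is a salted hash and Shiro's PasswordMatcher does the comparison, and main drives the five-step login flow described earlier. It assumes Shiro 1.x on the classpath; the class name and the in-memory user map are constructed for illustration.

```java
package org.sang;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

// Added example (hypothetical class name): MyRealm's check, with hashing left to Shiro.
public class HashedRealm extends AuthenticatingRealm {
    private final DefaultPasswordService passwords = new DefaultPasswordService();
    // Constructed stand-in for a user table: username -> salted, iterated hash.
    private final Map<String, String> users = new ConcurrentHashMap<>();

    public HashedRealm() {
        setName("HashedRealm");
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwords);
        setCredentialsMatcher(matcher);
        users.put("sang", passwords.encryptPassword("123")); // the article's sample account
    }

    @Override // supports() is inherited and accepts UsernamePasswordToken by default
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        String storedHash = (username == null) ? null : users.get(username);
        if (storedHash == null) {
            return null; // the Authenticator reports a null result as UnknownAccountException
        }
        // No comparison here: the base class runs the CredentialsMatcher on this info.
        return new SimpleAuthenticationInfo(username, storedHash, getName());
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm()));
        Subject subject = SecurityUtils.getSubject();
        for (String pw : new String[] {"wrong", "123"}) {
            try {
                subject.login(new UsernamePasswordToken("sang", pw)); // step 1 of the flow
                System.out.println(pw + " -> authenticated=" + subject.isAuthenticated());
            } catch (AuthenticationException e) {
                // Show end users one generic message; log the exception type server-side.
                System.out.println(pw + " -> login failed: " + e.getClass().getSimpleName());
            }
        }
    }
}
```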
