0%

Shiro源码解析之Authenticator

发表于 2019-10-22 更新于 2019-10-28 分类于 Java ， Shiro

了解 Authenticator

Authenticator 用来进行身份认证，它的继承图以及继承者的方法如下：

理解 Authenticator

1. `AbstractAuthenticator` | `authencate(token)`

// line 167
/**
 * Implementation of the {@link Authenticator} interface that functions in the following manner:
 * <ol>
 * <li>Calls template {@link #doAuthenticate doAuthenticate} method for subclass execution of the actual
 * authentication behavior.</li>
 * <li>If an {@code AuthenticationException} is thrown during {@code doAuthenticate},
 * {@link #notifyFailure(AuthenticationToken, AuthenticationException) notify} any registered
 * {@link AuthenticationListener AuthenticationListener}s of the exception and then propagate the exception
 * for the caller to handle.</li>
 * <li>If no exception is thrown (indicating a successful login),
 * {@link #notifySuccess(AuthenticationToken, AuthenticationInfo) notify} any registered
 * {@link AuthenticationListener AuthenticationListener}s of the successful attempt.</li>
 * <li>Return the {@code AuthenticationInfo}</li>
 * </ol>
 *
 * @param token the submitted token representing the subject's (user's) login principals and credentials.
 * @return the AuthenticationInfo referencing the authenticated user's account data.
 * @throws AuthenticationException if there is any problem during the authentication process - see the
 *                                 interface's JavaDoc for a more detailed explanation.
 */
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {

    if (token == null) {
        throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
    }

    log.trace("Authentication attempt received for token [{}]", token);

    AuthenticationInfo info;
    try {
        info = doAuthenticate(token);
        if (info == null) {
            String msg = "No account information found for authentication token [" + token + "] by this " +
                    "Authenticator instance.  Please check that it is configured correctly.";
            throw new AuthenticationException(msg);
        }
    } catch (Throwable t) {
        AuthenticationException ae = null;
        if (t instanceof AuthenticationException) {
            ae = (AuthenticationException) t;
        }
        if (ae == null) {
            //Exception thrown was not an expected AuthenticationException.  Therefore it is probably a little more
            //severe or unexpected.  So, wrap in an AuthenticationException, log to warn, and propagate:
            String msg = "Authentication failed for token submission [" + token + "].  Possible unexpected " +
                    "error? (Typical or expected login exceptions should extend from AuthenticationException).";
            ae = new AuthenticationException(msg, t);
            if (log.isWarnEnabled())
                log.warn(msg, t);
        }
        try {
            notifyFailure(token, ae);
        } catch (Throwable t2) {
            if (log.isWarnEnabled()) {
                String msg = "Unable to send notification for failed authentication attempt - listener error?.  " +
                        "Please check your AuthenticationListener implementation(s).  Logging sending exception " +
                        "and propagating original AuthenticationException instead...";
                log.warn(msg, t2);
            }
        }


        throw ae;
    }

    log.debug("Authentication successful for token [{}].  Returned account [{}]", token, info);

    notifySuccess(token, info);

    return info;
}

代码很多，有用的只有 doAuthencate(token) 这句。

2. ModularRealmAuthenticator | `doAuthencate(token)`

// line 164
/**
 * Performs the authentication attempt by interacting with the single configured realm, which is significantly
 * simpler than performing multi-realm logic.
 *
 * @param realm the realm to consult for AuthenticationInfo.
 * @param token the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
 * @return the AuthenticationInfo associated with the user account corresponding to the specified {@code token}
 */
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
    if (!realm.supports(token)) {
        String msg = "Realm [" + realm + "] does not support authentication token [" +
                token + "].  Please ensure that the appropriate Realm implementation is " +
                "configured correctly or that the realm accepts AuthenticationTokens of this type.";
        throw new UnsupportedTokenException(msg);
    }
    // 使用 realm.getAuthenticationInfo(token) 校验并获取 authenticationInfo 
    AuthenticationInfo info = realm.getAuthenticationInfo(token);
    if (info == null) {
        String msg = "Realm [" + realm + "] was unable to find account data for the " +
                "submitted AuthenticationToken [" + token + "].";
        throw new UnknownAccountException(msg);
    }
    return info;
}

/**
 * Performs the multi-realm authentication attempt by calling back to a {@link AuthenticationStrategy} object
 * as each realm is consulted for {@code AuthenticationInfo} for the specified {@code token}.
 *
 * @param realms the multiple realms configured on this Authenticator instance.
 * @param token  the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
 * @return an aggregated AuthenticationInfo instance representing account data across all the successfully
 *         consulted realms.
 */
protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {

    AuthenticationStrategy strategy = getAuthenticationStrategy();

    AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

    if (log.isTraceEnabled()) {
        log.trace("Iterating through {} realms for PAM authentication", realms.size());
    }

    for (Realm realm : realms) {

        aggregate = strategy.beforeAttempt(realm, token, aggregate);

        if (realm.supports(token)) {

            log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);

            AuthenticationInfo info = null;
            Throwable t = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (Throwable throwable) {
                t = throwable;
                if (log.isDebugEnabled()) {
                    String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
                    log.debug(msg, t);
                }
            }

            aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);

        } else {
            log.debug("Realm [{}] does not support token {}.  Skipping realm.", realm, token);
        }
    }

    aggregate = strategy.afterAllAttempts(token, aggregate);

    return aggregate;
}


/**
 * Attempts to authenticate the given token by iterating over the internal collection of
 * {@link Realm}s.  For each realm, first the {@link Realm#supports(org.apache.shiro.authc.AuthenticationToken)}
 * method will be called to determine if the realm supports the {@code authenticationToken} method argument.
 * <p/>
 * If a realm does support
 * the token, its {@link Realm#getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)}
 * method will be called.  If the realm returns a non-null account, the token will be
 * considered authenticated for that realm and the account data recorded.  If the realm returns {@code null},
 * the next realm will be consulted.  If no realms support the token or all supporting realms return null,
 * an {@link AuthenticationException} will be thrown to indicate that the user could not be authenticated.
 * <p/>
 * After all realms have been consulted, the information from each realm is aggregated into a single
 * {@link AuthenticationInfo} object and returned.
 *
 * @param authenticationToken the token containing the authentication principal and credentials for the
 *                            user being authenticated.
 * @return account information attributed to the authenticated user.
 * @throws IllegalStateException   if no realms have been configured at the time this method is invoked
 * @throws AuthenticationException if the user could not be authenticated or the user is denied authentication
 *                                 for the given principal and credentials.
 */
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
    // 判断是否配置了realms，否的话抛出异常
    assertRealmsConfigured();
    Collection<Realm> realms = getRealms();
    // 判断是单realm还是多realm，分别调用不同的方法处理
    if (realms.size() == 1) {
        return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
    } else {
        return doMultiRealmAuthentication(realms, authenticationToken);
    }
}

先来看 doSingleRealmAuthentication(realm)，它内部直接调用了 realm.getAuthenticationInfo(token)

3. AbstractAuthenticator | `notifySuccess()`

/**
     * Notifies any registered {@link AuthenticationListener AuthenticationListener}s that
     * authentication was successful for the specified {@code token} which resulted in the specified
     * {@code info}.  This implementation merely iterates over the internal {@code listeners} collection and
     * calls {@link AuthenticationListener#onSuccess(AuthenticationToken, AuthenticationInfo) onSuccess}
     * for each.
     *
     * @param token the submitted {@code AuthenticationToken} that resulted in a successful authentication.
     * @param info  the returned {@code AuthenticationInfo} resulting from the successful authentication.
     */
    protected void notifySuccess(AuthenticationToken token, AuthenticationInfo info) {
        for (AuthenticationListener listener : this.listeners) {
            listener.onSuccess(token, info);
        }
    }

小结

如果是单 realm ，则直接调用 realm 的 getAuthenticationInfo()
如果是多 realm ，则使用 AuthenticationStrategy 对象来调用 realm 的 getAuthenticationInfo() 方法