在前面分析的基础上我们来继续看下认证的过程
1.DelegatingSubject类中的login 方法
public void login(AuthenticationToken token) throws AuthenticationException { clearRunAsIdentities(); // 进入login Subject subject = securityManager.login(this, token); // 省略 ThreadContext.bind(this); }
2.DefaultSecurityManager类的login方法
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info; try { // 认证的方法 进入 info = authenticate(token); } catch (AuthenticationException ae) { try { onFailedLogin(token, ae, subject); } catch (Exception e) { if (log.isInfoEnabled()) { log.info("onFailedLogin method threw an " + "exception. Logging and propagating original AuthenticationException.", e); } } throw ae; //propagate } // 认证成功后创建subject对象 Subject loggedIn = createSubject(token, info, subject); // 绑定对象,创建session bind(loggedIn); onSuccessfulLogin(token, info, loggedIn); return loggedIn; }
3.AuthenticatingSecurityManager类中authenticate方法
public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { return this.authenticator.authenticate(token); }
4.AbstractAuthenticator类中的authenticate方法
public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException { // 省略些不重要的代码 AuthenticationInfo info; try { // 认证的方法 info = doAuthenticate(token); // 如果为空抛认证失败异常 if (info == null) { String msg = "No account information found for authentication token [" + token + "] by this " + "Authenticator instance. Please check that it is configured correctly."; throw new AuthenticationException(msg); } } catch (Throwable t) { AuthenticationException ae = null; if (t instanceof AuthenticationException) { ae = (AuthenticationException) t; } if (ae == null) { //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate: String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " + "error? (Typical or expected login exceptions should extend from AuthenticationException)."; ae = new AuthenticationException(msg, t); } try { notifyFailure(token, ae); } catch (Throwable t2) { if (log.isWarnEnabled()) { String msg = "Unable to send notification for failed authentication attempt - listener error?. " + "Please check your AuthenticationListener implementation(s). Logging sending exception " + "and propagating original AuthenticationException instead..."; log.warn(msg, t2); } } throw ae; } log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info); // 通知认证成功 notifySuccess(token, info); return info; }
5.ModularRealmAuthenticator类中的doAuthenticate方法
protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException { assertRealmsConfigured(); Collection<Realm> realms = getRealms(); if (realms.size() == 1) { // 本案例是单realm所以执行此方法 return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); } else { return doMultiRealmAuthentication(realms, authenticationToken); } }
doSingleRealmAuthentication方法
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) { if (!realm.supports(token)) { String msg = "Realm [" + realm + "] does not support authentication token [" + token + "]. Please ensure that the appropriate Realm implementation is " + "configured correctly or that the realm accepts AuthenticationTokens of this type."; throw new UnsupportedTokenException(msg); } // 核心代码 认证 AuthenticationInfo info = realm.getAuthenticationInfo(token); if (info == null) { String msg = "Realm [" + realm + "] was unable to find account data for the " + "submitted AuthenticationToken [" + token + "]."; throw new UnknownAccountException(msg); } return info; }
6.AuthenticatingRealm类中的getAuthenticationInfo方法
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { // 账号认证的核心方法 AuthenticationInfo info = doGetAuthenticationInfo(token); if (info == null) { if (log.isDebugEnabled()) { String msg = "No authentication information found for submitted authentication token [" + token + "]. " + "Returning null."; log.debug(msg); } return null; } // 获取匹配器 CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null) { // 账号验证没有问题就进行秘密验证 if (!cm.doCredentialsMatch(token, info)) { String msg = "The credentials provided for account [" + token + "] did not match the expected credentials."; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " + "credentials during authentication. If you do not wish for credentials to be examined, you " + "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance."); } return info; }
7.SimpleAccountRealm类中执行doGetAuthenticationInfo方法
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { // 获取token中的账号 UsernamePasswordToken upToken = (UsernamePasswordToken) token; // 根据token的账号从IniRealm中获取信息 SimpleAccount account = getUser(upToken.getUsername()); // 账号存在 if (account != null) { // 账号被锁定 if (account.isLocked()) { throw new LockedAccountException("Account [" + account + "] is locked."); } // 账号过期 if (account.isCredentialsExpired()) { String msg = "The credentials for account [" + account + "] are expired"; throw new ExpiredCredentialsException(msg); } } // 返回账号 账号不存在null 否则账号存在 return account; }
8.CredentialsMatcher中密码验证
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { Object tokenCredentials = getCredentials(token); Object accountCredentials = getCredentials(info); // 验证密码是否匹配 return equals(tokenCredentials, accountCredentials); }
至此整个过程结束