Authentication is the process of verifying a user's identity. During authentication, the user submits identity information (principals) and proof of that identity (credentials), and the system checks that the pair is legitimate. The most common principal/credential combination is username/password.
First, the authentication process
1. Collect entity/credential information
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
token.setRememberMe(true);
UsernamePasswordToken supports the most common username/password authentication mechanism. Because it also implements the RememberMeAuthenticationToken interface, the token can be used to enable the "Remember Me" function. However, "remembered" and "authenticated" are different: a remembered user is merely a non-anonymous user, whose information can be obtained through Subject.getPrincipals(), but is not an authenticated user, and must resubmit authentication information when accessing functionality that requires authentication. Taobao illustrates this difference: the site remembers logged-in users by default, so on a return visit non-sensitive pages display the remembered user's information, but accessing account information still requires logging in again.
2. Submit entity/credential information
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);
After collecting the entity/credential information, we obtain the current user through the SecurityUtils helper class and submit it for authentication by calling the login method.
3. Authentication
If we customize the Realm implementation, as in the example below where I have written a ShiroDbRealm class, then when currentUser.login(token) executes, ShiroDbRealm.doGetAuthenticationInfo() is invoked first to perform the authentication:
/**
 * Verify the subject that is currently logging in.
 * @see tested: in this example the method is invoked inside
 * LoginController.login() when Subject.login() is executed.
 */
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
    // Get the token carrying the username and password;
    // this authcToken is the one passed from currentUser.login(token) in LoginController
    UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
    // Query user information from the database
    User user = userService.getByAccount(token.getUsername());
    if (user != null) {
        // No need to compare the password here; Shiro's credentials matcher does that.
        // We simply return the authentication info associated with the token.
        return new SimpleAuthenticationInfo(user.getAccount(), user.getPassword(), getName());
    } else {
        // Returning null (no SimpleAuthenticationInfo for this login name)
        // makes Shiro throw an UnknownAccountException in LoginController
        return null;
    }
}
4. Handling the authentication result
try {
    currentUser.login(token);
} catch (UnknownAccountException uae) {
    // no account with this username
} catch (IncorrectCredentialsException ice) {
    // wrong password
} catch (LockedAccountException lae) {
    // account is locked
} catch (ExcessiveAttemptsException eae) {
    // too many failed attempts
// ... catch your own ...
} catch (AuthenticationException ae) {
    // unexpected error?
}
If the login method returns without throwing any exception, the user is considered authenticated. SecurityUtils.getSubject() can then be called anywhere in the application to obtain the authenticated user instance, and subject.isAuthenticated() returns true. Conversely, if an exception is thrown while the login method executes, authentication is considered to have failed. Shiro provides a rich hierarchy of distinct exception classes describing the reasons for an authentication failure, as the code above shows.
Second, the logout operation
Calling Subject.logout() deletes the login information, for example:
currentUser.logout(); // removes all identifying information and invalidates their session too
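The complete flow of steps 1 to 4 above plus the logout operation, as an added, self-contained example that is not code from the original article or from the Shiro project. It assumes shiro-core 1.x on the classpath. InMemoryDbRealm, UserRecord and the two sample accounts are constructed stand-ins for the article's ShiroDbRealm and UserService; passwords are stored as salted, iterated SHA-256 hashes so that the realm only returns the stored hash and salt while Shiro's HashedCredentialsMatcher performs the comparison, which is the point made in step 3. The "Remember Me" distinction is not shown because a plain DefaultSecurityManager has no RememberMeManager configured.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class ShiroLoginDemo {

    /** Constructed stand-in for a database row: account, salted SHA-256 hex hash, salt, lock flag. */
    static final class UserRecord {
        final String account, passwordHash, salt;
        final boolean locked;
        UserRecord(String account, String passwordHash, String salt, boolean locked) {
            this.account = account; this.passwordHash = passwordHash; this.salt = salt; this.locked = locked;
        }
    }

    /** Hypothetical replacement for the article's ShiroDbRealm, backed by a Map instead of a UserService. */
    static final class InMemoryDbRealm extends AuthorizingRealm {
        private static final int ITERATIONS = 1024;
        private final Map<String, UserRecord> users = new HashMap<>();

        InMemoryDbRealm() {
            // Shiro, not the realm, compares credentials: configure the matcher once here.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
            addUser("alice", "correct horse", "salt-alice", false);   // constructed sample accounts
            addUser("mallory", "locked-out", "salt-mallory", true);
        }

        private void addUser(String account, String plainPassword, String salt, boolean locked) {
            String hash = new Sha256Hash(plainPassword, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
            users.put(account, new UserRecord(account, hash, salt, locked));
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
            UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
            UserRecord user = users.get(token.getUsername());   // stands in for userService.getByAccount()
            if (user == null) {
                return null;                                    // Shiro turns this into UnknownAccountException
            }
            if (user.locked) {
                throw new LockedAccountException("account locked: " + user.account);
            }
            // Return only the stored hash and salt; HashedCredentialsMatcher re-hashes the submitted
            // password with this salt and iteration count and compares the result.
            return new SimpleAuthenticationInfo(user.account, user.passwordHash,
                    ByteSource.Util.bytes(user.salt), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return null; // authorization is out of scope for this example
        }
    }

    /** Steps 1, 2 and 4: build the token, submit it, and map each failure to a distinct outcome. */
    static String login(String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            return "authenticated=" + currentUser.isAuthenticated() + " principal=" + currentUser.getPrincipal();
        } catch (UnknownAccountException uae) {
            return "unknown account";
        } catch (IncorrectCredentialsException ice) {
            return "incorrect credentials";
        } catch (LockedAccountException lae) {
            return "account locked";
        } catch (ExcessiveAttemptsException eae) {
            return "too many attempts";
        } catch (AuthenticationException ae) {
            return "unexpected: " + ae.getClass().getSimpleName();
        } finally {
            token.clear(); // drop the plaintext password from memory once Shiro is done with it
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryDbRealm()));
        System.out.println(login("alice", "correct horse"));   // successful login
        Subject alice = SecurityUtils.getSubject();
        alice.logout();                                        // removes principals and invalidates the session
        System.out.println("after logout authenticated=" + alice.isAuthenticated());
        System.out.println(login("alice", "wrong"));           // IncorrectCredentialsException path
        System.out.println(login("nobody", "x"));              // UnknownAccountException path
        System.out.println(login("mallory", "locked-out"));    // LockedAccountException path
    }
}
```

The realm never touches the submitted password: it hands Shiro the stored hash and salt, and the configured matcher decides. Because a failed login leaves the Subject on the current thread unauthenticated, the same login() helper can be called again, and calling logout() before the next attempt is what clears the previous principals and session, exactly as the logout section describes.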