1. Implement StatelessAuthcFilter, which intercepts every stateless request.
(1) isAccessAllowed(): entered first after interception. It returns false unconditionally, so every request is handed to onAccessDenied, which handles both authentication and the login logic. (Reason 1, see the Description below.)
(2) Following the abstract class AccessControlFilter, override both onAccessDenied methods. The first receives the mappedValue and handles the authentication check; if that passes, it calls the other onAccessDenied, which handles the login logic. (The two onAccessDenied implementations are omitted here.)
(3) In the onAccessDenied() that handles the login logic, read the sequence, token and params the client sent, together with the digest the client generated over those three values.
(4) Build a StatelessToken. StatelessToken implements Shiro's AuthenticationToken interface and adds attributes: username (the token), sequence (a timestamp), clientDigest (the digest generated by the client) and params (all parameters except the digest).
(5) Delegate login verification to the realm.
(6) A custom function onLoginFail returns the appropriate JSON message for a failed login according to the error type passed in. onLoginFail is called and false is returned in the following cases:
Case one: any of sequence, token or digest is empty (incomplete parameters).
Case two: the current timestamp minus sequence exceeds a fixed period (possible replay attack).
Case three: the realm throws an exception during login (login failure for any reason).
2. Implement StatelessRealm.
(1) Override the doGetAuthenticationInfo method (identity verification). First, get the StatelessToken set in StatelessAuthcFilter and its attributes sequence, token, params and clientDigest. Second, look up the token object in the database by the token string (it is generated when the user logs in from the mobile client with account and password, and holds the token string, a unique key, the current user and the validity period). Third, generate the key from the secret using the same rule as the front end. Then generate a message digest of the client parameters on the server side. Finally, verify the identity by comparing the two digests.
(2) Override the doGetAuthorizationInfo method (authorization).
3. Configure applicationContext-shiro.xml.
(1) Configure StatelessRealm with caching disabled.
(2) Configure the SecurityManager with StatelessRealm in its realms property.
(3) Configure StatelessAuthcFilter and register the stateless filter in filterChainDefinitions.
Description:
1. With StatelessAuthcFilter every request has to log in, so every request must enter the onAccessDenied that handles the login logic. If the authentication check were done in isAccessAllowed(), a request that passes it would never enter onAccessDenied, a request that fails it would enter onAccessDenied, and the "stateless[customer]" role restriction would have no effect.
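As an added example of step 2 (not the page's own code), a StatelessRealm that performs the checks described in doGetAuthenticationInfo: token lookup and expiry, the replay window on sequence, and a constant-time comparison of the server-side digest with clientDigest. It assumes StatelessToken getters getToken(), getSequence() (a long timestamp), getParams() and getClientDigest(), with getCredentials() returning the client digest; a hypothetical TokenStore.findByToken lookup returning a record with getSecret(), getExpiresAt() and getUsername(); HMAC-SHA256 over a canonical "token|sequence|sorted params" string as the rule shared with the front end; and a five-minute replay window. The authorization side (doGetAuthorizationInfo) is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.shiro.authc.*;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.realm.AuthenticatingRealm;

public class StatelessRealm extends AuthenticatingRealm {
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L; // replay window (assumed value)

    @Override public boolean supports(AuthenticationToken token) { return token instanceof StatelessToken; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {
        StatelessToken t = (StatelessToken) authcToken;
        // 1. Record issued at password login: per-token secret, owner, validity period.
        TokenRecord rec = TokenStore.findByToken(t.getToken()); // hypothetical DAO
        if (rec == null || rec.getExpiresAt() < System.currentTimeMillis())
            throw new AuthenticationException("unknown or expired token");
        // 2. Sequence (client timestamp) must fall inside the replay window.
        if (Math.abs(System.currentTimeMillis() - t.getSequence()) > MAX_SKEW_MS)
            throw new AuthenticationException("sequence outside replay window");
        // 3. Recompute the digest with the client's rule; compare in constant time.
        String expected = hmacHex(rec.getSecret(), canonical(t.getToken(), t.getSequence(), t.getParams()));
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   t.getClientDigest().getBytes(StandardCharsets.UTF_8)))
            throw new AuthenticationException("digest mismatch");
        // Credentials are the clientDigest on both sides, so the default matcher passes.
        return new SimpleAuthenticationInfo(rec.getUsername(), t.getClientDigest(), getName());
    }

    // Canonical string: token, sequence, then params sorted by name (assumed shared rule).
    static String canonical(String token, long sequence, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(token).append('|').append(sequence);
        new TreeMap<>(params).forEach((k, v) -> sb.append('|').append(k).append('=').append(v));
        return sb.toString();
    }

    static String hmacHex(String secret, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return Hex.encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

Because every request is re-verified here, the realm is used with caching disabled, as step 3(1) configures; a cached AuthenticationInfo would otherwise let a stale digest pass.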
Stateless web application mechanism