Principle of Shiro Authentication filter

Source: Internet
Author: User

Under normal circumstances, for a simple username/password login, authentication only requires configuring Shiro's default authentication filters correctly.

As follows:

1. Configure login authentication in the configuration file

<bean id="shiroFilter"
      class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
   <property name="securityManager" ref="securityManager"/>
   <property name="loginUrl"
             value="http://casserver/login?service=http://casclient/shiro-cas"/>
   <property name="successUrl" value="/welcome.do"/>
   <property name="unauthorizedUrl" value="/403.do"/>
   <property name="filterChainDefinitions">
      <value>
         /logout.do* = anon
         /casticketerror.do* = anon

         # Permission configuration example
         /security/account/view.do = authc, perms[security_account_view]

         # Definitions are matched top to bottom, first match wins, so the catch-all goes last
         /** = authc
      </value>
   </property>
</bean>

None of the filter names used above (anon, authc, perms) are defined elsewhere in this configuration, so Shiro's built-in default filters with those names are used. The built-in filters are:

Shiro built-in filters

Filter name   Class
anon          org.apache.shiro.web.filter.authc.AnonymousFilter
authc         org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic    org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms         org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port          org.apache.shiro.web.filter.authz.PortFilter
rest          org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles         org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl           org.apache.shiro.web.filter.authz.SslFilter
user          org.apache.shiro.web.filter.authc.UserFilter



When a URL is accessed, the filter mapped to it in the chain definitions runs.

For example, FormAuthenticationFilter extends the abstract class AuthenticatingFilter,

which contains the following method:

protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
    // Subclasses build the AuthenticationToken from the request (username/password form fields, CAS ticket, etc.)
    AuthenticationToken token = createToken(request, response);
    if (token == null) {
        String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " +
                "must be created in order to execute a login attempt.";
        throw new IllegalStateException(msg);
    }
    try {
        Subject subject = getSubject(request, response);
        // Delegates to the SecurityManager, which asks the configured Realm(s) to verify the token
        subject.login(token);
        return onLoginSuccess(token, subject, request, response);
    } catch (AuthenticationException e) {
        return onLoginFailure(token, e, request, response);
    }
}

When FormAuthenticationFilter is used for authentication or permission filtering, execution first reaches this method: it creates the token, obtains the Subject and calls its login method. As the code shows, on success the onLoginSuccess method of FormAuthenticationFilter is executed; on failure the onLoginFailure method is executed.

Each request for a URL that requires authentication passes through this method to be filtered.

For example, a request to /login is filtered, and after a successful login the onLoginSuccess method performs the redirect. An overridden onLoginSuccess looks like this:


@Override
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                 ServletRequest request, ServletResponse response) throws Exception {
    // Login succeeded: remove the captcha from the session so it cannot be replayed
    Session session = subject.getSession();
    session.removeAttribute(CAPTCHA_SESSION);

    // Trigger execution of the authorization check (application-specific method)
    securityManager.isSessionUserAdminRole();
    if (redirectToSavedRequest) {
        // Default behaviour: send the user back to the URL they originally requested
        return super.onLoginSuccess(token, subject, request, response);
    } else {
        WebUtils.issueRedirect(request, response, getSuccessUrl());
        return false;
    }
}


Another way to achieve authentication:

You can also leave out the /login = authc entry in the filter chain.

Instead, the token is created and login is executed inside the controller method that handles /login:

// inside the controller: the Subject is bound to the current thread/request
Subject subject = SecurityUtils.getSubject();
subject.login(token);

Then subject.isAuthenticated() is checked to determine the outcome.
The internal logic of subject.login(token) goes to the AuthorizingRealm for authentication and returns the authentication result. Of course, you can also configure multiple realms.
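A complete controller-side login of the kind described above, as an added example that is not part of the original article. It assumes Spring MVC and Shiro 1.x (javax.servlet) on the classpath and a Realm registered with the SecurityManager; the view names, the /welcome.do fallback and the request parameter names are assumptions for illustration. It maps the distinct AuthenticationException subclasses to a single generic error redirect so the response does not reveal whether the username or the password was wrong, and clears the password held in the token once the attempt is over.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Added example (not the article's code): login performed in the controller instead of by the authc filter.
@Controller
public class LoginController {

    private static final Logger log = LoggerFactory.getLogger(LoginController.class);

    // Assumed landing page when no saved request exists; matches the successUrl used in the article's config
    private static final String FALLBACK_URL = "/welcome.do";

    @PostMapping("/login")
    public String login(@RequestParam String username,
                        @RequestParam String password,
                        @RequestParam(defaultValue = "false") boolean rememberMe,
                        HttpServletRequest request,
                        HttpServletResponse response) throws IOException {

        UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
        token.setHost(request.getRemoteHost()); // lets the realm/audit log see where the attempt came from

        Subject subject = SecurityUtils.getSubject();
        try {
            // Same path the filter takes: SecurityManager -> Authenticator -> Realm.doGetAuthenticationInfo(token)
            subject.login(token);
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Log the distinction server-side, but show the user one generic message for both cases
            log.info("login failed for user={} from {}: {}", username, request.getRemoteAddr(), e.getClass().getSimpleName());
            return "redirect:/login?error";
        } catch (LockedAccountException | ExcessiveAttemptsException e) {
            log.warn("login blocked for user={} from {}: {}", username, request.getRemoteAddr(), e.getClass().getSimpleName());
            return "redirect:/login?error";
        } catch (AuthenticationException e) {
            log.warn("login error for user={} from {}", username, request.getRemoteAddr(), e);
            return "redirect:/login?error";
        } finally {
            token.clear(); // zero the password char[] held by the token
        }

        // Belt and braces: login() throws on failure, but confirm the Subject state before redirecting
        if (!subject.isAuthenticated()) {
            return "redirect:/login?error";
        }

        // Honour the URL the user asked for before the authc filter redirected them to /login, else use the fallback
        WebUtils.redirectToSavedRequest(request, response, FALLBACK_URL);
        return null; // response already committed by the redirect
    }
}
```

Because this controller calls subject.login() itself, the /login URL must be mapped to anon (or left unmatched by authc) in the filter chain; otherwise FormAuthenticationFilter intercepts the POST before the controller sees it.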
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
import java.util.Set;

public class RolesAuthorizationFilter extends AuthorizationFilter {

    //TODO - complete JavaDoc

    @SuppressWarnings({"unchecked"})
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

        Subject subject = getSubject(request, response);
        // mappedValue holds the names inside the brackets of roles[...] in the chain definition
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {
            //no roles specified, so nothing to check - allow access.
            return true;
        }

        Set<String> roles = CollectionUtils.asSet(rolesArray);
        // Requires ALL listed roles, not any one of them
        return subject.hasAllRoles(roles);
    }

}

When roles[sad] is configured in the filter chain, the isAccessAllowed method is called; you can see the sad value being converted into a set of role names, which is then used to determine whether the current user holds that role.
Executing hasAllRoles eventually calls into
AuthorizingRealm for the authorization check and returns the authorization result. Of course, you can also configure multiple realms.





