Get all the required users, roles, permissions from Realm
Starting from subject,
The term <em>principal</em> was just a fancy security term for any identifying attribute (s) of an application
User, such as a username, or user ID, or public key, or anything else you might the use of your application to
Identify a user.
Turn on the Boolean ispermitted (Permission Permission) to reach Delegatingsubject
Public Boolean ispermitted (Permission Permission) { return hasprincipals () && Securitymanager.ispermitted (Getprincipals (), permission); }
It's securitymanager at work.
Open ispermitted, Reach Authorizingsecuritymanager
Public Boolean ispermitted (principalcollection principals, Permission Permission) { return This . authorizer. ispermitted (principals, permission); }
Here is the episode, the episode Begins =========================================================
What is Authorizingsecuritymanager?
Shiro support of a {@link SecurityManager} class hierarchy-Delegates All
Authorization (access control) operations to a wrapped {@link authorizer authorizer} instance. That's,
This class implements all the <tt>Authorizer</tt> methods in the {@link SecurityManager SecurityManager}
interface, but in reality, those methods is merely passthrough calls to the underlying ' real '
<tt>Authorizer</tt> instance.
To find Authorizer first:
Public Abstract classAuthorizingsecuritymanagerextendsAuthenticatingsecuritymanager {/*** The wrapped instance to which all of this <tt>SecurityManager</tt> authorization calls is delegate D.*/ PrivateAuthorizer Authorizer; /*** Default No-arg constructor that initializes an internal default * {@linkOrg.apache.shiro.authz.ModularRealmAuthorizer Modularrealmauthorizer}. */ PublicAuthorizingsecuritymanager () {Super(); This.authorizer = new Modularrealmauthorizer (); } /*** Returns The underlying wrapped <tt>Authorizer</tt> instance to which this <tt>securitymanager </tt> * Implementation delegates all of its authorization calls. * * @returnThe wrapped <tt>Authorizer</tt> used by this <tt>SecurityManager</tt> implementation. */ PublicAuthorizer Getauthorizer () {returnAuthorizer; } /*** Sets the underlying <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> Implementation would * delegate all of its authorization calls. * * @paramAuthorizer The <tt>Authorizer</tt> this <tt>SecurityManager</tt> should wrap and delegate All of it * authorization calls to. */ Public voidSetauthorizer (Authorizer authorizer) {if(Authorizer = =NULL) {String msg= "Authorizer argument cannot be null."; Throw Newillegalargumentexception (msg); } This. Authorizer =Authorizer; }
Found, the original Authorizingsecuritymanager in the Authorizer is New Modularrealmauthorizer ()
Episode Over =========================================================
Open this. Authorizer. Ispermitted(principals, permission)
See:
Know Authorizer is new Modularrealmauthorizer (), so point open modularrealmauthorizer see:
Public Booleanispermitted (principalcollection principals, Permission Permission) {assertrealmsconfigured (); for(Realm Realm:getrealms ()) {if(! (RealminstanceofAuthorizer))Continue; if((authorizer) realm). ispermitted (principals, permission)) {return true; } } return false; }
There's a realm here.
Open Getrealms () reached the Modularrealmauthorizer, magical:
Public Modularrealmauthorizer (collection<realm> Realms) { setrealms (realms); }
To see that the realm was injected into the Modularrealmauthorizer's constructor,
The original Authorizingsecuritymanager at the time of initialization, has already injected realm into the attribute Authorizer is modularrealmauthorizer in the
Next Open (authorizer) realm). ispermitted (principals, permission)
You should choose Authorizingrealm, open:
Public Boolean ispermitted (principalcollection principals, Permission Permission) { = Getauthorizationinfo ( principals); return ispermitted (permission, info); }
Open Getauthorizationinfo (principals)
protectedauthorizationinfo Getauthorizationinfo (principalcollection principals) {if(Principals = =NULL) { return NULL; } authorizationinfo Info=NULL; if(log.istraceenabled ()) {Log.trace ("Retrieving Authorizationinfo for Principals [" + Principals + "]"); } Cache<object, authorizationinfo> cache =Getavailableauthorizationcache (); if(Cache! =NULL) { if(log.istraceenabled ()) {Log.trace ("Attempting to retrieve the Authorizationinfo from the cache."); } Object Key=Getauthorizationcachekey (principals); Info=Cache.get (key); if(log.istraceenabled ()) {if(Info = =NULL) {Log.trace ("No Authorizationinfo found in the cache for principals [" + Principals + "]"); } Else{log.trace ("Authorizationinfo found in the cache for principals [" + Principals + "]"); } } } if(Info = =NULL) { //Call Template Method if the info is not found in a cache info = dogetauthorizationinfo (principals); //If the info is not null and the cache have been created, then cache the authorization info. if(Info! =NULL&& Cache! =NULL) { if(log.istraceenabled ()) {Log.trace ("Caching Authorization info for principals: [" + Principals + "]."); } Object Key=Getauthorizationcachekey (principals); Cache.put (key, info); } } returninfo; }
The first time you log in, the cache is empty, so you should look at the Info==null section and open Dogetauthorizationinfo (principals)
It's the end of the road.
See that it is a subclass of Authenticatingrealm, so all methods of the parent class are
So authorization is used for this class of methods Dogetauthorizationinfo (PrincipalCollection principals)
So inherit this class and override this method to customize your own authorization.
Authorizingsecuritymanager's inheritance Relationship:
There are these methods:
Shiro authorization of source code analysis