从realm中获取所有需要的用户,角色,权限
从Subject开始,
The term <em>principal</em> is just a fancy security term for any identifying attribute(s) of an application
user, such as a username, or user id, or public key, or anything else you might use in your application to
identify a user.
打开boolean isPermitted(Permission permission)到达DelegatingSubject
public boolean isPermitted(Permission permission) {
return hasPrincipals() && securityManager.isPermitted(getPrincipals(), permission);
}
是securityManager在工作
打开isPermitted,到达AuthorizingSecurityManager
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
return this.authorizer.isPermitted(principals, permission);
}
此处是插曲,插曲开始=========================================================
AuthorizingSecurityManager是什么?
Shiro support of a {@link SecurityManager} class hierarchy that delegates all
authorization (access control) operations to a wrapped {@link Authorizer Authorizer} instance. That is,
this class implements all the <tt>Authorizer</tt> methods in the {@link SecurityManager SecurityManager}
interface, but in reality, those methods are merely passthrough calls to the underlying ‘real‘
<tt>Authorizer</tt> instance.
先要找authorizer:
public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager {
/**
* The wrapped instance to which all of this <tt>SecurityManager</tt> authorization calls are delegated.
*/
private Authorizer authorizer;
/**
* Default no-arg constructor that initializes an internal default
* {@link org.apache.shiro.authz.ModularRealmAuthorizer ModularRealmAuthorizer}.
*/
public AuthorizingSecurityManager() {
super();
this.authorizer = new ModularRealmAuthorizer();
}
/**
* Returns the underlying wrapped <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt>
* implementation delegates all of its authorization calls.
*
* @return the wrapped <tt>Authorizer</tt> used by this <tt>SecurityManager</tt> implementation.
*/
public Authorizer getAuthorizer() {
return authorizer;
}
/**
* Sets the underlying <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> implementation will
* delegate all of its authorization calls.
*
* @param authorizer the <tt>Authorizer</tt> this <tt>SecurityManager</tt> should wrap and delegate all of its
* authorization calls to.
*/
public void setAuthorizer(Authorizer authorizer) {
if (authorizer == null) {
String msg = "Authorizer argument cannot be null.";
throw new IllegalArgumentException(msg);
}
this.authorizer = authorizer;
}
找到了,原来AuthorizingSecurityManager中的authorizer是new ModularRealmAuthorizer()
插曲结束=========================================================
打开this.authorizer.isPermitted(principals, permission)
看到:
知道authorizer是new ModularRealmAuthorizer(),所以点开ModularRealmAuthorizer看到:
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
assertRealmsConfigured();
for (Realm realm : getRealms()) {
if (!(realm instanceof Authorizer)) continue;
if (((Authorizer) realm).isPermitted(principals, permission)) {
return true;
}
}
return false;
}
这里出现了Realm
打开getRealms()到达了ModularRealmAuthorizer,神奇:
public ModularRealmAuthorizer(Collection<Realm> realms) {
setRealms(realms);
}
看到在ModularRealmAuthorizer的构造器中注入了realm,
原来AuthorizingSecurityManager在初始化的时候,已经把realm注入到属性authorizer中了就是ModularRealmAuthorizer中了
接下来打开(Authorizer) realm).isPermitted(principals, permission)
应该选择AuthorizingRealm,打开:
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
AuthorizationInfo info = getAuthorizationInfo(principals);
return isPermitted(permission, info);
}
打开getAuthorizationInfo(principals)
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
if (principals == null) {
return null;
}
AuthorizationInfo info = null;
if (log.isTraceEnabled()) {
log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");
}
Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache();
if (cache != null) {
if (log.isTraceEnabled()) {
log.trace("Attempting to retrieve the AuthorizationInfo from cache.");
}
Object key = getAuthorizationCacheKey(principals);
info = cache.get(key);
if (log.isTraceEnabled()) {
if (info == null) {
log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");
} else {
log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");
}
}
}
if (info == null) {
// Call template method if the info was not found in a cache
info = doGetAuthorizationInfo(principals);
// If the info is not null and the cache has been created, then cache the authorization info.
if (info != null && cache != null) {
if (log.isTraceEnabled()) {
log.trace("Caching authorization info for principals: [" + principals + "].");
}
Object key = getAuthorizationCacheKey(principals);
cache.put(key, info);
}
}
return info;
}
首次登录,缓存是空的,所以应该看info==null的部分,打开doGetAuthorizationInfo(principals)
走到头了,到这授权就走到头了
看到它是AuthenticatingRealm的子类,所以具有父类的所有方法,
所以授权是用的这个类的方法doGetAuthorizationInfo(PrincipalCollection principals)
所以继承这个类,重写这个方法就可以自定义自己的授权了
AuthorizingSecurityManager的继承关系:
有这些方法:
