追踪Subject的login(AuthenticationToken token)方法,其调用的为DelegatingSubject类的login方法,DelegatingSubject实现了Subject接口,DelegatingSubject#login如下:
1 public void login(AuthenticationToken token) throws AuthenticationException {
2 clearRunAsIdentitiesInternal();
3 Subject subject = securityManager.login(this, token);
4
5 PrincipalCollection principals;
6
7 String host = null;
8
9 if (subject instanceof DelegatingSubject) {
10 DelegatingSubject delegating = (DelegatingSubject) subject;
11 //we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
12 principals = delegating.principals;
13 host = delegating.host;
14 } else {
15 principals = subject.getPrincipals();
16 }
17
18 if (principals == null || principals.isEmpty()) {
19 String msg = "Principals returned from securityManager.login( token ) returned a null or " +
20 "empty value. This value must be non null and populated with one or more elements.";
21 throw new IllegalStateException(msg);
22 }
23 this.principals = principals;
24 this.authenticated = true;
25 if (token instanceof HostAuthenticationToken) {
26 host = ((HostAuthenticationToken) token).getHost();
27 }
28 if (host != null) {
29 this.host = host;
30 }
31 Session session = subject.getSession(false);
32 if (session != null) {
33 this.session = decorate(session);
34 } else {
35 this.session = null;
36 }
37 }
在上面代码的第三行:Subject subject = securityManager.login(this, token); 注意到其调用了SecurityManager的login方法,SecurityManager为接口,实际上调用的其实现类DefaultSecurityManager的login方法,方法如下:
1 public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
2 AuthenticationInfo info;
3 try {
4 info = authenticate(token);
5 } catch (AuthenticationException ae) {
6 try {
7 onFailedLogin(token, ae, subject);
8 } catch (Exception e) {
9 if (log.isInfoEnabled()) {
10 log.info("onFailedLogin method threw an " +
11 "exception. Logging and propagating original AuthenticationException.", e);
12 }
13 }
14 throw ae; //propagate
15 }
16
17 Subject loggedIn = createSubject(token, info, subject);
18
19 onSuccessfulLogin(token, info, loggedIn);
20
21 return loggedIn;
22 }
在上面代码第四行:info = authenticate(token); 继续跟踪,发现authenticate(AuthenticationToken token);方法为DefaultSecurityManager的父类AuthenticatingSecurityManager的方法,AuthenticatingSecurityManager#authenticate方法如下:
1 public AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
2 return this.authenticator.authenticate(token);
3 }
authenticator为Authenticator接口,继续跟踪,AbstractAuthenticator抽象类实现了Authenticator接口,接下来继续查看AbstractAuthenticator#authenticate(token);方法:
1 public final AuthenticationInfo authenticate(AuthenticationToken token) throws AuthenticationException {
2
3 if (token == null) {
4 throw new IllegalArgumentException("Method argument (authentication token) cannot be null.");
5 }
6
7 log.trace("Authentication attempt received for token [{}]", token);
8
9 AuthenticationInfo info;
10 try {
11 info = doAuthenticate(token);
12 if (info == null) {
13 String msg = "No account information found for authentication token [" + token + "] by this " +
14 "Authenticator instance. Please check that it is configured correctly.";
15 throw new AuthenticationException(msg);
16 }
17 } catch (Throwable t) {
18 AuthenticationException ae = null;
19 if (t instanceof AuthenticationException) {
20 ae = (AuthenticationException) t;
21 }
22 if (ae == null) {
23 //Exception thrown was not an expected AuthenticationException. Therefore it is probably a little more
24 //severe or unexpected. So, wrap in an AuthenticationException, log to warn, and propagate:
25 String msg = "Authentication failed for token submission [" + token + "]. Possible unexpected " +
26 "error? (Typical or expected login exceptions should extend from AuthenticationException).";
27 ae = new AuthenticationException(msg, t);
28 if (log.isWarnEnabled())
29 log.warn(msg, t);
30 }
31 try {
32 notifyFailure(token, ae);
33 } catch (Throwable t2) {
34 if (log.isWarnEnabled()) {
35 String msg = "Unable to send notification for failed authentication attempt - listener error?. " +
36 "Please check your AuthenticationListener implementation(s). Logging sending exception " +
37 "and propagating original AuthenticationException instead...";
38 log.warn(msg, t2);
39 }
40 }
41 throw ae;
42 }
43
44 log.debug("Authentication successful for token [{}]. Returned account [{}]", token, info);
45
46 notifySuccess(token, info);
47
48 return info;
49 }
上面代码第11行:info = doAuthenticate(token); 这个方法为ModularRealmAuthticator类中的方法,因为ModularRealmAuthticator继承了AbstractAuthenticator抽象类。另外,要注意第12行-第16行,如果info==null,就会抛出异常。ModularRealmAuthticator的doAuthenticate(token);方法如下:
1 protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
2 assertRealmsConfigured();
3 Collection<Realm> realms = getRealms();
4 if (realms.size() == 1) {
5 return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
6 } else {
7 return doMultiRealmAuthentication(realms, authenticationToken);
8 }
9 }
这里,我们关注上面第五行代码:doSingleRealmAuthentication(realms.iterator().next(), authenticationToken); else语句中的doMultiRealmAuthentication(realms, authenticationToken);类似。跟踪到doSingleRealmAuthentication方法如下:
1 protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token) {
2 if (!realm.supports(token)) {
3 String msg = "Realm [" + realm + "] does not support authentication token [" +
4 token + "]. Please ensure that the appropriate Realm implementation is " +
5 "configured correctly or that the realm accepts AuthenticationTokens of this type.";
6 throw new UnsupportedTokenException(msg);
7 }
8 AuthenticationInfo info = realm.getAuthenticationInfo(token);
9 if (info == null) {
10 String msg = "Realm [" + realm + "] was unable to find account data for the " +
11 "submitted AuthenticationToken [" + token + "].";
12 throw new UnknownAccountException(msg);
13 }
14 return info;
15 }
上面代码第八行:AuthenticationInfo info = realm.getAuthenticationInfo(token); realm为Realm接口,实际上调用的是其实现类AuthenticatingRealm中的getAuthenticationInfo方法,方法如下:
1 public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
2
3 AuthenticationInfo info = getCachedAuthenticationInfo(token);
4 if (info == null) {
5 //otherwise not cached, perform the lookup:
6 info = doGetAuthenticationInfo(token);
7 log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
8 if (token != null && info != null) {
9 cacheAuthenticationInfoIfPossible(token, info);
10 }
11 } else {
12 log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
13 }
14
15 if (info != null) {
16 assertCredentialsMatch(token, info);
17 } else {
18 log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
19 }
20 return info;
21 }
上面代码第三行:AuthenticationInfo info = getCachedAuthenticationInfo(token);从缓存中获取认证信息,如果未获取到,则调用第六行的doGetAuthenticationInfo(token); 方法获取认证信息。继续跟踪,发现有几个类实现了该方法,如下图所示:
最后,附上SecurityManager和Realm等的类关系图:
Realm:
SecurityManager:
Authenticator:
