2

我正在使用 Tapestry5 和 apache shiro 来保证安全。我坚持从数据库表中验证用户。

在这个函数 doGetAuthenticationInfo() 中我们不需要设置 Subject 吗?

SimpleAuthenticationInfo 的用途是什么?

package com.kids.crm.services;

import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.SimpleByteSource;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.springframework.beans.factory.annotation.Autowired;

import com.kids.crm.dao.DatabaseDao;
import com.kids.crm.dao.UserAccountDao;
import com.kids.crm.dao.impl.UserAccountDaoImpl;
import com.kids.crm.db.Role;
import com.kids.crm.db.UserAccount;


public class UserRealm extends AuthorizingRealm {
        @Inject UserAccountDao userAccountDao;
        public UserRealm() {
                setName("localaccounts");
                setAuthenticationTokenClass(UsernamePasswordToken.class);
        }

        private UserAccount findByUsername(String userName) {
                return (UserAccount) userAccountDao.getUserByUserName(userName);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
                //Subject currentUser = SecurityUtils.getSubject();
                UsernamePasswordToken upToken = (UsernamePasswordToken) token;

                        String username = upToken.getUsername();
                        upToken.setRememberMe(true);
                        // Null username is invalid
                        if (username == null) { throw new AccountException("Null usernames are not allowed by this realm."); }
                        UserAccount user = findByUsername(username);

                return new SimpleAuthenticationInfo(username, user.getEncodedPassword(), new SimpleByteSource(user.getPasswordSalt()), getName());
        }

}
4

1 回答 1

4

没有比Shiro 的 javadoc更好的答案来源了。doGetAuthenticationInfo() 返回一个 AuthenticationInfo。SimpleAuthenticationInfo 是 AuthenticationInfo 的实现。正如 javadoc 所说,主题“代表单个应用程序用户的状态和安全操作”,所以不,我们不在这里设置主题,但框架会为每个请求重复设置它。(简单)AuthenticationInfo的目的是表示“仅与身份验证/登录过程相关的主题(又名用户)存储的帐户信息”。领域的职责是创建一个 AuthenticationInfo(如果找到用户),然后 CredentialsMatcher 将 AuthenticationToken 与 AuthenticationInfo 进行比较,以确定给定的凭据是否有效。

您没有解释您是如何“被卡住”的,但假设您的 findByUsername() 返回了适当的 UserAccount,您可能没有配置正确的 CredentialsMatcher。也许您需要为您的领域设置一个 HashedCredentialsMatcher

于 2011-12-29T16:22:09.030 回答