Shiro: AuthenticationStrategy
AuthenticationStrategy
When two or more realms are configured for an application, the ModularRealmAuthenticator relies on an internal AuthenticationStrategy component to determine the conditions for which an authentication attempt succeeds or fails.
For example, if only one Realm authenticates an AuthenticationToken successfully, but all others fail, is the authentication attempt considered successful? Or must all Realms authenticate successfully for the overall attempt to be considered successful? Or, if a Realm authenticates successfully, is it necessary to consult other Realms further? An AuthenticationStrategy makes the appropriate decision based on an application's needs.
An AuthenticationStrategy is a stateless component that is consulted 4 times during an authentication attempt (any necessary state required for these 4 interactions will be given as method arguments):
- before any of the Realms are invoked
- immediately before an individual Realm's getAuthenticationInfo method is called
- immediately after an individual Realm's getAuthenticationInfo method is called
- after all of the Realms have been invoked
Also, an AuthenticationStrategy is responsible for aggregating the results from each successful Realm and 'bundling' them into a single AuthenticationInfo representation. This final aggregate AuthenticationInfo instance is what is returned by the Authenticator instance and is what Shiro uses to represent the Subject's final identity (aka Principals).
Subject Identity 'View'
If you use more than one Realm in your application to acquire account data from multiple data sources, the AuthenticationStrategy is ultimately responsible for the final 'merged' view of the Subject's identity that is seen by the application.
Shiro has 3 concrete AuthenticationStrategy implementations:
AuthenticationStrategy class | Description
---|---
AtLeastOneSuccessfulStrategy | If one (or more) Realms authenticate successfully, the overall attempt is considered successful. If none authenticate successfully, the attempt fails.
FirstSuccessfulStrategy | Only the information returned from the first successfully authenticated Realm will be used. All further Realms will be ignored. If none authenticate successfully, the attempt fails.
AllSuccessfulStrategy | All configured Realms must authenticate successfully for the overall attempt to be considered successful. If any one does not authenticate successfully, the attempt fails.
The ModularRealmAuthenticator defaults to the AtLeastOneSuccessfulStrategy implementation, as this is the most commonly desired strategy. However, you could configure a different strategy if you wanted:
[main]
...
authcStrategy = org.apache.shiro.authc.pam.FirstSuccessfulStrategy
securityManager.authenticator.authenticationStrategy = $authcStrategy
...
Custom AuthenticationStrategy
If you wanted to create your own AuthenticationStrategy implementation yourself, you could use the org.apache.shiro.authc.pam.AbstractAuthenticationStrategy as a starting point. The AbstractAuthenticationStrategy class automatically implements the 'bundling'/aggregation behavior of merging the results from each Realm into a single AuthenticationInfo instance.
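As an added example (not Shiro's own code and not part of the original post), here is a custom strategy built on AbstractAuthenticationStrategy. It overrides two of the four callbacks described above. The motivation is a caveat worth knowing about the default: when a Realm's getAuthenticationInfo throws, the ModularRealmAuthenticator catches the exception and hands it to the strategy's afterAttempt as the Throwable argument, and AtLeastOneSuccessfulStrategy simply moves on to the next Realm. So if a primary realm (say, a directory server) is unreachable, a login can still succeed through whatever other realm happens to accept the token. The class name FailClosedAtLeastOneStrategy is hypothetical; everything else it calls is the Shiro API named on this page.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AbstractAuthenticationStrategy;
import org.apache.shiro.realm.Realm;

/**
 * Fail-closed variant of AtLeastOneSuccessfulStrategy (hypothetical example class,
 * not part of Shiro). A Realm that throws while handling the token aborts the whole
 * attempt instead of being skipped, so an outage in one realm cannot be turned into
 * a successful login through another realm that was supposed to be secondary.
 * The aggregation ("bundling") of successful realm results is inherited unchanged
 * from AbstractAuthenticationStrategy.
 */
public class FailClosedAtLeastOneStrategy extends AbstractAuthenticationStrategy {

    // Called by ModularRealmAuthenticator right after each supporting Realm's
    // getAuthenticationInfo; t is non-null when that call threw.
    @Override
    public AuthenticationInfo afterAttempt(Realm realm,
                                           AuthenticationToken token,
                                           AuthenticationInfo singleRealmInfo,
                                           AuthenticationInfo aggregateInfo,
                                           Throwable t) throws AuthenticationException {
        if (t != null) {
            // Rethrow rather than continue: the attempt fails as a whole.
            if (t instanceof AuthenticationException) {
                throw (AuthenticationException) t;
            }
            throw new AuthenticationException(
                    "Realm [" + realm.getName() + "] failed during authentication", t);
        }
        // No exception: let the superclass merge this realm's result into the aggregate.
        return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t);
    }

    // Called once after every Realm has been consulted; decide the overall outcome.
    @Override
    public AuthenticationInfo afterAllAttempts(AuthenticationToken token,
                                               AuthenticationInfo aggregate)
            throws AuthenticationException {
        if (aggregate == null
                || aggregate.getPrincipals() == null
                || aggregate.getPrincipals().isEmpty()) {
            throw new AuthenticationException(
                    "No configured realm authenticated the submitted token");
        }
        return aggregate;
    }
}
```

Wire it in exactly like the built-in strategies, e.g. in INI with `authcStrategy = <your package>.FailClosedAtLeastOneStrategy` and `securityManager.authenticator.authenticationStrategy = $authcStrategy`. Whether failing closed is the right trade-off depends on the deployment: it removes the silent fallback, but it also means one unavailable realm blocks every login that reaches it.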
Realm Authentication Order
It is very important to point out that the ModularRealmAuthenticator will interact with Realm instances in iteration order.
The ModularRealmAuthenticator has access to the Realm instances configured on the SecurityManager. When performing an authentication attempt, it will iterate over that collection, and for each Realm that supports the submitted AuthenticationToken, invoke the Realm's getAuthenticationInfo method.
Implicit Ordering
When using Shiro's INI configuration format, you should configure Realms in the order you want them to process an AuthenticationToken. For example, in shiro.ini, Realms will be consulted in the order in which they are defined in the INI file. That is, for the following shiro.ini example:
blahRealm = com.company.blah.Realm
...
fooRealm = com.company.foo.Realm
...
barRealm = com.company.another.Realm
The SecurityManager will be configured with those three realms, and during an authentication attempt, blahRealm, fooRealm, and barRealm will be invoked in that order.
This has basically the same effect as if the following line were defined:
securityManager.realms = $blahRealm, $fooRealm, $barRealm
Using this approach, you don't need to set the securityManager's realms property - every realm defined will automatically be added to the realms property.
Explicit Ordering
If you want to explicitly define the order in which the realms will be interacted with, regardless of how they are defined, you can set the securityManager's realms property as an explicit collection property. For example, if using the definition above, but you wanted the blahRealm to be consulted last instead of first:
blahRealm = com.company.blah.Realm
...
fooRealm = com.company.foo.Realm
...
barRealm = com.company.another.Realm
securityManager.realms = $fooRealm, $barRealm, $blahRealm
...
Explicit Realm Inclusion
When you explicitly configure the securityManager.realms property, only the referenced realms will be configured on the SecurityManager. This means you could define 5 realms in INI, but only actually use 3 if 3 are referenced for the realms property. This is different than implicit realm ordering, where all available realms will be used.
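The following program is an added example (not from the original post and not Shiro's own code) that does programmatically what the INI fragments above do: it installs a ModularRealmAuthenticator with a chosen strategy, sets the realms in an explicit order, leaves one defined realm out of that list, and then reports which realms contributed principals to the merged AuthenticationInfo. The realm names, user names and passwords are constructed sample data held in SimpleAccountRealm instances; the class RealmOrderDemo and its helper method are hypothetical. Running it with FirstSuccessfulStrategy and with AtLeastOneSuccessfulStrategy shows the difference in the 'merged view' described in the table above.

```java
import java.util.Arrays;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

/** Hypothetical demo class; realm names and accounts below are constructed sample data. */
public class RealmOrderDemo {

    /**
     * Builds a SecurityManager with the given strategy and an explicit realm list,
     * authenticates one user, and returns the names of the realms whose principals
     * ended up in the merged AuthenticationInfo.
     */
    static Set<String> contributingRealms(AuthenticationStrategy strategy,
                                          String user, String password) {
        // Fresh realms on every call: the default merge step adds principals into the
        // first successful realm's principal collection, so reusing realm objects
        // across runs would carry state from one run into the next.
        SimpleAccountRealm blahRealm = new SimpleAccountRealm("blahRealm");
        blahRealm.addAccount("alice", "secret");
        SimpleAccountRealm fooRealm = new SimpleAccountRealm("fooRealm");
        fooRealm.addAccount("alice", "secret");
        SimpleAccountRealm barRealm = new SimpleAccountRealm("barRealm");
        barRealm.addAccount("bob", "hunter2");
        // Defined like the others but never referenced in setRealms(), so it is never
        // consulted: the programmatic counterpart of "Explicit Realm Inclusion".
        SimpleAccountRealm unusedRealm = new SimpleAccountRealm("unusedRealm");
        unusedRealm.addAccount("alice", "secret");

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(strategy);

        DefaultSecurityManager sm = new DefaultSecurityManager();
        // Install the authenticator before the realms: setRealms() pushes the realm
        // list into the ModularRealmAuthenticator that is installed at that moment.
        sm.setAuthenticator(authenticator);
        // Explicit order, the equivalent of:
        //   securityManager.realms = $fooRealm, $barRealm, $blahRealm
        sm.setRealms(Arrays.<Realm>asList(fooRealm, barRealm, blahRealm));

        AuthenticationInfo info = sm.authenticate(new UsernamePasswordToken(user, password));
        return info.getPrincipals().getRealmNames();
    }

    public static void main(String[] args) {
        // "alice" exists in fooRealm (consulted first) and blahRealm (consulted last).
        // FirstSuccessfulStrategy keeps only the first success and ignores the rest.
        System.out.println("FirstSuccessful: "
                + contributingRealms(new FirstSuccessfulStrategy(), "alice", "secret"));
        // AtLeastOneSuccessfulStrategy bundles every successful realm into one identity.
        System.out.println("AtLeastOne:      "
                + contributingRealms(new AtLeastOneSuccessfulStrategy(), "alice", "secret"));
        // "bob" is known only to barRealm, so only that realm can contribute.
        System.out.println("bob:             "
                + contributingRealms(new FirstSuccessfulStrategy(), "bob", "hunter2"));
    }
}
```

Compile and run it with shiro-core on the classpath. Swapping the order of the three realms in setRealms() changes which realm "wins" under FirstSuccessfulStrategy, which is the point of the ordering sections above: when several data sources hold the same user name, the realm order decides whose account data becomes the Subject's identity.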
Reposted from: https://my.oschina.net/projerry/blog/995839