tapestry shiro安全认证

时间:2011-12-28 15:43:51

标签: tapestry shiro

我正在使用Tapestry5和apache shiro来保证安全。 我无法从数据库表中验证用户。

在这个函数中,doGetAuthenticationInfo()不需要设置主题吗?

SimpleAuthenticationInfo的目的是什么?

package com.kids.crm.services;

import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.SimpleByteSource;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.springframework.beans.factory.annotation.Autowired;

import com.kids.crm.dao.DatabaseDao;
import com.kids.crm.dao.UserAccountDao;
import com.kids.crm.dao.impl.UserAccountDaoImpl;
import com.kids.crm.db.Role;
import com.kids.crm.db.UserAccount;


public class UserRealm extends AuthorizingRealm {
        @Inject UserAccountDao userAccountDao;
        public UserRealm() {
                setName("localaccounts");
                setAuthenticationTokenClass(UsernamePasswordToken.class);
        }

        private UserAccount findByUsername(String userName) {
                return (UserAccount) userAccountDao.getUserByUserName(userName);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
                //Subject currentUser = SecurityUtils.getSubject();
                UsernamePasswordToken upToken = (UsernamePasswordToken) token;

                        String username = upToken.getUsername();
                        upToken.setRememberMe(true);
                        // Null username is invalid
                        if (username == null) { throw new AccountException("Null usernames are not allowed by this realm."); }
                        UserAccount user = findByUsername(username);

                return new SimpleAuthenticationInfo(username, user.getEncodedPassword(), new SimpleByteSource(user.getPasswordSalt()), getName());
        }

}

1 个答案:

答案 0 :(得分:4)

没有比Shiro's javadoc更好的答案来源。 doGetAuthenticationInfo()返回AuthenticationInfo。 SimpleAuthenticationInfo是AuthenticationInfo的一个实现。 Subject“表示单个应用程序用户的状态和安全操作”,如javadoc所述,所以不,我们不在此处设置主题,但框架会为每个请求重复设置它。 (简单)AuthenticationInfo的目的是表示“仅与认证/登录过程相关的主题(也称为用户)存储的帐户信息”。领域的责任是创建AuthenticationInfo(如果找到用户),然后CredentialsMatcher将AuthenticationToken与AuthenticationInfo进行比较,以确定给定的凭据是否有效。

您没有解释“卡住”的方式,但假设您的findByUsername()返回适当的UserAccount,您可能没有配置正确的CredentialsMatcher。也许你需要set a HashedCredentialsMatcher to your realm

相关问题
最新问题