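I am using Tapestry 5 and Apache Shiro for security. I am stuck on authenticating users from a database table.
In this function, doGetAuthenticationInfo(), don't we need to set the Subject?
What is the purpose of SimpleAuthenticationInfo?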
    package com.kids.crm.services;

    import java.util.HashSet;
    import java.util.Set;
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AccountException;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationException;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.SimpleByteSource;
    import org.apache.tapestry5.ioc.annotations.Inject;
    import org.springframework.beans.factory.annotation.Autowired;
    import com.kids.crm.dao.DatabaseDao;
    import com.kids.crm.dao.UserAccountDao;
    import com.kids.crm.dao.impl.UserAccountDaoImpl;
    import com.kids.crm.db.Role;
    import com.kids.crm.db.UserAccount;

    public class UserRealm extends AuthorizingRealm {

        @Inject
        UserAccountDao userAccountDao;

        public UserRealm() {
            setName("localaccounts");
            setAuthenticationTokenClass(UsernamePasswordToken.class);
        }

        // Look up the account row for the given user name
        private UserAccount findByUsername(String userName) {
            return (UserAccount) userAccountDao.getUserByUserName(userName);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            //Subject currentUser = SecurityUtils.getSubject();
            UsernamePasswordToken upToken = (UsernamePasswordToken) token;
            String username = upToken.getUsername();
            upToken.setRememberMe(true);

            // Null username is invalid
            if (username == null) {
                throw new AccountException("Null usernames are not allowed by this realm.");
            }

            UserAccount user = findByUsername(username);
            // Unknown user: fail authentication instead of dereferencing null
            if (user == null) {
                throw new UnknownAccountException("No account found for user [" + username + "]");
            }

            // Return the stored hash and salt; the realm's CredentialsMatcher does the comparison
            return new SimpleAuthenticationInfo(username, user.getEncodedPassword(),
                    new SimpleByteSource(user.getPasswordSalt()), getName());
        }

        // doGetAuthorizationInfo(PrincipalCollection) is not shown in the post
    }

Posted on 2011-12-30 00:22:09
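There is no better source for answers than Shiro's javadoc. doGetAuthenticationInfo() returns an AuthenticationInfo. SimpleAuthenticationInfo is an implementation of AuthenticationInfo. As the javadoc says, a Subject "represents state and security operations for a single application user", so no, we don't set the Subject here, but the framework sets it repeatedly for each request. The purpose of (Simple)AuthenticationInfo is to represent "a Subject's (aka user's) stored account information relevant to the authentication/log-in process only". The realm's responsibility is to create an AuthenticationInfo (if the user is found), and then the CredentialsMatcher compares the AuthenticationToken against the AuthenticationInfo to determine whether the given credentials are valid.
You didn't explain how you are "stuck", but assuming your findByUsername() returns a proper UserAccount, you probably haven't configured the right CredentialsMatcher. Perhaps you need to set a HashedCredentialsMatcher to your realm.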
https://stackoverflow.com/questions/8657943
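Added example, not part of the original answer and not Shiro's own code: a self-contained realm wired with a HashedCredentialsMatcher as the answer suggests, showing the matcher hashing the submitted password with the salt carried in SimpleAuthenticationInfo and comparing it to the stored hash. The account, salt, SHA-256 and the 1024 iterations are constructed assumptions, and the package names follow the Shiro 1.x imports used in the question.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo {
    static final int ITERATIONS = 1024; // assumed; must equal the value used when the hash was stored
    // Constructed sample account standing in for a database row.
    static final String USER = "alice";
    static final String SALT = "constructed-salt";
    static final String STORED_HEX =
            new Sha256Hash("s3cret", ByteSource.Util.bytes(SALT), ITERATIONS).toHex();

    static class DemoRealm extends AuthorizingRealm {
        DemoRealm() {
            setName("localaccounts");
            // The matcher must mirror how the stored hash was produced.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true); // STORED_HEX is hex, not Base64
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = ((UsernamePasswordToken) token).getUsername();
            if (!USER.equals(username)) {
                throw new UnknownAccountException("No account for " + username);
            }
            // Only return what is stored; no password comparison happens here.
            return new SimpleAuthenticationInfo(username, STORED_HEX, ByteSource.Util.bytes(SALT), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo();
        }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        // getAuthenticationInfo() calls doGetAuthenticationInfo(), then the CredentialsMatcher.
        realm.getAuthenticationInfo(new UsernamePasswordToken(USER, "s3cret"));
        System.out.println("correct password accepted");
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken(USER, "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

Without the setCredentialsMatcher() call the realm falls back to SimpleCredentialsMatcher, which compares the submitted password directly with the stored value, so every login against a hashed password fails.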