public abstract class AuthenticatingRealm extends CachingRealm implements Initializable

Authentication caching is enabled by setting authenticationCachingEnabled = true (and configuring Shiro with a CacheManager, of course), but NOTE:

ONLY enable authentication caching if either of the following is true for your realm implementation:

- Your doGetAuthenticationInfo implementation returns AuthenticationInfo instances whose credentials are securely obfuscated and NOT plaintext (raw) credentials. For example, if your realm references accounts with passwords, the AuthenticationInfo's credentials must be safely hashed and salted or otherwise fully encrypted.
- Your doGetAuthenticationInfo implementation returns AuthenticationInfo instances whose credentials are plaintext (raw), AND the cache region storing the AuthenticationInfo instances WILL NOT overflow to disk and WILL NOT transmit cache entries over an unprotected (non TLS/SSL) network (as might be the case with a networked/distributed enterprise cache). This should be the case even in private/trusted/corporate networks.

These conditions matter because, when authentication caching is enabled, this class places the AuthenticationInfo instances returned by the subclass directly in the cache, i.e. cache.put(cacheKey, subclassAuthenticationInfoInstance);

Enabling authentication caching is ONLY safe to do if one of the above two scenarios applies. It is NOT safe to enable under any other scenario. When possible, always represent and store credentials in a safe form (hash+salt or encrypted) to eliminate plaintext visibility.

Cached authentication data for an account can be removed on logout only if the getAuthenticationCacheKey(org.apache.shiro.authc.AuthenticationToken) and getAuthenticationCacheKey(org.apache.shiro.subject.PrincipalCollection) methods return the exact same value.

The default implementations of these methods expect that AuthenticationToken.getPrincipal() (what the user submits during login) and getAvailablePrincipal (what is returned by the realm after account lookup) return the same exact value, for example that the user-submitted username is also the primary account identifier. However, if your application uses, say, a username for end-user login but returns a primary key ID as the primary principal after authentication, then you will need to override either getAuthenticationCacheKey(token) or getAuthenticationCacheKey(principals) (or both) to ensure that the same cache key can be used for either object. This guarantees that the same cache key used to cache the data during authentication (derived from the AuthenticationToken) will be used to remove the cached data during logout (derived from the PrincipalCollection).

If the return values of getAuthenticationCacheKey(org.apache.shiro.authc.AuthenticationToken) and getAuthenticationCacheKey(org.apache.shiro.subject.PrincipalCollection) are not identical, cached authentication data removal is at the mercy of your cache provider settings. For example, cache implementations often evict entries based on a timeToIdle or timeToLive (TTL) value. If this lazy eviction capability of the cache product is not sufficient and you want discrete behavior (highly recommended for authentication data), ensure that the return values from those two methods are identical in the subclass implementation.

Constructor and Description |
---|
AuthenticatingRealm() |
AuthenticatingRealm(CacheManager cacheManager) |
AuthenticatingRealm(CacheManager cacheManager, CredentialsMatcher matcher) |
AuthenticatingRealm(CredentialsMatcher matcher) |
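The following is an added example, not code from Shiro or from this Javadoc. It shows a subclass that satisfies the first safe-caching condition above (only salted hashes ever reach the cache) and keeps the two getAuthenticationCacheKey methods consistent for the username-login / numeric-primary-principal situation described above, so that logout actually evicts the cached entry instead of leaving it to the cache's TTL. It also overrides the per-attempt isAuthenticationCachingEnabled(token, info) hook documented further down the page. The class name HashedAccountRealm, the in-memory account map, and the sample account "alice" with its password are constructed for the example; SimpleAuthenticationInfo, HashedCredentialsMatcher, Sha256Hash and MemoryConstrainedCacheManager are Shiro's own classes.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Hypothetical realm (not part of Shiro): users log in with a username, but the primary principal is a
// numeric account id. Stored credentials are salted, iterated SHA-256 hashes, so the AuthenticationInfo
// placed in the authentication cache never holds a plaintext password.
public class HashedAccountRealm extends AuthenticatingRealm {

    private static final int HASH_ITERATIONS = 1024;

    // Constructed in-memory account record; a real realm would read this from its data store.
    private static final class Account {
        final long id;
        final Hash passwordHash; // the salt travels inside the Hash object
        Account(long id, Hash passwordHash) { this.id = id; this.passwordHash = passwordHash; }
    }

    private final Map<String, Account> accountsByUsername = new ConcurrentHashMap<>();

    public HashedAccountRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        setCredentialsMatcher(matcher);
        setAuthenticationCachingEnabled(true); // acceptable only because cached credentials are hashed
    }

    // Registers an account, keeping only a salted hash of the password.
    public void addAccount(long id, String username, char[] password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        accountsByUsername.put(username, new Account(id, new Sha256Hash(password, salt, HASH_ITERATIONS)));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        Account account = accountsByUsername.get(username);
        if (account == null) {
            return null; // contract of doGetAuthenticationInfo: null means no such account
        }
        // Primary principal is the account id; the username rides along as a second principal so the
        // logout-time cache key can be recovered from the PrincipalCollection.
        SimplePrincipalCollection principals = new SimplePrincipalCollection(account.id, getName());
        principals.add(username, getName());
        return new SimpleAuthenticationInfo(principals, account.passwordHash, account.passwordHash.getSalt());
    }

    // Login-time cache key: the submitted username.
    @Override
    protected Object getAuthenticationCacheKey(AuthenticationToken token) {
        return ((UsernamePasswordToken) token).getUsername();
    }

    // Logout-time cache key: must equal the login-time key, so return the username principal, not the id.
    @Override
    protected Object getAuthenticationCacheKey(PrincipalCollection principals) {
        for (Object principal : principals.fromRealm(getName())) {
            if (principal instanceof String) return principal;
        }
        return super.getAuthenticationCacheKey(principals); // fall back to the primary principal
    }

    // Per-attempt guard: refuse to cache any info object whose credentials are not a Hash.
    @Override
    protected boolean isAuthenticationCachingEnabled(AuthenticationToken token, AuthenticationInfo info) {
        return super.isAuthenticationCachingEnabled(token, info) && info.getCredentials() instanceof Hash;
    }

    public static void main(String[] args) {
        HashedAccountRealm realm = new HashedAccountRealm();
        realm.setName("accounts");
        realm.setCacheManager(new MemoryConstrainedCacheManager()); // in-process only: no disk, no network
        realm.init();
        realm.addAccount(42L, "alice", "correct horse battery staple".toCharArray()); // constructed sample

        AuthenticationInfo info = realm.getAuthenticationInfo(
                new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("primary principal=" + info.getPrincipals().getPrimaryPrincipal()
                + ", cached=" + (realm.getAuthenticationCache().get("alice") != null));
        try { // a cache hit still goes through assertCredentialsMatch
            realm.getAuthenticationInfo(new UsernamePasswordToken("alice", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected although the account is cached");
        }
        realm.onLogout(info.getPrincipals()); // evicts via getAuthenticationCacheKey(PrincipalCollection)
        System.out.println("cached after logout=" + (realm.getAuthenticationCache().get("alice") != null));
    }
}
```

The object that ends up in the cache is the SimpleAuthenticationInfo holding the account id, the username, the salted hash and its salt; HashedCredentialsMatcher re-hashes each submitted password against that salt, so a cache hit never bypasses credential verification. The username is carried as a second principal purely so that the logout-time key equals the login-time key: with the inherited primary-principal key, logout would try to remove the entry under 42 while it was stored under "alice", and removal would be left to the cache's TTL as the class-level notes warn.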
Modifier and Type | Method and Description |
---|---|
protected void | afterCacheManagerSet() This implementation attempts to acquire an authentication cache if one is not already configured. |
protected void | assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) Asserts that the submitted AuthenticationToken's credentials match the stored account AuthenticationInfo's credentials, and if not, throws an AuthenticationException. |
protected void | clearCachedAuthenticationInfo(PrincipalCollection principals) Clears out the AuthenticationInfo cache entry for the specified account. |
protected void | doClearCache(PrincipalCollection principals) This implementation clears out any cached authentication data by calling clearCachedAuthenticationInfo(org.apache.shiro.subject.PrincipalCollection). |
protected abstract AuthenticationInfo | doGetAuthenticationInfo(AuthenticationToken token) Retrieves authentication data from an implementation-specific datasource (RDBMS, LDAP, etc) for the given authentication token. |
Cache<Object,AuthenticationInfo> | getAuthenticationCache() Returns a Cache instance to use for authentication caching, or null if no cache has been set. |
protected Object | getAuthenticationCacheKey(AuthenticationToken token) Returns the key under which AuthenticationInfo instances are cached if authentication caching is enabled. |
protected Object | getAuthenticationCacheKey(PrincipalCollection principals) Returns the key under which AuthenticationInfo instances are cached if authentication caching is enabled. |
String | getAuthenticationCacheName() Returns the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache). |
AuthenticationInfo | getAuthenticationInfo(AuthenticationToken token) This implementation first attempts to acquire any cached AuthenticationInfo corresponding to the specified AuthenticationToken argument. |
Class | getAuthenticationTokenClass() Returns the authenticationToken class supported by this realm. |
CredentialsMatcher | getCredentialsMatcher() Returns the CredentialsMatcher used during an authentication attempt to verify submitted credentials with those stored in the system. |
void | init() Initializes this realm and potentially enables an authentication cache, depending on configuration. |
boolean | isAuthenticationCachingEnabled() Returns true if authentication caching should be utilized if a CacheManager has been configured, false otherwise. |
protected boolean | isAuthenticationCachingEnabled(AuthenticationToken token, AuthenticationInfo info) Returns true if authentication caching should be utilized based on the specified AuthenticationToken and/or AuthenticationInfo, false otherwise. |
protected void | onInit() Template method for subclasses to implement any initialization logic. |
void | setAuthenticationCache(Cache<Object,AuthenticationInfo> authenticationCache) Sets an explicit Cache instance to use for authentication caching. |
void | setAuthenticationCacheName(String authenticationCacheName) Sets the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache). |
void | setAuthenticationCachingEnabled(boolean authenticationCachingEnabled) Sets whether or not authentication caching should be utilized if a CacheManager has been configured. |
void | setAuthenticationTokenClass(Class<? extends AuthenticationToken> authenticationTokenClass) Sets the authenticationToken class supported by this realm. |
void | setCredentialsMatcher(CredentialsMatcher credentialsMatcher) Sets the CredentialsMatcher used during an authentication attempt to verify submitted credentials with those stored in the system. |
void | setName(String name) Sets the (preferably application unique) name for this component. |
boolean | supports(AuthenticationToken token) Convenience implementation that returns getAuthenticationTokenClass().isAssignableFrom(token.getClass()). |
Methods inherited from class CachingRealm: clearCache, getAvailablePrincipal, getCacheManager, getName, isCachingEnabled, onLogout, setCacheManager, setCachingEnabled
public AuthenticatingRealm()
public AuthenticatingRealm(CacheManager cacheManager)
public AuthenticatingRealm(CredentialsMatcher matcher)
public AuthenticatingRealm(CacheManager cacheManager, CredentialsMatcher matcher)
public CredentialsMatcher getCredentialsMatcher()

Returns the CredentialsMatcher used during an authentication attempt to verify submitted credentials with those stored in the system. Unless overridden by the setCredentialsMatcher method, the default value is a SimpleCredentialsMatcher instance.

Returns: the CredentialsMatcher used during an authentication attempt to verify submitted credentials with those stored in the system.

public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher)

Sets the CredentialsMatcher used during an authentication attempt to verify submitted credentials with those stored in the system. Unless overridden by this method, the default value is a SimpleCredentialsMatcher instance.

Parameters: credentialsMatcher - the matcher to use.

public Class getAuthenticationTokenClass()
Returns the authenticationToken class supported by this realm. The default value is UsernamePasswordToken.class, since about 90% of realms use username/password authentication, regardless of their protocol (e.g. over jdbc, ldap, kerberos, http, etc). If subclasses haven't already overridden the Realm.supports(AuthenticationToken) method, they must set a new class if they won't support UsernamePasswordToken authentication token submissions.

See Also: setAuthenticationTokenClass(java.lang.Class<? extends org.apache.shiro.authc.AuthenticationToken>)
public void setAuthenticationTokenClass(Class<? extends AuthenticationToken> authenticationTokenClass)
Sets the authenticationToken class supported by this realm. Unless overridden by this method, the default value is UsernamePasswordToken.class to support the majority of applications.

Parameters: authenticationTokenClass - the class of authentication token instances supported by this realm.

See Also: getAuthenticationTokenClass() for more explanation.
public void setAuthenticationCache(Cache<Object,AuthenticationInfo> authenticationCache)
Sets an explicit Cache instance to use for authentication caching. If not set and authentication caching is enabled, any available cacheManager will be used to acquire the cache instance if available.

WARNING: Only set this property if safe caching conditions apply, as documented at the top of this page in the class-level JavaDoc.

Parameters: authenticationCache - an explicit Cache instance to use for authentication caching, or null if the cache should possibly be obtained another way.

See Also: isAuthenticationCachingEnabled()
public Cache<Object,AuthenticationInfo> getAuthenticationCache()
Returns a Cache instance to use for authentication caching, or null if no cache has been set.

Returns: a Cache instance to use for authentication caching, or null if no cache has been set.

See Also: setAuthenticationCache(org.apache.shiro.cache.Cache), isAuthenticationCachingEnabled()
public String getAuthenticationCacheName()
Returns the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache). This name will only be used to look up a cache if authentication caching is enabled.

WARNING: Only set this property if safe caching conditions apply, as documented at the top of this page in the class-level JavaDoc.

Returns: the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache).

See Also: isAuthenticationCachingEnabled()
public void setAuthenticationCacheName(String authenticationCacheName)
Sets the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache). This name will only be used to look up a cache if authentication caching is enabled.

Parameters: authenticationCacheName - the name of a Cache to look up from any available cacheManager if a cache is not explicitly configured via setAuthenticationCache(org.apache.shiro.cache.Cache).

See Also: isAuthenticationCachingEnabled()
public boolean isAuthenticationCachingEnabled()
Returns true if authentication caching should be utilized if a CacheManager has been configured, false otherwise. The default value is true.

Returns: true if authentication caching should be utilized, false otherwise.

public void setAuthenticationCachingEnabled(boolean authenticationCachingEnabled)
Sets whether or not authentication caching should be utilized if a CacheManager has been configured. The default value is false to retain backwards compatibility with Shiro 1.1 and earlier.

WARNING: Only set this property to true if safe caching conditions apply, as documented at the top of this page in the class-level JavaDoc.

Parameters: authenticationCachingEnabled - the value to set

public void setName(String name)
Sets the (preferably application unique) name for this component.

Specified by: setName in interface Nameable
Overrides: setName in class CachingRealm

Parameters: name - the preferably application unique name for this component.

public boolean supports(AuthenticationToken token)

Convenience implementation that returns getAuthenticationTokenClass().isAssignableFrom(token.getClass()). Most configurations will only need to set a different class via setAuthenticationTokenClass(java.lang.Class<? extends org.apache.shiro.authc.AuthenticationToken>), as opposed to overriding this method.
public final void init()
Initializes this realm and potentially enables an authentication cache, depending on configuration. The following logic applies:

1. If the cache property has been set, it will be used to cache the AuthenticationInfo objects returned from getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method invocations. All future calls to getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) will attempt to use this cache first to alleviate any potentially unnecessary calls to an underlying data store.
2. If the cache property has not been set, the cacheManager property will be checked. If a cacheManager has been set, it will be used to eagerly acquire an authentication cache, and this cache will be used as specified in #1.
3. If neither the authenticationCache nor the cacheManager property is set, caching will not be utilized and authentication look-ups will be delegated to subclass implementations for each authentication attempt.

Finally, onInit() is called to allow subclasses to perform any init behavior desired.

Specified by: init in interface Initializable
protected void onInit()
Template method for subclasses to implement any initialization logic. Called from init().

protected void afterCacheManagerSet()

This implementation attempts to acquire an authentication cache if one is not already configured.

Overrides: afterCacheManagerSet in class CachingRealm
protected boolean isAuthenticationCachingEnabled(AuthenticationToken token, AuthenticationInfo info)
Returns true if authentication caching should be utilized based on the specified AuthenticationToken and/or AuthenticationInfo, false otherwise. The default implementation simply delegates to isAuthenticationCachingEnabled(), the general-case authentication caching setting. Subclasses can override this to turn on or off caching at runtime based on the specific submitted runtime values.

Parameters:
token - the submitted authentication token
info - the AuthenticationInfo acquired from data source lookup via doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)

Returns: true if authentication caching should be utilized based on the specified AuthenticationToken and/or AuthenticationInfo, false otherwise.

public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException
This implementation functions as follows:

1. It attempts to acquire any cached AuthenticationInfo corresponding to the specified AuthenticationToken argument. If a cached value is found, it will be used for credentials matching, alleviating the need to perform any lookups with a data source.
2. If no cached AuthenticationInfo is found, it delegates to the doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method to perform the actual lookup. If authentication caching is enabled and possible, any returned info object will be cached to be used in future authentication attempts.
3. If no AuthenticationInfo is found, null is returned to indicate an account cannot be found.
4. Otherwise, the submitted token's credentials are matched against the AuthenticationInfo's credentials using the credentialsMatcher. This means that credentials are always verified for an authentication attempt.

Specified by: getAuthenticationInfo in interface Realm

Parameters: token - the submitted account principal and credentials.

Returns: the AuthenticationInfo corresponding to the given token, or null if no AuthenticationInfo could be found.

Throws: AuthenticationException - if authentication failed.

protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException
Asserts that the submitted AuthenticationToken's credentials match the stored account AuthenticationInfo's credentials, and if not, throws an AuthenticationException.

Parameters:
token - the submitted authentication token
info - the AuthenticationInfo corresponding to the given token

Throws: AuthenticationException - if the token's credentials do not match the stored account credentials.

protected Object getAuthenticationCacheKey(AuthenticationToken token)
Returns the key under which AuthenticationInfo instances are cached if authentication caching is enabled. This implementation defaults to returning the token's principal, which is usually a username in most applications.

NOTE: to be able to invalidate an account's cached AuthenticationInfo on logout, you must ensure the getAuthenticationCacheKey(org.apache.shiro.subject.PrincipalCollection) method returns the same value as this method.

Parameters: token - the authentication token for which any successful authentication will be cached.

Returns: the key under which the associated AuthenticationInfo is cached after a successful authentication.

protected Object getAuthenticationCacheKey(PrincipalCollection principals)
Returns the key under which AuthenticationInfo instances are cached if authentication caching is enabled. This implementation delegates to CachingRealm.getAvailablePrincipal(org.apache.shiro.subject.PrincipalCollection), which returns the primary principal associated with this particular Realm.

NOTE: to be able to invalidate an account's cached AuthenticationInfo on logout, you must ensure that this method returns the same value as the getAuthenticationCacheKey(org.apache.shiro.authc.AuthenticationToken) method!

Parameters: principals - the principals of the account for which to set or remove cached AuthenticationInfo.

Returns: the key used to set or remove cached AuthenticationInfo instances.

protected void doClearCache(PrincipalCollection principals)
This implementation clears out any cached authentication data by calling clearCachedAuthenticationInfo(org.apache.shiro.subject.PrincipalCollection). If overriding in a subclass, be sure to call super.doClearCache to ensure this behavior is maintained.

Overrides: doClearCache in class CachingRealm

Parameters: principals - the principals of the account for which to clear any cached data.

protected void clearCachedAuthenticationInfo(PrincipalCollection principals)
Clears out the AuthenticationInfo cache entry for the specified account. The next authentication of that account will therefore go to the realm's data source via doGetAuthenticationInfo, and the resulting return value will be cached before being returned so it can be reused for later authentications.

If you wish to clear out all associated cached data (and not just authentication data), use the CachingRealm.clearCache(org.apache.shiro.subject.PrincipalCollection) method instead (which will in turn call this method by default).

Parameters: principals - the principals of the account for which to clear the cached AuthenticationInfo.

See Also: CachingRealm.clearCache(org.apache.shiro.subject.PrincipalCollection)
protected abstract AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException
Retrieves authentication data from an implementation-specific datasource (RDBMS, LDAP, etc) for the given authentication token. A null return value means that no account could be associated with the specified token.

Parameters: token - the authentication token containing the user's principal and credentials.

Returns: an AuthenticationInfo object containing account data resulting from the authentication ONLY if the lookup is successful (i.e. account exists and is valid, etc.)

Throws: AuthenticationException - if there is an error acquiring data or performing realm-specific authentication logic for the specified token

Copyright © 2004-2016 The Apache Software Foundation. All Rights Reserved.