java.lang.Object
  org.apache.shiro.authc.AbstractAuthenticator
    org.apache.shiro.authc.pam.ModularRealmAuthenticator
public class ModularRealmAuthenticator
A ModularRealmAuthenticator delegates account lookups to a pluggable (modular) collection of Realms. This enables PAM (Pluggable Authentication Module) behavior in Shiro.
In addition to authorization duties, a Shiro Realm can also be thought of as a PAM 'module'.
Realms as you see fit. Common realms are those based on accessing LDAP, relational databases, file systems, etc.
If only one realm is configured (this is often the case for most applications), authentication success is naturally only dependent upon invoking this one Realm's Realm.getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method.
But if two or more realms are configured, PAM behavior is implemented by iterating over the collection of realms and interacting with each over the course of the authentication attempt. As this is more complicated, this authenticator allows customized behavior for interpreting what happens when interacting with multiple realms - for example, you might require all realms to be successful during the attempt, or perhaps only at least one must be successful, or some other interpretation. This customized behavior can be performed via the use of an AuthenticationStrategy, which you can inject as a property of this class.
The strategy object provides callback methods that allow you to determine what constitutes a success or failure in a multi-realm (PAM) scenario. And because this only makes sense in a multi-realm scenario, the strategy object is only utilized when more than one Realm is configured.
As most multi-realm applications require that at least one Realm authenticates successfully, the default implementation is the AtLeastOneSuccessfulStrategy.
See Also: setRealms(java.util.Collection), AtLeastOneSuccessfulStrategy, AllSuccessfulStrategy, FirstSuccessfulStrategy
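An added example (not part of the Shiro Javadoc) showing how the choice of strategy changes the outcome when two realms hold different credentials for the same user, which is the case to review when a stale or weaker realm is left configured. The class name, realm names, accounts and passwords are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.pam.AllSuccessfulStrategy;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class MultiRealmStrategyDemo {

    // Runs one login attempt against the given realms. Returns the names of the
    // realms that vouched for the user, or "DENIED" if authentication failed.
    // A null strategy keeps the authenticator's default (AtLeastOneSuccessfulStrategy).
    static String attempt(Collection<Realm> realms, AuthenticationStrategy strategy,
                          String user, String password) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setRealms(realms);
        if (strategy != null) {
            authenticator.setAuthenticationStrategy(strategy);
        }
        try {
            AuthenticationInfo info =
                    authenticator.authenticate(new UsernamePasswordToken(user, password));
            return info.getPrincipals().getRealmNames().toString();
        } catch (AuthenticationException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" has a different password in each realm,
        // "bob" has the same password in both.
        SimpleAccountRealm directory = new SimpleAccountRealm("directoryRealm");
        directory.addAccount("alice", "current-password");
        directory.addAccount("bob", "shared-password");
        SimpleAccountRealm legacy = new SimpleAccountRealm("legacyRealm");
        legacy.addAccount("alice", "stale-password");
        legacy.addAccount("bob", "shared-password");
        Collection<Realm> realms = Arrays.<Realm>asList(directory, legacy);

        // Default strategy: a single accepting realm is enough.
        System.out.println(attempt(realms, null, "alice", "stale-password"));
        // AllSuccessfulStrategy: every configured realm must accept the token.
        System.out.println(attempt(realms, new AllSuccessfulStrategy(), "alice", "stale-password"));
        System.out.println(attempt(realms, new AllSuccessfulStrategy(), "bob", "shared-password"));
    }
}
```

With the default strategy, the set of realm names on the returned principals shows which realm actually accepted the credentials, which is worth logging when more than one realm is configured.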
Constructor Summary | |
---|---|
ModularRealmAuthenticator() | Default no-argument constructor which enables an AtLeastOneSuccessfulStrategy by default. |
Method Summary | | |
---|---|---|
protected void | assertRealmsConfigured() | |
protected AuthenticationInfo | doAuthenticate(AuthenticationToken authenticationToken) | Attempts to authenticate the given token by iterating over the internal collection of Realms. |
protected AuthenticationInfo | doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) | Performs the multi-realm authentication attempt by calling back to an AuthenticationStrategy object as each realm is consulted for AuthenticationInfo for the specified token. |
protected AuthenticationInfo | doSingleRealmAuthentication(Realm realm, AuthenticationToken token) | Performs the authentication attempt by interacting with the single configured realm, which is significantly simpler than performing multi-realm logic. |
AuthenticationStrategy | getAuthenticationStrategy() | Returns the AuthenticationStrategy utilized by this modular authenticator during a multi-realm log-in attempt. |
protected Collection<Realm> | getRealms() | Returns the realm(s) used by this Authenticator during an authentication attempt. |
void | onLogout(PrincipalCollection principals) | First calls super.onLogout(principals) to ensure a logout notification is issued, and for each wrapped Realm that implements the LogoutAware interface, calls ((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform logout/cleanup operations during a user-logout. |
void | setAuthenticationStrategy(AuthenticationStrategy authenticationStrategy) | Allows overriding the default AuthenticationStrategy utilized during multi-realm log-in attempts. |
void | setRealms(Collection<Realm> realms) | Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration. |
Methods inherited from class org.apache.shiro.authc.AbstractAuthenticator |
---|
authenticate, getAuthenticationListeners, notifyFailure, notifyLogout, notifySuccess, setAuthenticationListeners |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public ModularRealmAuthenticator()
Default no-argument constructor which enables an AtLeastOneSuccessfulStrategy by default.
Method Detail |
---|
public void setRealms(Collection<Realm> realms)
Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration.
Parameters:
realms - the realms to consult during authentication attempts.

protected Collection<Realm> getRealms()
Returns the realm(s) used by this Authenticator during an authentication attempt.
Returns:
the realm(s) used by this Authenticator during an authentication attempt.

public AuthenticationStrategy getAuthenticationStrategy()
Returns the AuthenticationStrategy utilized by this modular authenticator during a multi-realm log-in attempt. This object is only used when two or more Realms are configured.
Unless overridden by the setAuthenticationStrategy(AuthenticationStrategy) method, the default implementation is the AtLeastOneSuccessfulStrategy.
Returns:
the AuthenticationStrategy utilized by this modular authenticator during a log-in attempt.

public void setAuthenticationStrategy(AuthenticationStrategy authenticationStrategy)
Allows overriding the default AuthenticationStrategy utilized during multi-realm log-in attempts. This object is only used when two or more Realms are configured.
Parameters:
authenticationStrategy - the strategy implementation to use during log-in attempts.

protected void assertRealmsConfigured() throws IllegalStateException
Throws:
IllegalStateException
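
protected AuthenticationInfo doSingleRealmAuthentication(Realm realm, AuthenticationToken token)
Performs the authentication attempt by interacting with the single configured realm, which is significantly simpler than performing multi-realm logic.
Parameters:
realm - the realm to consult for AuthenticationInfo.
token - the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.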
token

protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token)
Performs the multi-realm authentication attempt by calling back to an AuthenticationStrategy object as each realm is consulted for AuthenticationInfo for the specified token.
Parameters:
realms - the multiple realms configured on this Authenticator instance.
token - the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.

protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException
Attempts to authenticate the given token by iterating over the internal collection of Realms. For each realm, first the Realm.supports(org.apache.shiro.authc.AuthenticationToken) method will be called to determine if the realm supports the authenticationToken method argument.
If a realm does support the token, its Realm.getAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) method will be called. If the realm returns a non-null account, the token will be considered authenticated for that realm and the account data recorded. If the realm returns null, the next realm will be consulted. If no realms support the token or all supporting realms return null, an AuthenticationException will be thrown to indicate that the user could not be authenticated.
After all realms have been consulted, the information from each realm is aggregated into a single AuthenticationInfo object and returned.
doAuthenticate in class AbstractAuthenticator
Parameters:
authenticationToken - the token containing the authentication principal and credentials for the user being authenticated.
Throws:
IllegalStateException - if no realms have been configured at the time this method is invoked
AuthenticationException - if the user could not be authenticated or the user is denied authentication for the given principal and credentials.

public void onLogout(PrincipalCollection principals)
First calls super.onLogout(principals) to ensure a logout notification is issued, and for each wrapped Realm that implements the LogoutAware interface, calls ((LogoutAware)realm).onLogout(principals) to allow each realm the opportunity to perform logout/cleanup operations during a user-logout.
Shiro's Realm implementations all implement the LogoutAware interface by default and can be overridden for realm-specific logout logic.
onLogout in interface LogoutAware
onLogout in class AbstractAuthenticator
Parameters:
principals - the application-specific Subject/user identifier.