/** * Returns any available {@link Cache} instance to use for authentication caching. This functions as follows: * <ol> * <li>If an {@link #setAuthenticationCache(org.apache.shiro.cache.Cache) authenticationCache} has been explicitly * configured (it is not null), it is returned.</li> * <li>If there is no {@link #getAuthenticationCache() authenticationCache} configured: * <ol> * <li>If authentication caching is {@link #isAuthenticationCachingEnabled() enabled}, any available * {@link #getCacheManager() cacheManager} will be consulted to obtain an available authentication cache. * </li> * <li>If authentication caching is disabled, this implementation does nothing.</li> * </ol> * </li> * </ol> * * @return any available {@link Cache} instance to use for authentication caching. */ private Cache<Object, AuthenticationInfo> getAvailableAuthenticationCache() { Cache<Object, AuthenticationInfo> cache = getAuthenticationCache(); boolean authcCachingEnabled = isAuthenticationCachingEnabled(); if (cache == null && authcCachingEnabled) { cache = getAuthenticationCacheLazy(); } return cache; }
public AuthenticatingRealm(CacheManager cacheManager, CredentialsMatcher matcher) { authenticationTokenClass = UsernamePasswordToken.class; //retain backwards compatibility for Shiro 1.1 and earlier. Setting to true by default will probably cause //unexpected results for existing applications: this.authenticationCachingEnabled = false; int instanceNumber = INSTANCE_COUNT.getAndIncrement(); this.authenticationCacheName = getClass().getName() + DEFAULT_AUTHORIZATION_CACHE_SUFFIX; if (instanceNumber > 0) { this.authenticationCacheName = this.authenticationCacheName + "." + instanceNumber; } if (cacheManager != null) { setCacheManager(cacheManager); } if (matcher != null) { setCredentialsMatcher(matcher); } }
AuthenticationInfo info = getCachedAuthenticationInfo(token); if (info == null) { info = doGetAuthenticationInfo(token); log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info); if (token != null && info != null) { cacheAuthenticationInfoIfPossible(token, info); assertCredentialsMatch(token, info); } else { log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
/** * Caches the specified info if authentication caching * {@link #isAuthenticationCachingEnabled(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo) isEnabled} * for the specific token/info pair and a cache instance is available to be used. * * @param token the authentication token submitted which resulted in a successful authentication attempt. * @param info the AuthenticationInfo to cache as a result of the successful authentication attempt. * @since 1.2 */ private void cacheAuthenticationInfoIfPossible(AuthenticationToken token, AuthenticationInfo info) { if (!isAuthenticationCachingEnabled(token, info)) { log.debug("AuthenticationInfo caching is disabled for info [{}]. Submitted token: [{}].", info, token); //return quietly, caching is disabled for this token/info pair: return; } Cache<Object, AuthenticationInfo> cache = getAvailableAuthenticationCache(); if (cache != null) { Object key = getAuthenticationCacheKey(token); cache.put(key, info); log.trace("Cached AuthenticationInfo for continued authentication. key=[{}], value=[{}].", key, info); } }
private static Cache<Object, AuthenticationInfo> getAuthenticationCacheLazy(AuthenticatingRealm realm) { if (realm.getAuthenticationCache() == null) { log.trace("No authenticationCache instance set. Checking for a cacheManager..."); CacheManager cacheManager = realm.getCacheManager(); if (cacheManager != null) { String cacheName = realm.getAuthenticationCacheName(); log.debug("CacheManager [{}] configured. Building authentication cache '{}'", cacheManager, cacheName); realm.setAuthenticationCache(cacheManager.getCache(cacheName)); } } return realm.getAuthenticationCache(); }
private static Cache<Object, AuthenticationInfo> getAuthenticationCache(AuthenticatingRealm realm) { AuthenticatingRealm authenticatingRealm = realm; Cache<Object, AuthenticationInfo> cache = authenticatingRealm.getAuthenticationCache(); boolean authcCachingEnabled = authenticatingRealm.isAuthenticationCachingEnabled(); if (cache == null && authcCachingEnabled) { cache = getAuthenticationCacheLazy(authenticatingRealm); } return cache; }
public AuthenticatingRealm(CredentialsMatcher matcher) { setCredentialsMatcher(matcher); }
/** * Checks to see if the authenticationCache class attribute is null, and if so, attempts to acquire one from * any configured {@link #getCacheManager() cacheManager}. If one is acquired, it is set as the class attribute. * The class attribute is then returned. * * @return an available cache instance to be used for authentication caching or {@code null} if one is not available. * @since 1.2 */ private Cache<Object, AuthenticationInfo> getAuthenticationCacheLazy() { if (this.authenticationCache == null) { log.trace("No authenticationCache instance set. Checking for a cacheManager..."); CacheManager cacheManager = getCacheManager(); if (cacheManager != null) { String cacheName = getAuthenticationCacheName(); log.debug("CacheManager [{}] configured. Building authentication cache '{}'", cacheManager, cacheName); this.authenticationCache = cacheManager.getCache(cacheName); } } return this.authenticationCache; }
@Override protected void assertCredentialsMatch(AuthenticationToken authcToken, AuthenticationInfo info) throws AuthenticationException { final LoginAuthenticationInfo kapuaInfo = (LoginAuthenticationInfo) info; super.assertCredentialsMatch(authcToken, info); final Subject currentSubject = SecurityUtils.getSubject(); Session session = currentSubject.getSession(); session.setAttribute("scopeId", kapuaInfo.getUser().getScopeId()); session.setAttribute("userId", kapuaInfo.getUser().getId()); }
/** * Looks up registered {@link AuthenticatingRealm}s, and clears their authc caches if they have it set. */ private void clearAuthcRealmCaches() { // NOTE: we don't need to iterate all the Sec Managers, they use the same Realms, so one is fine. Collection<Realm> realms = realmSecurityManager.getRealms(); if (realms != null) { for (Realm realm : realms) { if (realm instanceof AuthenticatingRealm) { Cache<Object, AuthenticationInfo> cache = ((AuthenticatingRealm) realm).getAuthenticationCache(); if (cache != null) { log.debug("Clearing cache: {}", cache); cache.clear(); } } } } }
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info = doGetAuthenticationInfo(token); if (info == null) { if (log.isDebugEnabled()) { String msg = "No authentication information found for submitted authentication token [" + token + "]. " + "Returning null."; log.debug(msg); } return null; } CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null) { if (!cm.doCredentialsMatch(token, info)) { String msg = "The credentials provided for account [" + token + "] did not match the expected credentials."; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " + "credentials during authentication. If you do not wish for credentials to be examined, you " + "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance."); } return info; }
@Override protected void doStop() throws Exception { eventManager.unregister(this); configuration = null; // reset shiro caches Collection<Realm> realms = realmSecurityManager.getRealms(); if (realms != null) { for (Realm realm : realms) { if (realm instanceof AuthenticatingRealm) { ((AuthenticatingRealm) realm).setAuthenticationCache(null); } if (realm instanceof AuthorizingRealm) { ((AuthorizingRealm) realm).setAuthorizationCache(null); } } } }
/** * Convenience implementation that returns * <tt>getAuthenticationTokenClass().isAssignableFrom( token.getClass() );</tt>. Can be overridden * by subclasses for more complex token checking. * <p>Most configurations will only need to set a different class via * {@link #setAuthenticationTokenClass}, as opposed to overriding this method. * * @param token the token being submitted for authentication. * @return true if this authentication realm can process the submitted token instance of the class, false otherwise. */ public boolean supports(AuthenticationToken token) { return token != null && getAuthenticationTokenClass().isAssignableFrom(token.getClass()); }
/** * Returns {@code true} if authentication caching should be utilized based on the specified * {@link AuthenticationToken} and/or {@link AuthenticationInfo}, {@code false} otherwise. * <p/> * The default implementation simply delegates to {@link #isAuthenticationCachingEnabled()}, the general-case * authentication caching setting. Subclasses can override this to turn on or off caching at runtime * based on the specific submitted runtime values. * * @param token the submitted authentication token * @param info the {@code AuthenticationInfo} acquired from data source lookup via * {@link #doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)} * @return {@code true} if authentication caching should be utilized based on the specified * {@link AuthenticationToken} and/or {@link AuthenticationInfo}, {@code false} otherwise. * @since 1.2 */ protected boolean isAuthenticationCachingEnabled(AuthenticationToken token, AuthenticationInfo info) { return isAuthenticationCachingEnabled(); }
/** * Asserts that the submitted {@code AuthenticationToken}'s credentials match the stored account * {@code AuthenticationInfo}'s credentials, and if not, throws an {@link AuthenticationException}. * * @param token the submitted authentication token * @param info the AuthenticationInfo corresponding to the given {@code token} * @throws AuthenticationException if the token's credentials do not match the stored account credentials. */ protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException { CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null) { if (!cm.doCredentialsMatch(token, info)) { //not successful - throw an exception to indicate this: String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials."; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " + "credentials during authentication. If you do not wish for credentials to be examined, you " + "can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance."); } }
@Bean(name = "mainRealm") @ConditionalOnMissingBean(name = "mainRealm") @DependsOn(value = {"lifecycleBeanPostProcessor", "credentialsMatcher"}) @ConditionalOnProperty(prefix = "shiro.realm.jdbc", name = "enabled", matchIfMissing = true) public Realm realm(CredentialsMatcher credentialsMatcher) { Class<?> realmClass = properties.getRealmClass(); Realm realm = (Realm) BeanUtils.instantiate(realmClass); if (realm instanceof AuthenticatingRealm) { ((AuthenticatingRealm) realm).setCredentialsMatcher(credentialsMatcher); } return realm; }
/** * Checks to see if the authenticationCache class attribute is null, and if so, attempts to acquire one from * any configured {@link #getCacheManager() cacheManager}. If one is acquired, it is set as the class attribute. * The class attribute is then returned. * * @return an available cache instance to be used for authentication caching or {@code null} if one is not available. * @since 1.2 */ private Cache<Object, AuthenticationInfo> getAuthenticationCacheLazy() { if (this.authenticationCache == null) { log.trace("No authenticationCache instance set. Checking for a cacheManager..."); CacheManager cacheManager = getCacheManager(); if (cacheManager != null) { String cacheName = getAuthenticationCacheName(); log.debug("CacheManager [{}] configured. Building authentication cache '{}'", cacheManager, cacheName); this.authenticationCache = cacheManager.getCache(cacheName); } } return this.authenticationCache; }
/** * Caches the specified info if authentication caching * {@link #isAuthenticationCachingEnabled(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo) isEnabled} * for the specific token/info pair and a cache instance is available to be used. * * @param token the authentication token submitted which resulted in a successful authentication attempt. * @param info the AuthenticationInfo to cache as a result of the successful authentication attempt. * @since 1.2 */ private void cacheAuthenticationInfoIfPossible(AuthenticationToken token, AuthenticationInfo info) { if (!isAuthenticationCachingEnabled(token, info)) { log.debug("AuthenticationInfo caching is disabled for info [{}]. Submitted token: [{}].", info, token); //return quietly, caching is disabled for this token/info pair: return; } Cache<Object, AuthenticationInfo> cache = getAvailableAuthenticationCache(); if (cache != null) { Object key = getAuthenticationCacheKey(token); cache.put(key, info); log.trace("Cached AuthenticationInfo for continued authentication. key=[{}], value=[{}].", key, info); } }
@Override protected void assertCredentialsMatch(AuthenticationToken authcToken, AuthenticationInfo info) throws AuthenticationException { final LoginAuthenticationInfo kapuaInfo = (LoginAuthenticationInfo) info; super.assertCredentialsMatch(authcToken, info); final Subject currentSubject = SecurityUtils.getSubject(); Session session = currentSubject.getSession(); session.setAttribute("scopeId", kapuaInfo.getUser().getScopeId()); session.setAttribute("userId", kapuaInfo.getUser().getId()); }
@Override public void clearAuthCache() { for ( Realm realm : realms ) { if ( realm instanceof AuthenticatingRealm ) { Cache<Object,AuthenticationInfo> cache = ((AuthenticatingRealm) realm).getAuthenticationCache(); if ( cache != null ) { cache.clear(); } } if ( realm instanceof AuthorizingRealm ) { Cache<Object,AuthorizationInfo> cache = ((AuthorizingRealm) realm).getAuthorizationCache(); if ( cache != null ) { cache.clear(); } } } }