820 lines
25 KiB
Plaintext
820 lines
25 KiB
Plaintext
@startuml token-structure
|
|
!include ./class-settings.puml
|
|
|
|
interface AuthenticationToken {
|
|
+ Object getPrincipal()
|
|
+ Object getCredentials()
|
|
}
|
|
|
|
interface HostAuthenticationToken {
|
|
+ String getHost()
|
|
}
|
|
|
|
interface RememberMeAuthenticationToken {
|
|
+ boolean isRememberMe()
|
|
}
|
|
|
|
class UsernamePasswordToken {
|
|
- String username
|
|
- char[] password
|
|
- boolean rememberMe
|
|
- String host
|
|
+ void clear()
|
|
}
|
|
|
|
class BearerToken {
|
|
- String token
|
|
- String host
|
|
}
|
|
|
|
HostAuthenticationToken --|> AuthenticationToken
|
|
RememberMeAuthenticationToken --|> AuthenticationToken
|
|
UsernamePasswordToken ..|> HostAuthenticationToken
|
|
UsernamePasswordToken ..|> RememberMeAuthenticationToken
|
|
BearerToken ..|> HostAuthenticationToken
|
|
@enduml
|
|
|
|
@startuml subject-structure
|
|
!include ./class-settings.puml
|
|
|
|
interface Subject {
|
|
+ Object getPrincipal()
|
|
+ PrincipalCollection getPrincipals()
|
|
+ boolean isPermitted(String)
|
|
+ boolean isPermitted(Permission)
|
|
+ boolean[] isPermitted(String...)
|
|
+ boolean{} isPermitted(List<Permission>)
|
|
+ boolean isPermittedAll(String...)
|
|
+ boolean isPermittedAll(Collection<Permission>)
|
|
+ void checkPermission(String)
|
|
+ void checkPermission(Permission)
|
|
+ void checkPermissions(String...)
|
|
+ void checkPermissions(Collection<Permission>)
|
|
+ boolean hasRole(String roleIdentifier)
|
|
+ boolean hasRoles(List<String>)
|
|
+ boolean hasAllRoles(Collection<String>)
|
|
+ void checkRole(String)
|
|
+ void checkRoles(Collection<String>)
|
|
+ void checkRoles(String...)
|
|
+ void login(AuthenticationToken)
|
|
+ boolean isAuthenticated()
|
|
+ boolean isRemembered()
|
|
+ Session getSession()
|
|
+ Session getSession(boolean)
|
|
+ void logout()
|
|
+ <V> V execute(Callable<V>)
|
|
+ void execute(Runnable)
|
|
+ <V> Callable<V> associateWith(Callable<V>)
|
|
+ Runnable associateWith(Runnable)
|
|
+ void runAs(PrincipalCollection)
|
|
+ boolean isRunAs()
|
|
+ PrincipalCollection getPreviousPrincipals()
|
|
+ PrincipalCollection releaseRunAs()
|
|
}
|
|
|
|
interface PrincipalCollection {
|
|
+ Object getPrimaryPrincipal()
|
|
+ <T> T oneByType(Class<T>)
|
|
+ <T> Collection<T> byType(Class<T>)
|
|
+ List asList()
|
|
+ Set asSet()
|
|
+ Collection fromRealm(String)
|
|
+ Set<String> getRealmNames()
|
|
+ boolean isEmpty()
|
|
}
|
|
|
|
interface MutablePrincipalCollection {
|
|
+ void add(Object, String)
|
|
+ void addAll(Collection, String)
|
|
+ void addAll(PrincipalCollection)
|
|
+ void clear()
|
|
}
|
|
|
|
class SimplePrincipalCollection
|
|
|
|
interface PrincipalMap {
|
|
+ Map<String, Object> getRealmPrincipals(String)
|
|
+ Map<String, Object> setRealmPrincipals(String, Map<String, Object>)
|
|
+ Object setRealmPrincipal(String, String, Object)
|
|
+ Object getRealmPrincipal(String, String)
|
|
+ Object removeRealmPrincipal(String, String)
|
|
}
|
|
|
|
class SimplePrincipalMap
|
|
|
|
interface SubjectContext {
|
|
+ SecurityManager getSecurityManager()
|
|
+ void setSecurityManager(SecurityManager)
|
|
+ SecurityManager resolveSecurityManager()
|
|
+ Serializable getSessionId()
|
|
+ void setSessionId(Serializable)
|
|
+ Subject getSubject()
|
|
+ void setSubject(Subject subject)
|
|
+ PrincipalCollection getPrincipals()
|
|
+ PrincipalCollection resolvePrincipals()
|
|
+ void setPrincipals(PrincipalCollection)
|
|
+ Session getSession()
|
|
+ void setSession(Session)
|
|
+ Session resolveSession()
|
|
+ boolean isAuthenticated()
|
|
+ void setAuthenticated(boolean)
|
|
+ boolean isSessionCreationEnabled()
|
|
+ void setSessionCreationEnabled(boolean)
|
|
+ boolean resolveAuthenticated()
|
|
+ AuthenticationInfo getAuthenticationInfo()
|
|
+ void setAuthenticationInfo()
|
|
+ AuthenticationToken getAuthenticationToken()
|
|
+ void setAuthenticationToken(AuthenticationToken)
|
|
+ String getHost()
|
|
+ void setHost(String)
|
|
+ String resolveHost()
|
|
}
|
|
|
|
PrincipalCollection -* Subject
|
|
MutablePrincipalCollection --|> PrincipalCollection
|
|
MutablePrincipalCollection <|. SimplePrincipalCollection
|
|
PrincipalCollection <|-- PrincipalMap
|
|
PrincipalMap <|. SimplePrincipalMap
|
|
Subject -* SubjectContext
|
|
PrincipalCollection -* SubjectContext
|
|
Session --* SubjectContext
|
|
SubjectContext *-- AuthenticaitonInfo
|
|
SubjectContext *-- AuthenticaitonToken
|
|
@enduml
|
|
|
|
@startuml securitymanager-structure
|
|
!include ./class-settings.puml
|
|
|
|
interface SecurityManager {
|
|
+ Subject login(Subject, AuthenticationToken)
|
|
+ void logout(Subject)
|
|
+ Subject createSubject(SubjectContext)
|
|
}
|
|
|
|
interface Authorizer {
|
|
+ boolean isPermitted(PrincipalCollection, String)
|
|
+ boolean isPermitted(PrincipalCollection, Permission)
|
|
+ boolean[] isPermitted(PrincipalCollection, String...)
|
|
+ boolean[] isPermitted(PrincipalCollection, List<Permission>)
|
|
+ boolean isPermittedAll(PrincipalCollection, String...)
|
|
+ boolean isPermittedAll(PrincipalCollection, Collection<Permission>...)
|
|
+ void checkPermission(PrincipalCollection, String)
|
|
+ void checkPermission(PrincipalCollection, Permission)
|
|
+ void checkPermissions(PrincipalCollection, String...)
|
|
+ void checkPermissions(PrincipalCollection, Collection<Permission>)
|
|
+ boolean hasRole(PrincipalCollection, String)
|
|
+ boolean[] hasRoles(PrincipalCollection, List<String>)
|
|
+ boolean hasAllRoles(PrincipalCollection, Collection<String>)
|
|
+ void checkRole(PrincipalCollection, String)
|
|
+ void checkRoles(PrincipalCollection, Collection<String>)
|
|
+ void checkRoles(PrincipalCollection, String...)
|
|
}
|
|
|
|
interface Authenticator {
|
|
+ AuthenticaionInfo authenticate(AuthenticationToken)
|
|
}
|
|
|
|
interface SessionManager {
|
|
+ Session start(SessionContext)
|
|
+ Session getSession(SessionKey)
|
|
}
|
|
|
|
interface SessionKey {
|
|
+ Serializable getSessionId()
|
|
}
|
|
|
|
interface SessionContext {
|
|
+ void setHost(String)
|
|
+ String getHost()
|
|
+ Serializable getSessionId()
|
|
+ void setSessionId(Serializable)
|
|
}
|
|
|
|
abstract class CachingSecurityManager {
|
|
- CacheManager cacheManager
|
|
- EventBus eventBus
|
|
# void afterCacheManagerSet()
|
|
# void applyEventBusToCacheManager()
|
|
# void afterEventBusSet()
|
|
+ void destroy()
|
|
}
|
|
|
|
interface CacheManagerAware {
|
|
+ void setCacheManager(CacheManager)
|
|
}
|
|
|
|
interface EventBusAware {
|
|
+ void setEventBus(EventBus)
|
|
}
|
|
|
|
interface CacheManager {
|
|
+ <K, V> Cache<K, V> getCache(String)
|
|
}
|
|
|
|
interface Cache<K, V> {
|
|
+ V get(K)
|
|
+ V put(K, V)
|
|
+ V remove(K)
|
|
+ void clear()
|
|
+ int size()
|
|
+ Set<K> keys()
|
|
+ Collection<V> values()
|
|
}
|
|
|
|
interface EventBus {
|
|
+ void publish(Object)
|
|
+ void register(Object)
|
|
+ void unregister(Object)
|
|
}
|
|
|
|
abstract class RealmSecurityManager {
|
|
- Collection<Realm> realms;
|
|
+ void setRealms(Collection<Realm>)
|
|
# void afterRealmsSet()
|
|
# void afterCacheManagerSet()
|
|
# void afterEventBusSet()
|
|
# void applyCacheManagerToRealms()
|
|
# void applyEventBusToRealms()
|
|
}
|
|
|
|
abstract class AuthenticatingSecurityManager {
|
|
- Authenticator authenticator
|
|
+ AuthenticationInfo authenticate(AuthenticationToken)
|
|
}
|
|
|
|
abstract class AuthorizingSecurityManager {
|
|
- Authorizer authorizer
|
|
--代理方法--
|
|
代理所有Authorizer中的方法
|
|
}
|
|
|
|
abstract class SessionSecurityManager {
|
|
- SessionManager sessionManager
|
|
# void applyCacheManagerToSessionManager()
|
|
# void applyEventBusToSessionManager()
|
|
+ Session start(SessionContext)
|
|
}
|
|
|
|
class DefaultSecurityManager {
|
|
# RememberMeManager rememberMeManager
|
|
# SubjectDAO subjectDAO
|
|
# SubjectFactory subjectFactory
|
|
# Subject createSubject(AuthenticationToken, AuthenticationInfo, Subject)
|
|
# void bind(Subject)
|
|
# void rememberMeSuccessfulLogin(AuthenticationToken, AuthenticationInfo, Subject)
|
|
# void rememberMeFailedLogin(AuthenticationToken, AuthenticationException, Subject)
|
|
# void rememberMeLogout(Subject)
|
|
+ Subject login(Subject, AuthenticationToken)
|
|
# void onSuccessfulLogin(AuthenticationToken, AuthenticationInfo, Subject)
|
|
# void onFailedLogin(AuthenticationToken, AuthenticationException, Subject)
|
|
# void beforeLogout(Subject)
|
|
# SubjectContext copy(SubjectContext)
|
|
+ Subject createSubject(SubjectContext)
|
|
# Subject doCreateSubject(SubjectContext)
|
|
# void save(Subject)
|
|
# void delete(Subject)
|
|
# SubjectContext ensureSecurityManager(SubjectContext)
|
|
# SubjectContext resolveSession(SubjectContext)
|
|
# Session resolveContextSession(SubjectContext)
|
|
# SessionKey getSessionKey(SubjectContext)
|
|
-{static} boolean isEmpty(PrincipalCollection)
|
|
# SubjectContext resolvePrincipals(SubjectContext)
|
|
# SessionContext createSessionContext(SubjectContext)
|
|
+ void logout(Subject)
|
|
# void stopSession(Subject)
|
|
# void unbind(Subject)
|
|
# PrincipalCollection getRememberedIdentity(SubjectContext)
|
|
}
|
|
|
|
interface RememberMeManager {
|
|
+ PrincipalCollection getRememberedPrincipals(SubjectContext)
|
|
+ void forgetIdentity(SubjectContext)
|
|
+ void onSuccessfulLogin(Subject, AuthenitcationToken, AuthenticationInfo)
|
|
+ void onFailedLogin(Subject, AuthenticationToken, AuthenticationException)
|
|
+ void onLogout(Subject)
|
|
}
|
|
|
|
abstract class AbstractRememberMeManager {
|
|
- Serializer<PrincipalCollection> serializer
|
|
- CipherService cipherService
|
|
- byte[] encryptionCipherKey
|
|
- byte[] decryptionCipherKey
|
|
#{abstract} void forgetIdentity(Subject)
|
|
# boolean isRememberMe(AuthenticationToken)
|
|
+ void rememberIdentity(Subject, AuthenticationToken, AuthenticationInfo)
|
|
# PrincipalCollection getIdentityToRemember(Subject, AuthenticationInfo)
|
|
# void rememberIdentity(Subject, PrincipalCollection)
|
|
# byte[] convertPrincipalsToBytes(PrincipalCollection)
|
|
#{abstract} void rememberSerializedIdentity(Subject, byte[])
|
|
+ PrincipalCollection getRememberedPrincipals(SubjectContext)
|
|
#{abstract} byte[] getRememberedSerializedIdentity(SubjectContext)
|
|
# PrincipalCollection convertBytesToPrincipals(byte[], SubjectContext)
|
|
# PrincipalCollection onRememberedPrincipalFailure(RuntimeException, SubjectContext)
|
|
# byte[] encrypt(byte[])
|
|
# byte[] decrypt(byte[])
|
|
# byte[] serialize(PrincipalCollection)
|
|
# PrincipalCollection deserialize(byte[])
|
|
+ void onFailedLogin(Subject, AuthenticationToken, AuthenticationException)
|
|
+ void onLogout(Subject)
|
|
}
|
|
|
|
Authorizer <|-- SecurityManager
|
|
Authenticator <|-- SecurityManager
|
|
SessionManager <|-- SecurityManager
|
|
SessionKey --* SessionManager
|
|
SessionContext --* SessionManager
|
|
SecurityManager <|.. CachingSecurityManager
|
|
CacheManagerAware <|.. CachingSecurityManager
|
|
EventBusAware <|.. CachingSecurityManager
|
|
CacheManagerAware *-- CacheManager
|
|
CacheManager *-- Cache
|
|
EventBus -* EventBusAware
|
|
CachingSecurityManager <|-- RealmSecurityManager
|
|
RealmSecurityManager <|-- AuthenticatingSecurityManager
|
|
AuthenticatingSecurityManager <|-- AuthorizingSecurityManager
|
|
AuthorizingSecurityManager <|-- SessionSecurityManager
|
|
SessionSecurityManager <|-- DefaultSecurityManager
|
|
RememberMeManager --* DefaultSecurityManager
|
|
AbstractRememberMeManager ..|> RememberMeManager
|
|
@enduml
|
|
|
|
@startuml authenticator-structure
|
|
!include ./class-settings.puml
|
|
|
|
interface Authenticator {
|
|
+ AuthenticaionInfo authenticate(AuthenticationToken)
|
|
}
|
|
|
|
interface AuthenticationInfo {
|
|
+ PrincipalCollection getPrincipals()
|
|
+ Object getCredentials()
|
|
}
|
|
|
|
abstract class AbstractAuthenticator {
|
|
- Collection<AuthenticationListener> listeners
|
|
# void notifySuccess(AuthenticationToken, AuthenticationInfo)
|
|
# void notifyFailure(AuthenticationToken, AuthenticationException)
|
|
# void notifyLogout(PrincipalCollection)
|
|
+ void onLogout(PrincipalCollection)
|
|
+ AuthenticationInfo authenticate(AuthenticationToken)
|
|
#{abstract} AuthenticationInfo doAuthenticate(AuthenticationToken)
|
|
}
|
|
|
|
class ModularRealmAuthenticator {
|
|
- Collection<Realm> realms
|
|
- AuthenticationStrategy authenticationStrategy
|
|
# void assertRealmsConfigured()
|
|
# AuthenticationInfo doSingleRealmAuthentication(Realm, AuthenticationToken)
|
|
# AuthenticationInfo doMultiRealmAuthentication(Collection<Realm>, AuthenticationToken)
|
|
}
|
|
|
|
interface AuthenticationStrategy {
|
|
+ AuthenticationInfo beforeAllAttempts(Collection<? extends Realm>, AuthenticationToken)
|
|
+ AuthenticationInfo beforeAttempt(Realm, AuthenticationToken, AuthenticationInfo)
|
|
+ AuthenticationInfo afterAttempt(Realm, AuthenticationToken, AuthenticationInfo, AuthenticationInfo)
|
|
+ AuthenticationInfo afterAllAttempts(AuthenticationToken, AuthenticationInfo)
|
|
}
|
|
|
|
abstract class AbstractAuthenticationStrategy {
|
|
# AuthenticationInfo merge(AuthenticationInfo, AuthenticationInfo
|
|
}
|
|
|
|
class FirstSuccessfulStrategy {
|
|
- boolean stopAfterFirstSuccess
|
|
}
|
|
|
|
AuthenticationInfo --* Authenticator
|
|
AbstractAuthenticator ..|> Authenticator
|
|
ModularRealmAuthenticator --|> AbstractAuthenticator
|
|
AuthenticationStrategy --* ModularRealmAuthenticator
|
|
AbstractAuthenticationStrategy ..|> AuthenticationStrategy
|
|
AllSuccessfulStrategy --|> AbstractAuthenticationStrategy
|
|
AtLeastOneSuccessfulStrategy --|> AbstractAuthenticationStrategy
|
|
FirstSuccessfulStrategy --|> AbstractAuthenticationStrategy
|
|
@enduml
|
|
|
|
@startuml realm-structure
|
|
!include ./class-settings.puml
|
|
|
|
interface Realm {
|
|
+ String getName()
|
|
+ boolean supports(AuthenticaitonToken)
|
|
+ AuthenticationInfo getAuthenticationInfo(AuthenticationToken)
|
|
}
|
|
|
|
interface LogoutAware {
|
|
+ void onLogout(PrincipalCollection)
|
|
}
|
|
|
|
abstract class CachingRealm {
|
|
- String name
|
|
- boolean cachingEnabled
|
|
- CacheManager cacheManager
|
|
# void afterCacheManagerSet()
|
|
-{static} boolean isEmpty(PrincipalCollection)
|
|
# void clearCache(PrincipalCollection)
|
|
# void doClearCache(PrincipalCollection)
|
|
# Object getAvailiablePrincipal(PrincipalCollection)
|
|
}
|
|
|
|
abstract class AuthenticatingRealm {
|
|
- CreadentialMatcher credentialsMatcher
|
|
- Cache<Object, AuthenticationInfo> uthenticationCache
|
|
- boolean authenticationCachingEnabled
|
|
- String authenticationCacheName
|
|
- Class<? extends AuthenticaitonToken> authenticationTokenClass
|
|
+ void init()
|
|
# void onInit()
|
|
- Cache<Object, AuthenticationInfo> getAuthenticationacheLazy()
|
|
- AuthenticationInfo getCachedAuthenticaitonInfo(AuthenticationToken)
|
|
- void cacheAuthenticaitonInfoIfPossible(AuthenticationToken, AuthenticationInfo)
|
|
+ AuthenticationInfo getAuthenticationInfo(AuthenticationToken)
|
|
# void assertredentialsMatch(AuthenticationToken, AuthenticationInfo)
|
|
# Object getAuthenticationCacheKey(AuthenticationToken)
|
|
# Object getAuthenticationCacheKey(PrincipalCollection)
|
|
# void clearCachedAuthenticationInfo(PrincipalCollection)
|
|
#{abstract} AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken)
|
|
}
|
|
|
|
interface PermissionResolverAware {
|
|
+ void setPermissionResolver(PermissionResolver)
|
|
}
|
|
|
|
interface RolePermissionResolverAware {
|
|
+ void setRolePermisisonResolver(RolePermisisonResolver)
|
|
}
|
|
|
|
interface Authorizer
|
|
|
|
abstract class AuthorizingRealm {
|
|
- boolean authorizationCachingEnabled
|
|
- Cache<Object, AuthorizationInfo> authorizationCache
|
|
- String authorizationCacheName
|
|
- PermissionResolver permissionResolver
|
|
- RolePermissionResolver permissionRoleResolver
|
|
}
|
|
|
|
enum SaltStyle {
|
|
NO_SALT
|
|
CRYPT
|
|
COLUMN
|
|
EXTERNAL
|
|
}
|
|
|
|
class JdbcRealm {
|
|
# DataSource dataSource
|
|
# String authenticationQuery
|
|
# String userRolesQuery
|
|
# String permissionsQuery
|
|
# boolean permissionsLookupEnabled
|
|
# SaltStyle saltStyle
|
|
# boolean saltIsBase64Encoded
|
|
- String[] getPasswordForUser(Connection, String)
|
|
# Set<String> getRoleNamesForUser(Connection, String)
|
|
# Set<String> getPermissions(Connection, String, Collection<String>)
|
|
# String getSaltForUser(String)
|
|
}
|
|
|
|
class SimpleAccountRealm {
|
|
# Map<String, SimpleAccount> users
|
|
# Map<String, SimpleRole> roles
|
|
# ReadWriteLock USERS_LOCK
|
|
# ReadWriteLock ROLES_LOCK
|
|
# SimpleAccount getUser(String)
|
|
+ boolean accountExists(String)
|
|
+ void addAccount(String, String)
|
|
+ void addAccount(String, String, String...)
|
|
# String getUsername(SimpleAccount)
|
|
# String getUsername(PrincipalCollection)
|
|
# void add(SimpleAccount)
|
|
# SimpleRole getRole(String)
|
|
+ boolean roleExists(String)
|
|
# void addRole(String)
|
|
# void add(SimpleRole)
|
|
#{static} Set<String> toSet(String, String)
|
|
}
|
|
|
|
class SimpleAccount {
|
|
- SimpleAuthenticationInfo authcInfo
|
|
- SimpleAuthorizationInfo authzInfo
|
|
- boolean locked
|
|
- boolean credentialsExpired
|
|
}
|
|
|
|
interface MergableAuthenticationInfo {
|
|
+ void merge(AuthenticationInfo)
|
|
}
|
|
|
|
interface Account
|
|
interface AuthenticationInfo
|
|
interface AuthorizationInfo
|
|
|
|
class SimpleRole {
|
|
# String name
|
|
# Set<Permission> permissions
|
|
+ void add(Permission)
|
|
+ void addAll(Collection<Permisison>)
|
|
+ boolean isPermitted(Permisison)
|
|
}
|
|
|
|
CachingRealm ..|> Realm
|
|
CachingRealm ..|> LogoutAware
|
|
AuthenticatingRealm --|> CachingRealm
|
|
AuthorizingRealm --|> AuthenticatingRealm
|
|
AuthorizingRealm .|> Authorizer
|
|
AuthorizingRealm ..|> PermissionResolverAware
|
|
AuthorizingRealm ..|> RolePermissionResolverAware
|
|
SimpleAccountRealm --|> AuthorizingRealm
|
|
JdbcRealm --|> AuthorizingRealm
|
|
SaltStyle -+ JdbcRealm
|
|
SimpleAccount --* SimpleAccountRealm
|
|
SimpleRole --* SimpleAccountRealm
|
|
Account <|.. SimpleAccount
|
|
MergableAuthenticationInfo <|.. SimpleAccount
|
|
AuthenticationInfo <|-- Account
|
|
AuthenticationInfo <|-- MergableAuthenticationInfo
|
|
AuthorizationInfo <|-- Account
|
|
@enduml
|
|
|
|
@startuml shiro-filter-structure
|
|
!include ./class-settings.puml
|
|
|
|
class BearerHttpAuthenticationFilter {
|
|
# AuthenticationToken createBearerToken(String, ServletRequest)
|
|
}
|
|
|
|
class BasicHttpAuthenticaitonFilter
|
|
|
|
abstract class HttpAuthenticationFilter {
|
|
- String applicationName
|
|
- String authcScheme
|
|
- String authzScheme
|
|
# Set<String> httpMethodsFromOptions(String[])
|
|
# boolean isLoginAttempt(ServletRequest, ServletResponse)
|
|
# boolean isLoginAttempt(String)
|
|
# String getAuthzHeader(ServletRequest)
|
|
# boolean sendChallenge(ServletRequest, ServletResponse)
|
|
# String[] getPrincipalsAndCredentials(String, ServletRequest)
|
|
# String[] getPrincipalsAndCredentials(String, String)
|
|
}
|
|
|
|
abstract class AuthenticatingFilter {
|
|
# boolean executeLogin(ServletRequest, ServletResponse)
|
|
# AuthenticationToken createToken(ServletRequest, ServletResponse)
|
|
# AuthenticationToken createToken(String, String, ServletRequest, ServletResponse)
|
|
# AuthenticationToken createToken(String, String, boolean, String)
|
|
# boolean onLoginSuccess(AuthenticationToken, Subject, ServletRequest, ServletResponse)
|
|
# boolean onLoginFailure(AuthenticationToken, AuthenticationException, ServletRequest, ServletResponse)
|
|
# String getHost(ServletRequest)
|
|
# boolean isRememberMe(ServletRequest)
|
|
# boolean isPermissive(Object)
|
|
}
|
|
|
|
abstract class AuthenticationFilter {
|
|
- String successUrl
|
|
# void isssueSuccessRedirect(ServletRequest, ServletResponse)
|
|
}
|
|
|
|
abstract class AccessControlFilter {
|
|
- String loginUrl
|
|
# Subject getSubject(ServletRequest, ServletResponse)
|
|
# boolean isAccessAllowed(ServletRequest, ServletResponse, Object)
|
|
# boolean onAccessDenied(ServletRequest, ServletResponse, Object)
|
|
# boolean onAccessDenied(ServletRequest, ServletResponse)
|
|
# boolean isLoginRequest(ServletRequest, ServletResponse)
|
|
# void saveRequestAndRedirectToLogin(ServletRequest, ServletResponse)
|
|
# void saveRequest(ServletRequest)
|
|
# void redirectToLogin(ServletRequest, ServletResponse)
|
|
}
|
|
|
|
abstract class PathMatchingFilter {
|
|
# PatternMatcher pathMatcher
|
|
# Map<String, Object> appliedPaths
|
|
# String getPathWithinApplication(ServletRequest)
|
|
# boolean pathsMatch(String, ServletRequest)
|
|
# boolean pathsMatch(String, String)
|
|
- boolean isFilterChainContinued(ServletRequest, ServletResponse, String, Object)
|
|
# boolean onPreHandle(ServletRequest, ServletResponse, Object)
|
|
# boolean isEnabled(ServletRequest, ServletResponse, String, Object)
|
|
}
|
|
|
|
interface PathConfigProcessor {
|
|
+ Filter processPathConfig(String, String)
|
|
}
|
|
|
|
abstract class AdviceFilter {
|
|
# boolean preHandle(ServletRequest, ServletResponse)
|
|
# void postHandle(ServletRequest, ServletResponse)
|
|
+ void afterCompletion(ServletRequest, ServletResponse, Exception)
|
|
# void executeChain(ServletRequest, ServletResponse, FilterChain)
|
|
# void cleanup(ServletRequest, ServletResponse)
|
|
}
|
|
|
|
abstract class OncePerRequestFilter {
|
|
- boolean enabled
|
|
# boolean isEnabled(ServletRequest, ServletResponse)
|
|
# String getAlreadyFilterAttributeName()
|
|
# void doFilterInternal(ServletRequest, ServletResponse, FilterChain)
|
|
}
|
|
|
|
abstract class NameableFilter {
|
|
# String name
|
|
}
|
|
|
|
abstract class AbstractFilter {
|
|
# FilterConfig filterConfig
|
|
# String getInitParam(String)
|
|
# void onFilterConfigSet()
|
|
}
|
|
|
|
class ServletContextSupport {
|
|
- ServletContext servletContext
|
|
# String getContextInitParam(String)
|
|
- ServletContext getRequiredServletContext()
|
|
# void setContenxtAttribute(String, Object)
|
|
# Object getContextAttribute(String)
|
|
# void removeContextAttribute(String)
|
|
}
|
|
|
|
interface Filter <<javax.web>> {
|
|
+ void init(FilterConfig)
|
|
+ void doFilter(ServletRequest, ServletResponse, FilterChain)
|
|
+ void destroy()
|
|
}
|
|
|
|
interface Nameable {
|
|
+ void setName(String name)
|
|
}
|
|
|
|
class FormAuthenticationFilter {
|
|
- String usernameParam
|
|
- String passwordParam
|
|
- String rememberMeParam
|
|
- String failureKeyAttribute
|
|
# boolean isLoginSubmission(ServletRequest, ServletResponse)
|
|
# void setFailureAttributes(ServletRequest, AuthenticationException)
|
|
- String getUsername(ServletRequest)
|
|
- String getPassword(ServletRequest)
|
|
}
|
|
|
|
class LogoutFilter {
|
|
- String redirectUrl
|
|
- boolean postOnlyLogout
|
|
# Subject getSubject(ServletRequest, ServletResponse)
|
|
# void issueRedirect(ServletRequest, ServletResponse)
|
|
# String getRedirectUrl(ServletRequest, ServletResponse)
|
|
# boolean onLogoutRequestNotAPost(ServletRequest, ServletResponse)
|
|
}
|
|
|
|
class PassThruAuthentcationFilter
|
|
|
|
class UserFilter
|
|
|
|
abstract class AuthorizationFilter {
|
|
- String unauthorizedUrl
|
|
}
|
|
|
|
class HostFilter {
|
|
+ Map<String, String> authorizedIps
|
|
+ Map<String, String> deniedIps
|
|
+ Map<String, String> authorizedHostnames
|
|
+ Map<String, String> deniedHostnames
|
|
+ void setAuthorizedHosts(String)
|
|
+ void setDeniedHosts(String)
|
|
# boolean isIpv4Candidate(String)
|
|
}
|
|
|
|
class HttpMethodPermissionFilter {
|
|
- Map<String, String> httpMethodActions
|
|
# String getHttpMethodAction(ServletRequest)
|
|
# String getHttpMethodAction(String)
|
|
# String[] buildPermissions(HttpServletRequest, String[], String)
|
|
# String[] buildPermissions(String[], String)
|
|
}
|
|
|
|
class IpFilter {
|
|
- List<IpAddressMatcher> deniedIpMatchers
|
|
- List<IpAddressMatcher> authorizedIpMatchers
|
|
- IpSource ipSource
|
|
+ void setAuthorizedips(String)
|
|
+ void setDeniedIps(String)
|
|
+ void setIpSource(IpSource)
|
|
+ String getHostFromRequest(ServletRequest)
|
|
}
|
|
|
|
class PermissionAuthorizationFilter
|
|
|
|
class PortFilter {
|
|
- int port
|
|
# int toPort(Object)
|
|
# String getScheme(String, int)
|
|
}
|
|
|
|
class RolesAuthorizationFilter
|
|
|
|
class SslFilter {
|
|
- HSTS hsts
|
|
}
|
|
|
|
abstract class AbstractShiroFilter {
|
|
- WebSecurityManager securityManager
|
|
- FilterChainResolver filterChainResolver
|
|
- boolean staticSecurityManagerEnabled
|
|
- void applyStaticSecurityManagerEnabledConfig()
|
|
+ void init()
|
|
- void ensureSecurityManager()
|
|
# WebSecurityManager createDefaultSecurityManager()
|
|
# boolean isHttpSession()
|
|
# ServletRequest wrapServletRequest(HttpServletRequest)
|
|
# ServletRequest prepareServletRequest(ServletRequest, ServletResponse, FilterChain)
|
|
# ServletResponse wrapServletResponse(HttpServletResponse, ShiroHttpServletRequest)
|
|
# ServletResponse prepareServletResponss(ServletRequest, ServletResponse, FilterChain)
|
|
# WebSubject createSubject(ServletRequest, ServletResponse)
|
|
# void updateSessionLastAccessTime(ServletRequest, ServletResponse)
|
|
# FilterChain getExecutableChain(ServletRequest, ServletResponse, FilterChain)
|
|
# void executeChain(ServletRequest, ServletResponse, FilterChain)
|
|
}
|
|
|
|
class ShiroFilter
|
|
|
|
BearerHttpAuthenticationFilter --|> HttpAuthenticationFilter
|
|
BasicHttpAuthenticaitonFilter --|> HttpAuthenticationFilter
|
|
PortFilter <|- SslFilter
|
|
HttpAuthenticationFilter --|> AuthenticatingFilter
|
|
FormAuthenticationFilter --|> AuthenticatingFilter
|
|
AuthenticatingFilter --|> AuthenticationFilter
|
|
PassThruAuthentcationFilter -|> AuthenticationFilter
|
|
HttpMethodPermissionFilter --|> PermissionAuthorizationFilter
|
|
IpFilter --|> AuthorizationFilter
|
|
AuthorizationFilter <|- PortFilter
|
|
AuthorizationFilter <|-- RolesAuthorizationFilter
|
|
PermissionAuthorizationFilter --|> AuthorizationFilter
|
|
HostFilter --|> AuthorizationFilter
|
|
AuthenticationFilter --|> AccessControlFilter
|
|
UserFilter --|> AccessControlFilter
|
|
AuthorizationFilter --|> AccessControlFilter
|
|
AccessControlFilter --|> PathMatchingFilter
|
|
AnonymousFilter --|> PathMatchingFilter
|
|
NoSessionCreationFilter -|> PathMatchingFilter
|
|
PathMatchingFilter -|> AdviceFilter
|
|
AdviceFilter <|- LogoutFilter
|
|
PathMatchingFilter ..|> PathConfigProcessor
|
|
ShiroFilter --|> AbstractShiroFilter
|
|
AdviceFilter --|> OncePerRequestFilter
|
|
OncePerRequestFilter <|-- AbstractShiroFilter
|
|
OncePerRequestFilter --|> NameableFilter
|
|
AbstractFilter <|-- NameableFilter
|
|
NameableFilter ..|> Nameable
|
|
ServletContextSupport <|- AbstractFilter
|
|
AbstractFilter ..|> Filter
|
|
@enduml
|
|
|
|
@startuml shiro-authc-flow
|
|
!include ./activity-settings.puml
|
|
|
|
start
|
|
:用户提交Web请求;
|
|
if (用户请求是登录请求) then (是)
|
|
partition Controller {
|
|
:取得用户名及密码;
|
|
:构建相应的AuthenticationToken;
|
|
}
|
|
else (否)
|
|
partition Filter {
|
|
:解析用户请求中提供的认证信息;
|
|
:解析认证信息构建AuthenticationToken;
|
|
}
|
|
endif
|
|
:使用SecurityUtils获取Subject实例;
|
|
note right
|
|
所有的登录步骤都将存在于
|
|
Controller的登录处理方法
|
|
和Filter的executeLogin()
|
|
方法中。
|
|
end note
|
|
:使用Subject对AuthenticationToken进行登录验证;
|
|
partition SecurityManager {
|
|
:使用Authenticator处理AuthenticationToken;
|
|
repeat
|
|
:Authenticator从Realm列表中获取一个Realm;
|
|
:使用Realm对AuthenticationToken进行验证;
|
|
if (Realm支持处理AuthenticationToken) then (支持)
|
|
:从AuthenticationToken中获取Principal;
|
|
:从用户信息存储中利用Principal获取完整的用户信息;
|
|
:使用用户信息构建AuthenticationInfo;
|
|
else (不支持)
|
|
endif
|
|
repeat while (所有Realm都循环过了) is (否) not (是)
|
|
:根据返回的AuthenticationInfo设置Subject;
|
|
}
|
|
:获取保存在Subject中的AuthorizationInfo;
|
|
:对比用户业务所需的权限;
|
|
if (用户拥有所需的权限) then (是)
|
|
:继续用户业务功能的执行;
|
|
else (否)
|
|
:阻止用户业务功能的执行;
|
|
endif
|
|
stop
|
|
|
|
@enduml
|