No-argument constructor which {@link #setAuthenticationStrategy(AuthenticationStrategy) enables} an {@link hunt.shiro.authc.pam.AtLeastOneSuccessfulStrategy} by default.
Used by the internal {@link #doAuthenticate} implementation to ensure that the {@code realms} property has been set. The default implementation ensures the property is not null and not empty.
Attempts to authenticate the given token by iterating over the internal collection of {@link Realm}s. For each realm, first the {@link Realm#supports(hunt.shiro.authc.AuthenticationToken)} method will be called to determine if the realm supports the {@code authenticationToken} method argument. <p/> If a realm does support the token, its {@link Realm#getAuthenticationInfo(hunt.shiro.authc.AuthenticationToken)} method will be called. If the realm returns a non-null account, the token will be considered authenticated for that realm and the account data recorded. If the realm returns {@code null}, the next realm will be consulted. If no realms support the token or all supporting realms return null, an {@link AuthenticationException} will be thrown to indicate that the user could not be authenticated. <p/> After all realms have been consulted, the information from each realm is aggregated into a single {@link AuthenticationInfo} object and returned.
Performs the multi-realm authentication attempt by calling back to an {@link AuthenticationStrategy} object as each realm is consulted for {@code AuthenticationInfo} for the specified {@code token}.
Performs the authentication attempt by interacting with the single configured realm, which is significantly simpler than performing multi-realm logic.
Returns the {@code AuthenticationStrategy} utilized by this modular authenticator during a multi-realm log-in attempt. This object is only used when two or more Realms are configured. <p/> Unless overridden by the {@link #setAuthenticationStrategy(AuthenticationStrategy)} method, the default implementation is the {@link hunt.shiro.authc.pam.AtLeastOneSuccessfulStrategy}.
Returns the realm(s) used by this {@code Authenticator} during an authentication attempt.
First calls <code>super.onLogout(principals)</code> to ensure a logout notification is issued, and for each wrapped {@code Realm} that implements the {@link LogoutAware LogoutAware} interface, calls <code>((LogoutAware)realm).onLogout(principals)</code> to allow each realm the opportunity to perform logout/cleanup operations during a user logout. <p/> Shiro's Realm implementations all implement the {@code LogoutAware} interface by default and can be overridden for realm-specific logout logic.
Allows overriding the default {@code AuthenticationStrategy} utilized during multi-realm log-in attempts. This object is only used when two or more Realms are configured.
Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration.
Sets the {@link AuthenticationListener AuthenticationListener}s that should be notified during authentication attempts.
Returns the {@link AuthenticationListener AuthenticationListener}s that should be notified during authentication attempts.
Notifies any registered {@link AuthenticationListener AuthenticationListener}s that authentication was successful for the specified {@code token} which resulted in the specified {@code info}. This implementation merely iterates over the internal {@code listeners} collection and calls {@link AuthenticationListener#onSuccess(AuthenticationToken, AuthenticationInfo) onSuccess} for each.
Notifies any registered {@link AuthenticationListener AuthenticationListener}s that authentication failed for the specified {@code token} which resulted in the specified {@code ae} exception. This implementation merely iterates over the internal {@code listeners} collection and calls {@link AuthenticationListener#onFailure(AuthenticationToken, AuthenticationException) onFailure} for each.
Notifies any registered {@link AuthenticationListener AuthenticationListener}s that a {@code Subject} has logged-out. This implementation merely iterates over the internal {@code listeners} collection and calls {@link AuthenticationListener#onLogout(hunt.shiro.subject.PrincipalCollection) onLogout} for each.
This implementation merely calls {@link #notifyLogout(hunt.shiro.subject.PrincipalCollection) notifyLogout} to allow any registered listeners to react to the logout.
Implementation of the {@link Authenticator} interface that functions in the following manner: <ol> <li>Calls template {@link #doAuthenticate doAuthenticate} method for subclass execution of the actual authentication behavior.</li> <li>If an {@code AuthenticationException} is thrown during {@code doAuthenticate}, {@link #notifyFailure(AuthenticationToken, AuthenticationException) notify} any registered {@link AuthenticationListener AuthenticationListener}s of the exception and then propagate the exception for the caller to handle.</li> <li>If no exception is thrown (indicating a successful login), {@link #notifySuccess(AuthenticationToken, AuthenticationInfo) notify} any registered {@link AuthenticationListener AuthenticationListener}s of the successful attempt.</li> <li>Return the {@code AuthenticationInfo}</li> </ol>
Template design pattern hook for subclasses to implement specific authentication behavior. <p/> Common behavior for most authentication attempts is encapsulated in the {@link #authenticate} method and that method invokes this one for custom behavior. <p/> <b>N.B.</b> Subclasses <em>should</em> throw some kind of {@code AuthenticationException} if there is a problem during authentication instead of returning {@code null}. A {@code null} return value indicates a configuration or programming error, since {@code AuthenticationException}s should indicate any expected problem (such as an unknown account or username, or invalid password, etc.).
A {@code ModularRealmAuthenticator} delegates account lookups to a pluggable (modular) collection of {@link Realm}s. This enables PAM (Pluggable Authentication Module) behavior in Shiro. In addition to authorization duties, a Shiro Realm can also be thought of as a PAM 'module'. <p/> Using this Authenticator allows you to "plug-in" your own {@code Realm}s as you see fit. Common realms are those based on accessing LDAP, relational databases, file systems, etc. <p/> If only one realm is configured (this is often the case for most applications), authentication success is naturally only dependent upon invoking this one Realm's {@link Realm#getAuthenticationInfo(hunt.shiro.authc.AuthenticationToken)} method. <p/> But if two or more realms are configured, PAM behavior is implemented by iterating over the collection of realms and interacting with each over the course of the authentication attempt. As this is more complicated, this authenticator allows customized behavior for interpreting what happens when interacting with multiple realms - for example, you might require all realms to be successful during the attempt, or perhaps only at least one must be successful, or some other interpretation. This customized behavior can be performed via the use of a {@link #setAuthenticationStrategy(AuthenticationStrategy) AuthenticationStrategy}, which you can inject as a property of this class. <p/> The strategy object provides callback methods that allow you to determine what constitutes a success or failure in a multi-realm (PAM) scenario. And because this only makes sense in a multi-realm scenario, the strategy object is only utilized when more than one Realm is configured. <p/> As most multi-realm applications require that at least one Realm authenticate successfully, the default implementation is the {@link AtLeastOneSuccessfulStrategy}.
@see #setRealms @see AtLeastOneSuccessfulStrategy @see AllSuccessfulStrategy @see FirstSuccessfulStrategy
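The effect of the strategy choice described above, as an added example: a simplified Python model, not hunt-shiro code. The `Realm` stand-in, the sample accounts and the three strategy labels ("at_least_one", "all", "first") are assumptions that model the at-least-one, all-successful and first-successful interpretations named on this page.

```python
class AuthenticationException(Exception):
    pass

class Realm:
    """Constructed stand-in for a realm: name, supported token type, account table."""
    def __init__(self, name, token_type, accounts):
        self.name, self.token_type, self.accounts = name, token_type, accounts

    def supports(self, token):
        return token["type"] == self.token_type

    def get_authentication_info(self, token):
        # Non-null account data on a credential match, None otherwise.
        if self.accounts.get(token["user"]) == token["secret"]:
            return {"realm": self.name, "principal": token["user"]}
        return None

def authenticate(realms, token, strategy="at_least_one"):
    """Model of the realm loop; with a single realm all three strategies coincide."""
    if not realms:  # mirrors the check that the realms property has been set
        raise ValueError("no realms configured")
    successes = []
    for realm in realms:
        # supports() is asked first; unsupported tokens count as "no account".
        info = realm.get_authentication_info(token) if realm.supports(token) else None
        if info is None:
            if strategy == "all":  # modeled: every realm must succeed
                raise AuthenticationException(f"{realm.name} did not authenticate")
            continue  # otherwise consult the next realm
        successes.append(info)
        if strategy == "first":  # modeled: keep only the first success
            break
    if not successes:
        raise AuthenticationException("no realm authenticated the token")
    return successes  # stands in for the aggregated AuthenticationInfo

# Constructed sample data: same user, strong secret in LDAP, stale one in a legacy DB.
LDAP = Realm("ldap", "password", {"alice": "S3cure!long-passphrase"})
LEGACY = Realm("legacy-db", "password", {"alice": "alice123"})

def realms_accepting(secret, strategy, realms=(LDAP, LEGACY)):
    """Names of the realms whose account data ends up in the result."""
    token = {"type": "password", "user": "alice", "secret": secret}
    try:
        return [i["realm"] for i in authenticate(list(realms), token, strategy)]
    except AuthenticationException:
        return []
```

Under the default at-least-one interpretation, the stale legacy credential alone is enough to log in, so the weakest configured realm sets the bar; review every realm in the collection before relying on the default.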