shiro框架的UsernamePasswordToken与对应Realm中的AuthenticationToken的一点比较

这里以简单的登陆为例子

控制器对应的登陆方法：

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(@RequestParam("username") String username, @RequestParam("password") String password){
    // 获取当前的 Subject. 调用 SecurityUtils.getSubject();
    Subject currentUser = SecurityUtils.getSubject();

    // 测试当前的用户是否已经被认证. 即是否已经登录.
    // 调动 Subject 的 isAuthenticated()
    if (!currentUser.isAuthenticated()) {
        // 把用户名和密码封装为 UsernamePasswordToken 对象
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        // rememberme
        token.setRememberMe(true);
        try {
            System.out.println("UsernamePasswordToken:");
            System.out.println("hashCode:" + token.hashCode());
            System.out.println("Principal:" + token.getPrincipal());
            System.out.println("Credentials:" + String.valueOf((char[]) token.getCredentials()));
            System.out.println("host:" + token.getHost());
            System.out.println("Username:" + token.getUsername());
            System.out.println("Password:" + String.valueOf(token.getPassword()));
            // 执行登录.
            currentUser.login(token);
        }
        // ... catch more exceptions here (maybe custom ones specific to your application?
        // 所有认证时异常的父类.
        catch (AuthenticationException ae) {
            //unexpected condition?  error?
            System.out.println("login failed :" + ae.getMessage());
        }
    }
    return "redirect:/index.jsp";
}

在这里打印了所有的UsernamePasswordToken的属性值

再在对应的Realm中打印一下接收的AuthenticationToken的所有属性值

一个简单的例子：

public class ShiroRealm extends AuthenticatingRealm {

    @Resource
    private AdminService adminService;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("AuthenticationToken:");
        System.out.println("hashCode:" + authenticationToken.hashCode());
        System.out.println("Principal:" + authenticationToken.getPrincipal());
        System.out.println("Credentials:" + authenticationToken.getCredentials().toString());
      
        return null;
    }
}

打印结果：

注意：

credentials这个属性，在UsernamePasswordToken中其实是个Object，查看源代码，getCredentials()方法返回的就是password

源代码，见图：

故，若要正确得到UsernamePasswordToken的password，可以将credentials转为char[]再String.valof()方法获得String。