- 1、shiro如何介入你的spring程序
基本流程是
调用FilterRegistrationBean向spring注册过滤器-->使用DelegatingFilterProxy代理过滤器-->代理过滤器以bean的形式获取过滤器
shiro通过监听器来介入你的spring程序,在配置的时候
@Bean
public FilterRegistrationBean filterRegistrationBean() {
FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
filterRegistration.setEnabled(true);
filterRegistration.addUrlPatterns("/*");
filterRegistration.setDispatcherTypes(DispatcherType.REQUEST);
return filterRegistration;
}
在set过滤器的时候使用了DelegatingFilterProxy授权过滤器代理类,该类继承了GenericFilterBean通用过滤器类,并且可以像管理spring bean一样,把过滤器作为一个bean来委托给spring管理其生存周期,其依赖关系如图所示
依赖关系
该类实现了Filter接口,在过滤器初始化时,调用GenericFilterBean的init()方法,其源代码如下所示
@Override
public final void init(FilterConfig filterConfig) throws ServletException {
Assert.notNull(filterConfig, "FilterConfig must not be null");
if (logger.isDebugEnabled()) {
logger.debug("Initializing filter '" + filterConfig.getFilterName() + "'");
}
this.filterConfig = filterConfig;
// Set bean properties from init parameters.
try {
PropertyValues pvs = new FilterConfigPropertyValues(filterConfig, this.requiredProperties);
BeanWrapper bw = PropertyAccessorFactory.forBeanPropertyAccess(this);
ResourceLoader resourceLoader = new ServletContextResourceLoader(filterConfig.getServletContext());
bw.registerCustomEditor(Resource.class, new ResourceEditor(resourceLoader, this.environment));
initBeanWrapper(bw);
bw.setPropertyValues(pvs, true);
}
catch (BeansException ex) {
String msg = "Failed to set bean properties on filter '" +
filterConfig.getFilterName() + "': " + ex.getMessage();
logger.error(msg, ex);
throw new NestedServletException(msg, ex);
}
// Let subclasses do whatever initialization they like.
initFilterBean(); //调用子类的初始化方法
if (logger.isDebugEnabled()) {
logger.debug("Filter '" + filterConfig.getFilterName() + "' configured successfully");
}
}
在该方法的最后会调用initFilterBean()方法,该方法是别其子类DelegatingFilterProxy重写了,所以会调用DelegatingFilterProxy的initFilterBean()方法,其运行栈如下所示
initFilterBean()-->initDelegate()
initDelegate()方法的源代码为
protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);
if (isTargetFilterLifecycle()) {
delegate.init(getFilterConfig());
}
return delegate;
}
在Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);中从程序的上下文中获取bean,在这个地方获取的bean是一个FactoryBean,获取的不是他本身,而是其getObject()方法返回的对象,在上文中
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilter(){
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager());
bean.setLoginUrl("/api/user/login");
bean.setUnauthorizedUrl("/api/user/unauthor");
Map<String, Filter>filters = Maps.newHashMap();
filters.put("perms", urlPermissionsFilter());
filters.put("anon", new AnonymousFilter());
bean.setFilters(filters);
Map<String, String> chains = Maps.newHashMap();
chains.put("/api/user/login", "anon");
chains.put("/api/user/unauthor", "anon");
chains.put("/api/user/forgetpw", "anon");
chains.put("/api/user/register", "anon");
chains.put("/api/user/requestSMSCode", "anon");
chains.put("/base/**", "anon");
chains.put("/css/**", "anon");
chains.put("/layer/**", "anon");
chains.put("/**", "authc");
bean.setFilterChainDefinitionMap(chains);
return bean;
}
后面说了DelegatingFilterProxy类把名字为shiroFilter的Bean作为过滤器,注入的是**ShiroFilterFactoryBean **类,该类的getObject()方法为
public Object getObject() throws Exception {
if (instance == null) {
instance = createInstance();
}
return instance;
}
protected AbstractShiroFilter createInstance() throws Exception {
log.debug("Creating Shiro Filter instance.");
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
String msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
}
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
FilterChainManager manager = createFilterChainManager();
//Expose the constructed FilterChainManager by first wrapping it in a
// FilterChainResolver implementation. The AbstractShiroFilter implementations
// do not know about FilterChainManagers - only resolvers:
PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
//Now create a concrete ShiroFilter instance and apply the acquired SecurityManager and built
//FilterChainResolver. It doesn't matter that the instance is an anonymous inner class
//here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts
//injection of the SecurityManager and FilterChainResolver:
return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}
虽然该类没有实现Filter接口,但是在getObject()返回的类中是实现了该接口的类,这是我当时一直迷惑的地方,当时一直在疑问,为什么ShiroFilterFactoryBean 类没有实现Filter接口也可以被当做过滤器注入,当时我没有注意到该类不是普通的spring Bean而是FactoryBean,spring获取的Bean不是该类本身而是该类的getObject()方法返回的对象实例,在该创建实例方法中,最后返回的是SpringShiroFilter类,该类是**ShiroFilterFactoryBean **的一个静态内部类,传入了securityManager,这也是我们能够配置Shiro的核心组件SecurityManager的原因。
网友评论