shiro spring-web集成

shiro 在web的初始化流程

基本知识:

web.xml的加载顺序

context-param -> listener -> filter -> servlet

filter 生命周期

1. 容器初始化时调用 init
2. 每次请求时 doFilter
3. 容器卸载时调用 destory

web.xml 中 shiro的配置

 <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>shiroFilter</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

spring-mvc 配置

装配了 shiroFilter 对象,和内置的属性

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <!-- loginUrl认证提交地址，如果没有认证将会请求此地址进行认证，请求此地址将由formAuthenticationFilter进行表单认证 -->
        <property name="loginUrl" value="/login.action" />
        <!-- 认证成功统一跳转到first.action，建议不配置，shiro认证成功自动到上一个请求路径 -->
        <property name="successUrl" value="/index.action" />
        <!-- 通过unauthorizedUrl指定没有权限操作时跳转页面 -->
        <property name="unauthorizedUrl" value="/refuse.action" />

        <!-- 过虑器链定义，从上向下顺序执行，一般将/**放在最下边 -->
        <property name="filterChainDefinitions">
            <value>
                <!-- 静态资源放行 -->
                /login/account = anon

                /user = perms["user:view"]
                <!--商品查询需要商品查询权限 ，取消url拦截配置，使用注解授权方式 -->
                <!-- /itemEdit.action = perms[item:edit] -->

                <!-- 请求 logout.action地址，shiro去清除session -->
                /logout = logout

                <!-- /** = authc 所有url都必须认证通过才可以访问 -->
                /** = authc

                <!-- 所有url都可以匿名访问 -->
                <!-- /** = anon -->
            </value>
        </property>
    </bean>

    <!-- securityManager安全管理器 -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- 注入realm -->
        <property name="realm" ref="customRealm" />
        <property name="sessionManager" ref="sessionManager"/>
    </bean>

    <!-- 会话管理器 -->
    <bean id="sessionManager"
          class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <!-- session的失效时长，单位毫秒 -->
        <property name="globalSessionTimeout" value="600000" />
        <!-- 删除失效的session -->
        <property name="deleteInvalidSessions" value="true" />
    </bean>

    <!-- realm -->
    <bean id="customRealm" class="org.apache.shiro.realm.text.IniRealm">
        <constructor-arg index="0" value="classpath:shiro.ini"/>
    </bean>

shiro.ini配置

[users]
root = root, admin
guest = guest, guestrole

[roles]
admin = user:*
guestrole = system:*

主体

org.springframework.web.filter.DelegatingFilterProxy 是一个实现了Filter接口的类

实际上在web运行过程中,运行代理bean的所有操作

代理bean配置为: targetBeanName

接下来介绍 DelegatingFilterProxy 在生命周期中是如何调用代理bean相应的方法的

init

父类GenericFilterBean 实现了init

GenericFilterBean

    public final void init(FilterConfig filterConfig) throws ServletException {
        Assert.notNull(filterConfig, "FilterConfig must not be null");
        if (logger.isDebugEnabled()) {
            logger.debug("Initializing filter '" + filterConfig.getFilterName() + "'");
        }

        this.filterConfig = filterConfig;

        // Set bean properties from init parameters.
        try {
            PropertyValues pvs = new FilterConfigPropertyValues(filterConfig, this.requiredProperties);
            BeanWrapper bw = PropertyAccessorFactory.forBeanPropertyAccess(this);
            ResourceLoader resourceLoader = new ServletContextResourceLoader(filterConfig.getServletContext());
            bw.registerCustomEditor(Resource.class, new ResourceEditor(resourceLoader, this.environment));
            initBeanWrapper(bw);
            bw.setPropertyValues(pvs, true);
        }
        catch (BeansException ex) {
            String msg = "Failed to set bean properties on filter '" +
                filterConfig.getFilterName() + "': " + ex.getMessage();
            logger.error(msg, ex);
            throw new NestedServletException(msg, ex);
        }

        // Let subclasses do whatever initialization they like.
        initFilterBean();

        if (logger.isDebugEnabled()) {
            logger.debug("Filter '" + filterConfig.getFilterName() + "' configured successfully");
        }
    }

级别2

initFilterBean();

DelegatingFilterProxy

@Override
    protected void initFilterBean() throws ServletException {
        synchronized (this.delegateMonitor) {
            if (this.delegate == null) {
                // If no target bean name specified, use filter name.
                if (this.targetBeanName == null) {
                    this.targetBeanName = getFilterName();
                }
                // Fetch Spring root application context and initialize the delegate early,
                // if possible. If the root application context will be started after this
                // filter proxy, we'll have to resort to lazy initialization.
                WebApplicationContext wac = findWebApplicationContext();
                if (wac != null) {
                    this.delegate = initDelegate(wac);
                }
            }
        }
    }

级别3

this.delegate = initDelegate(wac);

获取web.xml 里面配置的targetBeanName: shiroFilter, 用shiroFilter.init

DelegatingFilterProxy

    protected Filter initDelegate(WebApplicationContext wac) throws ServletException {
        Filter delegate = wac.getBean(getTargetBeanName(), Filter.class);
        if (isTargetFilterLifecycle()) {
            delegate.init(getFilterConfig());
        }
        return delegate;
    }

doFilter

1. 判断是否有代理类,没有就初始化
2. 用代理类的doFilter

DelegatingFilterProxy

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        // Lazily initialize the delegate if necessary.
        Filter delegateToUse = this.delegate;
        if (delegateToUse == null) {
            synchronized (this.delegateMonitor) {
                if (this.delegate == null) {
                    WebApplicationContext wac = findWebApplicationContext();
                    if (wac == null) {
                        throw new IllegalStateException("No WebApplicationContext found: " +
                                "no ContextLoaderListener or DispatcherServlet registered?");
                    }
                    this.delegate = initDelegate(wac);
                }
                delegateToUse = this.delegate;
            }
        }

        // Let the delegate perform the actual doFilter operation.
        invokeDelegate(delegateToUse, request, response, filterChain);
    }

级别2

invokeDelegate(delegateToUse, request, response, filterChain);

DelegatingFilterProxy

    protected void invokeDelegate(
            Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        delegate.doFilter(request, response, filterChain);
    }

destory

DelegatingFilterProxy

    protected void destroyDelegate(Filter delegate) {
            if (isTargetFilterLifecycle()) {
                delegate.destroy();
            }
    }

    public void destroy() {
        Filter delegateToUse = this.delegate;
        if (delegateToUse != null) {
            destroyDelegate(delegateToUse);
        }
    }

总结

org.springframework.web.filter.DelegatingFilterProxy 使用代理模式
实际上调用的是web.xml配置的 targetBeanName 的init,doFilter,destory

参考网站:

• shiro spring 配置结合: https://www.cnblogs.com/qlqwjy/p/7257502.html
• maven shiro spring 配置: https://blog.csdn.net/userrefister/article/details/72760424