通过前两节的学习,我们知道shiroFilter会使用FilterChainManager来代理过滤器链,从而先执行shiro的过滤器链,然后再执行原过滤器链。平时我们都是如何使用shiro的登陆验证,权限验证的?
配置shiro过滤器
下面的代码是不是很熟悉。
@Bean
public ShiroFilterFactoryBean shiroFilter2(final SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 设置登陆页面
shiroFilterFactoryBean.setLoginUrl("/login2.html");
// 设置登陆成功页面
shiroFilterFactoryBean.setSuccessUrl("/success.html");
// 添加自定义过滤器
Map<String, Filter> filters = new HashMap<String, Filter>();
filters.put("myFilter", new FormAuthenticationFilter());
shiroFilterFactoryBean.setFilters(filters);
// 设置访问请求过滤
Map<String, String> filterChainDefinitionMap = new HashMap<String, String>();
filterChainDefinitionMap.put("/my", "myFilter");
filterChainDefinitionMap.put("/getUser", "authc");
filterChainDefinitionMap.put("/deleteUser", "roles[admin,user]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
由上可见,ShiroFilterFactoryBean起到了至关重要的作用!
ShiroFilterFactoryBean实现了FactoryBean, BeanPostProcessor这两个接口(在spring中鼎鼎大名)。
ShiroFilterFactoryBean实现了BeanPostProcessor接口
// 该方法会对所有的bean进行一个初始化之前的代理
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
// 如果是spring注册的Filter,也会添加到Shiro中统一管理。
if (bean instanceof Filter) {
log.debug("Found filter chain candidate filter '{}'", beanName);
Filter filter = (Filter) bean;
applyGlobalPropertiesIfNecessary(filter);
getFilters().put(beanName, filter);
} else {
log.trace("Ignoring non-Filter bean '{}'", beanName);
}
return bean;
}
ShiroFilterFactoryBean实现了FactoryBean接口
一般情况下,spring通过反射机制利用bean的class属性指定实现类来实例化Bean,但在某些情况下,实例化bean过程比较复杂,如果按照传统的方式,则需要在<bean>中提供大量的配置信息,配置方式的灵活性是受限的,这就需要使用编码的方式可能会得到一个简单的方案。Spring为此提供了一个FactoryBean接口,用户可以通过实现该接口定制实例化bean的逻辑。在该接口中定义了以下3个方法。
// 返回FactoryBean创建的bean实例,如果isSingleton()返回true,则该实例会放到Spring容器中单实例缓存池中。
public Object getObject() throws Exception {
if (instance == null) {
instance = createInstance();
}
return instance;
}
// 返回FactoryBean创建的bean类型。
public Class getObjectType() {
return SpringShiroFilter.class;
}
// 返回由FactoryBean创建的bean实例的作用域是singleton还是prototype。
public boolean isSingleton() {
return true;
}
从上面可知,ShiroFilterFactoryBean创建的实例是SpringShiroFilter(在上篇已经分析过了)
ShiroFilterFactoryBean.createInstance方法
protected AbstractShiroFilter createInstance() throws Exception {
log.debug("Creating Shiro Filter instance.");
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
String msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
}
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
// 创建FilterChainManager,FilterChainManager在上上篇已经分析过了
FilterChainManager manager = createFilterChainManager();
// 使用FilterChainResolver来包装FilterChainManager,FilterChainManager对于shiroFilter是透明的。
PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
//创建shiroFilter实例,并注入SecurityManager和FilterChainResolver
return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}
ShiroFilterFactoryBean.createFilterChainManager方法
protected FilterChainManager createFilterChainManager() {
DefaultFilterChainManager manager = new DefaultFilterChainManager();
Map<String, Filter> defaultFilters = manager.getFilters();
// 如果有必要,为每个filter配置loginUrl,successUrl,unauthorizedUrl
for (Filter filter : defaultFilters.values()) {
applyGlobalPropertiesIfNecessary(filter);
}
// 获取spring定义的filter和自定义的filter
Map<String, Filter> filters = getFilters();
if (!CollectionUtils.isEmpty(filters)) {
for (Map.Entry<String, Filter> entry : filters.entrySet()) {
String name = entry.getKey();
Filter filter = entry.getValue();
// 如果有必要,为每个filter配置loginUrl,successUrl,unauthorizedUrl
applyGlobalPropertiesIfNecessary(filter);
if (filter instanceof Nameable) {
((Nameable) filter).setName(name);
}
// 将filter添加到FilterChainManager进行管理,初始化参数为false,spring已经初始化完成,
manager.addFilter(name, filter, false);
}
}
// 根据配置的请求路径以及对应的过滤器和配置,创建过滤器链
// 例如 “/deleteUser roles[admin]” 那么url=/deleteUser,FilterChainManager会使用createChain方法解析“roles[admin]”,然后构造“/deleteUser”对应的过滤器链。
Map<String, String> chains = getFilterChainDefinitionMap();
if (!CollectionUtils.isEmpty(chains)) {
for (Map.Entry<String, String> entry : chains.entrySet()) {
String url = entry.getKey();
String chainDefinition = entry.getValue();
manager.createChain(url, chainDefinition);
}
}
return manager;
}
ShiroFilterFactoryBean.applyGlobalPropertiesIfNecessary方法
private void applyGlobalPropertiesIfNecessary(Filter filter) {
applyLoginUrlIfNecessary(filter);
applySuccessUrlIfNecessary(filter);
applyUnauthorizedUrlIfNecessary(filter);
}
private void applyLoginUrlIfNecessary(Filter filter) {
String loginUrl = getLoginUrl();
if (StringUtils.hasText(loginUrl) && (filter instanceof AccessControlFilter)) {
AccessControlFilter acFilter = (AccessControlFilter) filter;
//如果filter实现了AccessControlFilter类,那么为该filter配置loginUrl
String existingLoginUrl = acFilter.getLoginUrl();
if (AccessControlFilter.DEFAULT_LOGIN_URL.equals(existingLoginUrl)) {
acFilter.setLoginUrl(loginUrl);
}
}
}
ShiroFilterFactoryBean.setFilters方法
private Map<String, Filter> filters;
public void setFilters(Map<String, Filter> filters) {
this.filters = filters;
}
还记得开头得例子吗,我们可以使用setFilters方法将自定义的filter方法添加到shiro中,并可以在对应的请求路径中设置自定义的过滤器进行处理。
// 添加自定义过滤器
Map<String, Filter> filters = new HashMap<String, Filter>();
filters.put("myFilter", new FormAuthenticationFilter());
shiroFilterFactoryBean.setFilters(filters);
// 设置访问请求过滤
Map<String, String> filterChainDefinitionMap = new HashMap<String, String>();
filterChainDefinitionMap.put("/my", "myFilter");
当然我们也可以像spring一样直接把myFilter通过@Bean注入到shiro中,然后在对应的请求路径中设置该过滤器处理,这种方式不推荐,对于学习shiro不是很清楚。