shiro源码篇 - shiro的filter,你值得拥有
开心一刻
已经报废了一年多的电脑,今天特么突然开机了,吓老子一跳
只见电脑管家缓缓地出来了,本次开机一共用时一年零六个月,打败了全国0%的电脑,电脑管家已经对您的电脑失去信心,然后它把自己卸载了,只剩我在一旁发呆
shiroFilter的注册
此篇博文讲到了springboot的filter注册,但只是filter注册的一种方式:通过FilterRegistrationBean实现。而Shiro Filter的注册是采用另外的方式实现的,我们接着往下看
ShiroFilterFactoryBean实现了FactoryBean,我们来看下ShiroFilterFactoryBean对FactoryBean的getObject方法的实现
git图一
可以看到createInstance()返回的是SpringShiroFilter的实例;SpringShiroFilter的类图如下
getObject方法只是创建了一个SpringShiroFilter实例,并注册到了spring容器中,那是如何注册到servlet容器的呢?我们来跟下源码
这篇博文其实涉及到了,只是那时候没细讲,我们还是从那里开始
gif图二
ServletContextInitializerBeans.java的构造方法,里面有addServletContextInitializerBeans(beanFactory)方法和addAdaptableBeans(beanFactory),我们来好好瞅一瞅
addServletContextInitializerBeans(beanFactory)
private void addServletContextInitializerBeans(ListableBeanFactory beanFactory) { for (Entry<String, ServletContextInitializer> initializerBean : getOrderedBeansOfType( beanFactory, ServletContextInitializer.class)) { addServletContextInitializerBean(initializerBean.getKey(), initializerBean.getValue(), beanFactory); } } private void addServletContextInitializerBean(String beanName, ServletContextInitializer initializer, ListableBeanFactory beanFactory) { if (initializer instanceof ServletRegistrationBean) { Servlet source = ((ServletRegistrationBean<?>) initializer).getServlet(); addServletContextInitializerBean(Servlet.class, beanName, initializer, beanFactory, source); } else if (initializer instanceof FilterRegistrationBean) { Filter source = ((FilterRegistrationBean<?>) initializer).getFilter(); addServletContextInitializerBean(Filter.class, beanName, initializer, beanFactory, source); } else if (initializer instanceof DelegatingFilterProxyRegistrationBean) { String source = ((DelegatingFilterProxyRegistrationBean) initializer) .getTargetBeanName(); addServletContextInitializerBean(Filter.class, beanName, initializer, beanFactory, source); } else if (initializer instanceof ServletListenerRegistrationBean) { EventListener source = ((ServletListenerRegistrationBean<?>) initializer) .getListener(); addServletContextInitializerBean(EventListener.class, beanName, initializer, beanFactory, source); } else { addServletContextInitializerBean(ServletContextInitializer.class, beanName, initializer, beanFactory, initializer); } }
会将spring bean工厂(beanFactory)中类型是ServletContextInitalizer类型的实例(包括ServletRegistrationBean、FilterRegistrationBean、DelegatingFilterProxyRegistrationBean、ServletListenerRegistrationBean)添加进ServletContextInitializerBeans的initializers属性中。
private final MultiValueMap<Class<?>, ServletContextInitializer> initializers;
ServletContextInitalizer的子类图如下所示
这也就是上篇博文注册Filter的方式,以RegistrationBean方式实现的,但是SpringShiroFilter不是在这添加进ServletContextInitializerBeans的initializers中的哦
addAdaptableBeans(beanFactory)
private void addAdaptableBeans(ListableBeanFactory beanFactory) { MultipartConfigElement multipartConfig = getMultipartConfig(beanFactory); addAsRegistrationBean(beanFactory, Servlet.class, new ServletRegistrationBeanAdapter(multipartConfig)); addAsRegistrationBean(beanFactory, Filter.class, new FilterRegistrationBeanAdapter()); for (Class<?> listenerType : ServletListenerRegistrationBean .getSupportedTypes()) { addAsRegistrationBean(beanFactory, EventListener.class, (Class<EventListener>) listenerType, new ServletListenerRegistrationBeanAdapter()); } }
会将beanFactory中的Servlet、Filter、Listener实例封装成对应的RegistrationBean,然后添加到ServletContextInitializerBeans的initializers;部分细节没去跟,有兴趣的可以自行去跟下源代码。
ServletContextInitializerBeans的sortedList的内容最终如下
然后遍历这个sortedList,逐个注入到servlet容器
小结
springboot下有3种方式注册Filter(Servlet、Listener类似),FilterRegistrationBean、@WebFilter 和@Bean,@WebFilter我还没试过,另外这3种方式注册的Filter的优先级是:FilterRegistrationBean > @WebFilter > @Bean(网上查阅的资料,我没试哦,使用过程中需要注意!)。
不管是FilterRegistrationBean方式、@WebFilter方式,还是@Bean方式,只要是受spring容器管理,最终都会添加到ServletContextInitializerBeans的initializers中,都会成功注册到servlet容器。@WebFilter方式和@Bean方式注册的Filter都会被封装成FilterRegistrationBean,然后添加进ServletContextInitializerBeans的initializers;3种方式最终殊途同归,都以FilterRegistrationBean的形式存在ServletContextInitializerBeans的initializers中。SpringShiroFilter的注册算是@Bean方式注册的,至此SpringShiroFilter就注册到了servlet容器中了。
ServletContextInitializerBeans的sortedList如下:
private List<ServletContextInitializer> sortedList;
是一个有序的ServletContextInitializer List,这个有序针对的同类型,比如所有的FilterRegistrationBean有序,所有的ServletRegistrationBean有序,FilterRegistrationBean与ServletRegistrationBean之间有没有序是无意义的。
shiro中的Filter链
shiro的默认filter列表
除了SpringShiroFilter之外,shiro还有默认的11个Filter;细心的朋友应该在git图一中已经发现了,在创建DefaultFilterChainManager,就把默认的11个Filter添加到它的filters中
private Map<String, Filter> filters; //pool of filters available for creating chains private Map<String, NamedFilterList> filterChains; //key: chain name, value: chain public DefaultFilterChainManager() { this.filters = new LinkedHashMap<String, Filter>(); this.filterChains = new LinkedHashMap<String, NamedFilterList>(); addDefaultFilters(false); // 将默认的11个Filter添加到filters }
这11个Filter具体如下
anon(AnonymousFilter.class), authc(FormAuthenticationFilter.class), authcBasic(BasicHttpAuthenticationFilter.class), logout(LogoutFilter.class), noSessionCreation(NoSessionCreationFilter.class), perms(PermissionsAuthorizationFilter.class), port(PortFilter.class), rest(HttpMethodPermissionFilter.class), roles(RolesAuthorizationFilter.class), ssl(SslFilter.class), user(UserFilter.class);
Filter链
SpringShiroFilter注册到servlet容器中,请求肯定会经过SpringShiroFilter的doFilter方法,我们就从此开始跟一跟源代码
gif图三
上图中可能展示的不够细,主要就是两点:1、路径匹配:pathMatches(pathPattern, requestURI),默认的Fliter逐个与请求URI进行匹配;2、代理FilterChain:ProxiedFilterChain。如果匹配不上,那么直接走servlet的FilterChain,否则先走shiro的代理FilterChain(ProxiedFilterChain),之后再走servlet的FilterChain。
ProxiedFilterChain源代码如下
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.shiro.web.servlet; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.servlet.*; import java.io.IOException; import java.util.List; /** * A proxied filter chain is a {@link FilterChain} instance that proxies an original {@link FilterChain} as well * as a {@link List List} of other {@link Filter Filter}s that might need to execute prior to the final wrapped * original chain. It allows a list of filters to execute before continuing the original (proxied) * {@code FilterChain} instance. * * @since 0.9 */ public class ProxiedFilterChain implements FilterChain { //TODO - complete JavaDoc private static final Logger log = LoggerFactory.getLogger(ProxiedFilterChain.class); private FilterChain orig; // 原FilterChain,也就是servlet容器的FilterChain private List<Filter> filters; // shiro默认的11个Filter private int index = 0; public ProxiedFilterChain(FilterChain orig, List<Filter> filters) { if (orig == null) { throw new NullPointerException("original FilterChain cannot be null."); } this.orig = orig; this.filters = filters; this.index = 0; } public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException { if (this.filters == null || this.filters.size() == this.index) { //we've reached the end of the wrapped chain, so invoke the original one: if (log.isTraceEnabled()) { log.trace("Invoking original filter chain."); } this.orig.doFilter(request, response); // 当shiro的11个Filter走完之后,继续走servlet容器的FilterChain } else { if (log.isTraceEnabled()) { log.trace("Invoking wrapped filter at index [" + this.index + "]"); } this.filters.get(this.index++).doFilter(request, response, this); // 递归逐个走shiro的11个Filter } } }
Shiro对Servlet容器的FilterChain进行了代理,即ShiroFilter在继续Servlet容器的Filter链的执行之前,通过ProxiedFilterChain对Servlet容器的FilterChain进行了代理;即先走Shiro自己的Filter体系,然后才会委托给Servlet容器的FilterChain进行Servlet容器级别的Filter链执行;Shiro的ProxiedFilterChain执行流程:1、先执行Shiro自己的Filter链;2、再执行Servlet容器的Filter链(即原始的 Filter)。
总结
1、SpringShiroFilter注册到spring容器,会被包装成FilterRegistrationBean,通过FilterRegistrationBean注册到servlet容器;
2、一般而言,shiro的PathMatchingFilterChainResolver会匹配所有的请求,Shiro对Servlet容器的FilterChain进行了代理,生成代理FilterChain:ProxiedFilterChain,请求先走Shiro自己的Filter链,再走Servelt容器的Filter链;
3、题外话,springboot注册Filter、Servlet、Listener方式类似,都有3种,具体是哪三种,大家去上文看;关于Shiro的Filter,本文没做更详细的讲解,需要了解的可以去看《跟我学shiro》
参考
《跟我学shiro》
shiro源码