shiro应该算的上java中最流行的权限框架了,使用的多了,便想着研究一下源码,看它究竟怎么运行的。

doFilter是shiro对于每个请求都会走的一个效验过程。它的流程如下

DelegatingFilterProxy开始,执行dofilter(),这里是一个代理模式,执行的是WebApplicationContext中的filter执行的dofilter方法,这个filter就是shiroFilter.从OncePerRequestFilter开始跟踪,它的执行dofilter()。在dofilter()中,只有这个一个判断,就是已经执行过shiro filter的请求不会再去执行shiro filter,实现方式是在http attribute中set一个属性(filter类名.FILTERED),即shiroFilter.FILTERED。接着执行invokeDelegate调用代理对象的dofilter()方法

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {

    // Lazily initialize the delegate if necessary.
    Filter delegateToUse = this.delegate;
    if (delegateToUse == null) {
    	synchronized (this.delegateMonitor) {
    		delegateToUse = this.delegate;
    		if (delegateToUse == null) {
    			WebApplicationContext wac = findWebApplicationContext();
    			if (wac == null) {
    				throw new IllegalStateException("No WebApplicationContext found: " +
    						"no ContextLoaderListener or DispatcherServlet registered?");
    			}
    			delegateToUse = initDelegate(wac);
    		}
		    this.delegate = delegateToUse;
    	}
    }

    // 调用代理对象的dofilter方法
    invokeDelegate(delegateToUse, request, response, filterChain);
}
protected void invokeDelegate(
      Filter delegate, ServletRequest request, ServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
   delegate.doFilter(request, response, filterChain);
}

delegatefilter的跟踪从AbstractShiroFilter这个父类开始,它是OncePerRequestFilter的子类,OncePerRequestFilter会调用doFilterInternal抽象方法,AbstractShiroFilter去实现它。在doFilterInternal方法中,它会包装request,response,接着将包装后的request,response处理,使用的ServletRequestWrapperServletResponseWrapper,但是包装对象还是原始的request和response,没有替代。这么做的原因应该是便于自定义扩展,比如做一些针对流的操作,流不可重复读写,而采用其他对象包装后,可以把读写后的内容到另一个流里,再去返回。接着生成一个请求对应Subject,让这个Subject去执行新线程的executeChain执行链。

为什么不用线程池去管理线程,而要采用新建线程这种粗暴的方式执行filterChain链,难道Subject的数量是限制了?

在源码中,线程并没有做大小的限制,subject也没有做数量大小的限制,来一个请求就新增一个subject。这里我们采用的方式是重写SubjectFactory,通过redis去缓存principals,根据缓存principals,判断缓存authenticated,通过上面的参数,new Subject。继承Subject,加上user属性,缓存user。

executeChain()方法中,它会在根据请求url,在与FilterChainManager中所有的shiroFilter的chainName(定义的url名)比较,如果存在匹配,这返回对应的filterList。默认使用LinkedHashMap去存url与filterList。并将匹配filter包装到一个FilterChain对象中。接着执行FilterChain

final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);
final ServletResponse response = prepareServletResponse(request, servletResponse, chain);

final Subject subject = createSubject(request, response);

//noinspection unchecked
subject.execute(new Callable() {
    public Object call() throws Exception {
        updateSessionLastAccessTime(request, response);
        executeChain(request, response, chain);
        return null;
    }
});

ProxiedFilterChain是FilterChain的shiro实现类,用于filters链的实现,实现方式很巧妙,在chain执行一个filter,并自增下标,在filter.doFilter()中又调用chain.doFilter,实现链的接下来filter的调用。这个做法是不怎么标准的“责任链模式”。

public class ProxiedFilterChain implements FilterChain {

    private static final Logger log = LoggerFactory.getLogger(ProxiedFilterChain.class);
    private FilterChain orig; //web.xml配置的filter
    private List<Filter> filters; //shiro的filter
    private int index = 0; //执行到了哪一个filter

    public ProxiedFilterChain(FilterChain orig, List<Filter> filters) {
        // init property
    }

    public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
        if (this.filters == null || this.filters.size() == this.index) {
            this.orig.doFilter(request, response);
        } else {
            this.filters.get(this.index++).doFilter(request, response, this);
        }
    }
}

这次执行的就是匹配filter执行dofilter,我们这里匹配的filter是AuthenticatingFilter下的子类。它会先走AdviceFilterdoFilterInternal()。在doFilterInternal(),依次调用preHandleexecuteChainpostHandle三个方法,就好像AOP的切面中的执行前,执行,执行后三个方法。preHandle就是这个filter验证的逻辑,executeChain将调用chain.dofilter(),继续执行下一个filter,postHandle()是递归回来后,去执行什么操作,默认不执行任何操作。这样执行链chain中所有filter,设计精巧,脑洞清奇。如果某个filter失效了,直接在preHandle()中用webTool.write写返回,或默认跳转页面。

shiro源码解析-doFilter

public void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
        throws ServletException, IOException {
    Exception exception = null;
    try {
        boolean continueChain = preHandle(request, response);
        if (log.isTraceEnabled()) {
            log.trace("Invoked preHandle method.  Continuing chain?: [" + continueChain + "]");
        }
        if (continueChain) {
            executeChain(request, response, chain);
        }
        postHandle(request, response);
        if (log.isTraceEnabled()) {
            log.trace("Successfully invoked postHandle method");
        }
    } catch (Exception e) {
        exception = e;
    } finally {
        cleanup(request, response, exception);
    }
}

调用preHandle会先进入AccessControlFilter重写的preHandle方法,它会判断允许通过处理或禁止通过处理。用||判断,所以isAccessAllowed通过了就不会再走onAccessDenied()

这里有一个设计的bug,就是访问login接口的时候带正确token,它在isAccessAllowed方法中返回true,不会进入onAccessDenied。而生成并返回新token的处理一般就是在onAccessDenied中,它复杂未通过效验的处理。
解决方法是,重写isAccessAllowed方法,在方法中加上isLoginUrl()的判断,如果是loginUrl,返回false,让它走isAccessAllowed

public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
    return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
}

isAccessAllowed方法

@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    return super.isAccessAllowed(request, response, mappedValue) ||
                (!isLoginRequest(request, response) && isPermissive(mappedValue));
}

AuthorizationFilter的onAccessDenied方法

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {

    Subject subject = getSubject(request, response);
    // If the subject isn't identified, redirect to login URL
    if (subject.getPrincipal() == null) {
        saveRequestAndRedirectToLogin(request, response);
    } else {
        // If subject is known but not authorized, redirect to the unauthorized URL if there is one
        // If no unauthorized URL is specified, just return an unauthorized HTTP status code
        String unauthorizedUrl = getUnauthorizedUrl();
        //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
        if (StringUtils.hasText(unauthorizedUrl)) {
            WebUtils.issueRedirect(request, response, unauthorizedUrl);
        } else {
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
    return false;
}

这是子AuthorizationFilter的onAccessDenied

Subject subject = getSubject(request, response);
// If the subject isn't identified, redirect to login URL
if (subject.getPrincipal() == null) {
    saveRequestAndRedirectToLogin(request, response);
} else {
    // If subject is known but not authorized, redirect to the unauthorized URL if there is one
    // If no unauthorized URL is specified, just return an unauthorized HTTP status code
    String unauthorizedUrl = getUnauthorizedUrl();
    //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
    if (StringUtils.hasText(unauthorizedUrl)) {
        WebUtils.issueRedirect(request, response, unauthorizedUrl);
    } else {
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

实际上在我们项目中,只有一个filter执行,在preHandle()方法中验证是否通过效验,如果没有通过,使用调用login接口,接着直接webTool.write,返回response,结束请求。

如果return ture,它接着执行filter,并由tomcat的filter WsFilter,进入程序接口。

dofilter流程图

shiro源码解析-doFilter

注意

spring的filter源码也是这么处理的,从OncePerRequestFilter开始,做法一致。

总体来说,shiro的dofilter流程如下。首先进入shiro的主filter,这个filter的作用是获得该url与shiro适配的filters,并把这个适配的List<filter>放入filterChain中去继续执行。接着执行filteChain中的下一个filter,这个filter是FilterChain中的,它是shiro中筛选url的filter。这些filter都继承AdviceFilter,去执行doFilterInternal()doFilterInternal()依次执行preHandleexecuteChainpostHandle三个方法,分别是判断是否执行(具体filter的业务就是重写preHandle,),执行链中的下一个filter,filter执行结束后的操作。AdviceFilter有的executeChain会调用下一个filter,从而实现所有filter的效验。AccessControlFilter

分类:

技术点:

相关文章: