首页 > 其他 > 详细


时间:2021-03-15 14:45:23      阅读:12      评论:0      收藏:0      [点我收藏+]

Apache Shiro作为一个优秀的权限框架,其最重要的两项工作:其一是认证,即解决登录的用户的身份是否合法;其二是用户登录后有什么样的权限。本文将基于Shiro源码来剖析Shiro的认证流程,只有深层次的理解Shiro认证流程,认证过程中各个组件的作用,才能在实际应用中灵活使用。由于Shiro一般用于Web环境且会与Spring集成使用,所以此次认证流程的分析的前提也是Web环境且Shiro已与Spring集成。





<!-- Shiro的Web过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filters">
            <entry key="authc" value-ref="formAuthenticationFilter"/>
    <property name="filterChainDefinitions">
            /index.jsp = anon
            /unauthorized.jsp = anon
            /login.jsp = authc
            /logout = logout
            /authenticated.jsp = authc 
            /** = user


public Object getObject() throws Exception {
    if (instance == null) {
        instance = createInstance();
    return instance;

protected AbstractShiroFilter createInstance() throws Exception {

    log.debug("Creating Shiro Filter instance.");
    // 获取配置文件中设置的安全管理器
    SecurityManager securityManager = getSecurityManager();
    if (securityManager == null) {
        String msg = "SecurityManager property must be set.";
        throw new BeanInitializationException(msg);
    // 必须是Web环境的安全管理器
    if (!(securityManager instanceof WebSecurityManager)) {
        String msg = "The security manager does not implement the WebSecurityManager interface.";
        throw new BeanInitializationException(msg);

    // 创建过滤器链管理器
    FilterChainManager manager = createFilterChainManager();

    // 创建基于路径匹配的过滤器链解析器
    PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();

    // 返回SpringShiroFilter对象
    return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);



public void setFilterChainDefinitions(String definitions) {
    Ini ini = new Ini();
    //did they explicitly state a ‘urls‘ section?  Not necessary, but just in case:
    Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS);
    if (CollectionUtils.isEmpty(section)) {
        //no urls section.  Since this _is_ a urls chain definition property, just assume the
        //default section contains only the definitions:
        section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
    /** 获取默认section,也就是加载
            /index.jsp = anon
            /unauthorized.jsp = anon
            /login.jsp = authc
            /logout = logout
            /authenticated.jsp = authc 
            /** = user
    // 设置filterChainDefinitionMap


protected FilterChainManager createFilterChainManager() {
    // 创建DefaultFilterChainManager
    DefaultFilterChainManager manager = new DefaultFilterChainManager();
    // 创建Shiro默认Filter,根据org.apache.shiro.web.filter.mgt.DefaultFilter创建
    Map<String, Filter> defaultFilters = manager.getFilters();
    //apply global settings if necessary:
    for (Filter filter : defaultFilters.values()) {
        // 设置相关Filter的loginUrl、successUrl、unauthorizedUrl属性

    // 获取在Spring配置文件中配置的Filter
    Map<String, Filter> filters = getFilters();
    if (!CollectionUtils.isEmpty(filters)) {
        for (Map.Entry<String, Filter> entry : filters.entrySet()) {
            String name = entry.getKey();
            Filter filter = entry.getValue();
            if (filter instanceof Nameable) {
                ((Nameable) filter).setName(name);
            // 将配置的Filter添加至链中,如果同名Filter已存在则覆盖默认Filter
            manager.addFilter(name, filter, false);

    //build up the chains:
    Map<String, String> chains = getFilterChainDefinitionMap();
    if (!CollectionUtils.isEmpty(chains)) {
        for (Map.Entry<String, String> entry : chains.entrySet()) {
            String url = entry.getKey();
            String chainDefinition = entry.getValue();
            // 为配置的每一个URL匹配创建FilterChain定义,
            // 这样当访问一个URL的时候,一旦该URL配置上则就知道该URL需要应用上哪些Filter
            // 由于URL配置符会配置多个,所以以第一个匹配上的为准,所以越具体的匹配符应该配置在前面,越宽泛的匹配符配置在后面
            manager.createChain(url, chainDefinition);

    return manager;




public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    // 用于保证链中同一类型的Filter只会被执行一次
    String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
    if ( request.getAttribute(alreadyFilteredAttributeName) != null ) {
        log.trace("Filter ‘{}‘ already executed.  Proceeding without invoking this filter.", getName());
        filterChain.doFilter(request, response);
    } else //noinspection deprecation
        if (/* added in 1.2: */ !isEnabled(request, response) ||
            /* retain backwards compatibility: */ shouldNotFilter(request) ) {
        log.debug("Filter ‘{}‘ is not enabled for the current request.  Proceeding without invoking this filter.",
        filterChain.doFilter(request, response);
    } else {
        // Do invoke this filter...
        log.trace("Filter ‘{}‘ not yet executed.  Executing now.", getName());
        request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);

        try {
            // 执行真正的功能代码
            doFilterInternal(request, response, filterChain);
        } finally {
            // Once the request has finished, we‘re done and we don‘t
            // need to mark as ‘already filtered‘ any more.


protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain)
            throws ServletException, IOException {

    Throwable t = null;

    try {
        final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);
        final ServletResponse response = prepareServletResponse(request, servletResponse, chain);

        // 创建Subject对象,由此可见,每一个请求到来,都会调用createSubject方法
        final Subject subject = createSubject(request, response);

        // 通过Subject对象执行过滤器链,
        subject.execute(new Callable() {
            public Object call() throws Exception {
                // 更新会话最后访问时间,用于计算会话超时
                updateSessionLastAccessTime(request, response);
                // 执行过滤器链
                executeChain(request, response, chain);
                return null;
    } catch (ExecutionException ex) {
        t = ex.getCause();
    } catch (Throwable throwable) {
        t = throwable;

    // 省略一些代码...


protected WebSubject createSubject(ServletRequest request, ServletResponse response) {
    return new WebSubject.Builder(getSecurityManager(), request, response).buildWebSubject();


public Subject createSubject(SubjectContext context) {
    if (!(context instanceof WebSubjectContext)) {
        return super.createSubject(context);
    WebSubjectContext wsc = (WebSubjectContext) context;
    SecurityManager securityManager = wsc.resolveSecurityManager();
    Session session = wsc.resolveSession();
    boolean sessionEnabled = wsc.isSessionCreationEnabled();
    PrincipalCollection principals = wsc.resolvePrincipals();
    // 判断是已经认证,如果是在没有登录之前,明显返回是false
    boolean authenticated = wsc.resolveAuthenticated();
    String host = wsc.resolveHost();
    ServletRequest request = wsc.resolveServletRequest();
    ServletResponse response = wsc.resolveServletResponse();

    return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled,
            request, response, securityManager);


protected void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain)
        throws IOException, ServletException {
    // 获取当前URL匹配的过滤器链
    FilterChain chain = getExecutionChain(request, response, origChain);
    // 执行过滤器链中的过滤器
    chain.doFilter(request, response);

protected FilterChain getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain) {
    FilterChain chain = origChain;
    // 获取过滤器链解析器,即上面创建的PathMatchingFilterChainResolver对象
    FilterChainResolver resolver = getFilterChainResolver();
    if (resolver == null) {
        log.debug("No FilterChainResolver configured.  Returning original FilterChain.");
        return origChain;

    // 调用其getChain方法,根据URL匹配相应的过滤器链
    FilterChain resolved = resolver.getChain(request, response, origChain);
    if (resolved != null) {
        log.trace("Resolved a configured FilterChain for the current request.");
        chain = resolved;
    } else {
        log.trace("No FilterChain configured for the current request.  Using the default.");

    return chain;

根据上述Spring配置,假设现在第一次访问URL: "/authenticated.jsp",则会应用上名为authc的Filter,即FormAuthenticationFilter,根据FormAuthenticationFilter的继承体系,先执行dviceFilter.doFilterInternal方法:

public void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
            throws ServletException, IOException {
    Exception exception = null;

    try {
        // 执行preHandle
        boolean continueChain = preHandle(request, response);
        if (log.isTraceEnabled()) {
            log.trace("Invoked preHandle method.  Continuing chain?: [" + continueChain + "]");
        // 如果preHandle返回false则过滤器链不再执行
        if (continueChain) {
            executeChain(request, response, chain);

        postHandle(request, response);
        if (log.isTraceEnabled()) {
            log.trace("Successfully invoked postHandle method");

    } catch (Exception e) {
        exception = e;
    } finally {
        cleanup(request, response, exception);


protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {

    if (this.appliedPaths == null || this.appliedPaths.isEmpty()) {
        if (log.isTraceEnabled()) {
            log.trace("appliedPaths property is null or empty.  This Filter will passthrough immediately.");
        return true;

    for (String path : this.appliedPaths.keySet()) {
        // 根据配置,访问URL:"/authenticated.jsp"时,会匹配上FormAuthenticationFilter,
        // 而FormAuthenticationFilter继承自PathMatchingFilter,所以返回true
        if (pathsMatch(path, request)) {
            log.trace("Current requestURI matches pattern ‘{}‘.  Determining filter chain execution...", path);
            Object config = this.appliedPaths.get(path);
            // 执行isFilterChainContinued方法,该方法调用onPreHandle方法
            return isFilterChainContinued(request, response, path, config);

    //no path matched, allow the request to go through:
    return true;


public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
    // 如果isAccessAllowed方法返回false,则会执行onAccessDenied方法
    return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);


protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    return super.isAccessAllowed(request, response, mappedValue) ||
            (!isLoginRequest(request, response) && isPermissive(mappedValue));
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    Subject subject = getSubject(request, response);
    return subject.isAuthenticated();


protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    // 第一次访问自然不是登录请求
    if (isLoginRequest(request, response)) {
        // 判断是否是POST请求
        if (isLoginSubmission(request, response)) {
            if (log.isTraceEnabled()) {
                log.trace("Login submission detected.  Attempting to execute login.");
            return executeLogin(request, response);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Login page view.");
            //allow them to see the login page ;)
            return true;
    } else {
        if (log.isTraceEnabled()) {
            log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                    "Authentication url [" + getLoginUrl() + "]");
        // 所以执行该方法
        saveRequestAndRedirectToLogin(request, response);
        return false;

protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
    // 将request对象保存在session中,以便登录成功后重新转至上次访问的URL
    // 重定向至登录页面,即:"/login.jsp"
    redirectToLogin(request, response);


protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
    // 根据表单填写的用户名密码创建AuthenticationToken
    AuthenticationToken token = createToken(request, response);
    if (token == null) {
        String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " +
                "must be created in order to execute a login attempt.";
        throw new IllegalStateException(msg);
    try {
        // 获取Subject对象
        Subject subject = getSubject(request, response);
        // 执行Subject.login方法进行登录
        // 如果登录成功,重定向至上次访问的URL
        return onLoginSuccess(token, subject, request, response);
    } catch (AuthenticationException e) {
        // 如果登录失败,则设置错误信息至request,并重新返回登录页面
        return onLoginFailure(token, e, request, response);

protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
    // 重定向至上次访问的URL
    issueSucce***edirect(request, response);
    // 由于返回false,所以过滤器链不再执行
    return false;

protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                 ServletRequest request, ServletResponse response) {
    // 设置错误信息至request
    setFailureAttribute(request, e);
    // 由于返回true,所以过滤器链继续执行,所以又返回了登录页面
    return true;


-------------------------------- END -------------------------------




评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有