@Override protected void initFilterBean() throws ServletException { synchronized (this.delegateMonitor) { if (this.delegate == null) { // If no target bean name specified, use filter name. //如果没有delegate则根据去Spring容器中寻找对应的bean if (this.targetBeanName == null) { this.targetBeanName = getFilterName(); } // Fetch Spring root application context and initialize the delegate early, // if possible. If the root application context will be started after this // filter proxy, we'll have to resort to lazy initialization. WebApplicationContext wac = findWebApplicationContext(); if (wac != null) { this.delegate = initDelegate(wac); } } } }

/user/loginpage = anon /user/login = anon /* = authc /user/perms1 = perms["user:delete"] /user/perms2 = perms["user:select"] /user/admin = roles["admin"] #自定义的过滤器，只要多个权限中有一个满足即可 /user/users = rolesOr["admin","user"]

protected AbstractShiroFilter createInstance() throws Exception {log.debug("Creating Shiro Filter instance."); SecurityManager securityManager = getSecurityManager(); if (securityManager == null) { String msg = "SecurityManager property must be set."; throw new BeanInitializationException(msg); }if (!(securityManager instanceof WebSecurityManager)) { String msg = "The security manager does not implement the WebSecurityManager interface."; throw new BeanInitializationException(msg); }FilterChainManager manager = createFilterChainManager(); //Expose the constructed FilterChainManager by first wrapping it in a // FilterChainResolver implementation. The AbstractShiroFilter implementations // do not know about FilterChainManagers - only resolvers: PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver(); chainResolver.setFilterChainManager(manager); //Now create a concrete ShiroFilter instance and apply the acquired SecurityManager and built //FilterChainResolver.It doesn't matter that the instance is an anonymous inner class //here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts //injection of the SecurityManager and FilterChainResolver: return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver); }

public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException { String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName(); if ( request.getAttribute(alreadyFilteredAttributeName) != null ) { log.trace("Filter '{}' already executed.Proceeding without invoking this filter.", getName()); filterChain.doFilter(request, response); } else //noinspection deprecation if (/* added in 1.2: */ !isEnabled(request, response) || /* retain backwards compatibility: */ shouldNotFilter(request) ) { log.debug("Filter '{}' is not enabled for the current request.Proceeding without invoking this filter.", getName()); filterChain.doFilter(request, response); } else { // Do invoke this filter... log.trace("Filter '{}' not yet executed.Executing now.", getName()); request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE); try { doFilterInternal(request, response, filterChain); } finally { // Once the request has finished, we're done and we don't // need to mark as 'already filtered' any more. request.removeAttribute(alreadyFilteredAttributeName); } } }

public abstract class AbstractShiroFilter extends OncePerRequestFilter

protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain) throws ServletException, IOException {Throwable t = null; try { final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain); final ServletResponse response = prepareServletResponse(request, servletResponse, chain); final Subject subject = createSubject(request, response); //noinspection unchecked subject.execute(new Callable() { public Object call() throws Exception { updateSessionLastAccessTime(request, response); executeChain(request, response, chain); return null; } }); } catch (ExecutionException ex) { t = ex.getCause(); } catch (Throwable throwable) { t = throwable; }if (t != null) { if (t instanceof ServletException) { throw (ServletException) t; } if (t instanceof IOException) { throw (IOException) t; } //otherwise it's not one of the two exceptions expected by the filter method signature - wrap it in one: String msg = "Filtered request failed."; throw new ServletException(msg, t); } }

protected WebSubject createSubject(ServletRequest request, ServletResponse response) { return new WebSubject.Builder(getSecurityManager(), request, response).buildWebSubject(); }

public Builder(SecurityManager securityManager, ServletRequest request, ServletResponse response) { super(securityManager); if (request == null) { throw new IllegalArgumentException("ServletRequest argument cannot be null."); } if (response == null) { throw new IllegalArgumentException("ServletResponse argument cannot be null."); } setRequest(request); setResponse(response); }

public WebSubject buildWebSubject() { //调用父类的buildSubject() Subject subject = super.buildSubject(); if (!(subject instanceof WebSubject)) { String msg = "Subject implementation returned from the SecurityManager was not a " + WebSubject.class.getName() + " implementation.Please ensure a Web-enabled SecurityManager " + "has been configured and made available to this builder."; throw new IllegalStateException(msg); } return (WebSubject) subject; }

public Subject buildSubject() { return this.securityManager.createSubject(this.subjectContext); }

public Subject createSubject(SubjectContext subjectContext) { //create a copy so we don't modify the argument's backing map: SubjectContext context = copy(subjectContext); //ensure that the context has a SecurityManager instance, and if not, add one: context = ensureSecurityManager(context); //Resolve an associated Session (usually based on a referenced session ID), and place it in the context before //sending to the SubjectFactory.The SubjectFactory should not need to know how to acquire sessions as the //process is often environment specific - better to shield the SF from these details: context = resolveSession(context); //Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first //if possible before handing off to the SubjectFactory: context = resolvePrincipals(context); Subject subject = doCreateSubject(context); //save this subject for future reference if necessary: //(this is needed here in case rememberMe principals were resolved and they need to be stored in the //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation). //Added in 1.2: save(subject); return subject; }

protected Subject doCreateSubject(SubjectContext context) { return getSubjectFactory().createSubject(context); }

public Subject createSubject(SubjectContext context) { if (!(context instanceof WebSubjectContext)) { return super.createSubject(context); } WebSubjectContext wsc = (WebSubjectContext) context; SecurityManager securityManager = wsc.resolveSecurityManager(); Session session = wsc.resolveSession(); boolean sessionEnabled = wsc.isSessionCreationEnabled(); PrincipalCollection principals = wsc.resolvePrincipals(); boolean authenticated = wsc.resolveAuthenticated(); String host = wsc.resolveHost(); ServletRequest request = wsc.resolveServletRequest(); ServletResponse response = wsc.resolveServletResponse(); return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled, request, response, securityManager); }

protected SubjectContext resolveSession(SubjectContext context) { if (context.resolveSession() != null) { log.debug("Context already contains a session.Returning."); return context; } try { //Context couldn't resolve it directly, let's see if we can since we have direct access to //the session manager: Session session = resolveContextSession(context); if (session != null) { context.setSession(session); } } catch (InvalidSessionException e) { log.debug("Resolved SubjectContext context session is invalid.Ignoring and creating an anonymous " + "(session-less) Subject instance.", e); } return context; }

//SubjectContext.class public Session resolveSession() { Session session = getSession(); if (session == null) { //try the Subject if it exists: Subject existingSubject = getSubject(); if (existingSubject != null) { session = existingSubject.getSession(false); } } return session; }

try { //Context couldn't resolve it directly, let's see if we can since we have direct access to //the session manager: Session session = resolveContextSession(context); if (session != null) { context.setSession(session); } } catch (InvalidSessionException e) { log.debug("Resolved SubjectContext context session is invalid.Ignoring and creating an anonymous " + "(session-less) Subject instance.", e); }

protected Session resolveContextSession(SubjectContext context) throws InvalidSessionException { SessionKey key = getSessionKey(context); if (key != null) { return getSession(key); } return null; }

//DefaultWebSecurityManager.class protected SessionKey getSessionKey(SubjectContext context) { //首先判断是否是web环境 if (WebUtils.isWeb(context)) { //获取sessionId Serializable sessionId = context.getSessionId(); ServletRequest request = WebUtils.getRequest(context); ServletResponse response = WebUtils.getResponse(context); return new WebSessionKey(sessionId, request, response); } else { return super.getSessionKey(context); } }

public Serializable getSessionId() { return getTypedValue(SESSION_ID, Serializable.class); }

//SessionSecurityManager public Session getSession(SessionKey key) throws SessionException { return this.sessionManager.getSession(key); }

//AbstractNativeSessionManager.class public Session getSession(SessionKey key) throws SessionException { //首先根据key寻找session Session session = lookupSession(key); return session != null ? createExposedSession(session, key) : null; }

private Session lookupSession(SessionKey key) throws SessionException { if (key == null) { throw new NullPointerException("SessionKey argument cannot be null."); } return doGetSession(key); }

@Override protected final Session doGetSession(final SessionKey key) throws InvalidSessionException { enableSessionValidationIfNecessary(); log.trace("Attempting to retrieve session with key {}", key); Session s = retrieveSession(key); if (s != null) { validate(s, key); } return s; }

//这里使用的是我在CustomeSessionManager中覆写的retrieveSession @Override protected Session retrieveSession(SessionKey sessionKey) throws UnknownSessionException { //通过SessionKey对象获取sessionId Serializable sessionId = getSessionId(sessionKey); ServletRequest request = null; if(sessionKey instanceof WebSessionKey){ request = ((WebSessionKey)sessionKey).getServletRequest(); } //尝试从request中取而不是每次都请求数据库 if(request !=null && sessionId !=null){ Session session = (Session) request.getAttribute(sessionId.toString()); if(session != null){ return session; } } //如果request中没有session则从数据库中请求并把请求结果设置给sessionKey Session session = super.retrieveSession(sessionKey); if(request !=null && sessionId != null){ request.setAttribute(sessionId.toString(),session); } return session; }

//DefaultWebSessionManager.class public Serializable getSessionId(SessionKey key) { Serializable id = super.getSessionId(key); if (id == null && WebUtils.isWeb(key)) { ServletRequest request = WebUtils.getRequest(key); ServletResponse response = WebUtils.getResponse(key); id = getSessionId(request, response); } return id; }

protected Serializable getSessionId(ServletRequest request, ServletResponse response) { return getReferencedSessionId(request, response); }

private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) { //试图从cookie中获取sessionId(这里已经可以看出shiro的session实现原理也是基于cookie的) String id = getSessionIdCookieValue(request, response); if (id != null) { request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE); } else {//cookie被禁用的情况，使用url后缀裹挟sessionId的方式实现session //not in a cookie, or cookie is disabled - try the request URI as a fallback (i.e. due to URL rewriting)://try the URI path segment parameters first: id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME); if (id == null) { //not a URI path segment parameter, try the query parameters: String name = getSessionIdName(); id = request.getParameter(name); if (id == null) { //try lowercase: id = request.getParameter(name.toLowerCase()); } } if (id != null) { request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, ShiroHttpServletRequest.URL_SESSION_ID_SOURCE); } } if (id != null) { request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id); //automatically mark it valid here.If it is invalid, the //onUnknownSession method below will be invoked and we'll remove the attribute at that time. request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE); }// always set rewrite flag - SHIRO-361 request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, isSessionIdUrlRewritingEnabled()); return id; }

private String getSessionIdCookieValue(ServletRequest request, ServletResponse response) { if (!isSessionIdCookieEnabled()) { log.debug("Session ID cookie is disabled - session id will not be acquired from a request cookie."); return null; } if (!(request instanceof HttpServletRequest)) { log.debug("Current request is not an HttpServletRequest - cannot get session ID cookie.Returning null."); return null; } HttpServletRequest httpRequest = (HttpServletRequest) request; return getSessionIdCookie().readValue(httpRequest, WebUtils.toHttp(response)); }

//SimpleCookie.class public String readValue(HttpServletRequest request, HttpServletResponse ignored) { String name = getName(); String value = https://www.it610.com/article/null; javax.servlet.http.Cookie cookie = getCookie(request, name); if (cookie != null) { // Validate that the cookie is used at the correct place. String path = StringUtils.clean(getPath()); if (path != null && !pathMatches(path, request.getRequestURI())) { log.warn("Found '{}' cookie at path '{}', but should be only used for '{}'", new Object[] { name, request.getRequestURI(), path}); } else { value = https://www.it610.com/article/cookie.getValue(); log.debug("Found '{}' cookie value [{}]", name, value); } } else { log.trace("No '{}' cookie value", name); }return value; }

Session session = super.retrieveSession(sessionKey);

//DefaultWebSessionManager.class protected Session retrieveSession(SessionKey sessionKey) throws UnknownSessionException { //虽然此时sessionKey中的sessionId依然是null但由于我们在 //getReferencedSessionId方法中获取到sessionId后将sessionId存在了 //request对象中，因此sessionId的值是从request中获取的 Serializable sessionId = getSessionId(sessionKey); if (sessionId == null) { log.debug("Unable to resolve session ID from SessionKey [{}].Returning null to indicate a " + "session could not be found.", sessionKey); return null; } //根据sessionId去数据源取相应的session Session s = retrieveSessionFromDataSource(sessionId); if (s == null) { //session ID was provided, meaning one is expected to be found, but we couldn't find one: String msg = "Could not find session with ID [" + sessionId + "]"; throw new UnknownSessionException(msg); } return s; }

protected Session retrieveSessionFromDataSource(Serializable sessionId) throws UnknownSessionException { return sessionDAO.readSession(sessionId); }

推荐阅读

• 

  椰子油的生活小妙用 椰子油有什么用途和功效
• 

  庆东锅炉故障代码是什么如何解决
• 

  教学教务管理人员是干什么的
• 

  联想yoga2
• 

  如何选择抗体稀释液？ 抗体稀释液
• 

  下载导航地图，导航地图下载
• 

  流媒体后视镜可以当行车记录仪吗 行车记录仪有必要买流媒体吗
• 

  炒苔菜用不用焯水，苔菜用不用焯水再炒
• 

  昆明工业职业技术学院怎么样
• 

  （152）感赏女儿|（152）感赏女儿 2020-12-4
• 

  桃子核发霉外面是好的还能吃吗
• 

  离散傅立叶分析,origin怎么进行傅立叶分析
• 

  次密接触者的一般接触者需要隔离吗
• 

  海带炖土豆的做法 海带炖土豆的做法窍门
• 

  大概的近义词 大概的近义词是什么 标准答案
• 

  合金筷子是塑料还是金属 合金筷子是什么材质
• 

  真我与假我
• 

  钢材包括哪些 钢材怎么分类
• 

  heos,黑色素瘤
• 

  【家事】节如流水

• Shiro之保存Session到数据库中-yellowcong
• Linux|CONFIG_RTC_SYSTOHC
• √|shiro教程（session管理）
• Shiro入门-session管理
• servlet总结|设置session失效时间（不使用框架)----使用shiro设置session失效时间(使用shiro框架)
• Shiro 设置session超时时间
• springboot+shiro入门学习（一）
• Shiro|shiro中的session 获取过期时间/设置过期时间
• Shiro 之Subject、SecurityManager、Realm源码分析