Spring-shiro源码陶冶-DefaultFilter
阅读源码有助于陶冶情操,本文旨在简单的分析shiro在Spring中的使用
简单介绍
Shiro是一个强大易用的Java安全框架,提供了认证、授权、加密和会话管理等功能
Apache Shiro自带的默认Filter
直接查看DefaultFilter类便可以一目了然,具体代码如下
public enum DefaultFilter {
//从此处可看,shiro默认的filter有11个
anon(AnonymousFilter.class),
authc(FormAuthenticationFilter.class),
authcBasic(BasicHttpAuthenticationFilter.class),
logout(LogoutFilter.class),
noSessionCreation(NoSessionCreationFilter.class),
perms(PermissionsAuthorizationFilter.class),
port(PortFilter.class),
rest(HttpMethodPermissionFilter.class),
roles(RolesAuthorizationFilter.class),
ssl(SslFilter.class),
user(UserFilter.class);
private final Class<? extends Filter> filterClass;
//存放的是相关的filter类
private DefaultFilter(Class<? extends Filter> filterClass) {
this.filterClass = filterClass;
}
public Filter newInstance() {
return (Filter) ClassUtils.newInstance(this.filterClass);
}
public Class<? extends Filter> getFilterClass() {
return this.filterClass;
}
//创建map集合
public static Map<String, Filter> createInstanceMap(FilterConfig config) {
Map<String, Filter> filters = new LinkedHashMap<String, Filter>(values().length);
for (DefaultFilter defaultFilter : values()) {
Filter filter = defaultFilter.newInstance();
if (config != null) {
try {
filter.init(config);
} catch (ServletException e) {
String msg = "Unable to correctly init default filter instance of type " +
filter.getClass().getName();
throw new IllegalStateException(msg, e);
}
}
filters.put(defaultFilter.name(), filter);
}
return filters;
}
}
从代码中可以查看得知拥有的默认Filter有11个,决定分类逐个分析他们,在此之前先观察下这几个Filter类的共性
默认Filter类的继承关系
大致采用了模板模式的设计模式
OncePerRequestFilter抽象类-对每个请求只调用一次
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
if ( request.getAttribute(alreadyFilteredAttributeName) != null ) {
log.trace("Filter '{}' already executed. Proceeding without invoking this filter.", getName());
filterChain.doFilter(request, response);
} else //noinspection deprecation
if (!isEnabled(request, response) ||
shouldNotFilter(request) ) {
log.debug("Filter '{}' is not enabled for the current request. Proceeding without invoking this filter.",
getName());
filterChain.doFilter(request, response);
} else {
// Do invoke this filter...
log.trace("Filter '{}' not yet executed. Executing now.", getName());
request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE); try {
//可见容子类去复写
doFilterInternal(request, response, filterChain);
} finally {
// Once the request has finished, we're done and we don't
// need to mark as 'already filtered' any more.
request.removeAttribute(alreadyFilteredAttributeName);
}
}
}
AdviceFilter抽象类-AOP风格,类似
@Around注解//复写第一级的父类方法
public void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
throws ServletException, IOException { Exception exception = null; try {
//前处理
boolean continueChain = preHandle(request, response);
if (log.isTraceEnabled()) {
log.trace("Invoked preHandle method. Continuing chain?: [" + continueChain + "]");
} if (continueChain) {
//在前处理返回true的情况下让过滤链往下走
executeChain(request, response, chain);
}
//后处理
postHandle(request, response);
if (log.isTraceEnabled()) {
log.trace("Successfully invoked postHandle method");
} } catch (Exception e) {
exception = e;
} finally {
cleanup(request, response, exception);
}
}
PathMatchingFilter抽象类-url匹配Filter类
//复写第二级的父类方法
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
//如果没有匹配的url集合则表示所有的url都不拦截处理,即返回true
if (this.appliedPaths == null || this.appliedPaths.isEmpty()) {
if (log.isTraceEnabled()) {
log.trace("appliedPaths property is null or empty. This Filter will passthrough immediately.");
}
return true;
}
//根据request中的url匹配
for (String path : this.appliedPaths.keySet()) {
// If the path does match, then pass on to the subclass implementation for specific checks
//(first match 'wins'):
if (pathsMatch(path, request)) {
log.trace("Current requestURI matches pattern '{}'. Determining filter chain execution...", path);
//此处的config一般指代permission、roles、port的标识集合
Object config = this.appliedPaths.get(path);
//其实是调用onPreHandle(request, response, pathConfig)方法,此方法默认是返回true,可供子类复写
return isFilterChainContinued(request, response, path, config);
}
} //no path matched, allow the request to go through:没有path匹配则放行
return true;
}
AccessControlFilter extends PathMatchingFilter-资源访问控制抽象类,认证以及授权等Filter类均需继承此类
//复写父类onPreHandler方法
public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
//优先判断isAccessAllowed()方法,再判断onAccessDenied()方法,其中的mappedValue参数为pathConfig,类同permission、roles、port的标识集合
//onAccessDenied()方法true代表放行,false则包装response,自行转发数据
return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
}
AuthenticationFilter extends AccessControlFilter-用户认证Filter抽象类
该抽象类只复写了其中的一个条件方法isAccessAllowed()//判断当前对象是否已通过认证,Subject是接口对象类
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
Subject subject = getSubject(request, response);
return subject.isAuthenticated();
}
AuthenticatingFilter extends AuthenticationFilter-用户认证Filter补充抽象类,表明该类的实现类针对login请求
//复写父类,额外增加通过率
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
//在父类的基础上又额外添加了返回true的条件:1.不是login请求 2.pathConfig含有permissive字段
return super.isAccessAllowed(request, response, mappedValue) ||
(!isLoginRequest(request, response) && isPermissive(mappedValue));
}
另外此类涉及到了用户Token创建,可见如下代码清单
//登录验证
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
//抽象类,供子类去实现完成创建token,且不允许Token为空
AuthenticationToken token = createToken(request, response);
if (token == null) {
String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " +
"must be created in order to execute a login attempt.";
throw new IllegalStateException(msg);
}
try {
Subject subject = getSubject(request, response);
//此处的login方法其实调用了token认证接口
subject.login(token);
//login方法无异常,则执行登录成功操作,供子类实现
return onLoginSuccess(token, subject, request, response);
} catch (AuthenticationException e) {
//login方法有异常,则执行登录失败操作,此处也供子类实现
return onLoginFailure(token, e, request, response);
}
}
默认的这些类大多都是继承AdviceFilter类或者PathMatchingFilter类,下面将从这两方面对shiro默认的Filter进行归纳
继承PathMatchingFilter抽象类
即需要复写其主要方法onPreHandle方法
[anno]AnonymousFilter extends PathMatchingFilter-可见对此filter对应的url全部都放行
@Override
protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
// Always return true since we allow access to anyone
return true;
}
[authc]FormAuthenticationFilter extends AuthenticatingFilter-针对表单提交的认证Filter类
- 设定了表单提交时帐号与密码的参数名,默认为username、password,可通过
<property name="usernameParam/passwordParam">设置 - 复写了另外一个通过判断条件,即onAccessDenied()方法
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//首先判断必须为login请求
if (isLoginRequest(request, response)) {
//判断必须是post类型的表单提交
if (isLoginSubmission(request, response)) {
if (log.isTraceEnabled()) {
log.trace("Login submission detected. Attempting to execute login.");
}
//调用super.executeLogin()方法来进行校验
return executeLogin(request, response);
} else {
if (log.isTraceEnabled()) {
log.trace("Login page view.");
}
//allow them to see the login page ;)
//对login页面请求不拦截
return true;
}
} else {
if (log.isTraceEnabled()) {
log.trace("Attempting to access a path which requires authentication. Forwarding to the " +
"Authentication url [" + getLoginUrl() + "]");
}
//否则跳转至login页面
saveRequestAndRedirectToLogin(request, response);
return false;
}
}
- 复写了createToken()方法
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
String username = getUsername(request);
String password = getPassword(request);
//主要创建UserpasswordToken对象
return createToken(username, password, request, response);
}
- 复写了其中的onLoginSuccess和onLoginFailure()方法
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
ServletRequest request, ServletResponse response) throws Exception {
//跳转至成功页面
issueSuccessRedirect(request, response);
//we handled the success redirect directly, prevent the chain from continuing:
return false;
} protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
ServletRequest request, ServletResponse response) {
//直接返回true,让过滤链处理
setFailureAttribute(request, e);
//login failed, let request continue back to the login page:
return true;
}
- 设定了表单提交时帐号与密码的参数名,默认为username、password,可通过
[authcBasic]BasicHttpAuthenticationFilter extends AuthenticatingFilter-基于http头的认证Filter
- 同样复写了
onAccessDenied方法
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
boolean loggedIn = false; //false by default or we wouldn't be in this method
//request header含有Authorization字段
if (isLoginAttempt(request, response)) {
//调用super.executeLogin方法
loggedIn = executeLogin(request, response);
}
if (!loggedIn) {
//登录失败则发送401状态错误以及设置WWW-Authenticate的信息`Basic realm="application"`到response的header
sendChallenge(request, response);
}
return loggedIn;
}
- 同样复写了createToken()方法
//主要从request请求的头部中的Authorization获取username/password信息
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
String authorizationHeader = getAuthzHeader(request);
//无Authorization头部信息则默认验证失败
if (authorizationHeader == null || authorizationHeader.length() == 0) {
// Create an empty authentication token since there is no
// Authorization header.
return createToken("", "", request, response);
} if (log.isDebugEnabled()) {
log.debug("Attempting to execute login with headers [" + authorizationHeader + "]");
}
//如果存在应该为(scheme和Base64加密过的username:password组合) 两者以空格分割
String[] prinCred = getPrincipalsAndCredentials(authorizationHeader, request);
if (prinCred == null || prinCred.length < 2) {
// Create an authentication token with an empty password,
// since one hasn't been provided in the request.
String username = prinCred == null || prinCred.length == 0 ? "" : prinCred[0];
return createToken(username, "", request, response);
} String username = prinCred[0];
String password = prinCred[1]; return createToken(username, password, request, response);
}
- 同样复写了
[noSessionCreation]NoSessionCreationFilter extends PathMatchingFilter-不允许创建session Filter类,其会在新Subject创建session时报错,原有的则不报错
@Override
protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
request.setAttribute(DefaultSubjectContext.SESSION_CREATION_ENABLED, Boolean.FALSE);
return true;
}
[perms]PermissionsAuthorizationFilter extends AuthorizationFilter-权限认证Filter类,其默认是获取pathConfig中字段并进行比对,一般来说我们需要自定义permissons集合
```java
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { Subject subject = getSubject(request, response);
//pathConfig
String[] perms = (String[]) mappedValue; boolean isPermitted = true;
if (perms != null && perms.length > 0) {
if (perms.length == 1) {
if (!subject.isPermitted(perms[0])) {
isPermitted = false;
}
} else {
if (!subject.isPermittedAll(perms)) {
isPermitted = false;
}
}
} return isPermitted;
}
```
[port]PortFilter extends AuthorizationFilter-请求对特定的端口放行,否则则跳转指定端口的url 调用示例:port[8008]
- 复写父类的isAccessAllowed()方法
//对应的url必须是指定的端口,否则调用onAccessDenied()
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
int requiredPort = toPort(mappedValue);
int requestPort = request.getServerPort();
return requiredPort == requestPort;
}
- 复写父类的onAccessDenied()
protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { //just redirect to the specified port:默认为80端口
int port = toPort(mappedValue); String scheme = getScheme(request.getScheme(), port); StringBuilder sb = new StringBuilder();
sb.append(scheme).append("://");
sb.append(request.getServerName());
if (port != DEFAULT_HTTP_PORT && port != SslFilter.DEFAULT_HTTPS_PORT) {
sb.append(":");
sb.append(port);
}
if (request instanceof HttpServletRequest) {
sb.append(WebUtils.toHttp(request).getRequestURI());
String query = WebUtils.toHttp(request).getQueryString();
if (query != null) {
sb.append("?").append(query);
}
} WebUtils.issueRedirect(request, response, sb.toString()); return false;
}
[rest]HttpMethodPermissionFilter extends PermissionsAuthorizationFilter-rest风格的请求方法权限Filter类 调用示例:rest[perm1,perm2]-->程序封装:rest[perm1:get,perm:get]
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
String[] perms = (String[]) mappedValue;
// append the http action to the end of the permissions and then back to super
String action = getHttpMethodAction(request);
//对pathConfig中的内容进行封装,封装为perm:action的组合
String[] resolvedPerms = buildPermissions(perms, action);
return super.isAccessAllowed(request, response, resolvedPerms);
}
[roles]RolesAuthorizationFilter extends AuthorizationFilter-针对roles的权限认证,调用示例:roles[role1,role2]即对指定url需要role1和role2的权限
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { Subject subject = getSubject(request, response);
String[] rolesArray = (String[]) mappedValue; if (rolesArray == null || rolesArray.length == 0) {
//no roles specified, so nothing to check - allow access.
return true;
} Set<String> roles = CollectionUtils.asSet(rolesArray);
//需要满足指定的所有roles才返回true
return subject.hasAllRoles(roles);
}
[ssl]SslFilter extends PortFilter-针对https协议的指定端口Filter类,同PortFilter 调用示例:ssl[443]
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
//多个必须为https协议的条件判断
return super.isAccessAllowed(request, response, mappedValue) && request.isSecure();
}
[user]UserFilter extends AccessControlFilter-用户认证Filter类
- 复写isAccessAllowed()方法
//对login页面请求以及当前用户已存在不拦截,类似于session存在用户属性
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
if (isLoginRequest(request, response)) {
return true;
} else {
Subject subject = getSubject(request, response);
// If principal is not null, then the user is known and should be allowed access.
return subject.getPrincipal() != null;
}
}
- 复写onAccessDenied()方法
//直接跳转至login登录页面
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
saveRequestAndRedirectToLogin(request, response);
return false;
}
继承AdviceFilter抽象类
- [logout]LogoutFilter extends AdviceFilter-登录退出Filter类
只复写了父类的一个方法preHandler(),代码清单如下@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = getSubject(request, response);
//默认的退出回调地址为"/"
String redirectUrl = getRedirectUrl(request, response, subject);
//try/catch added for SHIRO-298:
try {
subject.logout();
} catch (SessionException ise) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
}
//跳转至指定路径
issueRedirect(request, response, redirectUrl);
return false;
}
下节预告
Spring-shiro源码陶冶-AuthorizingRealm用户认证以及授权
Spring-shiro源码陶冶-DefaultFilter的更多相关文章
- Spring-shiro源码陶冶-DelegatingFilterProxy和ShiroFilterFactoryBean
阅读源码有助于陶冶情操,本文旨在简单的分析shiro在Spring中的使用 简单介绍 Shiro是一个强大易用的Java安全框架,提供了认证.授权.加密和会话管理等功能 web.xml配置Shiro环 ...
- Shiro 源码分析
http://my.oschina.net/huangyong/blog/215153 Shiro 是一个非常优秀的开源项目,源码非常值得学习与研究. 我想尝试做一次 不一样 的源码分析:源码分析不再 ...
- Spring mybatis源码篇章-MybatisDAO文件解析(二)
前言:通过阅读源码对实现机制进行了解有利于陶冶情操,承接前文Spring mybatis源码篇章-MybatisDAO文件解析(一) 默认加载mybatis主文件方式 XMLConfigBuilder ...
- Spring mybatis源码篇章-MybatisDAO文件解析(一)
前言:通过阅读源码对实现机制进行了解有利于陶冶情操,承接前文Spring mybatis源码篇章-SqlSessionFactory 加载指定的mybatis主文件 Mybatis模板文件,其中的属性 ...
- Spring mybatis源码篇章-NodeHandler实现类具体解析保存Dynamic sql节点信息
前言:通过阅读源码对实现机制进行了解有利于陶冶情操,承接前文Spring mybatis源码篇章-XMLLanguageDriver解析sql包装为SqlSource SqlNode接口类 publi ...
- Spring mybatis源码篇章-XMLLanguageDriver解析sql包装为SqlSource
前言:通过阅读源码对实现机制进行了解有利于陶冶情操,承接前文Spring mybatis源码篇章-MybatisDAO文件解析(二) 首先了解下sql mapper的动态sql语法 具体的动态sql的 ...
- Spring mybatis源码学习指引目录
前言: 分析了很多方面的mybatis的源码以及与spring结合的源码,但是难免出现错综的现象,为了使源码陶冶更为有序化.清晰化,特作此随笔归纳下分析过的内容.博主也为mybatis官方提供过pul ...
- Springboot security cas源码陶冶-ExceptionTranslationFilter
拦截关键的两个异常,对异常进行处理.主要应用异常则跳转至cas服务端登录页面 ExceptionTranslationFilter#doFilter-逻辑入口 具体操作逻辑如下 public void ...
- shiro源码篇 - 疑问解答与系列总结,你值得拥有
前言 开心一刻 小明的朋友骨折了,小明去他家里看他.他老婆很细心的为他换药,敷药,然后出去买菜.小明满脸羡慕地说:你特么真幸福啊,你老婆对你那么好!朋友哭得稀里哗啦的说:兄弟你别说了,我幸福个锤子,就 ...
随机推荐
- Codeforces 791B Bear and Friendship Condition(DFS,有向图)
B. Bear and Friendship Condition time limit per test:1 second memory limit per test:256 megabytes in ...
- Gym101522A Gym101522C Gym101522D
Gym101522A A There are two popular formats for representing a date: day/month/year or month/day/year ...
- cesium编程入门(三)开始使用cesium开发
搭建最简的开发环境 这一节来搭建一个最简单的能运行的helloworld,以后的代码也会在这一节的基础上慢慢增加 创建文件夹 mkdir cesium-test cd cesium-test 引入编译 ...
- UE4 Pure函数的特点
蓝图里的Pure函数跟正常函数的区别是:Pure函数在它连接到的正常函数执行的时候才执行,正常函数按照连接的顺序执行. Pure函数不会改变游戏中其他的变量,所以getter和其他一些纯计算的函数一般 ...
- c++---天梯赛---N个数求和
★题目: ★难点:要求只能以有理数和分数去输出结果. ★分析:可以对输入的数据进行通分处理,随后把结果按格式输出. ★代码: #include<iostream> #include< ...
- EntityFramework默认映射规则
我不太习惯通过CodeFirst去维护数据库(尽管这是未来实现自动编程的必经之路),还是喜欢通过数据库设计工具如PowerDesigner去建表.如果不想对EF的实体和数据表做什么映射的话,就要注意默 ...
- 邓_PHP面试2
又开始搞php了,好多php知识忘记了,学习php的方法是看面试题 下面是我搜集的一份php的面试题目 1.用PHP打印出前一天的时间格式是2006-5-10 22:21:21(2分) echo da ...
- 【编程技巧】applicationContext.xml 里面可配置bean和数据库地址
<bean id="vendorManagerDao" class="com.active.vendor.dao.VendorManagerDaoImpl" ...
- c指针作为参数传递以及指针的指针
指针作为函数参数传递 函数参数传递的只能是数值,所以当指针作为函数参数传递时,传递的是指针的值,而不是地址. #include "stdio.h" void pointer(int ...
- ASPNET 5 和 dnx commands
DNX项目是用来创建和运行.net应用程序适用于windows,mac 和linux 的,dnx提供了一个宿主进程(a host process),CLR托管逻辑( CLR hosting logic ...