shiro与spring整合的流程
首先需要在web.xml文件中配置以下的过滤器进行拦截请求
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
然后在spring的配置文件中配置ShiroFilterFactoryBean
<bean id="adminShiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="adminSecurityManager" />
<property name="unauthorizedUrl" value="/admin/system/unauthorized.do" />
<property name="filterChainDefinitions">
<value>
/admin/** = authc
</value>
</property>
<property name="filters">
<map>
<entry key="authc" value-ref="authenticationFilter" />
</map>
</property>
</bean>
当请求的url以“/admin”开头的都会被这个过滤器拦截,然后交给shiro来处理。由于本文不是解析shiro的执行流程,而是侧重解析shiro是如何整合到spring中,并由spring进行管理的。所以下面将对shiro和spring如何整合进行源码的解析。
ShiroFilterFactoryBean的原理
首先,从上面的spring的配置文件中可以看到一个很显眼的bean,也就是ShiroFilterFactoryBean。这个以...FactoryBean结尾的bean,在spring中很自然想到:这是spring用于整合第三方框架所留的扩展。
下面来分析一下这个bean是如何运作的
首先,spring容器实例化bean时,会调用getBean()方法。
进到org.springframework.beans.factory.support.AbstractBeanFactory类的doGetBean()方法中
@SuppressWarnings("unchecked")
protected <T> T doGetBean(
final String name, final Class<T> requiredType, final Object[] args, boolean typeCheckOnly)
throws BeansException {
。。。。
//省略前面的代码
Object sharedInstance = getSingleton(beanName);
if (sharedInstance != null && args == null) {
if (logger.isDebugEnabled()) {
if (isSingletonCurrentlyInCreation(beanName)) {
logger.debug("Returning eagerly cached instance of singleton bean '" + beanName +
"' that is not fully initialized yet - a consequence of a circular reference");
}
else {
logger.debug("Returning cached instance of singleton bean '" + beanName + "'");
}
}
//这里将执行实现了FactoryBean接口的类
bean = getObjectForBeanInstance(sharedInstance, name, beanName, null);
}
//省略后面的代码
return (T) bean;
}
从上面的代码可以看出,真正执行ShiroFilterFactoryBean的是getObjectForBeanInstance(sharedInstance, name, beanName, mbd);方法。
最终将调用下面org.springframework.beans.factory.support.FactoryBeanRegistrySupport类的doGetObjectFromFactoryBean方法:
private Object doGetObjectFromFactoryBean(final FactoryBean<?> factory, final String beanName)
throws BeanCreationException {
Object object;
try {
.....省略
//通过factory.getObject()方法来初始化一些配置信息
object = factory.getObject();
}
return object;
}
从上面的代码可以看出最终调用ShiroFilterFactoryBean类的getObject方法,代码如下
public Object getObject() throws Exception {
if (instance == null) {
instance = createInstance();
}
return instance;
}
protected AbstractShiroFilter createInstance() throws Exception {
SecurityManager securityManager = getSecurityManager();
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
FilterChainManager manager = createFilterChainManager();
PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}
最终依赖注入一些属性,如securityManager ,FilterChain等,这样shiro就可以用了,当有请求来时,将根据url调用指定的过滤器进行拦截和校验。
