个人网站开发工具,品牌建设有待加强,国内建网站公司,沈阳做微信和网站的公司目录
1. 常见项目中过滤器配置
2.Url访问控制配置解析为内置过滤器
2.1 DefaultFilterChainManager构造并注册内置过滤器
2.2 构造过滤器链
3. Shiro内置过滤器解析
3.1 内置过滤器概览
3.2 公共继承类解析
3.2.1 顶层Filter接口
3.2.2 AbstractFilter
3.2.3 Nameab…目录
1. 常见项目中过滤器配置
2.Url访问控制配置解析为内置过滤器
2.1 DefaultFilterChainManager构造并注册内置过滤器
2.2 构造过滤器链
3. Shiro内置过滤器解析
3.1 内置过滤器概览
3.2 公共继承类解析
3.2.1 顶层Filter接口
3.2.2 AbstractFilter
3.2.3 NameableFilter
3.2.4 OncePerRequestFilter
3.2.5 AdviceFilter
3.2.6 PathMatchingFilter
3.3 内置过滤器解析
3.3.1 AnonymousFilter
3.3.2 FormAuthenticationFilter
3.3.2.1 AccessControlFilter
3.3.2.2 AuthenticationFilter
3.3.2.3 AuthenticatingFilter
3.3.2.4 FormAuthenticationFilter处理逻辑
3.3.3 RolesAuthorizationFilter
3.3.3.1 AuthorizationFilter 3.3.3.2 RolesAuthorizationFilter处理逻辑
3.3.4 PermissionsAuthorizationFilter
3.3.5 LogoutFilter Shiro框架作为登录鉴权安全模块一款较为流行的开源框架通过简单的配置即可完成登录鉴权配置其中离不开Shiro较为丰富、且简单易用的内置过滤器本文主要对Shiro多种内置过滤器进行源码解析方便更好的深入透析其执行原理 想要全面了解Shiro内置过滤器是如何通过Shiro自定义拦截器SpringShiroFilter进行注册构造的可移步Shiro框架ShiroFilterFactoryBean过滤器源码解析-CSDN博客 1. 常见项目中过滤器配置
在Spring项目中应用Shiro进行登录鉴权安全模块开发配置时我们会对指定的url配置访问控制策略一种常见的url配置如下 如上 anno配置不会被拦截的urlauthc配置必须认证通过才能访问的urllogout配置logout拦截器执行退出处理流程 Shiro对如上Url的过滤器配置是如何解析的呢下面对该解析过程进行详细说明
2.Url访问控制配置解析为内置过滤器
如上url过滤器配置添加到了ShiroFilterFactoryBean中在ShiroFilterFactoryBean初始化bean的过程中会对该过滤器配置进行解析如下其主要包含了以下几部分内容
构造DefaultFilterChainManager注册内置过滤器并初始化自定义过滤器全局属性设置并注册Url过滤链配置解析构造过滤器链
下面进行详细解析; 2.1 DefaultFilterChainManager构造并注册内置过滤器
注册内置过滤器逻辑主要在DefaultFilterChainManager构造函数中如下 public DefaultFilterChainManager() {this.filters new LinkedHashMapString, Filter();this.filterChains new LinkedHashMapString, NamedFilterList();addDefaultFilters(false);}protected void addDefaultFilters(boolean init) {for (DefaultFilter defaultFilter : DefaultFilter.values()) {addFilter(defaultFilter.name(), defaultFilter.newInstance(), init, false);}}protected void addFilter(String name, Filter filter, boolean init, boolean overwrite) {Filter existing getFilter(name);if (existing null || overwrite) {if (filter instanceof Nameable) {((Nameable) filter).setName(name);}if (init) {initFilter(filter);}this.filters.put(name, filter);}}
通过遍历所有内置过滤器DefaultFilter.values()并实例化完成了内置过滤器的注册
内置过滤器枚举如下 2.2 构造过滤器链
在完成内置过滤器以及自定义过滤器如有注册到DefaultFilterChainManager之后下面对url过滤链配置进行解析主要是通过过滤器名称比如anno、auchc映射到已注册的过滤器具体过程如下 这里获取到前述已配置的url过滤器配置并通过createChain方法构造过滤链展开如下 public void createChain(String chainName, String chainDefinition) {String[] filterTokens splitChainDefinition(chainDefinition);//each token is specific to each filter.//strip the name and extract any filter-specific config between brackets [ ]for (String token : filterTokens) {String[] nameConfigPair toNameConfigPair(token);//now we have the filter name, path and (possibly null) path-specific config. Lets apply them:addToChain(chainName, nameConfigPair[0], nameConfigPair[1]);}}
nameConfigPair[0]即为解析到的过滤器名称继续跟踪addToChain方法如下 public void addToChain(String chainName, String filterName, String chainSpecificFilterConfig) {if (!StringUtils.hasText(chainName)) {throw new IllegalArgumentException(chainName cannot be null or empty.);}Filter filter getFilter(filterName);if (filter null) {throw new IllegalArgumentException(There is no filter with name filterName to apply to chain [ chainName ] in the pool of available Filters. Ensure a filter with that name/path has first been registered with the addFilter method(s).);}applyChainConfig(chainName, filter, chainSpecificFilterConfig);NamedFilterList chain ensureChain(chainName);chain.add(filter);}public Filter getFilter(String name) {return this.filters.get(name);}protected NamedFilterList ensureChain(String chainName) {NamedFilterList chain getChain(chainName);if (chain null) {chain new SimpleNamedFilterList(chainName);this.filterChains.put(chainName, chain);}return chain;}
如上getFilter方法根据过滤器名称获取已注册的过滤器 ensureChain方法创建url对应的过滤器链并添加上url映射到的过滤器
至此完成了Url访问控制配置解析为内置过滤器的解析
下面开始对本篇的核心内容-Shiro内置过滤器进行深入解析
3. Shiro内置过滤器解析
3.1 内置过滤器概览
前述也给出了内置过滤器枚举的图示如下 其内部继承结构展示如下 可以看到内置过滤器的种类以及类继承层次结构还是比较复杂的我们已平时项目中较常用到的几种内置过滤器进行源码剖析包括AnonymousFilter、FormAuthenticationFilter、RolesAuthorizationFilter、PermissionsAuthorizationFilter以及logout
在具体分析内置过滤器之前我们首先对继承结构中一些关键的类按照由上到下的顺序进行解析说明方便更好的理解每个类继承层次的关键职责以及整体过滤器的处理逻辑然后再对分别具体的内置过滤器进行解析
3.2 公共继承类解析
3.2.1 顶层Filter接口
Servlet Filter接口调用doFilter方法执行过滤逻辑 public void init(FilterConfig filterConfig) throws ServletException;public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException;public void destroy();
3.2.2 AbstractFilter
实现了Servlet Filter的初始化方法init并定义了onFilterConfigSet的空实现 /*** Sets the filters {link #setFilterConfig filterConfig} and then immediately calls* {link #onFilterConfigSet() onFilterConfigSet()} to trigger any processing a subclass might wish to perform.** param filterConfig the servlet container supplied FilterConfig instance.* throws javax.servlet.ServletException if {link #onFilterConfigSet() onFilterConfigSet()} throws an Exception.*/public final void init(FilterConfig filterConfig) throws ServletException {setFilterConfig(filterConfig);try {onFilterConfigSet();} catch (Exception e) {if (e instanceof ServletException) {throw (ServletException) e;} else {if (log.isErrorEnabled()) {log.error(Unable to start Filter: [ e.getMessage() ]., e);}throw new ServletException(e);}}}protected void onFilterConfigSet() throws Exception {}
3.2.3 NameableFilter
见名知义定义了过滤器的名称以及名称的解析逻辑 /*** The name of this filter, unique within an application.*/private String name;/*** Returns the filters name.* p/* Unless overridden by calling the {link #setName(String) setName(String)} method, this value defaults to the* filter name as specified by the servlet container at start-up:* pre* this.name {link #getFilterConfig() getFilterConfig()}.{link javax.servlet.FilterConfig#getFilterName() getName()};/pre** return the filter name, or {code null} if none available* see javax.servlet.GenericServlet#getServletName()* see javax.servlet.FilterConfig#getFilterName()*/protected String getName() {if (this.name null) {FilterConfig config getFilterConfig();if (config ! null) {this.name config.getFilterName();}}return this.name;}
3.2.4 OncePerRequestFilter
实现了“每次请求、单次执行”的语义内部是通过设置标志位属性的方式实现的如下 public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)throws ServletException, IOException {String alreadyFilteredAttributeName getAlreadyFilteredAttributeName();if ( request.getAttribute(alreadyFilteredAttributeName) ! null ) {log.trace(Filter {} already executed. Proceeding without invoking this filter., getName());filterChain.doFilter(request, response);} else //noinspection deprecationif (/* added in 1.2: */ !isEnabled(request, response) ||/* retain backwards compatibility: */ shouldNotFilter(request) ) {log.debug(Filter {} is not enabled for the current request. Proceeding without invoking this filter.,getName());filterChain.doFilter(request, response);} else {// Do invoke this filter...log.trace(Filter {} not yet executed. Executing now., getName());request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);try {doFilterInternal(request, response, filterChain);} finally {// Once the request has finished, were done and we dont// need to mark as already filtered any more.request.removeAttribute(alreadyFilteredAttributeName);}}}/*** Same contract as for* {link #doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)},* but guaranteed to be invoked only once per request.** param request incoming {code ServletRequest}* param response outgoing {code ServletResponse}* param chain the {code FilterChain} to execute* throws ServletException if there is a problem processing the request* throws IOException if there is an I/O problem processing the request*/protected abstract void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)throws ServletException, IOException;
通过request中的属性KeyalreadyFilteredAttributeName是否已设置判断是否已经执行未执行则执行该过滤器逻辑已执行则跳过继续执行过滤链
同时执行内部过滤逻辑委托给了抽象方法doFilterInternal并交由子类来具体实现
3.2.5 AdviceFilter
AdviceFilter继承自OncePerRequestFilter并实现了抽象方法doFilterInternal具体过滤逻辑如下 /*** Actually implements the chain execution logic, utilizing* {link #preHandle(javax.servlet.ServletRequest, javax.servlet.ServletResponse) pre},* {link #postHandle(javax.servlet.ServletRequest, javax.servlet.ServletResponse) post}, and* {link #afterCompletion(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Exception) after}* advice hooks.** param request the incoming ServletRequest* param response the outgoing ServletResponse* param chain the filter chain to execute* throws ServletException if a servlet-related error occurs* throws IOException if an IO error occurs*/public void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)throws ServletException, IOException {Exception exception null;try {boolean continueChain preHandle(request, response);if (log.isTraceEnabled()) {log.trace(Invoked preHandle method. Continuing chain?: [ continueChain ]);}if (continueChain) {executeChain(request, response, chain);}postHandle(request, response);if (log.isTraceEnabled()) {log.trace(Successfully invoked postHandle method);}} catch (Exception e) {exception e;} finally {cleanup(request, response, exception);}}protected void executeChain(ServletRequest request, ServletResponse response, FilterChain chain) throws Exception {chain.doFilter(request, response);}protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {return true;}protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {}public void afterCompletion(ServletRequest request, ServletResponse response, Exception exception) throws Exception {}
如上AdviceFilter引入了扩展方法并给出了默认空实现也可交由子类进行方法覆盖 preHandle控制后续过滤链是否继续执行还是直接跳过 postHandlehandle后处理 afterCompletion过滤链执行完成后的处理 这些扩展点实现了类似Aop模式的嵌入逻辑并交由子类按需灵活实现
3.2.6 PathMatchingFilter
继承AdviceFilter实现了preHandle方法执行url路径匹配这里的appliedPaths即为url访问控制过滤器配置的url路径匹配的条件下才执行过滤逻辑 protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {if (this.appliedPaths null || this.appliedPaths.isEmpty()) {if (log.isTraceEnabled()) {log.trace(appliedPaths property is null or empty. This Filter will passthrough immediately.);}return true;}for (String path : this.appliedPaths.keySet()) {// If the path does match, then pass on to the subclass implementation for specific checks//(first match wins):if (pathsMatch(path, request)) {log.trace(Current requestURI matches pattern {}. Determining filter chain execution..., path);Object config this.appliedPaths.get(path);return isFilterChainContinued(request, response, path, config);}}//no path matched, allow the request to go through:return true;} isFilterChainContinued方法实现如下内部判断过滤器是否开启如果已开启引入了新的扩展方法onPreHandle来判断是否执行该过滤链 private boolean isFilterChainContinued(ServletRequest request, ServletResponse response,String path, Object pathConfig) throws Exception {if (isEnabled(request, response, path, pathConfig)) { //isEnabled check added in 1.2if (log.isTraceEnabled()) {log.trace(Filter {} is enabled for the current request under path {} with config [{}]. Delegating to subclass implementation for onPreHandle check.,new Object[]{getName(), path, pathConfig});}//The filter is enabled for this specific request, so delegate to subclass implementations//so they can decide if the request should continue through the chain or not:return onPreHandle(request, response, pathConfig);}if (log.isTraceEnabled()) {log.trace(Filter {} is disabled for the current request under path {} with config [{}]. The next element in the FilterChain will be called immediately.,new Object[]{getName(), path, pathConfig});}//This filter is disabled for this specific request,//return true immediately to indicate that the filter will not process the request//and let the request/response to continue through the filter chain:return true;} protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {return true;}
onPreHandle方法默认返回true表示继续执行后续过滤链并可交由子类进行覆盖实现
3.3 内置过滤器解析
3.3.1 AnonymousFilter
AnonymousFilter枚举名称为“anno”表示不对url进行拦截直接放行其具体类图如下 AnonymousFilter类定义非常简单它继承自PathMatchingFilter同时覆盖了扩展方法onPreHandle并固定返回true表示继续执行后续过滤链直接放行
AnonymousFilter类定义如下
public class AnonymousFilter extends PathMatchingFilter {/*** Always returns codetrue/code allowing unchecked access to the underlying path or resource.** return codetrue/code always, allowing unchecked access to the underlying path or resource.*/Overrideprotected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {// Always return true since we allow access to anyonereturn true;}}
3.3.2 FormAuthenticationFilter
FormAuthenticationFilter过滤器继承层次结构如下 这里也是继承自PathMatchingFilter下面对继承结构中的其它几个类进行具体分析
3.3.2.1 AccessControlFilter
访问控制过滤器内部覆盖实现了onPreHandle方法允许放行即返回true的条件是 已认证通过比如用户已登录未认证通过时也即访问拒绝后依据访问拒绝后的操作结果来判断是否继续执行后续过滤链比如访问拒绝后会执行用户登录如果登录成功则继续执行后续过滤链 /*** Returns codetrue/code if* {link #isAccessAllowed(ServletRequest,ServletResponse,Object) isAccessAllowed(Request,Response,Object)},* otherwise returns the result of* {link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(Request,Response,Object)}.** return codetrue/code if* {link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed},* otherwise returns the result of* {link #onAccessDenied(javax.servlet.ServletRequest, javax.servlet.ServletResponse) onAccessDenied}.* throws Exception if an error occurs.*/public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);}
同时AccessControlFilter又引入了新的扩展方法交由子类灵活实现如下 /*** Returns codetrue/code if the request is allowed to proceed through the filter normally, or codefalse/code* if the request should be handled by the* {link #onAccessDenied(ServletRequest,ServletResponse,Object) onAccessDenied(request,response,mappedValue)}* method instead.** param request the incoming codeServletRequest/code* param response the outgoing codeServletResponse/code* param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings.* return codetrue/code if the request should proceed through the filter normally, codefalse/code if the* request should be processed by this filters* {link #onAccessDenied(ServletRequest,ServletResponse,Object)} method instead.* throws Exception if an error occurs during processing.*/protected abstract boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception;/*** Processes requests where the subject was denied access as determined by the* {link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}* method, retaining the {code mappedValue} that was used during configuration.* p/* This method immediately delegates to {link #onAccessDenied(ServletRequest,ServletResponse)} as a* convenience in that most post-denial behavior does not need the mapped config again.** param request the incoming codeServletRequest/code* param response the outgoing codeServletResponse/code* param mappedValue the config specified for the filter in the matching requests filter chain.* return codetrue/code if the request should continue to be processed; false if the subclass will* handle/render the response directly.* throws Exception if there is an error processing the request.* since 1.0*/protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {return onAccessDenied(request, response);}/*** Processes requests where the subject was denied access as determined by the* {link #isAccessAllowed(javax.servlet.ServletRequest, javax.servlet.ServletResponse, Object) isAccessAllowed}* method.** param request the incoming codeServletRequest/code* param response the outgoing codeServletResponse/code* return codetrue/code if the request should continue to be processed; false if the subclass will* handle/render the response directly.* throws Exception if there is an error processing the request.*/protected abstract boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception;3.3.2.2 AuthenticationFilter
AuthenticationFilter实现了isAccessAllowed方法判断当前登录用户是否已认证通过 /*** Determines whether the current subject is authenticated.* p/* The default implementation {link #getSubject(javax.servlet.ServletRequest, javax.servlet.ServletResponse) acquires}* the currently executing Subject and then returns* {link org.apache.shiro.subject.Subject#isAuthenticated() subject.isAuthenticated()};** return true if the subject is authenticated; false if the subject is unauthenticated*/protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {Subject subject getSubject(request, response);return subject.isAuthenticated();}
3.3.2.3 AuthenticatingFilter
覆盖实现了isAccessAllowed方法判断是否允许访问允许访问的条件包括 用户已认证非登录url且url路径配置中包括“permissive”表示允许放行 /*** Determines whether the current subject should be allowed to make the current request.* p/* The default implementation returns codetrue/code if the user is authenticated. Will also return* codetrue/code if the {link #isLoginRequest} returns false and the quot;permissivequot; flag is set.** return codetrue/code if request should be allowed access*/Overrideprotected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {return super.isAccessAllowed(request, response, mappedValue) ||(!isLoginRequest(request, response) isPermissive(mappedValue));}/*** Returns codetrue/code if the mappedValue contains the {link #PERMISSIVE} qualifier.** return codetrue/code if this filter should be permissive*/protected boolean isPermissive(Object mappedValue) {if(mappedValue ! null) {String[] values (String[]) mappedValue;return Arrays.binarySearch(values, PERMISSIVE) 0;}return false;}
3.3.2.4 FormAuthenticationFilter处理逻辑
上述涉及的父类解析完毕我们看下FormAuthenticationFilter本身的主要实现逻辑
FormAuthenticationFilter覆盖了AccessControlFilter类提供的扩展方法onAccessDenied执行访问拒绝后的后续操作具体实现如下
可以看到这里主要包含了2个代码分支
如果提交url是登录url且是登录提交则会执行具体的登录操作如果不是登录url又因为之前还未认证通过则重定向到登录页面引导用户登录 protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {if (isLoginRequest(request, response)) {if (isLoginSubmission(request, response)) {if (log.isTraceEnabled()) {log.trace(Login submission detected. Attempting to execute login.);}return executeLogin(request, response);} else {if (log.isTraceEnabled()) {log.trace(Login page view.);}//allow them to see the login page ;)return true;}} else {if (log.isTraceEnabled()) {log.trace(Attempting to access a path which requires authentication. Forwarding to the Authentication url [ getLoginUrl() ]);}saveRequestAndRedirectToLogin(request, response);return false;}}
executeLogin方法实现了具体的登录操作获取当面登录用户然后执行登录login protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {AuthenticationToken token createToken(request, response);if (token null) {String msg createToken method implementation returned null. A valid non-null AuthenticationToken must be created in order to execute a login attempt.;throw new IllegalStateException(msg);}try {Subject subject getSubject(request, response);subject.login(token);return onLoginSuccess(token, subject, request, response);} catch (AuthenticationException e) {return onLoginFailure(token, e, request, response);}}
登录成功会重定向到成功页面并不再执行后续过滤链
登录失败设置登录失败属性用户可以继续登录 protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,ServletRequest request, ServletResponse response) throws Exception {issueSuccessRedirect(request, response);//we handled the success redirect directly, prevent the chain from continuing:return false;}protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,ServletRequest request, ServletResponse response) {if (log.isDebugEnabled()) {log.debug( Authentication exception, e );}setFailureAttribute(request, e);//login failed, let request continue back to the login page:return true;}protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {String className ae.getClass().getName();request.setAttribute(getFailureKeyAttribute(), className);}
3.3.3 RolesAuthorizationFilter
RolesAuthorizationFilter类继承层次结构如下继承了AuthorizationFilter抽象类进一步继承了AccessControlFilter下面首先看下AuthorizationFilter的实现 3.3.3.1 AuthorizationFilter
AuthorizationFilter内部覆盖了onAccessDenied方法如下 protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {Subject subject getSubject(request, response);// If the subject isnt identified, redirect to login URLif (subject.getPrincipal() null) {saveRequestAndRedirectToLogin(request, response);} else {// If subject is known but not authorized, redirect to the unauthorized URL if there is one// If no unauthorized URL is specified, just return an unauthorized HTTP status codeString unauthorizedUrl getUnauthorizedUrl();//SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:if (StringUtils.hasText(unauthorizedUrl)) {WebUtils.issueRedirect(request, response, unauthorizedUrl);} else {WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);}}return false;}
在没有访问控制权限的情况下会重定向到无权限的页面提示用户无访问权限并返回false终止后续过滤链的执行 3.3.3.2 RolesAuthorizationFilter处理逻辑
内部实现覆盖了isAccessAllowed方法如下
主要逻辑是判断当前登录用户是否具有配置的角色Role配置角色支持使用注解RequiresRoles进行定义
/*** Filter that allows access if the current user has the roles specified by the mapped value, or denies access* if the user does not have all of the roles specified.** since 0.9*/
public class RolesAuthorizationFilter extends AuthorizationFilter {//TODO - complete JavaDocSuppressWarnings({unchecked})public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {Subject subject getSubject(request, response);String[] rolesArray (String[]) mappedValue;if (rolesArray null || rolesArray.length 0) {//no roles specified, so nothing to check - allow access.return true;}SetString roles CollectionUtils.asSet(rolesArray);return subject.hasAllRoles(roles);}}
3.3.4 PermissionsAuthorizationFilter PermissionsAuthorizationFilter和RolesAuthorizationFilter一样同样继承AuthorizationFilter类且覆盖实现了isAccessAllowed方法如下
校验用户是否有指定权限支持注解RequiresPermissions进行权限配置
/*** Filter that allows access if the current user has the roles specified by the mapped value, or denies access* if the user does not have all of the roles specified.** since 0.9*/
public class RolesAuthorizationFilter extends AuthorizationFilter {//TODO - complete JavaDocSuppressWarnings({unchecked})public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {Subject subject getSubject(request, response);String[] rolesArray (String[]) mappedValue;if (rolesArray null || rolesArray.length 0) {//no roles specified, so nothing to check - allow access.return true;}SetString roles CollectionUtils.asSet(rolesArray);return subject.hasAllRoles(roles);}}
3.3.5 LogoutFilter
登录过滤器LogoutFilter继承层次结构如下 其也是继承自AdviceFilter并覆盖实现了preHandle方法如下 Overrideprotected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {Subject subject getSubject(request, response);// Check if POST only logout is enabledif (isPostOnlyLogout()) {// check if the current requests method is a POST, if not redirectif (!WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ENGLISH).equals(POST)) {return onLogoutRequestNotAPost(request, response);}}String redirectUrl getRedirectUrl(request, response, subject);//try/catch added for SHIRO-298:try {subject.logout();} catch (SessionException ise) {log.debug(Encountered session exception during logout. This can generally safely be ignored., ise);}issueRedirect(request, response, redirectUrl);return false;}
如上内部实现获取了当前登录用户并执行用户登出操作并引导跳转到重定向url 这里logout的具体实现以及上面用户登录、角色控制、权限控制的具体操作都是委托SecurityManager安全管理器来完成的由于篇幅较长不再展开说明待后续再单独进行深入分析
