shiro源码篇 - shiro的filter，你值得拥有

前言

　　开心一刻

　　　　已经报废了一年多的电脑，今天特么突然开机了，吓老子一跳，只见电脑管家缓缓地出来了，本次开机一共用时一年零六个月，打败了全国0%的电脑，电脑管家已经对您的电脑失去信心，然后它把自己卸载了，只剩我在一旁发呆。

　　路漫漫其修远兮，吾将上下而求索！

　　github：https://github.com/youzhibing

　　码云(gitee)：https://gitee.com/youzhibing

shiroFilter的注册

　　此篇博文讲到了springboot的filter注册，但只是filter注册的一种方式：通过FilterRegistrationBean实现。而Shiro Filter的注册是采用另外的方式实现的，我们接着往下看

　　ShiroFilterFactoryBean实现了FactoryBean，我们来看下ShiroFilterFactoryBean对FactoryBean的getObject方法的实现

git图一

　　　　可以看到createInstance()返回的是SpringShiroFilter的实例；SpringShiroFilter的类图如下

　　getObject方法只是创建了一个SpringShiroFilter实例，并注册到了spring容器中，那是如何注册到servlet容器的呢？我们来跟下源码

　　　　这篇博文其实涉及到了，只是那时候没细讲，我们还是从那里开始

gif图二

　　　　ServletContextInitializerBeans.java的构造方法，里面有addServletContextInitializerBeans(beanFactory)方法和addAdaptableBeans(beanFactory)，我们来好好瞅一瞅

　　　　addServletContextInitializerBeans(beanFactory)

private void addServletContextInitializerBeans(ListableBeanFactory beanFactory) {

    for (Entry<String, ServletContextInitializer> initializerBean : getOrderedBeansOfType(

            beanFactory, ServletContextInitializer.class)) {

        addServletContextInitializerBean(initializerBean.getKey(),

                initializerBean.getValue(), beanFactory);

    }

}

private void addServletContextInitializerBean(String beanName,

        ServletContextInitializer initializer, ListableBeanFactory beanFactory) {

    if (initializer instanceof ServletRegistrationBean) {

        Servlet source = ((ServletRegistrationBean<?>) initializer).getServlet();

        addServletContextInitializerBean(Servlet.class, beanName, initializer,

                beanFactory, source);

    }

    else if (initializer instanceof FilterRegistrationBean) {

        Filter source = ((FilterRegistrationBean<?>) initializer).getFilter();

        addServletContextInitializerBean(Filter.class, beanName, initializer,

                beanFactory, source);

    }

    else if (initializer instanceof DelegatingFilterProxyRegistrationBean) {

        String source = ((DelegatingFilterProxyRegistrationBean) initializer)

                .getTargetBeanName();

        addServletContextInitializerBean(Filter.class, beanName, initializer,

                beanFactory, source);

    }

    else if (initializer instanceof ServletListenerRegistrationBean) {

        EventListener source = ((ServletListenerRegistrationBean<?>) initializer)

                .getListener();

        addServletContextInitializerBean(EventListener.class, beanName, initializer,

                beanFactory, source);

    }

    else {

        addServletContextInitializerBean(ServletContextInitializer.class, beanName,

                initializer, beanFactory, initializer);

    }

}

　　　　　　会将spring bean工厂（beanFactory）中类型是ServletContextInitalizer类型的实例（包括ServletRegistrationBean、FilterRegistrationBean、DelegatingFilterProxyRegistrationBean、ServletListenerRegistrationBean）添加进ServletContextInitializerBeans的initializers属性中。

private final MultiValueMap<Class<?>, ServletContextInitializer> initializers;

　　　　　　ServletContextInitalizer的子类图如下所示

　　　　　　这也就是上篇博文注册Filter的方式，以RegistrationBean方式实现的，但是SpringShiroFilter不是在这添加进ServletContextInitializerBeans的initializers中的哦

　　　　addAdaptableBeans(beanFactory)

private void addAdaptableBeans(ListableBeanFactory beanFactory) {

    MultipartConfigElement multipartConfig = getMultipartConfig(beanFactory);

    addAsRegistrationBean(beanFactory, Servlet.class,

            new ServletRegistrationBeanAdapter(multipartConfig));

    addAsRegistrationBean(beanFactory, Filter.class,

            new FilterRegistrationBeanAdapter());

    for (Class<?> listenerType : ServletListenerRegistrationBean

            .getSupportedTypes()) {

        addAsRegistrationBean(beanFactory, EventListener.class,

                (Class<EventListener>) listenerType,

                new ServletListenerRegistrationBeanAdapter());

    }

}

　　　　　　会将beanFactory中的Servlet、Filter、Listener实例封装成对应的RegistrationBean，然后添加到ServletContextInitializerBeans的initializers；部分细节没去跟，有兴趣的可以自行去跟下源代码。

　　　　ServletContextInitializerBeans的sortedList的内容最终如下

　　　　然后遍历这个sortedList，逐个注入到servlet容器

　　小结

　　　　springboot下有3种方式注册Filter（Servlet、Listener类似），FilterRegistrationBean、@WebFilter 和@Bean，@WebFilter我还没试过，另外这3种方式注册的Filter的优先级是：FilterRegistrationBean > @WebFilter > @Bean（网上查阅的资料，我没试哦，使用过程中需要注意！）。

　　　　不管是FilterRegistrationBean方式、@WebFilter方式，还是@Bean方式，只要是受spring容器管理，最终都会添加到ServletContextInitializerBeans的initializers中，都会成功注册到servlet容器。@WebFilter方式和@Bean方式注册的Filter都会被封装成FilterRegistrationBean，然后添加进ServletContextInitializerBeans的initializers；3种方式最终殊途同归，都以FilterRegistrationBean的形式存在ServletContextInitializerBeans的initializers中。SpringShiroFilter的注册算是@Bean方式注册的，至此SpringShiroFilter就注册到了servlet容器中了。

　　　　ServletContextInitializerBeans的sortedList如下：

private List<ServletContextInitializer> sortedList;

　　　　是一个有序的ServletContextInitializer List，这个有序针对的同类型，比如所有的FilterRegistrationBean有序，所有的ServletRegistrationBean有序，FilterRegistrationBean与ServletRegistrationBean之间有没有序是无意义的。

shiro中的Filter链

　　shiro的默认filter列表

　　　　除了SpringShiroFilter之外，shiro还有默认的11个Filter；细心的朋友应该在git图一中已经发现了，在创建DefaultFilterChainManager，就把默认的11个Filter添加到它的filters中

private Map<String, Filter> filters; //pool of filters available for creating chains

private Map<String, NamedFilterList> filterChains; //key: chain name, value: chain

public DefaultFilterChainManager() {

    this.filters = new LinkedHashMap<String, Filter>();

    this.filterChains = new LinkedHashMap<String, NamedFilterList>();

    addDefaultFilters(false);    // 将默认的11个Filter添加到filters

}

　　　　这11个Filter具体如下

anon(AnonymousFilter.class),

authc(FormAuthenticationFilter.class),

authcBasic(BasicHttpAuthenticationFilter.class),

logout(LogoutFilter.class),

noSessionCreation(NoSessionCreationFilter.class),

perms(PermissionsAuthorizationFilter.class),

port(PortFilter.class),

rest(HttpMethodPermissionFilter.class),

roles(RolesAuthorizationFilter.class),

ssl(SslFilter.class),

user(UserFilter.class);

　　Filter链

　　　　SpringShiroFilter注册到servlet容器中，请求肯定会经过SpringShiroFilter的doFilter方法，我们就从此开始跟一跟源代码

gif图三

　　　　上图中可能展示的不够细，主要就是两点：1、路径匹配：pathMatches(pathPattern, requestURI)，默认的Fliter逐个与请求URI进行匹配；2、代理FilterChain：ProxiedFilterChain。如果匹配不上，那么直接走servlet的FilterChain，否则先走shiro的代理FilterChain（ProxiedFilterChain），之后再走servlet的FilterChain。

　　　　ProxiedFilterChain源代码如下

/*

 * Licensed to the Apache Software Foundation (ASF) under one

 * or more contributor license agreements.  See the NOTICE file

 * distributed with this work for additional information

 * regarding copyright ownership.  The ASF licenses this file

 * to you under the Apache License, Version 2.0 (the

 * "License"); you may not use this file except in compliance

 * with the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing,

 * software distributed under the License is distributed on an

 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

 * KIND, either express or implied.  See the License for the

 * specific language governing permissions and limitations

 * under the License.

 */

package org.apache.shiro.web.servlet;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import javax.servlet.*;

import java.io.IOException;

import java.util.List;

/**

 * A proxied filter chain is a {@link FilterChain} instance that proxies an original {@link FilterChain} as well

 * as a {@link List List} of other {@link Filter Filter}s that might need to execute prior to the final wrapped

 * original chain.  It allows a list of filters to execute before continuing the original (proxied)

 * {@code FilterChain} instance.

 *

 * @since 0.9

 */

public class ProxiedFilterChain implements FilterChain {

    //TODO - complete JavaDoc

    private static final Logger log = LoggerFactory.getLogger(ProxiedFilterChain.class);

    private FilterChain orig;                    // 原FilterChain，也就是servlet容器的FilterChain

    private List<Filter> filters;                // shiro默认的11个Filter

    private int index = 0;

    public ProxiedFilterChain(FilterChain orig, List<Filter> filters) {

        if (orig == null) {

            throw new NullPointerException("original FilterChain cannot be null.");

        }

        this.orig = orig;

        this.filters = filters;

        this.index = 0;

    }

    public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {

        if (this.filters == null || this.filters.size() == this.index) {

            //we've reached the end of the wrapped chain, so invoke the original one:

            if (log.isTraceEnabled()) {

                log.trace("Invoking original filter chain.");

            }

            this.orig.doFilter(request, response);                        // 当shiro的11个Filter走完之后，继续走servlet容器的FilterChain

        } else {

            if (log.isTraceEnabled()) {

                log.trace("Invoking wrapped filter at index [" + this.index + "]");

            }

            this.filters.get(this.index++).doFilter(request, response, this);    // 递归逐个走shiro的11个Filter

        }

    }

}

　　　　Shiro对Servlet容器的FilterChain进行了代理，即ShiroFilter在继续Servlet容器的Filter链的执行之前，通过ProxiedFilterChain对Servlet容器的FilterChain进行了代理；即先走Shiro自己的Filter体系，然后才会委托给Servlet容器的FilterChain进行Servlet容器级别的Filter链执行；Shiro的ProxiedFilterChain执行流程：1、先执行Shiro自己的Filter链；2、再执行Servlet容器的Filter链（即原始的 Filter）。

总结

　　1、SpringShiroFilter注册到spring容器，会被包装成FilterRegistrationBean，通过FilterRegistrationBean注册到servlet容器；

　　2、一般而言，shiro的PathMatchingFilterChainResolver会匹配所有的请求，Shiro对Servlet容器的FilterChain进行了代理，生成代理FilterChain：ProxiedFilterChain，请求先走Shiro自己的Filter链，再走Servelt容器的Filter链；

　　3、题外话，springboot注册Filter、Servlet、Listener方式类似，都有3种，具体是哪三种，大家去上文看；关于Shiro的Filter，本文没做更详细的讲解，需要了解的可以去看《跟我学shiro》

参考

　　《跟我学shiro》

　　shiro源码