上一篇Shiro源码解析-登录篇中提到了在登录验证成功后有对session的处理,但未详细分析,本文对此部分源码详细分析下。

1. 分析切入点:DefaultSecurityManger的login方法

    public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

        AuthenticationInfo info;

        try {

            info = authenticate(token);

        } catch (AuthenticationException ae) {

            try {

                onFailedLogin(token, ae, subject);

            } catch (Exception e) {

                if (log.isInfoEnabled()) {

                    log.info("onFailedLogin method threw an " +

                            "exception.  Logging and propagating original AuthenticationException.", e);

                }

            }

            throw ae; //propagate

        }

        Subject loggedIn = createSubject(token, info, subject); // 登录用户验证成功之后进行session处理

        onSuccessfulLogin(token, info, loggedIn);

        return loggedIn;

    }

继续DefaultSecurityManger

    protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {

        SubjectContext context = createSubjectContext();

        context.setAuthenticated(true);

        context.setAuthenticationToken(token);

        context.setAuthenticationInfo(info);

        if (existing != null) {

            context.setSubject(existing);

        }

        return createSubject(context); // 此处创建Subject

    }

DefaultSecurityManger的createSubject方法

    public Subject createSubject(SubjectContext subjectContext) {

        //create a copy so we don't modify the argument's backing map:

        SubjectContext context = copy(subjectContext);

        //ensure that the context has a SecurityManager instance, and if not, add one:

        context = ensureSecurityManager(context);

        //Resolve an associated Session (usually based on a referenced session ID), and place it in the context before

        //sending to the SubjectFactory.  The SubjectFactory should not need to know how to acquire sessions as the

        //process is often environment specific - better to shield the SF from these details:

        context = resolveSession(context);

        //Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first

        //if possible before handing off to the SubjectFactory:

        context = resolvePrincipals(context);

        Subject subject = doCreateSubject(context);

        //save this subject for future reference if necessary:

        //(this is needed here in case rememberMe principals were resolved and they need to be stored in the

        //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).

        //Added in 1.2:

        save(subject); // 在这一步存储session

        return subject;

    }

    protected void save(Subject subject) {

       this.subjectDAO.save(subject);

    }




2. 转移到DefaultSubjectDAO
  调用DefaultSubjectDAO.save(subject)方法




    public Subject save(Subject subject) {

        if (isSessionStorageEnabled(subject)) { // 默认sessionStorage是enabled

            saveToSession(subject); // 看这里

        } else {

            log.trace("Session storage of subject state for Subject [{}] has been disabled: identity and " +

                    "authentication state are expected to be initialized on every request or invocation.", subject);

        }

        return subject;

    }




调用DefaultSubjectDAO.saveToSession(subject)方法




   protected void saveToSession(Subject subject) {

        //performs merge logic, only updating the Subject's session if it does not match the current state:

        mergePrincipals(subject);

        mergeAuthenticationState(subject);

    }




调用DefaultSubjectDAO的mergePrincipals方法




   protected void mergePrincipals(Subject subject) {

        //merge PrincipalCollection state:

        PrincipalCollection currentPrincipals = null;

        //SHIRO-380: added if/else block - need to retain original (source) principals

        //This technique (reflection) is only temporary - a proper long term solution needs to be found,

        //but this technique allowed an immediate fix that is API point-version forwards and backwards compatible

        //

        //A more comprehensive review / cleaning of runAs should be performed for Shiro 1.3 / 2.0 +

        if (subject.isRunAs() && subject instanceof DelegatingSubject) {

            try {

                Field field = DelegatingSubject.class.getDeclaredField("principals");

                field.setAccessible(true);

                currentPrincipals = (PrincipalCollection)field.get(subject);

            } catch (Exception e) {

                throw new IllegalStateException("Unable to access DelegatingSubject principals property.", e);

            }

        }

        if (currentPrincipals == null || currentPrincipals.isEmpty()) {

            currentPrincipals = subject.getPrincipals();

        }

        Session session = subject.getSession(false); // 取得session,如果不存在,并不会主动创建session

        if (session == null) {

            if (!isEmpty(currentPrincipals)) {

                session = subject.getSession();  // 第一次用户访问时,会创建session,那么session是如何创建的呢?在缓存还是在DB中,请继续往下看

                session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);

            }

            // otherwise no session and no principals - nothing to save

        } else {

            PrincipalCollection existingPrincipals =

                    (PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);

            if (isEmpty(currentPrincipals)) {

                if (!isEmpty(existingPrincipals)) {

                    session.removeAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);

                }

                // otherwise both are null or empty - no need to update the session

            } else {

                if (!currentPrincipals.equals(existingPrincipals)) {

                    session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);

                }

                // otherwise they're the same - no need to update the session

            }

        }

    }




3. 转移到DelegatingSubject


调用DelegatingSubject的getSession




    public Session getSession() {

        return getSession(true); // 参数为true,表示不存在此session时创建

    }

 public Session getSession(boolean create) {

        if (log.isTraceEnabled()) {

            log.trace("attempting to get session; create = " + create +

                    "; session is null = " + (this.session == null) +

                    "; session has id = " + (this.session != null && session.getId() != null));

        }

        if (this.session == null && create) {

            //added in 1.2:

            if (!isSessionCreationEnabled()) {

                String msg = "Session creation has been disabled for the current subject.  This exception indicates " +

                        "that there is either a programming error (using a session when it should never be " +

                        "used) or that Shiro's configuration needs to be adjusted to allow Sessions to be created " +

                        "for the current Subject.  See the " + DisabledSessionException.class.getName() + " JavaDoc " +

                        "for more.";

                throw new DisabledSessionException(msg);

            }

            log.trace("Starting session for host {}", getHost());

            SessionContext sessionContext = createSessionContext();

            Session session = this.securityManager.start(sessionContext); // session创建,从这里再往下走(这里的securityMananger是SessionSecurityManager)

            this.session = decorate(session);

        }

        return this.session;

    }




4. 转移到SessionSecurityManager




    public Session start(SessionContext context) throws AuthorizationException {

        return this.sessionManager.start(context); // 如果没有设置sessionManager,则调用默认的ServletContainerSessionManager(内存存储session),demo代码使用如下

    }




5. 如果像demo中soure一样,设置了的sessionManager为DefaultWebSessionManager,那么接下来会转移为到它的父类AbstractValidatingSessionManager




    protected Session createSession(SessionContext context) throws AuthorizationException {

        enableSessionValidationIfNecessary();

        return doCreateSession(context);

    }

   protected Session doCreateSession(SessionContext context) {

        Session s = newSessionInstance(context);

        if (log.isTraceEnabled()) {

            log.trace("Creating session for host {}", s.getHost());

        }

        create(s); // 在此处创建Session

        return s;

    }

    protected Session newSessionInstance(SessionContext context) {

        return getSessionFactory().createSession(context);

    }




6. 调用DefaultSessionManager




    protected void create(Session session) {

        if (log.isDebugEnabled()) {

            log.debug("Creating new EIS record for new session instance [" + session + "]");

        }

        sessionDAO.create(session); // 到这里大家应该看到了,你配置的SessionDAO在什么时候调用,demo中使用EnterpriseCacheSessionDAO

    }




7. 先调用的父类CachingSessionDAO的create方法




    public Serializable create(Session session) {

        Serializable sessionId = super.create(session);// 这里只是生成sessionId,至于生成使用的算法可以在config中设置sessionIdGenerator

        cache(session, sessionId); // 生成session并存储到cache,过程在下面

        return sessionId;

    }




8. 接下来cache方法




    protected void cache(Session session, Serializable sessionId) {

        if (session == null || sessionId == null) {

            return;

        }

        Cache<Serializable, Session> cache = getActiveSessionsCacheLazy(); // 创建cache,名字默认为shiro-activeSessionCache

        if (cache == null) {

            return;

        }

        cache(session, sessionId, cache); // 存储到cache

    }



   protected void cache(Session session, Serializable sessionId, Cache<Serializable, Session> cache) {
      cache.put(sessionId, session);  // 这里调用的Ehcache的put方法,最终是存储在cache中(当然,如果你自定义了SessionDAO,那就可以存储在你指定的地方)
   }




到这里大家基本都明白了整个过程吧,通过源码分析我们可以明白以下关键点


  • SessionManager什么时候调用
    • 

  • SessionDAO何时调用
    • 

  • SessionId什么时候生成
    • 

  • Session什么时候存储到Cache


如有问题,欢迎评论回复!
												


											
Shiro源码解析-Session篇的更多相关文章
	

    
								
  1. Shiro源码解析-登录篇
		
    本文以循序渐进的方式解析Shiro整个login过程的处理,读者可以边阅读本文边自己看代码来思考体会,如有问题,欢迎评论区探讨! 笔者shiro的demo源码路径:https://github.com ...
    
		
    2. 
						
  2. jQuery2.x源码解析(缓存篇)
		
    jQuery2.x源码解析(构建篇) jQuery2.x源码解析(设计篇) jQuery2.x源码解析(回调篇) jQuery2.x源码解析(缓存篇) 缓存是jQuery中的又一核心设计,jQuery ...
    
		
    3. 
						
  3. jQuery2.x源码解析(构建篇)
		
    jQuery2.x源码解析(构建篇) jQuery2.x源码解析(设计篇) jQuery2.x源码解析(回调篇) jQuery2.x源码解析(缓存篇) 笔者阅读了园友艾伦 Aaron的系列博客< ...
    
		
    4. 
						
  4. jQuery2.x源码解析(设计篇)
		
    jQuery2.x源码解析(构建篇) jQuery2.x源码解析(设计篇) jQuery2.x源码解析(回调篇) jQuery2.x源码解析(缓存篇) 这一篇笔者主要以设计的角度探索jQuery的源代 ...
    
		
    5. 
						
  5. jQuery2.x源码解析(回调篇)
		
    jQuery2.x源码解析(构建篇) jQuery2.x源码解析(设计篇) jQuery2.x源码解析(回调篇) jQuery2.x源码解析(缓存篇) 通过艾伦的博客,我们能看出,jQuery的pro ...
    
		
    6. 
						
  6. myBatis源码解析-类型转换篇(5)
		
    前言 开始分析Type包前,说明下使用场景.数据构建语句使用PreparedStatement,需要输入的是jdbc类型,但我们一般写的是java类型.同理,数据库结果集返回的是jdbc类型,而我们需 ...
    
		
    7. 
						
  7. Spring源码解析 | 第二篇:Spring IOC容器之XmlBeanFactory启动流程分析和源码解析
		
    一. 前言 Spring容器主要分为两类BeanFactory和ApplicationContext,后者是基于前者的功能扩展,也就是一个基础容器和一个高级容器的区别.本篇就以BeanFactory基 ...
    
		
    8. 
						
  8. myBatis源码解析-数据源篇(3)
		
    前言:我们使用mybatis时,关于数据源的配置多使用如c3p0,druid等第三方的数据源.其实mybatis内置了数据源的实现,提供了连接数据库,池的功能.在分析了缓存和日志包的源码后,接下来分析 ...
    
		
    9. 
						
  9. myBatis源码解析-反射篇(4)
		
    前沿 前文分析了mybatis的日志包,缓存包,数据源包.源码实在有点难顶,在分析反射包时,花费了较多时间.废话不多说,开始源码之路. 反射包feflection在mybatis路径如下: 源码解析  ...
    
		
    10. 
		

	


随机推荐
	

    
									
  1. 多校训练4——Hehe
			
    递推题: dp[i]表示字符串第i个字母前有多少种不同的方法 1.出现一个hehe:dp[i]=dp[i-4]+dp[i-2] 意思是dp[i]=当前的hehe换成wqnmlgb+当前的hehe不换成 ...
    
			
    2. 
						
  2. mongodb 查询条件
			
    这节来说说mongodb条件操作符,"$lt", "$lte", "$gt", "$gte", "$ne&qu ...
    
			
    3. 
						
  3. webstorm最新破解方法
			
    方法来自 Rover12421 大神. 1.从官网下载WebStorm2016.1安装. 2.下载 破解补丁 并解压,记住路径 3.编辑WebStorm安装目录下 bin 文件夹中的 WebStorm ...
    
			
    4. 
						
  4. JS 单例模式
			
    <parctical common lisp>的作者曾说,如果你需要一种模式,那一定是哪里出了问题.他所说的问题是指因为语言的天生缺陷,不得不去寻求和总结一种通用的解决方案. 不管是弱类型 ...
    
			
    5. 
						
  5. .NET基础 (01).NET基础概念
			
    .NET基础概念 1 什么是CTS.CLS和CLR2 开发和运行.NET程序需要的最基本环节是什么3 .NET是否支持多编程语言开发4 CLR技术和COM技术的比较5 什么是程序集和应用程序域 1 什 ...
    
			
    6. 
						
  6. iTerm2 + Oh My Zsh 打造舒适终端体验
			
    iTerm2 + Oh My Zsh 打造舒适终端体验 写在前面 最终效果图: 因为powerline以及homebrew均需要安装command line tool,网络条件优越的同学在执行本文下面 ...
    
			
    7. 
						
  7. Java实现四则运算---任路乾,乐滔
			
    1.GitHub地址:https://github.com/3116004700/ruanjiangongcheng 2.项目需求: 生成的题目中计算过程不能产生负数(完成) 生成的题目中如果存在形如 ...
    
			
    8. 
						
  8. Linq生成操作之DefautIfEmpty,Empty,Range,Repeat源码分析
			
    Linq生成操作之DefautIfEmpty,Empty,Range,Repeat源码分析 Linq的四种生成运算 DefautIfEmpty,Empty,Range,Repeat 也就是给我们初始化 ...
    
			
    9. 
						
  9. C# xsd 验证 XML数据有效性 问题
			
    使用XSD进行批量数据导入时生成的XML数据有效性这样的功能已经不是第一次做了,之前做的时候都没有碰到什么问题,这些天在开发中遇到了一个很头痛的问题就是无论XSD文件规则怎么写,验证都是通过的. 下面 ...
    
			
    10. 
						
  10. Windows store app[Part 2]:全新的File System与Uri不匹配的问题
			
    在Win 8 App的安全沙箱内,除了使用文件选取器FileOpenPicker外,没有其他办法调用某个盘符的数据. 全新的Storage命名空间,借鉴了IOS与Android的设计. 下面引用一个图 ...
    
			
    11.