Shiro中Subject對象的建立與綁定流程分析
咱們在日常使用Shrio進行身份認證時,常常經過獲取Subject 對象中保存的Session、Principal等信息,來獲取認證用戶的信息,也就是說Shiro會把認證後的用戶信息保存在Subject 中供程序使用web
public static Subject getSubject() { return SecurityUtils.getSubject(); }
Subject 是Shiro中核心的也是咱們常常用到的一個對象,那麼Subject 對象是怎麼構造建立,並如何存儲綁定供程序調用的,下面咱們就對其流程進行一下探究,首先是Subject 接口自己的繼承與實現,這裏咱們須要特別關注下WebDelegatingSubject這個實現類,這個就是最終返回的具體實現類redis
1、Subject的建立
在Shiro中每一個http請求都會通過SpringShiroFilter的父類AbstractShiroFilte中的doFilterInternal方法,咱們看下具體代碼數據庫
protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain) throws ServletException, IOException { Throwable t = null; try { final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain); final ServletResponse response = prepareServletResponse(request, servletResponse, chain); //建立Subject final Subject subject = createSubject(request, response); //執行Subject綁定 //noinspection unchecked subject.execute(new Callable() { public Object call() throws Exception { updateSessionLastAccessTime(request, response); executeChain(request, response, chain); return null; } }); } catch (ExecutionException ex) { t = ex.getCause(); } catch (Throwable throwable) { t = throwable; } if (t != null) { if (t instanceof ServletException) { throw (ServletException) t; } if (t instanceof IOException) { throw (IOException) t; } //otherwise it's not one of the two exceptions expected by the filter method signature - wrap it in one: String msg = "Filtered request failed."; throw new ServletException(msg, t); } }
繼續進入createSubject方法,也就是建立Subject對象的入口緩存
protected WebSubject createSubject(ServletRequest request, ServletResponse response) { return new WebSubject.Builder(getSecurityManager(), request, response).buildWebSubject(); }
這裏使用了build的對象構建模式,進入WebSubject接口中查看Builder與buildWebSubject()的具體實現session
Builder()中主要用於初始化SecurityManager 、ServletRequest 、ServletResponse 等對象,構建SubjectContext上下文關係對象ui
*/
public Builder(SecurityManager securityManager, ServletRequest request, ServletResponse response) {
super(securityManager);
if (request == null) {
throw new IllegalArgumentException("ServletRequest argument cannot be null.");
}
if (response == null) {
throw new IllegalArgumentException("ServletResponse argument cannot be null.");
}
setRequest(request);
setResponse(response);
}
buildWebSubject方法中開始構造Subject對象this
public WebSubject buildWebSubject() { Subject subject = super.buildSubject();//父類build方法 if (!(subject instanceof WebSubject)) { String msg = "Subject implementation returned from the SecurityManager was not a " + WebSubject.class.getName() + " implementation. Please ensure a Web-enabled SecurityManager " + "has been configured and made available to this builder."; throw new IllegalStateException(msg); } return (WebSubject) subject; }
進入父類的buildSubject對象咱們能夠看到,具體實現是由SecurityManager來完成的spa
public Subject buildSubject() { return this.securityManager.createSubject(this.subjectContext); }
在createSubject方法中會根據你的配置從緩存、redis、數據庫中獲取Session、Principals等信息,並建立Subject對象線程
public Subject createSubject(SubjectContext subjectContext) { //create a copy so we don't modify the argument's backing map: SubjectContext context = copy(subjectContext); //複製一個SubjectContext對象 //ensure that the context has a SecurityManager instance, and if not, add one: context = ensureSecurityManager(context); // 檢查並初始化SecurityManager對象 //Resolve an associated Session (usually based on a referenced session ID), and place it in the context before //sending to the SubjectFactory. The SubjectFactory should not need to know how to acquire sessions as the //process is often environment specific - better to shield the SF from these details: context = resolveSession(context);//解析獲取Sesssion信息 //Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first //if possible before handing off to the SubjectFactory: context = resolvePrincipals(context);//解析獲取resolvePrincipals信息 Subject subject = doCreateSubject(context);//建立Subject //save this subject for future reference if necessary: //(this is needed here in case rememberMe principals were resolved and they need to be stored in the //session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation). //Added in 1.2: save(subject); return subject; }
在doCreateSubject中經過SubjectFactory建立合成Subject對象3d
protected Subject doCreateSubject(SubjectContext context) { return getSubjectFactory().createSubject(context); }
咱們能夠看到最後返回的是具體實現類WebDelegatingSubject
public Subject createSubject(SubjectContext context) { //SHIRO-646 //Check if the existing subject is NOT a WebSubject. If it isn't, then call super.createSubject instead. //Creating a WebSubject from a non-web Subject will cause the ServletRequest and ServletResponse to be null, which wil fail when creating a session. boolean isNotBasedOnWebSubject = context.getSubject() != null && !(context.getSubject() instanceof WebSubject); if (!(context instanceof WebSubjectContext) || isNotBasedOnWebSubject) { return super.createSubject(context); } //獲取上下文對象中的信息 WebSubjectContext wsc = (WebSubjectContext) context; SecurityManager securityManager = wsc.resolveSecurityManager(); Session session = wsc.resolveSession(); boolean sessionEnabled = wsc.isSessionCreationEnabled(); PrincipalCollection principals = wsc.resolvePrincipals(); boolean authenticated = wsc.resolveAuthenticated(); String host = wsc.resolveHost(); ServletRequest request = wsc.resolveServletRequest(); ServletResponse response = wsc.resolveServletResponse(); //構造返回WebDelegatingSubject對象 return new WebDelegatingSubject(principals, authenticated, host, session, sessionEnabled, request, response, securityManager); }
以上是Subject的建立過程,建立完成後咱們還須要與當前請求線程進行綁定,這樣才能經過SecurityUtils.getSubject()方法獲取到Subject
2、Subject的綁定
Subject對象本質上是與請求所屬的線程進行綁定,Shiro底層定義了一個ThreadContext對象,一個基於ThreadLocal的上下文管理容器,裏面定義了一個InheritableThreadLocalMap<Map<Object, Object>>(),Subject最後就是被放到這個map當中,咱們獲取時也是從這個map中獲取
首先咱們看下綁定操做的入口,execuse是執行綁定,後續操做採用回調機制來實現
//執行Subject綁定 //noinspection unchecked subject.execute(new Callable() { public Object call() throws Exception { updateSessionLastAccessTime(request, response); executeChain(request, response, chain); return null; } });
初始化一個SubjectCallable對象,並把回調方法傳進去
public <V> V execute(Callable<V> callable) throws ExecutionException { Callable<V> associated = associateWith(callable);//初始化一個SubjectCallable對象,並把回調方法傳進去 try { return associated.call(); } catch (Throwable t) { throw new ExecutionException(t); } } public <V> Callable<V> associateWith(Callable<V> callable) { return new SubjectCallable<V>(this, callable); }
看下SubjectCallable類的具體實現
public class SubjectCallable<V> implements Callable<V> { protected final ThreadState threadState; private final Callable<V> callable; public SubjectCallable(Subject subject, Callable<V> delegate) { this(new SubjectThreadState(subject), delegate);//初始化構造方法 } protected SubjectCallable(ThreadState threadState, Callable<V> delegate) { if (threadState == null) { throw new IllegalArgumentException("ThreadState argument cannot be null."); } this.threadState = threadState;//SubjectThreadState對象 if (delegate == null) { throw new IllegalArgumentException("Callable delegate instance cannot be null."); } this.callable = delegate;//回調對象 } public V call() throws Exception { try { threadState.bind();//執行綁定操做 return doCall(this.callable);//執行回調操做 } finally { threadState.restore(); } } protected V doCall(Callable<V> target) throws Exception { return target.call(); } }
具體綁定的操做是經過threadState.bind()來實現的
public void bind() { SecurityManager securityManager = this.securityManager; if ( securityManager == null ) { //try just in case the constructor didn't find one at the time: securityManager = ThreadContext.getSecurityManager(); } this.originalResources = ThreadContext.getResources(); ThreadContext.remove();//首先執行remove操做 ThreadContext.bind(this.subject);//執行綁定操做 if (securityManager != null) { ThreadContext.bind(securityManager); } }
在上面bind方法中又會執行ThreadContext的bind方法,這裏就是以前說到的shiro底層維護了的一個ThreadContext對象,一個基於ThreadLocal的上下文管理容器,bind操做本質上就是把建立的Subject對象維護到resources 這個InheritableThreadLocalMap中, SecurityUtils.getSubject()方法其實就是從InheritableThreadLocalMap中獲取所屬線程對應的Subject
private static final ThreadLocal<Map<Object, Object>> resources = new InheritableThreadLocalMap<Map<Object, Object>>();//定義一個InheritableThreadLocalMap public static void bind(Subject subject) { if (subject != null) { put(SUBJECT_KEY, subject);//向InheritableThreadLocalMap中放入Subject對象 } } public static void put(Object key, Object value) { if (key == null) { throw new IllegalArgumentException("key cannot be null"); } if (value == null) { remove(key); return; } ensureResourcesInitialized(); resources.get().put(key, value); if (log.isTraceEnabled()) { String msg = "Bound value of type [" + value.getClass().getName() + "] for key [" + key + "] to thread " + "[" + Thread.currentThread().getName() + "]"; log.trace(msg); } }
3、總結
從以上對Shiro源碼的分析,咱們對Subject對象的建立與綁定進行了基本的梳理,Subject對象的建立是經過不斷的對context上下文對象進行賦值與完善,並最終構造返回WebDelegatingSubject對象的過程;Subject對象建立後,會經過Shiro底層維護的一個基於ThreadLocal的上下文管理容器,即ThreadContext這個類,與請求所屬的線程進行綁定,供後續訪問使用。對Subject對象建立與綁定流程的分析,有助於理解Shiro底層的實現機制與方法,加深對Shiro的認識,從而在項目中可以正確使用。但願本文對你們能有所幫助,其中若有不足與不正確的地方還望指出與海涵。
相關文章
- 1. Shiro-Subject 分析(轉)
- 2. shiro subject源碼分析
- 3. shiro源碼分析01 -- Subject
- 4. Java 對象建立的流程
- 5. c++對象與lua綁定
- 6. shiro源碼分析(二)Subject和Session
- 7. Java中對象的建立過程(內存分析)
- 8. Application建立流程分析
- 9. java建立對象建立過程分析
- 10. 對象的建立與內存分配
- 更多相關文章...
- • WSDL 綁定 - WSDL 教程
- • Hibernate的運行流程 - Hibernate教程
- • Git五分鐘教程
- • 互聯網組織的未來:剖析GitHub員工的任性之源
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章