HttpShiroRequest 接管session

簡單分析完jetty的請求處理過程：http://my.oschina.net/u/782865/blog/505533

來看看shiro是怎麼接管session的；咱們知道web容器都實現有session管理；要把這個容器默認實現屏蔽掉，就須要改變request的getSession方法的默認實現；

shiro是這樣實現的：封裝普通的request成一個wrap,便是ShiroHttpServletRequest;

經過攔截器攔截request並封裝爲ShiroHttpServletRequest;具體以下

shiro的AbstractShiroFilter

protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain)
            throws ServletException, IOException {

        Throwable t = null;

        try {
            final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);//執行封裝
            final ServletResponse response = prepareServletResponse(request, servletResponse, chain);

            final Subject subject = createSubject(request, response);

            //noinspection unchecked
            subject.execute(new Callable() {
                public Object call() throws Exception {
                    updateSessionLastAccessTime(request, response);
                    executeChain(request, response, chain);
                    return null;
                }
            });...

@SuppressWarnings({"UnusedDeclaration"})
    protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain) {
        ServletRequest toUse = request;
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            toUse = wrapServletRequest(http);
        }
        return toUse;
    }

protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
        return new ShiroHttpServletRequest(orig, getServletContext(), isHttpSessions());
    }

默認不用容器的session實現；

再來看看ShiroHttpServletRequest的getSession方法；

public HttpSession getSession() {
        return getSession(true);
    }

public HttpSession getSession(boolean create) {

        HttpSession httpSession;

        if (isHttpSessions()) {//默認是flase;
            httpSession = super.getSession(false);
            if (httpSession == null && create) {
                //Shiro 1.2: assert that creation is enabled (SHIRO-266):
                if (WebUtils._isSessionCreationEnabled(this)) {
                    httpSession = super.getSession(create);
                } else {
                    throw newNoSessionCreationException();
                }
            }
        } else {//這裏是shiro實現的session
            if (this.session == null) {

                boolean existing = getSubject().getSession(false) != null;

                Session shiroSession = getSubject().getSession(create);
                if (shiroSession != null) {
                    this.session = new ShiroHttpSession(shiroSession, this, this.servletContext);
                    if (!existing) {
                        setAttribute(REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
                    }
                }
            }
            httpSession = this.session;
        }

        return httpSession;
    }

那麼實現shiro的sessionDao接口就能夠想存哪就存哪了；