spring mvc下shiro的session,request等问题

最近的一个项目使用的是spring mvc,权限框架使用的是shiro.

不过有一个问题一直困扰着我,现在的session到底是谁的session,是servlet的还是shiro的.

于是我把spring controller参数里面的HttpServletRequest对象和HttpSession对象打印了出来

这两个对象打印的结果是org.apache.shiro.web.servlet.ShiroHttpServletRequest和org.apache.shiro.web.servlet.ShiroHttpSession

在不使用shiro时这些对象应该均为tomcat所实现的类,这说明在shiro执行filter时将request对象包装成了shiro实现的类.

那么shiro是在什么时候将request对象包装了的呢?

先看一下shiro的拦截器类图:

ShiroFilter 是整个 Shiro 的入口点，用于拦截需要安全控制的请求进行处理。ShiroFilter 继承自AbstractShiroFilter,而AbstractShiroFilter继承自OncePerRequestFilter

先看一下OncePerRequestFilter的源码 :

public abstract class OncePerRequestFilter extends NameableFilter {

 

    // 已过滤属性的后缀名

    public static final String ALREADY_FILTERED_SUFFIX = ".FILTERED";

 

    // 是否开启过滤功能

    private boolean enabled = true;

 

    public boolean isEnabled() {

        return enabled;

    }

 

    public void setEnabled(boolean enabled) {

        this.enabled = enabled;

    }

 

    public final void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws ServletException, IOException {

        // 获取 Filter 已过滤的属性名

        String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();

        // 判断是否已过滤

        if (request.getAttribute(alreadyFilteredAttributeName) != null) {

            // 若已过滤，则进入 FilterChain 中下一个 Filter

            filterChain.doFilter(request, response);

        } else {

            // 若未过滤，则判断是否未开启过滤功能（其中 shouldNotFilter 方法将被废弃，由 isEnabled 方法取代）

            if (!isEnabled(request, response) || shouldNotFilter(request)) {

                // 若未开启，则进入 FilterChain 中下一个 Filter

                filterChain.doFilter(request, response);

            } else {

                // 若已开启，则将已过滤属性设置为 true（只要保证 Request 中有这个属性即可）

                request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);

                try {

                    // 在子类中执行具体的过滤操作

                    doFilterInternal(request, response, filterChain);

                } finally {

                    // 当前 Filter 执行结束需移除 Request 中的已过滤属性

                    request.removeAttribute(alreadyFilteredAttributeName);

                }

            }

        }

    }

 

    protected String getAlreadyFilteredAttributeName() {

        String name = getName();

        if (name == null) {

            name = getClass().getName();

        }

        return name + ALREADY_FILTERED_SUFFIX;

    }

 protected boolean isEnabled(ServletRequest request, ServletResponse response) throws ServletException, IOException {

        return isEnabled();

    }

 protected boolean shouldNotFilter(ServletRequest request) throws ServletException {

        return false;

    }

 

    protected abstract void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException;

}

我们看到OncePerRequestFilter里面实现了Servlet规范的doFilter(),并且将该方法声明为final,可以看出shiro不允许其子类再复写该方法.

但OncePerRequestFilter并没有实现 doFilterInternal(request, response, filterChain),这说明该方法是需要在子类中实现的.

再来看一下OncePerRequestFilter的子类AbstractShiroFilter:

protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain) throws ServletException, IOException {

        Throwable t = null;

        try {

            // 返回被 Shiro 包装过的 Request 与 Response 对象

            final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);

            final ServletResponse response = prepareServletResponse(request, servletResponse, chain);

            // 创建 Shiro 的 Subject 对象

            final Subject subject = createSubject(request, response);

            // 使用异步的方式执行相关操作

            subject.execute(new Callable() {

                public Object call() throws Exception {

                    // 更新 Session 的最后访问时间

                    updateSessionLastAccessTime(request, response);

                    // 执行 Shiro 的 Filter Chain

                    executeChain(request, response, chain);

                    return null;

                }

            });

        } catch (ExecutionException ex) {

            t = ex.getCause();

        } catch (Throwable throwable) {

            t = throwable;

        }

        if (t != null) {

            if (t instanceof ServletException) {

                throw (ServletException) t;

            }

            if (t instanceof IOException) {

                throw (IOException) t;

            }

            throw new ServletException(t);

        }

    }

果然,在子类AbstractShiroFilter中实现了doFilterInternal()方法.

其中用于包装request的函数:

protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain) {
        ServletRequest toUse = request;
        if(request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest)request;
            toUse = this.wrapServletRequest(http);
        }

        return toUse;
    }

protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
        return new ShiroHttpServletRequest(orig, this.getServletContext(), this.isHttpSessions());
    }

现在终于知道shiro是怎么把request对象包装成ShiroHttpServletRequest类型的了.

一开始session的困惑也能解开了:

因为session是通过request获取的,所以先看一下ShiroHttpServletRequest获取session的源码:

public HttpSession getSession(boolean create) {
        HttpSession httpSession;
        if(this.isHttpSessions()) {
            httpSession = super.getSession(false);
            if(httpSession == null && create) {
                if(!WebUtils._isSessionCreationEnabled(this)) {
                    throw this.newNoSessionCreationException();
                }

                httpSession = super.getSession(create);
            }
        } else {
            if(this.session == null) {
                boolean existing = this.getSubject().getSession(false) != null;
                Session shiroSession = this.getSubject().getSession(create);
                if(shiroSession != null) {
                    this.session = new ShiroHttpSession(shiroSession, this, this.servletContext);
                    if(!existing) {
                        this.setAttribute(REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
                    }
                }
            }

            httpSession = this.session;
        }

        return httpSession;
    }

这里主要讲的是:

如果this.isHttpSessions()返回true,则返回父类HttpServletRequestWrapper的

也就是servelet规范的session,否则返回ShiroHttpSession对象.

那么this.isHttpSessions()是什么呢?

protected boolean httpSessions = true;

public boolean isHttpSessions() {
        return this.httpSessions;
    }

this.isHttpSessions()返回ShiroHttpServletRequest对象的一个属性值,默认是true.

ShiroHttpServletRequest的构造函数是这样的:

public ShiroHttpServletRequest(HttpServletRequest wrapped, ServletContext servletContext, boolean httpSessions) {
        super(wrapped);
        this.servletContext = servletContext;
        this.httpSessions = httpSessions;
    }

这说明在ShiroHttpServletRequest对象生成之初就必须指定httpSessions的值.

再回到刚才shiro包装request的地方.

protected ServletRequest wrapServletRequest(HttpServletRequest orig) {
        return new ShiroHttpServletRequest(orig, this.getServletContext(), this.isHttpSessions());
    }

protected boolean isHttpSessions() {
        return this.getSecurityManager().isHttpSessionMode();
    }

这里的this.isHttpSessions()取决于this.getSecurityManager().isHttpSessionMode()的值.

我们项目里SecurityManager设置为DefaultWebSecurityManager.其中isHttpSessionMode()方法为:

public boolean isHttpSessionMode() {
        SessionManager sessionManager = this.getSessionManager();
        return sessionManager instanceof WebSessionManager && ((WebSessionManager)sessionManager).isServletContainerSessions();
    }

我们这个项目使用的sessionManager是DefaultWebSessionManager,DefaultWebSessionManager实现了sessionManager 接口.

但是DefaultWebSessionManager中该方法返回的是false.

public boolean isServletContainerSessions() {
        return false;
    }

所以最终session得到的是ShiroHttpSession.

转载请注明出处http://www.cnblogs.com/vinozly/p/5080692.html