
Shiro 3 filter

2016-06-28 10:00
First, the inheritance hierarchy of the filters that Shiro provides:



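A filter's entry point is doFilter, which ultimately leads to doFilterInternal in AdviceFilter.

This class also has a preHandle method that returns true or false to decide whether the request passes the filter. Subclasses override it to implement the logic of each specific filter.

For example, in LogoutFilter: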

@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
    Subject subject = getSubject(request, response);
    String redirectUrl = getRedirectUrl(request, response, subject);
    //try/catch added for SHIRO-298:
    try {
        subject.logout();
    } catch (SessionException ise) {
        log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
    }
    issueRedirect(request, response, redirectUrl);
    return false;
}

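The subject is logged out, the request is redirected to redirectUrl, and the method returns false.

PathMatchingFilter extends AdviceFilter. Its overridden preHandle adds the checks for the other permissions configured for the URL, and finally exposes a method for subclasses to override. The third parameter of that method has a type such as:

String[] s = {"role1","role2"}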

protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
    return true;
}


So the anonymous filter, AnonymousFilter, extends PathMatchingFilter, and its onPreHandle simply returns true, so every request passes:

@Override
protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
    // Always return true since we allow access to anyone
    return true;
}


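AccessControlFilter extends PathMatchingFilter

public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
    return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
}

Both of these methods are implemented by subclasses. This class also provides the method saveRequestAndRedirectToLogin, which is called to redirect to the login page when the conditions are not met.

The remaining filters all implement specific functionality, so we only need to look at how they implement the methods above.

For example, RolesAuthorizationFilter checks whether the subject has the given roles: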

@SuppressWarnings({"unchecked"})
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

    Subject subject = getSubject(request, response);
    String[] rolesArray = (String[]) mappedValue;

    if (rolesArray == null || rolesArray.length == 0) {
        //no roles specified, so nothing to check - allow access.
        return true;
    }

    Set<String> roles = CollectionUtils.asSet(rolesArray);
    return subject.hasAllRoles(roles);
}


For example, PermissionsAuthorizationFilter checks whether the subject has the given permissions:

public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

    Subject subject = getSubject(request, response);
    String[] perms = (String[]) mappedValue;

    boolean isPermitted = true;
    if (perms != null && perms.length > 0) {
        if (perms.length == 1) {
            if (!subject.isPermitted(perms[0])) {
                isPermitted = false;
            }
        } else {
            if (!subject.isPermittedAll(perms)) {
                isPermitted = false;
            }
        }
    }

    return isPermitted;
}

The authentication filter: FormAuthenticationFilter extends AuthenticatingFilter extends AuthenticationFilter extends AccessControlFilter
It checks whether the subject is logged in.

AuthenticationFilter

protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    Subject subject = getSubject(request, response);
    return subject.isAuthenticated();
}

FormAuthenticationFilter
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    if (isLoginRequest(request, response)) {
        if (isLoginSubmission(request, response)) {
            if (log.isTraceEnabled()) {
                log.trace("Login submission detected. Attempting to execute login.");
            }
            return executeLogin(request, response);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Login page view.");
            }
            //allow them to see the login page ;)
            return true;
        }
    } else {
        if (log.isTraceEnabled()) {
            log.trace("Attempting to access a path which requires authentication. Forwarding to the " +
                    "Authentication url [" + getLoginUrl() + "]");
        }

        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
}

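Shiro's filters are packaged quite cleanly. Following this inheritance line, we can extend one of its filters to implement whatever logic our own application needs.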
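
A custom filter built on the AccessControlFilter contract described above, as an added example that is not part of the original post or of Shiro itself. The class name AnyRoleFilter is hypothetical, and the imports assume Shiro 1.x on the javax.servlet API. It differs from RolesAuthorizationFilter in two ways: any one of the listed roles is enough, and an empty role list denies access instead of allowing it.

```java
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical filter: allows the request when the subject holds ANY configured role.
public class AnyRoleFilter extends AccessControlFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // mappedValue carries the per-URL configuration, e.g. {"role1", "role2"}.
        String[] roles = (String[]) mappedValue;
        // Fail closed: a path mapped to this filter with no roles is a
        // configuration mistake, so deny rather than let everyone through.
        if (roles == null || roles.length == 0) {
            return false;
        }
        Subject subject = getSubject(request, response);
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    // Called by onPreHandle only when isAccessAllowed returned false.
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        Subject subject = getSubject(request, response);
        if (subject.getPrincipal() == null) {
            // Unknown caller: remember the request and send them to the login page.
            saveRequestAndRedirectToLogin(request, response);
        } else {
            // Known caller without a matching role: answer 403, no redirect.
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        // The response has been written; stop the filter chain.
        return false;
    }
}
```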