接着上一篇来继续分析shiro源码
这篇主要讲解shiro里面的SecurityUtils
首先我们看该类供我们在业务中用的仅有两个get方法,那么这两个get方法获取的subject和sercurityManager怎么来的,我们具体分析
首先我们已经知道每次请求在被拦截后都会走AbstractShiroFilter里的doFilterInternal方法,如果不清楚请先看我的《spring集成shiro登陆流程》的上下篇。
AbstractShiroFilter
其中有这么段代码
//调用DelegatingSubject的execute(Callablecallable)方法 subject.execute(new Callable() { public Object call() throws Exception { updateSessionLastAccessTime(request, response); executeChain(request, response, chain); return null; }});
这里调用了DelegatingSubject的execute(Callable<V> callable)方法
DelegatingSubject
进来看
publicV execute(Callable callable) throws ExecutionException { //这里创建了一个Callable对象,进去看 Callable associated = associateWith(callable); try { return associated.call(); } catch (Throwable t) { throw new ExecutionException(t); } } //继续 public Callable associateWith(Callable callable) { //这里将subject对象传递到SubjectCallable return new SubjectCallable (this, callable); }
SubjectCallable
注意看这里创建了一个SubjectThreadState对象
public SubjectCallable(Subject subject, Callabledelegate) { this(new SubjectThreadState(subject), delegate); } //这个方法主要是将subject对象和securityManager 放在SubjectThreadState上下文 public SubjectThreadState(Subject subject) {
this.subject = subject; SecurityManager securityManager = null; //从subject中获取securityManager对象,每次请求都会将securityManager对象放到subject上下文, (DefaultSecurityManager#createSubject的ensureSecurityManager) if ( subject instanceof DelegatingSubject) { securityManager = ((DelegatingSubject)subject).getSecurityManager(); } if ( securityManager == null) { securityManager = ThreadContext.getSecurityManager(); } this.securityManager = securityManager; }
那么到这儿,在SubjectThreadState中就有了subject和securityManager对象
继续看到DelegatingSubject的execute方法
执行associated.call()
我们点进去看 SubjectCallable#call
SubjectCallable
//首先我们注意到doCall方法就是调用了Callable的call方法,也就是异步执行了executeChain(request, response, chain);方法,简单说就是调用验证等流水账然后进入我们的业务代码 //我们调用SecurityUtis.getSubject就是在doCall异步执行里用的 public V call() throws Exception { try { //我们发现执行目标业务之前有个bind方法 threadState.bind(); return doCall(this.callable); } finally { //执行完后会清空bind的数据 threadState.restore(); } }
protected V doCall(Callabletarget) throws Exception { return target.call(); }
很有必要再进SubjectThreadState方法看看bind这个方法
SubjectThreadState
public void bind() { SecurityManager securityManager = this.securityManager;this.originalResources = ThreadContext.getResources(); //清空ThreadContext里的数据 ThreadContext.remove(); //将subject和securityManager绑定到ThreadContext ThreadContext.bind(this.subject); if (securityManager != null) { ThreadContext.bind(securityManager); } }
走到这儿我们发现把subject和securityManager绑定到ThreadContext
那么这个ThreadContext就很重要了,必须看看
ThreadContext
//定义了个跟线程绑定的ThreadLocal private static final ThreadLocal
那么我们应该再看看SecurityUtils的两个get方法
//从ThreadContext中获取,没有就创建一个并绑定 public static Subject getSubject() { Subject subject = ThreadContext.getSubject(); if (subject == null) { subject = (new Subject.Builder()).buildSubject(); ThreadContext.bind(subject); } return subject; }//先从ThreadContext中获取,如果没有则从SecurityUtils中获取,如果没有就直接从SubjceUtils中获取(如果是spring项目,那么在spirng的配置文件长会配置)public static SecurityManager getSecurityManager() throws UnavailableSecurityManagerException { SecurityManager securityManager = ThreadContext.getSecurityManager(); if (securityManager == null) { securityManager = SecurityUtils.securityManager; }return securityManager; }
看到这儿我们了解到了为什么我们在程序中调用SecurityUtils的getSubject会有值了
小结:
当我们登陆后,每次请求都会将Subject对象和SecurityManager对象与当前线程绑定,在执行完业务逻辑后,会将这些数据与当前线程解绑
那么我们得到了SecurityManager对象后,那么它依赖的数据就轻而易举的可以愉快的拿到了
注:有不好或者错误的地方还请看官在评论区给指出,意见宝贵。