Apache Shiro Web 模块深入分析与教学文档<\/h1>

1. Shiro-Web 概述<\/h2>

Shiro-Web 是 Shiro-Core 的包装器(wrapper)，主要提供与 Servlet 容器的集成能力。其核心特征是"实现一方，调用一方"的设计模式：<\/p>

实现 Filter 接口使 Tomcat 可以调用<\/li>
ShiroFilter 调用 WebSubject<\/li>

WebSubject 调用 Subject 接口（继承自 shiro-core）<\/li> <\/ul>

关键特性<\/h3>

双向调用关系<\/strong>：<\/p>

主要调用方向：shiro-web → shiro-core<\/li>
特殊情况：shiro-core 也会回调 wrapper 中的实现（如 SessionManager 的两种实现）<\/li> <\/ul> <\/li>

Session 管理冲突处理<\/strong>：<\/p>

Servlet 容器（如 Tomcat）已有 Session 管理实现<\/li>
Shiro 提供了自己的 SessionManager<\/li>
开发者需要选择使用哪种 Session 管理方式<\/li> <\/ul> <\/li> <\/ol>
2. 架构设计与解耦机制<\/h2>
Shiro-Web 通过继承方式实现与核心模块的解耦：<\/p>
Servlet容器 → ShiroFilter → WebSubject → WebSecurityManager <\/code><\/pre> 这种设计使得：<\/p> shiro-web 不直接依赖 shiro-core<\/li> 大部分逻辑由 shiro-core 实现<\/li> shiro-web 只需关注特定于 Web 的部分<\/li> <\/ul> 3. Filter 体系结构<\/h2> 3.1 类图结构<\/h3> OncePerRequestFilter ├── 直接对接 Servlet 容器的 Filter 分支 └── 实际执行过滤逻辑的 Filter 分支 └── AbstractShiroFilter (ShiroFilter) └── AdviceFilter └── AccessControlFilter ├── InvalidRequestFilter (封锁恶意请求) └── UserFilter (允许已知用户访问) <\/code><\/pre> 3.2 核心 Filter 详解<\/h3> OncePerRequestFilter<\/strong>:<\/p> doFilter()<\/code> 方法实际逻辑由 doFilterInternal()<\/code> 决定（子类实现）<\/li> 确保每个请求只被过滤一次<\/li> <\/ul> AbstractShiroFilter<\/strong>:<\/p> 初始化：读取解析配置文件<\/li> 核心算法：获取执行链<\/li> 执行过滤操作<\/li> <\/ol> <\/li> <\/ul> AdviceFilter<\/strong>:<\/p> 提供 AOP 风格的"环绕"通知： preHandle<\/code>: 请求处理前<\/li> postHandle<\/code>: 请求处理后<\/li> afterCompletion<\/code>: 请求完成后<\/li> <\/ul> <\/li> <\/ul> AccessControlFilter<\/strong>:<\/p> 访问控制基类<\/li> 主要子类： InvalidRequestFilter<\/code>: 封锁恶意请求<\/li> UserFilter<\/code>: 仅允许已知用户（已认证或记住我）访问<\/li> <\/ul> <\/li> <\/ul> 4. Filter 链管理<\/h2> 4.1 FilterChainManager<\/h3> 管理从可用 Filter 实例池中创建和修改 Filter 链。<\/p> 关键组件：<\/p> NamedFilterList<\/code>: 装载 NameableFilter<\/code> 及其子类的列表<\/li> NameableFilter<\/code>: 配置文件中配置的过滤器<\/li> <\/ul> 4.2 配置示例<\/h3> [main]<\/span> <\/span><\/span>shiro.loginUrl<\/span> =<\/span> \/login<\/span> <\/span><\/span>shiro.successUrl<\/span> =<\/span> \/loginSuccess<\/span> <\/span><\/span>filterName<\/span> =<\/span> className<\/span> <\/span><\/span> <\/span><\/span>[urls]<\/span> <\/span><\/span>\/login<\/span> =<\/span> authc<\/span> <\/span><\/span>\/admin<\/span> =<\/span> authc, roles[admin]<\/span> <\/span><\/span>\/user<\/span> =<\/span> authc, roles[user]<\/span> <\/span><\/span>\/**<\/span> =<\/span> anon<\/span> <\/span><\/span><\/code><\/pre>URL 配置格式：<\/p> \/some\/path\/** = myFilter,otherFilter <\/code><\/pre> 表示该路径需要经过 myFilter 和 otherFilter 两个过滤器<\/p> 4.3 默认过滤器<\/h3> Shiro 提供了一组默认过滤器（如 authc, anon, roles 等），可直接在配置中使用。<\/p> 5. FilterChainResolver<\/h2> 根据请求 URL 返回对应的 FilterChain。<\/p> 唯一实现类：PathMatchingFilterChainResolver<\/code><\/p> 工作流程：<\/p> 获取 requestUrl<\/li> 遍历所有 filterChainNames (pathPattern)<\/li> 逐个比对，匹配成功则调用 FilterChainManager.proxy(originalChain, pathPattern)<\/code><\/li> <\/ol> proxy()<\/code> 方法详解：<\/p> \/\/ DefaultFilterChainManager <\/span><\/span><\/span><\/span>public<\/span> FilterChain proxy<\/span>(<\/span>FilterChain original,<\/span> String chainName)<\/span> {<\/span> <\/span><\/span> NamedFilterList configured =<\/span> getChain(<\/span>chainName);<\/span> \/\/ 获取配置的过滤器链 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>configured ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> IllegalArgumentException(<\/span>"No configured chain under name ["<\/span> +<\/span> chainName +<\/span> "]"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> configured.<\/span>proxy<\/span>(<\/span>original);<\/span> \/\/ 代理 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ SimpleNamedFilterList <\/span><\/span><\/span><\/span>public<\/span> FilterChain proxy<\/span>(<\/span>FilterChain orig)<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> ProxiedFilterChain(<\/span>orig,<\/span> this<\/span>);<\/span> \/\/ 创建代理链 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. ProxiedFilterChain 架构<\/h2> public<\/span> class<\/span> ProxiedFilterChain<\/span> implements<\/span> FilterChain {<\/span> <\/span><\/span> private<\/span> FilterChain orig;<\/span> \/\/ Servlet 容器原始链 <\/span><\/span><\/span><\/span> private<\/span> List<<\/span>Filter><\/span> filters;<\/span> \/\/ Shiro 实际过滤器 <\/span><\/span><\/span><\/span> private<\/span> int<\/span> index =<\/span> 0<\/span>;<\/span> \/\/ 当前过滤器索引 <\/span><\/span><\/span><\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>this<\/span>.<\/span>filters<\/span> ==<\/span> null<\/span> ||<\/span> this<\/span>.<\/span>filters<\/span>.<\/span>size<\/span>()<\/span> ==<\/span> this<\/span>.<\/span>index<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 执行完 Shiro 过滤器后，调用原始链 <\/span><\/span><\/span><\/span> this<\/span>.<\/span>orig<\/span>.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> \/\/ 执行当前 Shiro 过滤器 <\/span><\/span><\/span><\/span> this<\/span>.<\/span>filters<\/span>.<\/span>get<\/span>(<\/span>this<\/span>.<\/span>index<\/span>++).<\/span>doFilter<\/span>(<\/span>request,<\/span> response,<\/span> this<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7. 总体流程<\/h2> 请求到达 ShiroFilter (AbstractShiroFilter)<\/li> 通过 FilterChainResolver 获取匹配的 FilterChain<\/li> 创建 ProxiedFilterChain (包装原始 FilterChain 和 Shiro 过滤器)<\/li> 执行 ProxiedFilterChain 的 doFilter 方法：先执行所有 Shiro 过滤器<\/li> 最后执行原始 Servlet 容器过滤器链<\/li> <\/ul> <\/li> 过滤完成后，请求继续 Servlet 容器的正常处理流程<\/li> <\/ol> 8. 关键设计模式<\/h2> Wrapper 模式<\/strong>:<\/p> shiro-web 作为 shiro-core 的包装器<\/li> 提供 Web 特定功能，同时重用核心逻辑<\/li> <\/ul> <\/li> 责任链模式<\/strong>:<\/p> FilterChain 管理多个过滤器的执行顺序<\/li> ProxiedFilterChain 实现过滤器链的代理<\/li> <\/ul> <\/li> 模板方法模式<\/strong>:<\/p> OncePerRequestFilter 定义算法骨架<\/li> 具体过滤逻辑由子类实现 (doFilterInternal)<\/li> <\/ul> <\/li> 策略模式<\/strong>:<\/p> FilterChainResolver 提供不同的匹配策略<\/li> 目前只有 PathMatchingFilterChainResolver 实现<\/li> <\/ul> <\/li> <\/ol> 9. 最佳实践<\/h2> Session 管理选择<\/strong>:<\/p> 评估是否需要 Shiro 的 SessionManager<\/li> 考虑与容器 Session 的兼容性<\/li> <\/ul> <\/li> 过滤器配置<\/strong>:<\/p> 合理使用默认过滤器<\/li> 自定义过滤器时继承适当的基类<\/li> <\/ul> <\/li> URL 匹配<\/strong>:<\/p> 精确路径优先于通配符<\/li> 注意过滤器顺序的影响<\/li> <\/ul> <\/li> 性能考虑<\/strong>:<\/p> 避免过于复杂的过滤器链<\/li> 利用 OncePerRequestFilter 避免重复过滤<\/li> <\/ul> <\/li> <\/ol> 10. 扩展点<\/h2> 自定义 Filter<\/strong>:<\/p> 继承 AccessControlFilter 或 AdviceFilter<\/li> 实现特定的访问控制逻辑<\/li> <\/ul> <\/li> 自定义 FilterChainResolver<\/strong>:<\/p> 实现不同的 URL 匹配策略<\/li> 如基于正则表达式或其他条件<\/li> <\/ul> <\/li> SessionManager 集成<\/strong>:<\/p> 实现自定义 SessionManager<\/li> 集成第三方 Session 存储<\/li> <\/ul> <\/li> <\/ol> 11. 常见问题解决方案<\/h2> 过滤器不生效<\/strong>:<\/p> 检查 web.xml 配置<\/li> 验证 URL 模式匹配<\/li> 确认过滤器顺序<\/li> <\/ul> <\/li> Session 冲突<\/strong>:<\/p> 明确选择 Session 管理方式<\/li> 必要时实现自定义 SessionManager<\/li> <\/ul> <\/li> 性能问题<\/strong>:<\/p> 减少不必要的过滤器<\/li> 优化 URL 匹配模式<\/li> <\/ul> <\/li> 安全漏洞<\/strong>:<\/p> 确保使用 InvalidRequestFilter<\/li> 定期更新 Shiro 版本<\/li> <\/ul> <\/li> <\/ol> 12. 总结<\/h2> Shiro-Web 通过精心的设计实现了：<\/p> 与 Servlet 容器的无缝集成<\/li> 与核心模块的清晰解耦<\/li> 灵活的过滤器链管理<\/li> 可扩展的安全控制机制<\/li> <\/ul> 理解其内部机制有助于：<\/p> 更有效地使用 Shiro 进行 Web 安全防护<\/li> 更快速地定位和解决问题<\/li> 更灵活地进行定制开发<\/li> <\/ul>