<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    public Object getObject() throws Exception {
        if (instance == null) {
            instance = createInstance();
        return instance;
  protected AbstractShiroFilter createInstance() throws Exception {

        // 这里是通过FactoryBean注入的SecurityManager(必须)
        SecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            String msg = "SecurityManager property must be set.";
            throw new BeanInitializationException(msg);

        if (!(securityManager instanceof WebSecurityManager)) {
            String msg = "The security manager does not implement the WebSecurityManager interface.";
            throw new BeanInitializationException(msg);

        FilterChainManager manager = createFilterChainManager();

        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();

        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
  • SecurityManager:我们知道其在Shiro中的地位,类似于一个“安全大管家”,相当于SpringMVC中的DispatcherServlet或者Struts2中的FilterDispatcher,是Shiro的心脏,所有具体的交互都通过SecurityManager进行控制,它管理着所有Subject、且负责进行认证和授权、及会话、缓存的管理。
  • ChainResolver:Filter链解析器,用来解析出该次请求需要执行的Filter链。
  • PathMatchingFilterChainResolverChainResolver的实现类,其中还包含了两个重要组件FilterChainManagerPatternMatcher
  • FilterChainManager:管理着Filter和Filter链,配合PathMatchingFilterChainResolver解析出Filter链
  • PatternMatcher:用来进行请求路径匹配,默认为Ant风格的路径匹配


<!-- Shiro的Web过滤器 -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login" />
        <property name="unauthorizedUrl" value="/special/unauthorized" />
        <property name="filters">
                <entry key="authc" value-ref="formAuthenticationFilter" />
                <entry key="logout" value-ref="logoutFilter" />
                <entry key="ssl" value-ref="sslFilter"></entry>
        <property name="filterChainDefinitions">
                /resources/** = anon
                /plugin/** = anon
                /download/** = anon
                /special/unauthorized = anon
                /register = anon
                /login = ssl,authc
                /logout = logout
                /admin/** = roles[admin]

                /** = user

  protected FilterChainManager createFilterChainManager() {

        // 默认使用的FilterChainManager是DefaultFilterChainManager
        DefaultFilterChainManager manager = new DefaultFilterChainManager();
        // DefaultFilterChainManager默认会注册的filters(后面会列出)
        Map<String, Filter> defaultFilters = manager.getFilters();

        // 将ShiroFilterFactoryBean配置的一些公共属性(上面配置的loginUrl,successUrl,unauthorizeUrl)应用到默认注册的filter上去
        for (Filter filter : defaultFilters.values()) {

        // 处理自定义的filter(上面配置的filters属性),步骤类似上面
        Map<String, Filter> filters = getFilters();
        if (!CollectionUtils.isEmpty(filters)) {
            for (Map.Entry<String, Filter> entry : filters.entrySet()) {
                String name = entry.getKey();
                Filter filter = entry.getValue();
                if (filter instanceof Nameable) {
                    ((Nameable) filter).setName(name);
                // 将Filter添加到manager中去,可以看到对于Filter的管理是依赖于FilterChainManager的
                manager.addFilter(name, filter, false);

        // 根据FilterChainDefinition的配置来构建Filter链(上面配置的filterChainDefinitions属性)
        Map<String, String> chains = getFilterChainDefinitionMap();
        if (!CollectionUtils.isEmpty(chains)) {
            for (Map.Entry<String, String> entry : chains.entrySet()) {
                String url = entry.getKey();
                String chainDefinition = entry.getValue();
                // 后面会分析该步的源码,功能上就是创建Filter链
                manager.createChain(url, chainDefinition);

        return manager;
    private FilterConfig filterConfig;

    private Map<String, Filter> filters; //pool of filters available for creating chains

    private Map<String, NamedFilterList> filterChains; //key: chain name, value: chain
而后面两张map就重要了:filters中缓存了所有添加的filter,filterChains则缓存了所有的filterChain。其中前者的key是filter name,value是Filter。而后者的key是chain name,value是NamedFilterList

  • addFilter(缓存filter让manager来管理)
    public void addFilter(String name, Filter filter, boolean init) {
        addFilter(name, filter, init, true);

    protected void addFilter(String name, Filter filter, boolean init, boolean overwrite) {
        Filter existing = getFilter(name);
        if (existing == null || overwrite) {
            if (filter instanceof Nameable) {
                ((Nameable) filter).setName(name);
            if (init) {
            this.filters.put(name, filter);
  • createChain:创建filterChain并将定义的filter都加进去
    // chainName就是拦截路径"/resources/**",chainDefinition就是多个过滤器名的字符串
    public void createChain(String chainName, String chainDefinition) {
        if (!StringUtils.hasText(chainName)) {
            throw new NullPointerException("chainName cannot be null or empty.");
        if (!StringUtils.hasText(chainDefinition)) {
            throw new NullPointerException("chainDefinition cannot be null or empty.");

        if (log.isDebugEnabled()) {
            log.debug("Creating chain [" + chainName + "] from String definition [" + chainDefinition + "]");

        // 先分离出配置的各个filter,比如 
        // "authc, roles[admin,user], perms[file:edit]" 分离后的结果是:
        // { "authc", "roles[admin,user]", "perms[file:edit]" }
        String[] filterTokens = splitChainDefinition(chainDefinition);

        // 进一步分离出"[]"内的内容,其中nameConfigPair是一个长度为2的数组
        // 比如 roles[admin,user] 经过解析后的nameConfigPair 为{"roles", "admin,user"}
        for (String token : filterTokens) {
            String[] nameConfigPair = toNameConfigPair(token);

            // 得到了 拦截路径、filter以及可能的"[]"中的值,那么执行addToChain
            addToChain(chainName, nameConfigPair[0], nameConfigPair[1]);
  • addToChain
   public void addToChain(String chainName, String filterName, String chainSpecificFilterConfig) {
        if (!StringUtils.hasText(chainName)) {
            throw new IllegalArgumentException("chainName cannot be null or empty.");
        Filter filter = getFilter(filterName);
        if (filter == null) {
            throw new IllegalArgumentException("There is no filter with name '" + filterName + "' to apply to chain [" + chainName + "] in the pool of available Filters.  Ensure a " + "filter with that name/path has first been registered with the addFilter method(s).");

        // 将匹配关系注册到filter中,后续会提到
        applyChainConfig(chainName, filter, chainSpecificFilterConfig);

        // 确保chain已经被加到filterChains这张map中了
        NamedFilterList chain = ensureChain(chainName);
        // 将该filter加入当前chain
FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain);
  • 1


   public FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {
        // 得到 FilterChainManager 
        FilterChainManager filterChainManager = getFilterChainManager();
        if (!filterChainManager.hasChains()) {
            return null;

        String requestURI = getPathWithinApplication(request);

        // chainNames就是刚定义的filterChains的keySet,也就是所有的路径集合(比如:["/resources/**","/login"])
        for (String pathPattern : filterChainManager.getChainNames()) {

            // 请求路径是否匹配某个 定义好的路径:
            if (pathMatches(pathPattern, requestURI)) {
                if (log.isTraceEnabled()) {
                    log.trace("Matched path pattern [" + pathPattern + "] for requestURI [" + requestURI + "].  " + "Utilizing corresponding filter chain...");
                // 找到第一个匹配的Filter链,那么就返回一个ProxiedFilterChain
                return filterChainManager.proxy(originalChain, pathPattern);

        return null;
 public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
        if (this.filters == null || this.filters.size() == this.index) {
            //we've reached the end of the wrapped chain, so invoke the original one:
            if (log.isTraceEnabled()) {
                log.trace("Invoking original filter chain.");
            this.orig.doFilter(request, response);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Invoking wrapped filter at index [" + this.index + "]");
            this.filters.get(this.index++).doFilter(request, response, this);
  protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain)
            throws ServletException, IOException {

        Throwable t = null;

        try {
            final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);
            final ServletResponse response = prepareServletResponse(request, servletResponse, chain);

            final Subject subject = createSubject(request, response);

            //noinspection unchecked
            subject.execute(new Callable() {
                public Object call() throws Exception {
                    // 其实需要关心的就在这里
                    // touch一下session
                    updateSessionLastAccessTime(request, response);
                    // 执行Filter链
                    executeChain(request, response, chain);
                    return null;
        } catch (ExecutionException ex) {
            t = ex.getCause();
        } catch (Throwable throwable) {
            t = throwable;

        if (t != null) {
            if (t instanceof ServletException) {
                throw (ServletException) t;
            if (t instanceof IOException) {
                throw (IOException) t;
            //otherwise it's not one of the two exceptions expected by the filter method signature - wrap it in one:
            String msg = "Filtered request failed.";
            throw new ServletException(msg, t);
    protected void executeChain(ServletRequest request, ServletResponse response, FilterChain origChain)
            throws IOException, ServletException {
        FilterChain chain = getExecutionChain(request, response, origChain);
        chain.doFilter(request, response);
   protected FilterChain getExecutionChain(ServletRequest request, ServletResponse response, FilterChain origChain) {
        FilterChain chain = origChain;

        FilterChainResolver resolver = getFilterChainResolver();
        if (resolver == null) {
            log.debug("No FilterChainResolver configured.  Returning original FilterChain.");
            return origChain;

        FilterChain resolved = resolver.getChain(request, response, origChain);
        if (resolved != null) {
            log.trace("Resolved a configured FilterChain for the current request.");
            chain = resolved;
        } else {
            log.trace("No FilterChain configured for the current request.  Using the default.");

        return chain;
到这里,我们已经根据请求路径找到了一条Filter链(originChain + shiroChain),之后就是对链上的FilterdoFilter,其中关于如何

    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {

        if (this.appliedPaths == null || this.appliedPaths.isEmpty()) {
            if (log.isTraceEnabled()) {
                log.trace("appliedPaths property is null or empty.  This Filter will passthrough immediately.");
            return true;

        // appliedPaths中保存了该filter中能拦截的路径和该路径配置的key-value对,比如{key="/admin/**", value="[admin]"}
        for (String path : this.appliedPaths.keySet()) {
            // 首先是匹配路径
            if (pathsMatch(path, request)) {
                log.trace("Current requestURI matches pattern '{}'.  Determining filter chain execution...", path);
                // 然后开始验证“[]”中的字符串
                Object config = this.appliedPaths.get(path);
                return isFilterChainContinued(request, response, path, config);

        //no path matched, allow the request to go through:
        return true;
 private boolean isFilterChainContinued(ServletRequest request, ServletResponse response,
                                           String path, Object pathConfig) throws Exception {

        if (isEnabled(request, response, path, pathConfig)) { //isEnabled check added in 1.2
            if (log.isTraceEnabled()) {
                 // log
            return onPreHandle(request, response, pathConfig);

        if (log.isTraceEnabled()) {
            // log
        return true;
    public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        return isAccessAllowed(request, response, mappedValue) || onAccessDenied(request, response, mappedValue);
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {

        Subject subject = getSubject(request, response);
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {
            //no roles specified, so nothing to check - allow access.
            return true;

        Set<String> roles = CollectionUtils.asSet(rolesArray);
        return subject.hasAllRoles(roles);
public enum DefaultFilter {

本文标签: 源码原理shiroFilterFactoryBean