Shiro Shiro Web Support

主要参考: http://shiro.apache.org/web.html 还有涛哥的

作为资源控制访问的事情,主要使用在网络后台方面,所以了解了本地的测试之后,了解web方面的还是比较的很有必要的,本文主要讲解如何简单的定义一个web项目,然后简单的了解实现的方式是怎么样的!

配置 shiro.ini 放置在 resource目录下面至于这些配置的到底是什么意思,这个不是我们关注的重点,随便看看就知道了,一会慢慢的深入了就知道了这个到底是啥子意思了。

[main]
#默认是/login.jsp
authc.loginUrl=/login
roles.unauthorizedUrl=/unauthorized
perms.unauthorizedUrl=/unauthorized

logout.redirectUrl=/login

[users]
zhang=123,admin
wang=123

[roles]
admin=user:*,menu:*

[urls]
/logout2=logout
/login=anon
/logout=anon
/unauthorized=anon
/static/**=anon
/authenticated=authc
/role=authc,roles[admin]
/permission=authc,perms["user:create"]
  • 1

maven配置

<dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.9</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
            <version>1.1.3</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.2</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>1.2.2</version>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.25</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>0.2.23</version>
        </dependency>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.0.1</version>
            <scope>provided</scope>
        </dependency>


    </dependencies>

 

然后就是web项目的重点配置web.xml 
这个加载的顺序listener加载完了才是其他的过滤器啊等等,因为从字面的意思就可以知道了,用于监听容器的启动与关闭事件,所以我们猜,都知道shrio的入口就像之前使用测试文件加载一样从这个Listener中加载配置文件的信息。所以本节研究的重点就是这里啦。

<!--- shiro 1.2 -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>shiroEnvironmentClass</param-name>
        <param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value><!-- 默认先从/WEB-INF/shiro.ini,如果没有找classpath:shiro.ini -->
    </context-param>
    <context-param>
        <param-name>shiroConfigLocations</param-name>
        <param-value>classpath:shiro.ini</param-value>
    </context-param>
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

EnvironmentLoaderListener

public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {

    /**
     * Initializes the Shiro {@code WebEnvironment} and binds it to the {@code ServletContext} at application
     * startup for future reference.
     * @param sce the ServletContextEvent triggered upon application startup
     *创建一个WebEnvironment 绑定在ServletContext上,这里调用的是父类的方法。
     */
    public void contextInitialized(ServletContextEvent sce) {
        initEnvironment(sce.getServletContext());
    }

    /**
     * Destroys any previously created/bound {@code WebEnvironment} instance created by
     * the {@link #contextInitialized(javax.servlet.ServletContextEvent)} method.
     *
     * @param sce the ServletContextEvent triggered upon application shutdown
     */
    public void contextDestroyed(ServletContextEvent sce) {
        destroyEnvironment(sce.getServletContext());
    }
}

其实主要的都是有父类创建的EnvironmentLoader主要就是创建一个WebEnvironment的实例,然后调用初始化的方法!这个类的信息不是很清楚需要了解继承结构。

//主要为了生成管家!
public class EnvironmentLoader {

    /**
     * Servlet Context config param for specifying the {@link WebEnvironment} implementation class to use:
     * WebEnvironment 的实现类,主要负责解析Ini文件,生成管家
     */
    public static final String ENVIRONMENT_CLASS_PARAM = "shiroEnvironmentClass";

    /**
     * Servlet Context config param for the resource path to use for configuring the {@link WebEnvironment} instance:
     * 配置文件的位置,在web.xml中可以指定
     */
    public static final String CONFIG_LOCATIONS_PARAM = "shiroConfigLocations";
    /**
    *唯一的Key放置在ServletContext中
    **/
    public static final String ENVIRONMENT_ATTRIBUTE_KEY = 
           EnvironmentLoader.class.getName() + ".ENVIRONMENT_ATTRIBUTE_KEY";


    /**
     * Initializes Shiro's {@link WebEnvironment} instance for the specified {@code ServletContext} 
     *加载的起点
     */
    public WebEnvironment initEnvironment(ServletContext servletContext) throws IllegalStateException {
         //比较的严谨
        if (servletContext.getAttribute(ENVIRONMENT_ATTRIBUTE_KEY) != null) {
            throw new IllegalStateException(msg);
        }

        servletContext.log("Initializing Shiro environment");
        log.info("Starting Shiro environment initialization.");

        long startTime = System.currentTimeMillis();

        try {
            //创建这个WebEnvironment,放置在servletContext中,全局共享
            WebEnvironment environment = createEnvironment(servletContext);
            servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, environment);
            return environment;
        } catch (RuntimeException ex) {
            log.error("Shiro environment initialization failed", ex);
            servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, ex);
            throw ex;
        } catch (Error err) {
            log.error("Shiro environment initialization failed", err);
            servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, err);
            throw err;
        }
    }

    /**
     * Return the WebEnvironment implementation class to use, either the default
     * {@link IniWebEnvironment} or a custom class if specified. 
     * 可以在配置文件中配置WebEnvironment的实现类,默认为IniWebEnvironment 扩展很好啊!
     * 不过一般都不会改变的,通过反射来创建这个实例
     */
    protected Class<?> determineWebEnvironmentClass(ServletContext servletContext) {
        String className = servletContext.getInitParameter(ENVIRONMENT_CLASS_PARAM);
        if (className != null) {
            try {
                return ClassUtils.forName(className);
            } catch (UnknownClassException ex) {
                throw new ConfigurationException();
            }
        } else {
            return IniWebEnvironment.class;
        }
    }

    /**
     * Instantiates a {@link WebEnvironment} based on the specified ServletContext.
     */
    protected WebEnvironment createEnvironment(ServletContext sc) {

        Class<?> clazz = determineWebEnvironmentClass(sc);//选择CLSS
        if (!MutableWebEnvironment.class.isAssignableFrom(clazz)) {
            throw new ConfigurationException("Custom WebEnvironment class [" + clazz.getName() +
                    "] is not of required type [" + WebEnvironment.class.getName() + "]");
        }

        String configLocations = sc.getInitParameter(CONFIG_LOCATIONS_PARAM);
        boolean configSpecified = StringUtils.hasText(configLocations);

        if (configSpecified && !(ResourceConfigurable.class.isAssignableFrom(clazz))) {
            throw new ConfigurationException(msg);
        }

        MutableWebEnvironment environment = (MutableWebEnvironment) 
                               ClassUtils.newInstance(clazz);
                               //反射实例

        environment.setServletContext(sc);

        if (configSpecified && (environment instanceof ResourceConfigurable)) {
            ((ResourceConfigurable) environment).setConfigLocations(configLocations);
             //设置配置文件路径
        }

        customizeEnvironment(environment);//子类可以重写定制

        LifecycleUtils.init(environment);//初始化WebEnvironment,加载配置文件信息

        return environment;
    }

    protected void customizeEnvironment(WebEnvironment environment) {
    }

    /**
     * Destroys the {@link WebEnvironment} for the given servlet context.
     */
    public void destroyEnvironment(ServletContext servletContext) {
        servletContext.log("Cleaning up Shiro Environment");
        try {
            Object environment = servletContext.getAttribute(ENVIRONMENT_ATTRIBUTE_KEY);
            LifecycleUtils.destroy(environment);
        } finally {
            servletContext.removeAttribute(ENVIRONMENT_ATTRIBUTE_KEY);
        }
    }
}

 

WebEnvironment 继承结构图简单 
Shiro Shiro Web Support and EnvironmentLoaderListener_java

复杂继承结构图 
Shiro Shiro Web Support and EnvironmentLoaderListener_apache_02

默认的实现是最后一个,就是我们的末端。先把最上面的接口了解清楚之后在一一的进行处了解,慢慢的去理解思想,shiro很喜欢用模板方法,不懂的自己去看看设计模式。

Environment

public interface Environment {

    /**
     * Returns the application's {@code SecurityManager} instance.
     *
     * @return the application's {@code SecurityManager} instance.
     */
    SecurityManager getSecurityManager();
}

 

NamedObjectEnvironment

public interface NamedObjectEnvironment extends Environment {

    /**
     * 这个接口的意思应该是从一个Map<String,Object>中取一个类型安全的东西! 
     * 由于擦除了类型~
     */
    <T> T getObject(String name, Class<T> requiredType) throws RequiredTypeException;
}

 

WebEnvironment

/**
 * A web-specific {@link Environment} instance, used in web applications.
 *
 * @since 1.2
 */
public interface WebEnvironment extends Environment {

    /**
     * Returns the web application's {@code FilterChainResolver} if one has been configured or {@code null} if one
     * is not available.
     *这里使用了Filter的责任链设计模式,这里是返回一个责任链的解析器,过滤器肯定必须使用涩!
     */
    FilterChainResolver getFilterChainResolver();

    ServletContext getServletContext();

    /**
     * Returns the web application's security manager instance.
     *这个应该和之前的管家类似,增加了一点功能吧!
     */
    WebSecurityManager getWebSecurityManager();
}

//过滤器链是不是和filter很相似!
public interface FilterChainResolver {

    /**
     * Returns the filter chain that should be executed for the given request, or {@code null} if the
     * original chain should be used.
     * <p/>
     * This method allows a implementation to define arbitrary security {@link javax.servlet.Filter Filter}
     * chains for any given request or URL pattern.
     * @param originalChain the original {@code FilterChain} intercepted by the ShiroFilter implementation.
     * @return the filter chain that should be executed for the given request, or {@code null} if the
     *         original chain should be used.
     */
    FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain);

}
//是否使用Session Http的session
public interface WebSecurityManager extends SecurityManager {

    /**
     * Security information needs to be retained from request to request, so Shiro makes use of a
     * session for this. Typically, a security manager will use the servlet container's HTTP session
     * but custom session implementations, for example based on EhCache, may also be used. This
     * method indicates whether the security manager is using the HTTP session or not.
     *是不是使用Http会话,坑了使用redis或者EhCache之类的缓存服务器
     */
    boolean isHttpSessionMode();
}

 

MutableWebEnvironment用户放入web环境下的信息,管家啊之类的!

//Mutable 可以变化的,用来注入的信息
public interface MutableWebEnvironment extends WebEnvironment {


    void setFilterChainResolver(FilterChainResolver filterChainResolver);


    void setServletContext(ServletContext servletContext);


    void setWebSecurityManager(WebSecurityManager webSecurityManager);
}

 

DefaultEnvironment就是把实例的的信息字段放置在找Map中,按照类型安全的获取值!

/**
 * Simple/default {@code Environment} implementation that stores Shiro objects as key-value pairs in a
 * {@link java.util.Map Map} instance.  The key is the object name, the value is the object itself.
 * 将shiro的一些重要的数据放在Map中
 * @since 1.2
 */
public class DefaultEnvironment implements NamedObjectEnvironment, Destroyable {

    public static final String DEFAULT_SECURITY_MANAGER_KEY = "securityManager";
    protected final Map<String, Object> objects;
    private String securityManagerName;
    //线程安全
    public DefaultEnvironment() {
        this(new ConcurrentHashMap<String, Object>());
    }

    /**
     * Creates a new instance with the specified backing map.
     */
    @SuppressWarnings({"unchecked"})
    public DefaultEnvironment(Map<String, ?> seed) {
        this.securityManagerName = DEFAULT_SECURITY_MANAGER_KEY;
        if (seed == null) {
            throw new IllegalArgumentException("Backing map cannot be null.");
        }
        this.objects = (Map<String, Object>) seed;
    }


    public SecurityManager getSecurityManager() throws IllegalStateException {
        SecurityManager securityManager = lookupSecurityManager();
        if (securityManager == null) {

        }
        return securityManager;
    }

    public void setSecurityManager(SecurityManager securityManager) {
        if (securityManager == null) {
            throw new IllegalArgumentException("Null");
        }
        String name = getSecurityManagerName();
        setObject(name, securityManager);
    }

    /**
     * 从Map中找到保存的备份管家的
     */
    protected SecurityManager lookupSecurityManager() {
        String name = getSecurityManagerName();
        return getObject(name, SecurityManager.class);
    }

    public String getSecurityManagerName() {
        return securityManagerName;
    }
    public void setSecurityManagerName(String securityManagerName) {
        this.securityManagerName = securityManagerName;
    }

    /**
     * Returns the live (modifiable) internal objects collection.
     *返回可以修改的objects,因为这个是线程安全的。
     */
    public Map<String,Object> getObjects() {
        return this.objects;
    }
    /**
    *返回类型安全的Map中的值
    **/
    @SuppressWarnings({"unchecked"})
    public <T> T getObject(String name, Class<T> requiredType) throws RequiredTypeException {
        if (name == null) {
            throw new NullPointerException("name parameter cannot be null.");
        }
        if (requiredType == null) {
            throw new NullPointerException("requiredType parameter cannot be null.");
        }
        Object o = this.objects.get(name);
        if (o == null) {
            return null;
        }
        if (!requiredType.isInstance(o)) {
            String msg = "Object named '" + name + "' is not of required type [" + requiredType.getName() + "].";
            throw new RequiredTypeException(msg);
        }
        return (T)o;
    }

    public void setObject(String name, Object instance) {
        if (name == null) {
            throw new NullPointerException();
        }
        if (instance == null) {
            this.objects.remove(name);
        } else {
            this.objects.put(name, instance);
        }
    }
    public void destroy() throws Exception {
        LifecycleUtils.destroy(this.objects.values());
    }
}
  • 1

DefaultWebEnvironment 写得分工明确,写的非常的好的!而且各种的接口设计也是非常的合理的。各种需要可以制定的成员变量全部都是处理为接口的

/**
 * Default {@link WebEnvironment} implementation based on a backing {@link Map} instance.
 *主要是基于祖上的Map进行处理的,这个是Web所以增加了ServletContext 成员变量,分工很明确啊
 *然后返回Web性质的管家进行处理断言!很严谨哦,还有设置过滤链
 * @since 1.2
 */
public class DefaultWebEnvironment extends DefaultEnvironment implements MutableWebEnvironment {

    private static final String DEFAULT_FILTER_CHAIN_RESOLVER_NAME = "filterChainResolver";

    private ServletContext servletContext;

    public DefaultWebEnvironment() {
        super();
    }

    public FilterChainResolver getFilterChainResolver() {
        return getObject(DEFAULT_FILTER_CHAIN_RESOLVER_NAME, FilterChainResolver.class);
    }

    public void setFilterChainResolver(FilterChainResolver filterChainResolver) {
        setObject(DEFAULT_FILTER_CHAIN_RESOLVER_NAME, filterChainResolver);
    }

    @Override
    public SecurityManager getSecurityManager() throws IllegalStateException {
        return getWebSecurityManager();
    }

    @Override
    public void setSecurityManager(SecurityManager securityManager) {
        assertWebSecurityManager(securityManager);
        super.setSecurityManager(securityManager);
    }
    //写的非常的严谨
    public WebSecurityManager getWebSecurityManager() {
        SecurityManager sm = super.getSecurityManager();
        assertWebSecurityManager(sm);
        return (WebSecurityManager)sm;
    }

    public void setWebSecurityManager(WebSecurityManager wsm) {
        super.setSecurityManager(wsm);
    }

    private void assertWebSecurityManager(SecurityManager sm) {
        if (!(sm instanceof WebSecurityManager)) {
            String msg = "SecurityManager instance must be a " + WebSecurityManager.class.getName() + " instance.";
            throw new IllegalStateException(msg);
        }
    }

    public ServletContext getServletContext() {
        return this.servletContext;
    }

    public void setServletContext(ServletContext servletContext) {
        this.servletContext = servletContext;
    }
}
  • 1

ResourceConfigurable这个接口更加的直接,设置配置文件的路径,是不是感觉越来越近了,找到熟悉的感觉了。

public interface ResourceConfigurable {

    /**
     * Convenience method that accepts a comma-delimited string of config locations (resource paths).
     *
     * @param locations comma-delimited list of config locations (resource paths).
     */
    void setConfigLocations(String locations);

    /**
     * Sets the configuration locations (resource paths) that will be used to configure the instance.
     *
     * @param locations the configuration locations (resource paths) that will be used to configure the instance.
     */
    void setConfigLocations(String[] locations);

}
  • 1

ResourceBasedWebEnvironment 就是设置一个路径的位置而已!

/**
 * Abstract implementation for {@code WebEnvironment}s that can be initialized via resource paths (config files).
 *一个类的单一任务的原则,在这里体现的淋淋尽致
 * @since 1.2
 */
public abstract class ResourceBasedWebEnvironment extends DefaultWebEnvironment implements ResourceConfigurable {

    private String[] configLocations;

    public String[] getConfigLocations() {
        return configLocations;
    }

    public void setConfigLocations(String locations) {
        if (!StringUtils.hasText(locations)) {
            throw new IllegalArgumentException("Null/empty locations argument not allowed.");
        }
        //使用,进行分割的Utils方法
        String[] arr = StringUtils.split(locations);
        setConfigLocations(arr);
    }

    public void setConfigLocations(String[] configLocations) {
        this.configLocations = configLocations;
    }

}

IniWebEnvironment这里主要瑟得到管家和过滤的实例信息。 
1. 查找并加载 shiro.ini 配置文件,首先从自身成员变量里查找,然后从 web.xml 中查找,然后从 /WEB-INF 下查找,然后从 classpath 下查找,若均未找到,则直接报错。 
2. 当找到了 ini 配置文件后就开始解析,此时构造了一个 Bean 容器(相当于一个轻量级的 IOC 容器),最终的目标是为了创建 WebSecurityManager 对象与 FilterChainResolver 对象,创建过程使用了 Abstract Factory 模式:

/**
 * {@link WebEnvironment} implementation configured by an {@link Ini} instance or {@code Ini} resource locations.
 *
 * @since 1.2
 */
public class IniWebEnvironment extends ResourceBasedWebEnvironment implements Initializable, Destroyable {

    public static final String DEFAULT_WEB_INI_RESOURCE_PATH = "/WEB-INF/shiro.ini";
    /**
     * The Ini that configures this WebEnvironment instance.
     */
    private Ini ini;

    /**
     * 这个方法被调用了之后和之前的一样的去创建,Ini类信息,然后在Configure() 创建一个工厂,
     *得到工厂getInstance一样的
     * Initializes this instance by resolving any potential (explicit or resource-configured) {@link Ini}
     * configuration and calling {@link #configure() configure} for actual instance configuration.
     */
    public void init() {
        Ini ini = getIni();

        String[] configLocations = getConfigLocations();
        if (log.isWarnEnabled() && !CollectionUtils.isEmpty(ini) &&
                configLocations != null && configLocations.length > 0) {
                    IniWebEnvironment.class.getName());
        }
        //先去实例的,没有再去找配置的,没有再去找默认的
        if (CollectionUtils.isEmpty(ini)) {
            log.debug("Checking any specified config locations.");
            ini = getSpecifiedIni(configLocations);
        }

        if (CollectionUtils.isEmpty(ini)) {
            log.debug(" Trying default config locations.");
            ini = getDefaultIni();
        }
        //这里很正常吧,没有配置的异常!
        if (CollectionUtils.isEmpty(ini)) {
            String msg = "not found or discovered to be empty/unconfigured.";
            throw new ConfigurationException(msg);
        }
        setIni(ini);
        configure();//这里是寻找工厂的
    }

    protected void configure() {
        //之前定义的Map哦!,是用来处理一些信息的
        this.objects.clear();
        //先去创建工厂,然后得到实例~
        WebSecurityManager securityManager = createWebSecurityManager();
        setWebSecurityManager(securityManager);
        //创建过滤链
        FilterChainResolver resolver = createFilterChainResolver();
        if (resolver != null) {
            setFilterChainResolver(resolver);
        }
    }

    protected Ini getSpecifiedIni(String[] configLocations) throws ConfigurationException {

        Ini ini = null;

        if (configLocations != null && configLocations.length > 0) {

            if (configLocations.length > 1) {
            }

            //required, as it is user specified:
            ini = createIni(configLocations[0], true);
        }

        return ini;
    }

    protected Ini getDefaultIni() {

        Ini ini = null;

        String[] configLocations = getDefaultConfigLocations();
        if (configLocations != null) {
            for (String location : configLocations) {
                ini = createIni(location, false);
                    break;
                }
            }
        }

        return ini;
    }

    protected Ini createIni(String configLocation, boolean required) throws ConfigurationException {

        Ini ini = null;

        if (configLocation != null) {
            ini = convertPathToIni(configLocation, required);
        }
        if (required && CollectionUtils.isEmpty(ini)) {

        }

        return ini;
    }
    //这里得到?从配置中得到信息后怎么处理?
    protected FilterChainResolver createFilterChainResolver() {

        FilterChainResolver resolver = null;
        Ini ini = getIni();
        if (!CollectionUtils.isEmpty(ini)) {
            //only create a resolver if the 'filters' or 'urls' sections are defined:
            Ini.Section urls = ini.getSection(IniFilterChainResolverFactory.URLS);
            Ini.Section filters = ini.getSection(IniFilterChainResolverFactory.FILTERS);
            if (!CollectionUtils.isEmpty(urls) || !CollectionUtils.isEmpty(filters)) {
                //either the urls section or the filters section was defined.  Go ahead and create the resolver:
                IniFilterChainResolverFactory factory = new IniFilterChainResolverFactory(ini, this.objects);
                resolver = factory.getInstance();
            }
        }

        return resolver;
    }
    //创建工厂,然后在得到实例!和之前的差不多,这个getbean有点可以哦!
    protected WebSecurityManager createWebSecurityManager() {
        WebIniSecurityManagerFactory factory;
        Ini ini = getIni();
        if (CollectionUtils.isEmpty(ini)) {
            factory = new WebIniSecurityManagerFactory();
        } else {
            factory = new WebIniSecurityManagerFactory(ini);
        }

        WebSecurityManager wsm = (WebSecurityManager)factory.getInstance();

        //SHIRO-306 - get beans after they've been created (the call was before the factory.getInstance() call,
        //which always returned null.
        Map<String, ?> beans = factory.getBeans();
        if (!CollectionUtils.isEmpty(beans)) {
            this.objects.putAll(beans);
        }

        return wsm;
    }

    protected String[] getDefaultConfigLocations() {
        return new String[]{
                DEFAULT_WEB_INI_RESOURCE_PATH,
                IniFactorySupport.DEFAULT_INI_RESOURCE_PATH
        };
    }


    private Ini convertPathToIni(String path, boolean required) {

        //TODO - this logic is ugly - it'd be ideal if we had a Resource API to polymorphically encaspulate this behavior

        Ini ini = null;

        if (StringUtils.hasText(path)) {
            InputStream is = null;

            //SHIRO-178: Check for servlet context resource and not only resource paths:
            if (!ResourceUtils.hasResourcePrefix(path)) {
                is = getServletContextResourceStream(path);
            } else {
                try {
                    is = ResourceUtils.getInputStreamForPath(path);
                } catch (IOException e) {
                    if (required) {
                        throw new ConfigurationException(e);
                    } else {
                        if (log.isDebugEnabled()) {
                            log.debug("Unable to load optional path '" + path + "'.", e);
                        }
                    }
                }
            }
            if (is != null) {
                ini = new Ini();
                ini.load(is);
            } else {
                if (required) {
                    throw new ConfigurationException("Unable to load resource path '" + path + "'");
                }
            }
        }

        return ini;
    }
    //TODO - this logic is ugly - it'd be ideal if we had a Resource API to polymorphically encaspulate this behavior
    private InputStream getServletContextResourceStream(String path) {
        InputStream is = null;

        path = WebUtils.normalize(path);
        ServletContext sc = getServletContext();
        if (sc != null) {
            is = sc.getResourceAsStream(path);
        }

        return is;
    }

    /**
     * Returns the {@code Ini} instance reflecting this WebEnvironment's configuration.
     */
    public Ini getIni() {
        return this.ini;
    }
    public void setIni(Ini ini) {
        this.ini = ini;
    }
}

 

看看继承图 我记得之前我们的工厂的图没有WebIniSecurityManagerFactory 和 IniFilterChainResolverFactory 
这个一定看到过的! 
WebSecurityManager wsm = (WebSecurityManager)factory.getInstance();

Shiro Shiro Web Support and EnvironmentLoaderListener_java_03

看这个创造的顺序慢慢的一步步的处理~

 protected void configure() {

        this.objects.clear();

        WebSecurityManager securityManager = createWebSecurityManager();
        setWebSecurityManager(securityManager);

        FilterChainResolver resolver = createFilterChainResolver();
        if (resolver != null) {
            setFilterChainResolver(resolver);
        }
    }

 

其中有两个 Factory 需要关注: 
- WebIniSecurityManagerFactory 用于创建 WebSecurityManager。 
- IniFilterChainResolverFactory 用于创建 FilterChainResolver。 
通过以上分析,相信 EnvironmentLoaderListener 已经不再神秘了,无非就是在容器启动时创建 WebEnvironment 对象,并由该对象来读取 Shiro 配置文件,创建WebSecurityManager 与 FilterChainResolver 对象,它们都在后面将要出现的 ShiroFilter 中起到了重要作用。 
从 web.xml 中同样可以得知,ShiroFilter 是整个 Shiro 框架的门面,因为它拦截了所有的请求,后面是需要 Authentication(认证)还是需要 Authorization(授权)都由它说了算。