Shiro Shiro Web Support
主要参考: http://shiro.apache.org/web.html 还有涛哥的
作为资源控制访问的事情,主要使用在网络后台方面,所以了解了本地的测试之后,了解web方面的还是比较的很有必要的,本文主要讲解如何简单的定义一个web项目,然后简单的了解实现的方式是怎么样的!
配置 shiro.ini 放置在 resource目录下面至于这些配置的到底是什么意思,这个不是我们关注的重点,随便看看就知道了,一会慢慢的深入了就知道了这个到底是啥子意思了。
[main]
#默认是/login.jsp
authc.loginUrl=/login
roles.unauthorizedUrl=/unauthorized
perms.unauthorizedUrl=/unauthorized
logout.redirectUrl=/login
[users]
zhang=123,admin
wang=123
[roles]
admin=user:*,menu:*
[urls]
/logout2=logout
/login=anon
/logout=anon
/unauthorized=anon
/static/**=anon
/authenticated=authc
/role=authc,roles[admin]
/permission=authc,perms["user:create"]
- 1
maven配置
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.9</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.25</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>0.2.23</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
</dependencies>
然后就是web项目的重点配置web.xml
这个加载的顺序listener加载完了才是其他的过滤器啊等等,因为从字面的意思就可以知道了,用于监听容器的启动与关闭事件,所以我们猜,都知道shrio的入口就像之前使用测试文件加载一样从这个Listener中加载配置文件的信息。所以本节研究的重点就是这里啦。
<!--- shiro 1.2 -->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<context-param>
<param-name>shiroEnvironmentClass</param-name>
<param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value><!-- 默认先从/WEB-INF/shiro.ini,如果没有找classpath:shiro.ini -->
</context-param>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:shiro.ini</param-value>
</context-param>
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
EnvironmentLoaderListener
public class EnvironmentLoaderListener extends EnvironmentLoader implements ServletContextListener {
/**
* Initializes the Shiro {@code WebEnvironment} and binds it to the {@code ServletContext} at application
* startup for future reference.
* @param sce the ServletContextEvent triggered upon application startup
*创建一个WebEnvironment 绑定在ServletContext上,这里调用的是父类的方法。
*/
public void contextInitialized(ServletContextEvent sce) {
initEnvironment(sce.getServletContext());
}
/**
* Destroys any previously created/bound {@code WebEnvironment} instance created by
* the {@link #contextInitialized(javax.servlet.ServletContextEvent)} method.
*
* @param sce the ServletContextEvent triggered upon application shutdown
*/
public void contextDestroyed(ServletContextEvent sce) {
destroyEnvironment(sce.getServletContext());
}
}
其实主要的都是有父类创建的EnvironmentLoader主要就是创建一个WebEnvironment的实例,然后调用初始化的方法!这个类的信息不是很清楚需要了解继承结构。
//主要为了生成管家!
public class EnvironmentLoader {
/**
* Servlet Context config param for specifying the {@link WebEnvironment} implementation class to use:
* WebEnvironment 的实现类,主要负责解析Ini文件,生成管家
*/
public static final String ENVIRONMENT_CLASS_PARAM = "shiroEnvironmentClass";
/**
* Servlet Context config param for the resource path to use for configuring the {@link WebEnvironment} instance:
* 配置文件的位置,在web.xml中可以指定
*/
public static final String CONFIG_LOCATIONS_PARAM = "shiroConfigLocations";
/**
*唯一的Key放置在ServletContext中
**/
public static final String ENVIRONMENT_ATTRIBUTE_KEY =
EnvironmentLoader.class.getName() + ".ENVIRONMENT_ATTRIBUTE_KEY";
/**
* Initializes Shiro's {@link WebEnvironment} instance for the specified {@code ServletContext}
*加载的起点
*/
public WebEnvironment initEnvironment(ServletContext servletContext) throws IllegalStateException {
//比较的严谨
if (servletContext.getAttribute(ENVIRONMENT_ATTRIBUTE_KEY) != null) {
throw new IllegalStateException(msg);
}
servletContext.log("Initializing Shiro environment");
log.info("Starting Shiro environment initialization.");
long startTime = System.currentTimeMillis();
try {
//创建这个WebEnvironment,放置在servletContext中,全局共享
WebEnvironment environment = createEnvironment(servletContext);
servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, environment);
return environment;
} catch (RuntimeException ex) {
log.error("Shiro environment initialization failed", ex);
servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, ex);
throw ex;
} catch (Error err) {
log.error("Shiro environment initialization failed", err);
servletContext.setAttribute(ENVIRONMENT_ATTRIBUTE_KEY, err);
throw err;
}
}
/**
* Return the WebEnvironment implementation class to use, either the default
* {@link IniWebEnvironment} or a custom class if specified.
* 可以在配置文件中配置WebEnvironment的实现类,默认为IniWebEnvironment 扩展很好啊!
* 不过一般都不会改变的,通过反射来创建这个实例
*/
protected Class<?> determineWebEnvironmentClass(ServletContext servletContext) {
String className = servletContext.getInitParameter(ENVIRONMENT_CLASS_PARAM);
if (className != null) {
try {
return ClassUtils.forName(className);
} catch (UnknownClassException ex) {
throw new ConfigurationException();
}
} else {
return IniWebEnvironment.class;
}
}
/**
* Instantiates a {@link WebEnvironment} based on the specified ServletContext.
*/
protected WebEnvironment createEnvironment(ServletContext sc) {
Class<?> clazz = determineWebEnvironmentClass(sc);//选择CLSS
if (!MutableWebEnvironment.class.isAssignableFrom(clazz)) {
throw new ConfigurationException("Custom WebEnvironment class [" + clazz.getName() +
"] is not of required type [" + WebEnvironment.class.getName() + "]");
}
String configLocations = sc.getInitParameter(CONFIG_LOCATIONS_PARAM);
boolean configSpecified = StringUtils.hasText(configLocations);
if (configSpecified && !(ResourceConfigurable.class.isAssignableFrom(clazz))) {
throw new ConfigurationException(msg);
}
MutableWebEnvironment environment = (MutableWebEnvironment)
ClassUtils.newInstance(clazz);
//反射实例
environment.setServletContext(sc);
if (configSpecified && (environment instanceof ResourceConfigurable)) {
((ResourceConfigurable) environment).setConfigLocations(configLocations);
//设置配置文件路径
}
customizeEnvironment(environment);//子类可以重写定制
LifecycleUtils.init(environment);//初始化WebEnvironment,加载配置文件信息
return environment;
}
protected void customizeEnvironment(WebEnvironment environment) {
}
/**
* Destroys the {@link WebEnvironment} for the given servlet context.
*/
public void destroyEnvironment(ServletContext servletContext) {
servletContext.log("Cleaning up Shiro Environment");
try {
Object environment = servletContext.getAttribute(ENVIRONMENT_ATTRIBUTE_KEY);
LifecycleUtils.destroy(environment);
} finally {
servletContext.removeAttribute(ENVIRONMENT_ATTRIBUTE_KEY);
}
}
}
WebEnvironment 继承结构图简单
复杂继承结构图
默认的实现是最后一个,就是我们的末端。先把最上面的接口了解清楚之后在一一的进行处了解,慢慢的去理解思想,shiro很喜欢用模板方法,不懂的自己去看看设计模式。
Environment
public interface Environment {
/**
* Returns the application's {@code SecurityManager} instance.
*
* @return the application's {@code SecurityManager} instance.
*/
SecurityManager getSecurityManager();
}
NamedObjectEnvironment
public interface NamedObjectEnvironment extends Environment {
/**
* 这个接口的意思应该是从一个Map<String,Object>中取一个类型安全的东西!
* 由于擦除了类型~
*/
<T> T getObject(String name, Class<T> requiredType) throws RequiredTypeException;
}
WebEnvironment
/**
* A web-specific {@link Environment} instance, used in web applications.
*
* @since 1.2
*/
public interface WebEnvironment extends Environment {
/**
* Returns the web application's {@code FilterChainResolver} if one has been configured or {@code null} if one
* is not available.
*这里使用了Filter的责任链设计模式,这里是返回一个责任链的解析器,过滤器肯定必须使用涩!
*/
FilterChainResolver getFilterChainResolver();
ServletContext getServletContext();
/**
* Returns the web application's security manager instance.
*这个应该和之前的管家类似,增加了一点功能吧!
*/
WebSecurityManager getWebSecurityManager();
}
//过滤器链是不是和filter很相似!
public interface FilterChainResolver {
/**
* Returns the filter chain that should be executed for the given request, or {@code null} if the
* original chain should be used.
* <p/>
* This method allows a implementation to define arbitrary security {@link javax.servlet.Filter Filter}
* chains for any given request or URL pattern.
* @param originalChain the original {@code FilterChain} intercepted by the ShiroFilter implementation.
* @return the filter chain that should be executed for the given request, or {@code null} if the
* original chain should be used.
*/
FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain);
}
//是否使用Session Http的session
public interface WebSecurityManager extends SecurityManager {
/**
* Security information needs to be retained from request to request, so Shiro makes use of a
* session for this. Typically, a security manager will use the servlet container's HTTP session
* but custom session implementations, for example based on EhCache, may also be used. This
* method indicates whether the security manager is using the HTTP session or not.
*是不是使用Http会话,坑了使用redis或者EhCache之类的缓存服务器
*/
boolean isHttpSessionMode();
}
MutableWebEnvironment用户放入web环境下的信息,管家啊之类的!
//Mutable 可以变化的,用来注入的信息
public interface MutableWebEnvironment extends WebEnvironment {
void setFilterChainResolver(FilterChainResolver filterChainResolver);
void setServletContext(ServletContext servletContext);
void setWebSecurityManager(WebSecurityManager webSecurityManager);
}
DefaultEnvironment就是把实例的的信息字段放置在找Map中,按照类型安全的获取值!
/**
* Simple/default {@code Environment} implementation that stores Shiro objects as key-value pairs in a
* {@link java.util.Map Map} instance. The key is the object name, the value is the object itself.
* 将shiro的一些重要的数据放在Map中
* @since 1.2
*/
public class DefaultEnvironment implements NamedObjectEnvironment, Destroyable {
public static final String DEFAULT_SECURITY_MANAGER_KEY = "securityManager";
protected final Map<String, Object> objects;
private String securityManagerName;
//线程安全
public DefaultEnvironment() {
this(new ConcurrentHashMap<String, Object>());
}
/**
* Creates a new instance with the specified backing map.
*/
@SuppressWarnings({"unchecked"})
public DefaultEnvironment(Map<String, ?> seed) {
this.securityManagerName = DEFAULT_SECURITY_MANAGER_KEY;
if (seed == null) {
throw new IllegalArgumentException("Backing map cannot be null.");
}
this.objects = (Map<String, Object>) seed;
}
public SecurityManager getSecurityManager() throws IllegalStateException {
SecurityManager securityManager = lookupSecurityManager();
if (securityManager == null) {
}
return securityManager;
}
public void setSecurityManager(SecurityManager securityManager) {
if (securityManager == null) {
throw new IllegalArgumentException("Null");
}
String name = getSecurityManagerName();
setObject(name, securityManager);
}
/**
* 从Map中找到保存的备份管家的
*/
protected SecurityManager lookupSecurityManager() {
String name = getSecurityManagerName();
return getObject(name, SecurityManager.class);
}
public String getSecurityManagerName() {
return securityManagerName;
}
public void setSecurityManagerName(String securityManagerName) {
this.securityManagerName = securityManagerName;
}
/**
* Returns the live (modifiable) internal objects collection.
*返回可以修改的objects,因为这个是线程安全的。
*/
public Map<String,Object> getObjects() {
return this.objects;
}
/**
*返回类型安全的Map中的值
**/
@SuppressWarnings({"unchecked"})
public <T> T getObject(String name, Class<T> requiredType) throws RequiredTypeException {
if (name == null) {
throw new NullPointerException("name parameter cannot be null.");
}
if (requiredType == null) {
throw new NullPointerException("requiredType parameter cannot be null.");
}
Object o = this.objects.get(name);
if (o == null) {
return null;
}
if (!requiredType.isInstance(o)) {
String msg = "Object named '" + name + "' is not of required type [" + requiredType.getName() + "].";
throw new RequiredTypeException(msg);
}
return (T)o;
}
public void setObject(String name, Object instance) {
if (name == null) {
throw new NullPointerException();
}
if (instance == null) {
this.objects.remove(name);
} else {
this.objects.put(name, instance);
}
}
public void destroy() throws Exception {
LifecycleUtils.destroy(this.objects.values());
}
}
- 1
DefaultWebEnvironment 写得分工明确,写的非常的好的!而且各种的接口设计也是非常的合理的。各种需要可以制定的成员变量全部都是处理为接口的!
/**
* Default {@link WebEnvironment} implementation based on a backing {@link Map} instance.
*主要是基于祖上的Map进行处理的,这个是Web所以增加了ServletContext 成员变量,分工很明确啊
*然后返回Web性质的管家进行处理断言!很严谨哦,还有设置过滤链
* @since 1.2
*/
public class DefaultWebEnvironment extends DefaultEnvironment implements MutableWebEnvironment {
private static final String DEFAULT_FILTER_CHAIN_RESOLVER_NAME = "filterChainResolver";
private ServletContext servletContext;
public DefaultWebEnvironment() {
super();
}
public FilterChainResolver getFilterChainResolver() {
return getObject(DEFAULT_FILTER_CHAIN_RESOLVER_NAME, FilterChainResolver.class);
}
public void setFilterChainResolver(FilterChainResolver filterChainResolver) {
setObject(DEFAULT_FILTER_CHAIN_RESOLVER_NAME, filterChainResolver);
}
@Override
public SecurityManager getSecurityManager() throws IllegalStateException {
return getWebSecurityManager();
}
@Override
public void setSecurityManager(SecurityManager securityManager) {
assertWebSecurityManager(securityManager);
super.setSecurityManager(securityManager);
}
//写的非常的严谨
public WebSecurityManager getWebSecurityManager() {
SecurityManager sm = super.getSecurityManager();
assertWebSecurityManager(sm);
return (WebSecurityManager)sm;
}
public void setWebSecurityManager(WebSecurityManager wsm) {
super.setSecurityManager(wsm);
}
private void assertWebSecurityManager(SecurityManager sm) {
if (!(sm instanceof WebSecurityManager)) {
String msg = "SecurityManager instance must be a " + WebSecurityManager.class.getName() + " instance.";
throw new IllegalStateException(msg);
}
}
public ServletContext getServletContext() {
return this.servletContext;
}
public void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}
- 1
ResourceConfigurable这个接口更加的直接,设置配置文件的路径,是不是感觉越来越近了,找到熟悉的感觉了。
public interface ResourceConfigurable {
/**
* Convenience method that accepts a comma-delimited string of config locations (resource paths).
*
* @param locations comma-delimited list of config locations (resource paths).
*/
void setConfigLocations(String locations);
/**
* Sets the configuration locations (resource paths) that will be used to configure the instance.
*
* @param locations the configuration locations (resource paths) that will be used to configure the instance.
*/
void setConfigLocations(String[] locations);
}
- 1
ResourceBasedWebEnvironment 就是设置一个路径的位置而已!
/**
* Abstract implementation for {@code WebEnvironment}s that can be initialized via resource paths (config files).
*一个类的单一任务的原则,在这里体现的淋淋尽致
* @since 1.2
*/
public abstract class ResourceBasedWebEnvironment extends DefaultWebEnvironment implements ResourceConfigurable {
private String[] configLocations;
public String[] getConfigLocations() {
return configLocations;
}
public void setConfigLocations(String locations) {
if (!StringUtils.hasText(locations)) {
throw new IllegalArgumentException("Null/empty locations argument not allowed.");
}
//使用,进行分割的Utils方法
String[] arr = StringUtils.split(locations);
setConfigLocations(arr);
}
public void setConfigLocations(String[] configLocations) {
this.configLocations = configLocations;
}
}
IniWebEnvironment这里主要瑟得到管家和过滤的实例信息。
1. 查找并加载 shiro.ini 配置文件,首先从自身成员变量里查找,然后从 web.xml 中查找,然后从 /WEB-INF 下查找,然后从 classpath 下查找,若均未找到,则直接报错。
2. 当找到了 ini 配置文件后就开始解析,此时构造了一个 Bean 容器(相当于一个轻量级的 IOC 容器),最终的目标是为了创建 WebSecurityManager 对象与 FilterChainResolver 对象,创建过程使用了 Abstract Factory 模式:
/**
* {@link WebEnvironment} implementation configured by an {@link Ini} instance or {@code Ini} resource locations.
*
* @since 1.2
*/
public class IniWebEnvironment extends ResourceBasedWebEnvironment implements Initializable, Destroyable {
public static final String DEFAULT_WEB_INI_RESOURCE_PATH = "/WEB-INF/shiro.ini";
/**
* The Ini that configures this WebEnvironment instance.
*/
private Ini ini;
/**
* 这个方法被调用了之后和之前的一样的去创建,Ini类信息,然后在Configure() 创建一个工厂,
*得到工厂getInstance一样的
* Initializes this instance by resolving any potential (explicit or resource-configured) {@link Ini}
* configuration and calling {@link #configure() configure} for actual instance configuration.
*/
public void init() {
Ini ini = getIni();
String[] configLocations = getConfigLocations();
if (log.isWarnEnabled() && !CollectionUtils.isEmpty(ini) &&
configLocations != null && configLocations.length > 0) {
IniWebEnvironment.class.getName());
}
//先去实例的,没有再去找配置的,没有再去找默认的
if (CollectionUtils.isEmpty(ini)) {
log.debug("Checking any specified config locations.");
ini = getSpecifiedIni(configLocations);
}
if (CollectionUtils.isEmpty(ini)) {
log.debug(" Trying default config locations.");
ini = getDefaultIni();
}
//这里很正常吧,没有配置的异常!
if (CollectionUtils.isEmpty(ini)) {
String msg = "not found or discovered to be empty/unconfigured.";
throw new ConfigurationException(msg);
}
setIni(ini);
configure();//这里是寻找工厂的
}
protected void configure() {
//之前定义的Map哦!,是用来处理一些信息的
this.objects.clear();
//先去创建工厂,然后得到实例~
WebSecurityManager securityManager = createWebSecurityManager();
setWebSecurityManager(securityManager);
//创建过滤链
FilterChainResolver resolver = createFilterChainResolver();
if (resolver != null) {
setFilterChainResolver(resolver);
}
}
protected Ini getSpecifiedIni(String[] configLocations) throws ConfigurationException {
Ini ini = null;
if (configLocations != null && configLocations.length > 0) {
if (configLocations.length > 1) {
}
//required, as it is user specified:
ini = createIni(configLocations[0], true);
}
return ini;
}
protected Ini getDefaultIni() {
Ini ini = null;
String[] configLocations = getDefaultConfigLocations();
if (configLocations != null) {
for (String location : configLocations) {
ini = createIni(location, false);
break;
}
}
}
return ini;
}
protected Ini createIni(String configLocation, boolean required) throws ConfigurationException {
Ini ini = null;
if (configLocation != null) {
ini = convertPathToIni(configLocation, required);
}
if (required && CollectionUtils.isEmpty(ini)) {
}
return ini;
}
//这里得到?从配置中得到信息后怎么处理?
protected FilterChainResolver createFilterChainResolver() {
FilterChainResolver resolver = null;
Ini ini = getIni();
if (!CollectionUtils.isEmpty(ini)) {
//only create a resolver if the 'filters' or 'urls' sections are defined:
Ini.Section urls = ini.getSection(IniFilterChainResolverFactory.URLS);
Ini.Section filters = ini.getSection(IniFilterChainResolverFactory.FILTERS);
if (!CollectionUtils.isEmpty(urls) || !CollectionUtils.isEmpty(filters)) {
//either the urls section or the filters section was defined. Go ahead and create the resolver:
IniFilterChainResolverFactory factory = new IniFilterChainResolverFactory(ini, this.objects);
resolver = factory.getInstance();
}
}
return resolver;
}
//创建工厂,然后在得到实例!和之前的差不多,这个getbean有点可以哦!
protected WebSecurityManager createWebSecurityManager() {
WebIniSecurityManagerFactory factory;
Ini ini = getIni();
if (CollectionUtils.isEmpty(ini)) {
factory = new WebIniSecurityManagerFactory();
} else {
factory = new WebIniSecurityManagerFactory(ini);
}
WebSecurityManager wsm = (WebSecurityManager)factory.getInstance();
//SHIRO-306 - get beans after they've been created (the call was before the factory.getInstance() call,
//which always returned null.
Map<String, ?> beans = factory.getBeans();
if (!CollectionUtils.isEmpty(beans)) {
this.objects.putAll(beans);
}
return wsm;
}
protected String[] getDefaultConfigLocations() {
return new String[]{
DEFAULT_WEB_INI_RESOURCE_PATH,
IniFactorySupport.DEFAULT_INI_RESOURCE_PATH
};
}
private Ini convertPathToIni(String path, boolean required) {
//TODO - this logic is ugly - it'd be ideal if we had a Resource API to polymorphically encaspulate this behavior
Ini ini = null;
if (StringUtils.hasText(path)) {
InputStream is = null;
//SHIRO-178: Check for servlet context resource and not only resource paths:
if (!ResourceUtils.hasResourcePrefix(path)) {
is = getServletContextResourceStream(path);
} else {
try {
is = ResourceUtils.getInputStreamForPath(path);
} catch (IOException e) {
if (required) {
throw new ConfigurationException(e);
} else {
if (log.isDebugEnabled()) {
log.debug("Unable to load optional path '" + path + "'.", e);
}
}
}
}
if (is != null) {
ini = new Ini();
ini.load(is);
} else {
if (required) {
throw new ConfigurationException("Unable to load resource path '" + path + "'");
}
}
}
return ini;
}
//TODO - this logic is ugly - it'd be ideal if we had a Resource API to polymorphically encaspulate this behavior
private InputStream getServletContextResourceStream(String path) {
InputStream is = null;
path = WebUtils.normalize(path);
ServletContext sc = getServletContext();
if (sc != null) {
is = sc.getResourceAsStream(path);
}
return is;
}
/**
* Returns the {@code Ini} instance reflecting this WebEnvironment's configuration.
*/
public Ini getIni() {
return this.ini;
}
public void setIni(Ini ini) {
this.ini = ini;
}
}
看看继承图 我记得之前我们的工厂的图没有WebIniSecurityManagerFactory 和 IniFilterChainResolverFactory
这个一定看到过的!
WebSecurityManager wsm = (WebSecurityManager)factory.getInstance();
看这个创造的顺序慢慢的一步步的处理~
protected void configure() {
this.objects.clear();
WebSecurityManager securityManager = createWebSecurityManager();
setWebSecurityManager(securityManager);
FilterChainResolver resolver = createFilterChainResolver();
if (resolver != null) {
setFilterChainResolver(resolver);
}
}
其中有两个 Factory 需要关注:
- WebIniSecurityManagerFactory 用于创建 WebSecurityManager。
- IniFilterChainResolverFactory 用于创建 FilterChainResolver。
通过以上分析,相信 EnvironmentLoaderListener 已经不再神秘了,无非就是在容器启动时创建 WebEnvironment 对象,并由该对象来读取 Shiro 配置文件,创建WebSecurityManager 与 FilterChainResolver 对象,它们都在后面将要出现的 ShiroFilter 中起到了重要作用。
从 web.xml 中同样可以得知,ShiroFilter 是整个 Shiro 框架的门面,因为它拦截了所有的请求,后面是需要 Authentication(认证)还是需要 Authorization(授权)都由它说了算。