Shiro学习笔记<2>SecurityUtils,SecurityManager,Subject

SecurityUtils是一个抽象的工具类，提供了 SecurityManager 实例的保存和获取的方法，以及创建Subject的方法。

一:SecurityUtils中的方法

SecurityUtils提供了 getSecurityManager()和setSecurityManager外，还有个特别的方法 getSubject()，这是获取subject的最有效的途径。
下面是 SecurityUtils 提供的三个方法：

package org.apache.shiro;
 
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
 
public abstract class SecurityUtils {
 
 
    private static SecurityManager securityManager;
 
     
    public static Subject getSubject() {
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        }
        return subject;
    }
 
    public static void setSecurityManager(SecurityManager securityManager) {
        SecurityUtils.securityManager = securityManager;
    }
 
    public static SecurityManager getSecurityManager() throws UnavailableSecurityManagerException {
        SecurityManager securityManager = ThreadContext.getSecurityManager();
        if (securityManager == null) {
            securityManager = SecurityUtils.securityManager;
        }
        if (securityManager == null) {
            String msg = "No SecurityManager accessible to the calling code, either bound to the " +
                    ThreadContext.class.getName() + " or as a vm static singleton.  This is an invalid application " +
                    "configuration.";
            throw new UnavailableSecurityManagerException(msg);
        }
        return securityManager;
    }
}

实际上，创建的subject的工作还是由 SecurityManager 来完成的。 
Buidler是在 Subject的内类，在Buidler中通过SecurityUtils 获取到了 SecurityManager ，调用buildSubject()。 
在buildSubject()中调用了 securityManager.createSubject()方法( 由SecurityManager 的子类DefaultSecurityManager 的 实现createSubject())，完成subject创建的。

二:最终subject创建的代码

DefaultSecurityManager 实例化的时候，生成了 SubjectFactory子类 DefaultSubjectFactory 实例的属性。
DefaultSecurityManager的createSubject()方法 调用 DefaultSubjectFactory 的 createSubject()方法最终完成了subject 的创建：
下面是 DefaultSubjectFactory 中createSubject()方法的代码：

package org.apache.shiro.mgt;
 
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.subject.support.DelegatingSubject;
 
 
/**
 * Default {@link SubjectFactory SubjectFactory} implementation that creates {@link org.apache.shiro.subject.support.DelegatingSubject DelegatingSubject}
 * instances.
 *
 * @since 1.0
 */
public class DefaultSubjectFactory implements SubjectFactory {
 
    public DefaultSubjectFactory() {
    }
 
    public Subject createSubject(SubjectContext context) {
        SecurityManager securityManager = context.resolveSecurityManager();
        Session session = context.resolveSession();
        boolean sessionCreationEnabled = context.isSessionCreationEnabled();
        PrincipalCollection principals = context.resolvePrincipals();
        boolean authenticated = context.resolveAuthenticated();
        String host = context.resolveHost();
 
        return new DelegatingSubject(principals, authenticated, host, session, sessionCreationEnabled, securityManager);
    }
 
    /**
     * @deprecated since 1.2 - override {@link #createSubject(org.apache.shiro.subject.SubjectContext)} directly if you
     *             need to instantiate a custom {@link Subject} class.
     */
    @Deprecated
    protected Subject newSubjectInstance(PrincipalCollection principals, boolean authenticated, String host,
                                         Session session, SecurityManager securityManager) {
        return new DelegatingSubject(principals, authenticated, host, session, true, securityManager);
    }
 
}

可见，subject的最终实例是 DelegatingSubject的实例，并且包含host,authenticated,principals,securityManager等丰富的信息。