Shiro中Subject对象的创建与绑定流程是怎样的？

我们在平常使用Shrio进行身份认证时，经常通过获取Subject 对象中保存的Session、Principal等信息，来获取认证用户的信息，也就是说Shiro会把认证后的用户信息保存在Subject 中供程序使用 public static Subject getSubject() { return SecurityUtils.getSubject(); } Subject 是Shiro中核心的也是我们经常用到的一个对象，那么Subject 对象是怎么构造创建，并如何存储绑定供程序调用的，下面我们就对其流程进行一下探究，首先是Subject 接口本身的继承与实现，这里我们需要特别关注下WebDelegatingSubject这个实现类，这个就是最终返回的具体实现类 一、Subject的创建 在Shiro中每个http请求都会经过SpringShiroFilter的父类AbstractShiroFilte中的doFilterInternal方法，我们看下具体代码 protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain) throws ServletException, IOException { Throwable t = null; try { final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain); final ServletResponse response = prepareServletResponse(request, servletResponse, chain); //创建Subject final Subject subject = createSubject(request, response); //执行Subject绑定 //noinspection unchecked subject.execute(new Callable() { public Object call() throws Exception { updateSessionLastAccessTime(request, response); executeChain(request, response, chain); return null; } }); } catch (ExecutionException ex) { t = ex.getCause(); } catch (Throwable throwable) { t = throwable; } if (t != null) { if (t instanceof ServletException) { throw (ServletException) t; } if (t instanceof IOException) { throw (IOException) t; } //otherwise it's not one of the two exceptions expected by the filter method signature - wrap it in one: String msg = "Filtered request failed."; throw new ServletException(msg, t); } } 继续进入createSubject方法，也就是创建Subject对象的