@startuml token-structure
!include ./class-settings.puml

interface AuthenticationToken {
  + Object getPrincipal()
  + Object getCredentials()
}

interface HostAuthenticationToken {
  + String getHost()
}

interface RememberMeAuthenticationToken {
  + boolean isRememberMe()
}

class UsernamePasswordToken {
  - String username
  - char[] password
  - boolean rememberMe
  - String host
  + void clear()
}

class BearerToken {
  - String token
  - String host
}

HostAuthenticationToken --|> AuthenticationToken
RememberMeAuthenticationToken --|> AuthenticationToken
UsernamePasswordToken ..|> HostAuthenticationToken
UsernamePasswordToken ..|> RememberMeAuthenticationToken
BearerToken ..|> HostAuthenticationToken
@enduml

@startuml subject-structure
!include ./class-settings.puml

interface Subject {
  + Object getPrincipal()
  + PrincipalCollection getPrincipals()
  + boolean isPermitted(String)
  + boolean isPermitted(Permission)
  + boolean[] isPermitted(String...)
  + boolean{} isPermitted(List<Permission>)
  + boolean isPermittedAll(String...)
  + boolean isPermittedAll(Collection<Permission>)
  + void checkPermission(String)
  + void checkPermission(Permission)
  + void checkPermissions(String...)
  + void checkPermissions(Collection<Permission>)
  + boolean hasRole(String roleIdentifier)
  + boolean hasRoles(List<String>)
  + boolean hasAllRoles(Collection<String>)
  + void checkRole(String)
  + void checkRoles(Collection<String>)
  + void checkRoles(String...)
  + void login(AuthenticationToken)
  + boolean isAuthenticated()
  + boolean isRemembered()
  + Session getSession()
  + Session getSession(boolean)
  + void logout()
  + <V> V execute(Callable<V>)
  + void execute(Runnable)
  + <V> Callable<V> associateWith(Callable<V>)
  + Runnable associateWith(Runnable)
  + void runAs(PrincipalCollection)
  + boolean isRunAs()
  + PrincipalCollection getPreviousPrincipals()
  + PrincipalCollection releaseRunAs()
}

interface PrincipalCollection {
  + Object getPrimaryPrincipal()
  + <T> T oneByType(Class<T>)
  + <T> Collection<T> byType(Class<T>)
  + List asList()
  + Set asSet()
  + Collection fromRealm(String)
  + Set<String> getRealmNames()
  + boolean isEmpty()
}

interface MutablePrincipalCollection {
  + void add(Object, String)
  + void addAll(Collection, String)
  + void addAll(PrincipalCollection)
  + void clear()
}

class SimplePrincipalCollection

interface PrincipalMap {
  + Map<String, Object> getRealmPrincipals(String)
  + Map<String, Object> setRealmPrincipals(String, Map<String, Object>)
  + Object setRealmPrincipal(String, String, Object)
  + Object getRealmPrincipal(String, String)
  + Object removeRealmPrincipal(String, String)
}

class SimplePrincipalMap

interface SubjectContext {
  + SecurityManager getSecurityManager()
  + void setSecurityManager(SecurityManager)
  + SecurityManager resolveSecurityManager()
  + Serializable getSessionId()
  + void setSessionId(Serializable)
  + Subject getSubject()
  + void setSubject(Subject subject)
  + PrincipalCollection getPrincipals()
  + PrincipalCollection resolvePrincipals()
  + void setPrincipals(PrincipalCollection)
  + Session getSession()
  + void setSession(Session)
  + Session resolveSession()
  + boolean isAuthenticated()
  + void setAuthenticated(boolean)
  + boolean isSessionCreationEnabled()
  + void setSessionCreationEnabled(boolean)
  + boolean resolveAuthenticated()
  + AuthenticationInfo getAuthenticationInfo()
  + void setAuthenticationInfo()
  + AuthenticationToken getAuthenticationToken()
  + void setAuthenticationToken(AuthenticationToken)
  + String getHost()
  + void setHost(String)
  + String resolveHost()
}

PrincipalCollection -* Subject
MutablePrincipalCollection --|> PrincipalCollection
MutablePrincipalCollection <|. SimplePrincipalCollection
PrincipalCollection <|-- PrincipalMap
PrincipalMap <|. SimplePrincipalMap
Subject -* SubjectContext
PrincipalCollection -* SubjectContext
Session --* SubjectContext
SubjectContext *-- AuthenticaitonInfo
SubjectContext *-- AuthenticaitonToken
@enduml

@startuml securitymanager-structure
!include ./class-settings.puml

interface SecurityManager {
  + Subject login(Subject, AuthenticationToken)
  + void logout(Subject)
  + Subject createSubject(SubjectContext)
}

interface Authorizer {
  + boolean isPermitted(PrincipalCollection, String)
  + boolean isPermitted(PrincipalCollection, Permission)
  + boolean[] isPermitted(PrincipalCollection, String...)
  + boolean[] isPermitted(PrincipalCollection, List<Permission>)
  + boolean isPermittedAll(PrincipalCollection, String...)
  + boolean isPermittedAll(PrincipalCollection, Collection<Permission>...)
  + void checkPermission(PrincipalCollection, String)
  + void checkPermission(PrincipalCollection, Permission)
  + void checkPermissions(PrincipalCollection, String...)
  + void checkPermissions(PrincipalCollection, Collection<Permission>)
  + boolean hasRole(PrincipalCollection, String)
  + boolean[] hasRoles(PrincipalCollection, List<String>)
  + boolean hasAllRoles(PrincipalCollection, Collection<String>)
  + void checkRole(PrincipalCollection, String)
  + void checkRoles(PrincipalCollection, Collection<String>)
  + void checkRoles(PrincipalCollection, String...)
}

interface Authenticator {
  + AuthenticaionInfo authenticate(AuthenticationToken)
}

interface SessionManager {
  + Session start(SessionContext)
  + Session getSession(SessionKey)
}

interface SessionKey {
  + Serializable getSessionId()
}

interface SessionContext {
  + void setHost(String)
  + String getHost()
  + Serializable getSessionId()
  + void setSessionId(Serializable)
}

abstract class CachingSecurityManager {
  - CacheManager cacheManager
  - EventBus eventBus
  # void afterCacheManagerSet()
  # void applyEventBusToCacheManager()
  # void afterEventBusSet()
  + void destroy()
}

interface CacheManagerAware {
  + void setCacheManager(CacheManager)
}

interface EventBusAware {
  + void setEventBus(EventBus)
}

interface CacheManager {
  + <K, V> Cache<K, V> getCache(String)
}

interface Cache<K, V> {
  + V get(K)
  + V put(K, V)
  + V remove(K)
  + void clear()
  + int size()
  + Set<K> keys()
  + Collection<V> values()
}

interface EventBus {
  + void publish(Object)
  + void register(Object)
  + void unregister(Object)
}

abstract class RealmSecurityManager {
  - Collection<Realm> realms;
  + void setRealms(Collection<Realm>)
  # void afterRealmsSet()
  # void afterCacheManagerSet()
  # void afterEventBusSet()
  # void applyCacheManagerToRealms()
  # void applyEventBusToRealms()
}

abstract class AuthenticatingSecurityManager {
  - Authenticator authenticator
  + AuthenticationInfo authenticate(AuthenticationToken)
}

abstract class AuthorizingSecurityManager {
  - Authorizer authorizer
  --代理方法--
  代理所有Authorizer中的方法
}

abstract class SessionSecurityManager {
  - SessionManager sessionManager
  # void applyCacheManagerToSessionManager()
  # void applyEventBusToSessionManager()
  + Session start(SessionContext)
}

class DefaultSecurityManager {
  # RememberMeManager rememberMeManager
  # SubjectDAO subjectDAO
  # SubjectFactory subjectFactory
  # Subject createSubject(AuthenticationToken, AuthenticationInfo, Subject)
  # void bind(Subject)
  # void rememberMeSuccessfulLogin(AuthenticationToken, AuthenticationInfo, Subject)
  # void rememberMeFailedLogin(AuthenticationToken, AuthenticationException, Subject)
  # void rememberMeLogout(Subject)
  + Subject login(Subject, AuthenticationToken)
  # void onSuccessfulLogin(AuthenticationToken, AuthenticationInfo, Subject)
  # void onFailedLogin(AuthenticationToken, AuthenticationException, Subject)
  # void beforeLogout(Subject)
  # SubjectContext copy(SubjectContext)
  + Subject createSubject(SubjectContext)
  # Subject doCreateSubject(SubjectContext)
  # void save(Subject)
  # void delete(Subject)
  # SubjectContext ensureSecurityManager(SubjectContext)
  # SubjectContext resolveSession(SubjectContext)
  # Session resolveContextSession(SubjectContext)
  # SessionKey getSessionKey(SubjectContext)
  -{static} boolean isEmpty(PrincipalCollection)
  # SubjectContext resolvePrincipals(SubjectContext)
  # SessionContext createSessionContext(SubjectContext)
  + void logout(Subject)
  # void stopSession(Subject)
  # void unbind(Subject)
  # PrincipalCollection getRememberedIdentity(SubjectContext)
}

interface RememberMeManager {
  + PrincipalCollection getRememberedPrincipals(SubjectContext)
  + void forgetIdentity(SubjectContext)
  + void onSuccessfulLogin(Subject, AuthenitcationToken, AuthenticationInfo)
  + void onFailedLogin(Subject, AuthenticationToken, AuthenticationException)
  + void onLogout(Subject)
}

abstract class AbstractRememberMeManager {
  - Serializer<PrincipalCollection> serializer
  - CipherService cipherService
  - byte[] encryptionCipherKey
  - byte[] decryptionCipherKey
  #{abstract} void forgetIdentity(Subject)
  # boolean isRememberMe(AuthenticationToken)
  + void rememberIdentity(Subject, AuthenticationToken, AuthenticationInfo)
  # PrincipalCollection getIdentityToRemember(Subject, AuthenticationInfo)
  # void rememberIdentity(Subject, PrincipalCollection)
  # byte[] convertPrincipalsToBytes(PrincipalCollection)
  #{abstract} void rememberSerializedIdentity(Subject, byte[])
  + PrincipalCollection getRememberedPrincipals(SubjectContext)
  #{abstract} byte[] getRememberedSerializedIdentity(SubjectContext)
  # PrincipalCollection convertBytesToPrincipals(byte[], SubjectContext)
  # PrincipalCollection onRememberedPrincipalFailure(RuntimeException, SubjectContext)
  # byte[] encrypt(byte[])
  # byte[] decrypt(byte[])
  # byte[] serialize(PrincipalCollection)
  # PrincipalCollection deserialize(byte[])
  + void onFailedLogin(Subject, AuthenticationToken, AuthenticationException)
  + void onLogout(Subject)
}

Authorizer <|-- SecurityManager
Authenticator <|-- SecurityManager
SessionManager <|-- SecurityManager
SessionKey --* SessionManager
SessionContext --* SessionManager
SecurityManager <|.. CachingSecurityManager
CacheManagerAware <|.. CachingSecurityManager
EventBusAware <|.. CachingSecurityManager
CacheManagerAware *-- CacheManager
CacheManager *-- Cache
EventBus -* EventBusAware
CachingSecurityManager <|-- RealmSecurityManager
RealmSecurityManager <|-- AuthenticatingSecurityManager
AuthenticatingSecurityManager <|-- AuthorizingSecurityManager
AuthorizingSecurityManager <|-- SessionSecurityManager
SessionSecurityManager <|-- DefaultSecurityManager
RememberMeManager --* DefaultSecurityManager
AbstractRememberMeManager ..|> RememberMeManager
@enduml

@startuml authenticator-structure
!include ./class-settings.puml

interface Authenticator {
  + AuthenticaionInfo authenticate(AuthenticationToken)
}

interface AuthenticationInfo {
  + PrincipalCollection getPrincipals()
  + Object getCredentials()
}

abstract class AbstractAuthenticator {
  - Collection<AuthenticationListener> listeners
  # void notifySuccess(AuthenticationToken, AuthenticationInfo)
  # void notifyFailure(AuthenticationToken, AuthenticationException)
  # void notifyLogout(PrincipalCollection)
  + void onLogout(PrincipalCollection)
  + AuthenticationInfo authenticate(AuthenticationToken)
  #{abstract} AuthenticationInfo doAuthenticate(AuthenticationToken)
}

class ModularRealmAuthenticator {
  - Collection<Realm> realms
  - AuthenticationStrategy authenticationStrategy
  # void assertRealmsConfigured()
  # AuthenticationInfo doSingleRealmAuthentication(Realm, AuthenticationToken)
  # AuthenticationInfo doMultiRealmAuthentication(Collection<Realm>, AuthenticationToken)
}

interface AuthenticationStrategy {
  + AuthenticationInfo beforeAllAttempts(Collection<? extends Realm>, AuthenticationToken)
  + AuthenticationInfo beforeAttempt(Realm, AuthenticationToken, AuthenticationInfo)
  + AuthenticationInfo afterAttempt(Realm, AuthenticationToken, AuthenticationInfo, AuthenticationInfo)
  + AuthenticationInfo afterAllAttempts(AuthenticationToken, AuthenticationInfo)
}

abstract class AbstractAuthenticationStrategy {
  # AuthenticationInfo merge(AuthenticationInfo, AuthenticationInfo
}

class FirstSuccessfulStrategy {
  - boolean stopAfterFirstSuccess
}

AuthenticationInfo --* Authenticator
AbstractAuthenticator ..|> Authenticator
ModularRealmAuthenticator --|> AbstractAuthenticator
AuthenticationStrategy --* ModularRealmAuthenticator
AbstractAuthenticationStrategy ..|> AuthenticationStrategy
AllSuccessfulStrategy --|> AbstractAuthenticationStrategy
AtLeastOneSuccessfulStrategy --|> AbstractAuthenticationStrategy
FirstSuccessfulStrategy --|> AbstractAuthenticationStrategy
@enduml

@startuml realm-structure
!include ./class-settings.puml

interface Realm {
  + String getName()
  + boolean supports(AuthenticaitonToken)
  + AuthenticationInfo getAuthenticationInfo(AuthenticationToken)
}

interface LogoutAware {
  + void onLogout(PrincipalCollection)
}

abstract class CachingRealm {
  - String name
  - boolean cachingEnabled
  - CacheManager cacheManager
  # void afterCacheManagerSet()
  -{static} boolean isEmpty(PrincipalCollection)
  # void clearCache(PrincipalCollection)
  # void doClearCache(PrincipalCollection)
  # Object getAvailiablePrincipal(PrincipalCollection)
}

abstract class AuthenticatingRealm {
  - CreadentialMatcher credentialsMatcher
  - Cache<Object, AuthenticationInfo> uthenticationCache
  - boolean authenticationCachingEnabled
  - String authenticationCacheName
  - Class<? extends AuthenticaitonToken> authenticationTokenClass
  + void init()
  # void onInit()
  - Cache<Object, AuthenticationInfo> getAuthenticationacheLazy()
  - AuthenticationInfo getCachedAuthenticaitonInfo(AuthenticationToken)
  - void cacheAuthenticaitonInfoIfPossible(AuthenticationToken, AuthenticationInfo)
  + AuthenticationInfo getAuthenticationInfo(AuthenticationToken)
  # void assertredentialsMatch(AuthenticationToken, AuthenticationInfo)
  # Object getAuthenticationCacheKey(AuthenticationToken)
  # Object getAuthenticationCacheKey(PrincipalCollection)
  # void clearCachedAuthenticationInfo(PrincipalCollection)
  #{abstract} AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken)
}

interface PermissionResolverAware {
  + void setPermissionResolver(PermissionResolver)
}

interface RolePermissionResolverAware {
  + void setRolePermisisonResolver(RolePermisisonResolver)
}

interface Authorizer

abstract class AuthorizingRealm {
  - boolean authorizationCachingEnabled
  - Cache<Object, AuthorizationInfo> authorizationCache
  - String authorizationCacheName
  - PermissionResolver permissionResolver
  - RolePermissionResolver permissionRoleResolver
}

enum SaltStyle {
  NO_SALT
  CRYPT
  COLUMN
  EXTERNAL
}

class JdbcRealm {
  # DataSource dataSource
  # String authenticationQuery
  # String userRolesQuery
  # String permissionsQuery
  # boolean permissionsLookupEnabled
  # SaltStyle saltStyle
  # boolean saltIsBase64Encoded
  - String[] getPasswordForUser(Connection, String)
  # Set<String> getRoleNamesForUser(Connection, String)
  # Set<String> getPermissions(Connection, String, Collection<String>)
  # String getSaltForUser(String)
}

class SimpleAccountRealm {
  # Map<String, SimpleAccount> users
  # Map<String, SimpleRole> roles
  # ReadWriteLock USERS_LOCK
  # ReadWriteLock ROLES_LOCK
  # SimpleAccount getUser(String)
  + boolean accountExists(String)
  + void addAccount(String, String)
  + void addAccount(String, String, String...)
  # String getUsername(SimpleAccount)
  # String getUsername(PrincipalCollection)
  # void add(SimpleAccount)
  # SimpleRole getRole(String)
  + boolean roleExists(String)
  # void addRole(String)
  # void add(SimpleRole)
  #{static} Set<String> toSet(String, String)
}

class SimpleAccount {
  - SimpleAuthenticationInfo authcInfo
  - SimpleAuthorizationInfo authzInfo
  - boolean locked
  - boolean credentialsExpired
}

interface MergableAuthenticationInfo {
  + void merge(AuthenticationInfo)
}

interface Account
interface AuthenticationInfo
interface AuthorizationInfo

class SimpleRole {
  # String name
  # Set<Permission> permissions
  + void add(Permission)
  + void addAll(Collection<Permisison>)
  + boolean isPermitted(Permisison)
}

CachingRealm ..|> Realm
CachingRealm ..|> LogoutAware
AuthenticatingRealm --|> CachingRealm
AuthorizingRealm --|> AuthenticatingRealm
AuthorizingRealm .|> Authorizer
AuthorizingRealm ..|> PermissionResolverAware
AuthorizingRealm ..|> RolePermissionResolverAware
SimpleAccountRealm --|> AuthorizingRealm
JdbcRealm --|> AuthorizingRealm
SaltStyle -+ JdbcRealm
SimpleAccount --* SimpleAccountRealm
SimpleRole --* SimpleAccountRealm
Account <|.. SimpleAccount
MergableAuthenticationInfo <|.. SimpleAccount
AuthenticationInfo <|-- Account
AuthenticationInfo <|-- MergableAuthenticationInfo
AuthorizationInfo <|-- Account
@enduml

@startuml shiro-filter-structure
!include ./class-settings.puml

class BearerHttpAuthenticationFilter {
  # AuthenticationToken createBearerToken(String, ServletRequest)
}

class BasicHttpAuthenticaitonFilter

abstract class HttpAuthenticationFilter {
  - String applicationName
  - String authcScheme
  - String authzScheme
  # Set<String> httpMethodsFromOptions(String[])
  # boolean isLoginAttempt(ServletRequest, ServletResponse)
  # boolean isLoginAttempt(String)
  # String getAuthzHeader(ServletRequest)
  # boolean sendChallenge(ServletRequest, ServletResponse)
  # String[] getPrincipalsAndCredentials(String, ServletRequest)
  # String[] getPrincipalsAndCredentials(String, String)
}

abstract class AuthenticatingFilter {
  # boolean executeLogin(ServletRequest, ServletResponse)
  # AuthenticationToken createToken(ServletRequest, ServletResponse)
  # AuthenticationToken createToken(String, String, ServletRequest, ServletResponse)
  # AuthenticationToken createToken(String, String, boolean, String)
  # boolean onLoginSuccess(AuthenticationToken, Subject, ServletRequest, ServletResponse)
  # boolean onLoginFailure(AuthenticationToken, AuthenticationException, ServletRequest, ServletResponse)
  # String getHost(ServletRequest)
  # boolean isRememberMe(ServletRequest)
  # boolean isPermissive(Object)
}

abstract class AuthenticationFilter {
  - String successUrl
  # void isssueSuccessRedirect(ServletRequest, ServletResponse)
}

abstract class AccessControlFilter {
  - String loginUrl
  # Subject getSubject(ServletRequest, ServletResponse)
  # boolean isAccessAllowed(ServletRequest, ServletResponse, Object)
  # boolean onAccessDenied(ServletRequest, ServletResponse, Object)
  # boolean onAccessDenied(ServletRequest, ServletResponse)
  # boolean isLoginRequest(ServletRequest, ServletResponse)
  # void saveRequestAndRedirectToLogin(ServletRequest, ServletResponse)
  # void saveRequest(ServletRequest)
  # void redirectToLogin(ServletRequest, ServletResponse)
}

abstract class PathMatchingFilter {
  # PatternMatcher pathMatcher
  # Map<String, Object> appliedPaths
  # String getPathWithinApplication(ServletRequest)
  # boolean pathsMatch(String, ServletRequest)
  # boolean pathsMatch(String, String)
  - boolean isFilterChainContinued(ServletRequest, ServletResponse, String, Object)
  # boolean onPreHandle(ServletRequest, ServletResponse, Object)
  # boolean isEnabled(ServletRequest, ServletResponse, String, Object)
}

interface PathConfigProcessor {
  + Filter processPathConfig(String, String)
}

abstract class AdviceFilter {
  # boolean preHandle(ServletRequest, ServletResponse)
  # void postHandle(ServletRequest, ServletResponse)
  + void afterCompletion(ServletRequest, ServletResponse, Exception)
  # void executeChain(ServletRequest, ServletResponse, FilterChain)
  # void cleanup(ServletRequest, ServletResponse)
}

abstract class OncePerRequestFilter {
  - boolean enabled
  # boolean isEnabled(ServletRequest, ServletResponse)
  # String getAlreadyFilterAttributeName()
  # void doFilterInternal(ServletRequest, ServletResponse, FilterChain)
}

abstract class NameableFilter {
  # String name
}

abstract class AbstractFilter {
  # FilterConfig filterConfig
  # String getInitParam(String)
  # void onFilterConfigSet()
}

class ServletContextSupport {
  - ServletContext servletContext
  # String getContextInitParam(String)
  - ServletContext getRequiredServletContext()
  # void setContenxtAttribute(String, Object)
  # Object getContextAttribute(String)
  # void removeContextAttribute(String)
}

interface Filter <<javax.web>> {
  + void init(FilterConfig)
  + void doFilter(ServletRequest, ServletResponse, FilterChain)
  + void destroy()
}

interface Nameable {
  + void setName(String name)
}

class FormAuthenticationFilter {
  - String usernameParam
  - String passwordParam
  - String rememberMeParam
  - String failureKeyAttribute
  # boolean isLoginSubmission(ServletRequest, ServletResponse)
  # void setFailureAttributes(ServletRequest, AuthenticationException)
  - String getUsername(ServletRequest)
  - String getPassword(ServletRequest)
}

class LogoutFilter {
  - String redirectUrl
  - boolean postOnlyLogout
  # Subject getSubject(ServletRequest, ServletResponse)
  # void issueRedirect(ServletRequest, ServletResponse)
  # String getRedirectUrl(ServletRequest, ServletResponse)
  # boolean onLogoutRequestNotAPost(ServletRequest, ServletResponse)
}

class PassThruAuthentcationFilter

class UserFilter

abstract class AuthorizationFilter {
  - String unauthorizedUrl
}

class HostFilter {
  + Map<String, String> authorizedIps
  + Map<String, String> deniedIps
  + Map<String, String> authorizedHostnames
  + Map<String, String> deniedHostnames
  + void setAuthorizedHosts(String)
  + void setDeniedHosts(String)
  # boolean isIpv4Candidate(String)
}

class HttpMethodPermissionFilter {
  - Map<String, String> httpMethodActions
  # String getHttpMethodAction(ServletRequest)
  # String getHttpMethodAction(String)
  # String[] buildPermissions(HttpServletRequest, String[], String)
  # String[] buildPermissions(String[], String)
}

class IpFilter {
  - List<IpAddressMatcher> deniedIpMatchers
  - List<IpAddressMatcher> authorizedIpMatchers
  - IpSource ipSource
  + void setAuthorizedips(String)
  + void setDeniedIps(String)
  + void setIpSource(IpSource)
  + String getHostFromRequest(ServletRequest)
}

class PermissionAuthorizationFilter

class PortFilter {
  - int port
  # int toPort(Object)
  # String getScheme(String, int)
}

class RolesAuthorizationFilter

class SslFilter {
  - HSTS hsts
}

abstract class AbstractShiroFilter {
  - WebSecurityManager securityManager
  - FilterChainResolver filterChainResolver
  - boolean staticSecurityManagerEnabled
  - void applyStaticSecurityManagerEnabledConfig()
  + void init()
  - void ensureSecurityManager()
  # WebSecurityManager createDefaultSecurityManager()
  # boolean isHttpSession()
  # ServletRequest wrapServletRequest(HttpServletRequest)
  # ServletRequest prepareServletRequest(ServletRequest, ServletResponse, FilterChain)
  # ServletResponse wrapServletResponse(HttpServletResponse, ShiroHttpServletRequest)
  # ServletResponse prepareServletResponss(ServletRequest, ServletResponse, FilterChain)
  # WebSubject createSubject(ServletRequest, ServletResponse)
  # void updateSessionLastAccessTime(ServletRequest, ServletResponse)
  # FilterChain getExecutableChain(ServletRequest, ServletResponse, FilterChain)
  # void executeChain(ServletRequest, ServletResponse, FilterChain)
}

class ShiroFilter

BearerHttpAuthenticationFilter --|> HttpAuthenticationFilter
BasicHttpAuthenticaitonFilter --|> HttpAuthenticationFilter
PortFilter <|- SslFilter
HttpAuthenticationFilter --|> AuthenticatingFilter
FormAuthenticationFilter --|> AuthenticatingFilter
AuthenticatingFilter --|> AuthenticationFilter
PassThruAuthentcationFilter -|> AuthenticationFilter
HttpMethodPermissionFilter --|> PermissionAuthorizationFilter
IpFilter --|> AuthorizationFilter
AuthorizationFilter <|- PortFilter
AuthorizationFilter <|-- RolesAuthorizationFilter
PermissionAuthorizationFilter --|> AuthorizationFilter
HostFilter --|> AuthorizationFilter
AuthenticationFilter --|> AccessControlFilter
UserFilter --|> AccessControlFilter
AuthorizationFilter --|> AccessControlFilter
AccessControlFilter --|> PathMatchingFilter
AnonymousFilter --|> PathMatchingFilter
NoSessionCreationFilter -|> PathMatchingFilter
PathMatchingFilter -|> AdviceFilter
AdviceFilter <|- LogoutFilter
PathMatchingFilter ..|> PathConfigProcessor
ShiroFilter --|> AbstractShiroFilter
AdviceFilter --|> OncePerRequestFilter
OncePerRequestFilter <|-- AbstractShiroFilter
OncePerRequestFilter --|> NameableFilter
AbstractFilter <|-- NameableFilter
NameableFilter ..|> Nameable
ServletContextSupport <|- AbstractFilter
AbstractFilter ..|> Filter
@enduml

@startuml shiro-authc-flow
!include ./activity-settings.puml

start
:用户提交Web请求;
if (用户请求是登录请求) then (是)
  partition Controller {
    :取得用户名及密码;
    :构建相应的AuthenticationToken;
  }
else (否)
  partition Filter {
    :解析用户请求中提供的认证信息;
    :解析认证信息构建AuthenticationToken;
  }
endif
:使用SecurityUtils获取Subject实例;
note right
所有的登录步骤都将存在于
Controller的登录处理方法
和Filter的executeLogin()
方法中。
end note
:使用Subject对AuthenticationToken进行登录验证;
partition SecurityManager {
  :使用Authenticator处理AuthenticationToken;
  repeat
  :Authenticator从Realm列表中获取一个Realm;
  :使用Realm对AuthenticationToken进行验证;
  if (Realm支持处理AuthenticationToken) then (支持)
    :从AuthenticationToken中获取Principal;
    :从用户信息存储中利用Principal获取完整的用户信息;
    :使用用户信息构建AuthenticationInfo;
  else (不支持)
  endif
  repeat while (所有Realm都循环过了) is (否) not (是)
  :根据返回的AuthenticationInfo设置Subject;
}
:获取保存在Subject中的AuthorizationInfo;
:对比用户业务所需的权限;
if (用户拥有所需的权限) then (是)
  :继续用户业务功能的执行;
else (否)
  :阻止用户业务功能的执行;
endif
stop

@enduml