The Shiro 302 redirect problem in a Spring Boot project with separated front end and back end

Reader submission 791 2022-09-08



Shiro 302 redirects in a Spring Boot project with separated front end and back end

The project uses Spring Boot, with Shiro for user authentication. When a front-end request arrives after the user's information and session have expired, Shiro redirects to the configured login.jsp page, or to whatever loginUrl you configured yourself.

Because the front end and back end are separated and the static resources are served elsewhere, the redirect target does not exist on the back end, so the redirect is followed by a 404.

After looking through configuration material online, the cause of the 302 turned out to be the handling in the onAccessDenied method of FormAuthenticationFilter. Once the cause is known, the fix follows.

Override onAccessDenied to handle your own business case, then register the custom filter when the filter configuration is loaded.

The code is below.

Add a class ShiroFormAuthenticationFilter that overrides the method:

```java
package com.oilpay.wallet.shiro;

import com.alibaba.fastjson.JSONObject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;

/**
 * Overrides the access-denied handling so that an expired login returns a
 * status code and JSON body to front-end callers instead of a 302 redirect.
 */
public class ShiroFormAuthenticationFilter extends FormAuthenticationFilter {

    // Logger named after this class (the original pointed it at an unrelated TokenInterceptor class)
    private static final Logger logger = LoggerFactory.getLogger(ShiroFormAuthenticationFilter.class);

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            if (isLoginSubmission(request, response)) {
                if (logger.isTraceEnabled()) {
                    logger.trace("Login submission detected. Attempting to execute login.");
                }
                return executeLogin(request, response);
            } else {
                if (logger.isTraceEnabled()) {
                    logger.trace("Login page view.");
                }
                // allow them to see the login page ;)
                return true;
            }
        } else {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            // CORS preflight: answer 200 and let it continue down the chain
            if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {
                resp.setStatus(HttpStatus.OK.value());
                return true;
            }
            if (logger.isTraceEnabled()) {
                logger.trace("Attempting to access a path which requires authentication. Forwarding to the "
                        + "Authentication url [" + getLoginUrl() + "]");
            }
            // Front-end Ajax requests carry marker headers; use them to tell front-end calls apart
            String test = req.getHeader("test");
            if (test != null || req.getHeader("wkcheck") != null) {
                // Front-end Ajax request: answer with JSON instead of redirecting.
                // Caveat: reflecting Origin unconditionally together with Allow-Credentials=true lets any
                // origin make credentialed requests; in production check Origin against an allowlist.
                resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));
                resp.setHeader("Access-Control-Allow-Credentials", "true");
                resp.setContentType("application/json; charset=utf-8");
                resp.setCharacterEncoding("UTF-8");
                PrintWriter out = resp.getWriter();
                JSONObject result = new JSONObject();
                result.put("message", "登录失效");
                result.put("resultCode", 1000);
                out.println(result);
                out.flush();
                out.close();
            } else {
                // Ordinary browser navigation keeps Shiro's default save-request-and-redirect behaviour
                saveRequestAndRedirectToLogin(request, response);
            }
            return false;
        }
    }
}
```

Add the following to the filter configuration:

```java
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.Filter;
import java.util.LinkedHashMap;

@Configuration
public class ShiroConfig {

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(@Qualifier("securityManager") SecurityManager manager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(manager);

        // Access rules; order matters, Shiro applies the first pattern that matches
        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/common/logout", "logout");
        filterChainDefinitionMap.put("/", "anon");
        filterChainDefinitionMap.put("/common/login", "anon");
        filterChainDefinitionMap.put("/common/*", "anon");
        filterChainDefinitionMap.put("/imageVerifyCode/getCode", "anon");
        filterChainDefinitionMap.put("/sendVerifyCode/register", "anon");
        filterChainDefinitionMap.put("/sendVerifyCode/resetLoginPwd", "anon");
        filterChainDefinitionMap.put("/**", "authc"); // everything else requires authentication

        // Replace the default "authc" filter with the custom one so the rules above use it
        LinkedHashMap<String, Filter> filtsMap = new LinkedHashMap<>();
        filtsMap.put("authc", new ShiroFormAuthenticationFilter());
        shiroFilterFactoryBean.setFilters(filtsMap);
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }
}
```

From here, you can handle the response however your own requirements dictate.
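As an added example (not code from the original post), here is a variant of the filter above that recognises API callers by standard headers instead of an ad-hoc test/wkcheck header, answers them with a 401 JSON body, and only emits CORS headers for origins on an allowlist rather than reflecting whatever Origin the request carries. The class name, the package-less layout and the origin https://app.example.com are assumptions; Set.of needs Java 9 or later.

```java
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical filter: 401 JSON for API clients, redirect only for classic browser navigation. */
public class ApiAuthcFilter extends FormAuthenticationFilter {
    // Assumed front-end origins; Origin is checked against this list, never reflected blindly
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest req = WebUtils.toHttp(request);
        HttpServletResponse resp = WebUtils.toHttp(response);
        if (isLoginRequest(request, response)) {
            return super.onAccessDenied(request, response); // login page/submission stays with Shiro
        }
        if ("OPTIONS".equalsIgnoreCase(req.getMethod())) {
            resp.setStatus(HttpServletResponse.SC_OK);      // preflight carries no session; let it pass
            return true;
        }
        if (isApiClient(req)) {
            applyCors(req, resp);
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("application/json;charset=UTF-8");
            resp.getWriter().write("{\"resultCode\":1000,\"message\":\"login expired\"}");
            return false;
        }
        saveRequestAndRedirectToLogin(request, response);   // page navigation keeps the 302
        return false;
    }

    // Recognise XHR/fetch callers by standard headers instead of a custom marker header
    private boolean isApiClient(HttpServletRequest req) {
        String accept = req.getHeader("Accept");
        return "XMLHttpRequest".equals(req.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json"));
    }

    private void applyCors(HttpServletRequest req, HttpServletResponse resp) {
        String origin = req.getHeader("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            resp.setHeader("Access-Control-Allow-Origin", origin);
            resp.setHeader("Access-Control-Allow-Credentials", "true");
            resp.addHeader("Vary", "Origin");              // keep caches from mixing per-origin answers
        }
    }
}
```

Register it under the "authc" key exactly as the configuration above does with ShiroFormAuthenticationFilter.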

On the problem of Shiro always returning 302

In my case the cause was using authc: the onAccessDenied method in FormAuthenticationFilter, the filter that authc maps to, always returns false, so accessing the URL kept going round in redirects. Solution: override onAccessDenied and inject it into shiroFilter.

The Shiro configuration file is attached:

```ini
/login.html=anon
/js/**=anon
/templates/**=anon
/assets/**=anon
/css/**=anon
/index.do=authc
/user/login.do=anon
/**=authc
```

Override the onAccessDenied method:

```java
package com.jd.risk.giasys.service.realm.filter;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Created by jianghaisong on 2017/12/17.
 */
public class MyFilter extends FormAuthenticationFilter {

    private Logger log = LoggerFactory.getLogger(MyFilter.class);

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // Override with your own business logic. The original left this body empty; the minimal
        // completion below keeps Shiro's handling for login requests and answers every other
        // unauthenticated request with 401 instead of the redirect.
        if (isLoginRequest(request, response)) {
            return super.onAccessDenied(request, response);
        }
        log.debug("Unauthenticated request, answering 401 instead of redirecting to {}", getLoginUrl());
        ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}
```

