SpringBoot中shiro过滤器的重写与配置详解

网友投稿 1598 2022-10-09

SpringBoot中shiro过滤器的重写与配置详解

SpringBoot中shiro过滤器的重写与配置详解

目录问题解决方案实现代码1.重写shiro 登录 过滤器2.重写role权限 过滤器3.配置过滤器

问题

遇到问题:在前后端分离跨域访问的项目中shiro进行权限拦截失效 (即使有正确权限的访问也会被拦截) 时造成302重定向错误等问题报错:Response for preflight is invalid (redirect)

1.302原因:使用ajax访问后端项目时无法识别重定向操作

2.shiro拦截失效原因:跨域访问时有一种带预检访问的跨域,即访问时先发出一条methods为OPTIONS的的访问,这种访问不带cookie等信息。造成shiro误判断为无权限访问。

3.一般使用的访问methods都是:get,post,put,delete

解决方案

1.让shiro不对预检访问拦截

2. 改变shiro中无权限,未登录拦截的重定向,这就需要重写几个过滤器

3. 将重写的过滤器进行配置

实现代码

1.重写shiro 登录 过滤器

过滤器运行机制:

(1)shiro是否拦截访问 以 isAccessAllowed返回值为准

(2)如果isAccessAllowed 方法返回false会进入onAccessDenied方法重定向至 登录 or 无权限 页面

package com.yaoxx.base.shiro;

import java.io.PrintWriter;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import org.apache.shiro.web.util.WebUtils;

import org.springframework.http.HttpStatus;

/**

*

* @version: 1.0

* @since: JDK 1.8.0_91

* @Description:

* 未登录过滤器,重写方法为【跨域的预检访问】放行

*/

public class MyAuthenticationFilter extends FormAuthenticationFilter {

@Override

protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {

boolean allowed = super.isAccessAllowed(request, response, mappedValue);

if (!allowed) {

// 判断请求是否是options请求

String method = WebUtils.toHttp(request).getMethod();

if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {

return true;

}

}

return allowed;

}

@Override

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {

if (isLoginRequest(request, response)) { // 判断是否登录

if (isLoginSubmission(request, response)) { // 判断是否为post访问

return executeLogin(request, response);

} else {

// sessionID已经注册,但是并没有使用post方式提交

return true;

}

} else {

HttpServletRequest req = (HttpServletRequest) request;

HttpServletResponse resp = (HttpServletResponse) response;

/*

* 跨域访问有时会先发起一条不带token,不带cookie的访问。

* 这就需要我们抓取这条访问,然后给他通过,否则只要是跨域的访问都会因为未登录或缺少权限而被拦截

* (如果重写了isAccessAllowed,就无需下面的判断)

*/

// if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {

// resp.setStatus(HttpStatus.OK.value());

// return true;

// }

/*

* 跨域的第二次请求就是普通情况的request了,在这对他进行拦截

*/

String ajaxHeader = req.getHeader(CustomSessionManager.AUTHORIZATION);

if (StringUtils.isNotBlank(ajaxHeader)) {

// 前端Ajax请求,则不会重定向

resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));

resp.setHeader("Access-Control-Allow-Credentials", "true");

resp.setContentType("application/json; charset=utf-8");

resp.setCharacterEncoding("UTF-8");

resp.setStatus(HttpStatus.UNAUTHORIZED.value());//设置未登录状态码

PrintWriter out = resp.getWriter();

// Map result = new HashMap<>();

// result.put("MESSAGE", "未登录用户");

String result = "{"MESSAGE":"未登录用户"}";

out.println(result);

out.flush();

out.close();

} else {

// == 如果是普通访问重定向至shiro配置的登录页面 == //

saveRequestAndRedirectToLogin(request, response);

}

}

return false;

}

}

2.重写role权限 过滤器

package com.yaoxx.base.shiro;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;

import org.apache.shiro.web.util.WebUtils;

import org.springframework.http.HttpStatus;

import org.springframework.web.bind.annotation.RequestMethod;

/**

*

* @author: yao_x_x

* @since: JDK 1.8.0_91

* @Description: role的过滤器

*/

public class MyAuthorizationFilter extends RolesAuthorizationFilter {

@Override

public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)

throws IOException {

boolean allowed =super.isAccessAllowed(request, response, mappedValue);

if (!allowed) {

String method = WebUtils.toHttp(request).getMethod();

if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {

return true;

}

}

return allowed;

}

@Override

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {

HttpServletRequest req = (HttpServletRequest) request;

HttpServletResponse resp = (HttpServletResponse) response;

if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {

resp.setStatus(HttpStatus.OK.value());

return true;

}

// 前端Ajax请求时requestHeader里面带一些参数,用于判断是否是前端的请求

String ajaxHeader = req.getHeader(CustomSessionManager.AUTHORIZATION);

if (StringUtils.isNotBlank(ajaxHeader)) {

// 前端Ajax请求,则不会重定向

resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));

resp.setHeader("Access-Control-Allow-Credentials", "true");

resp.setContentType("application/json; charset=utf-8");

resp.setCharacterEncoding("UTF-8");

http://PrintWriter out = resp.getWriter();

String result = "{"MESSAGE":"角色,权限不足"}";

out.println(result);

out.flush();

out.close();

return false;

}

return super.onAccessDenied(request, response);

}

}

3.配置过滤器

@Configuration

public class ShiroConfiguration {

@Autowired

private RoleService roleService;

@Autowired

private PermissionService permissionService;

@Bean("shiroFilter")

public ShiroFilterFactoryBean shiroFilter(@Qualifier("securityManager")SecurityManager manager) {

ShiroFilterFactoryBean bean = new ShiroFilhttp://terFactoryBean();

bean.setSecurityManager(manager);

/* 自定义filter注册 */

Map filters = bean.getFilters();

filters.put("authc", new MyAuthenticationFilter());

filters.put("roles", new MyAuthorizationFilter());

Map filterChainDefinitionMap =new LinkedHashMap<>();

filterChainDefinitionMap.put("/login", "anon");

// filterChainDefinitionMap.put("/*", "authc");

// filterChainDefinitionMap.put("/admin", "authc,roles[ADMIN]");

bean.setFilterChainDefinitionMap(filterChainDefinitionMap);

return bean;

}

以上就是SpringBoot中shiro过滤器的重写与配置详解的详细内容,更多关于SpringBoot shiro过滤器重写配置的资料请关注我们其它相关文章!

版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

上一篇:How can we find out the truth
下一篇:WeChat_ayibang 微信小程序仿阿姨帮
相关文章

 发表评论

暂时没有评论,来抢沙发吧~