springBoot前后端分离项目中shiro的302跳转问题

springBoot前后端分离项目中shiro的302跳转问题

springBoot前后端分离项目shiro的302跳转

项目是使用的springboot ,使用的shiro做的用户鉴权。在前端请求时当用户信息失效，session失效的时候，shiro会重定向到配置的login.jsp 页面，或者是自己配置的logUrl。

因是前后端分离项目，与静态资源文件分离，固重定向后，接着会404。

经过查找网上配置资料，发现302原因是

FormAuthenticationFilter中onAccessDenied 方法做了相应处理。那知道问题所在，就可以有解决方了。

重写 onAccessDenied 方法，针对自己的业务做相应处理，然后在加载过滤器配置的时候添加到配置中。

以下是代码

增加类ShiroFormAuthenticationFilter 重新方法

package com.oilpay.wallet.shiro;

import com.alibaba.fastjson.JSONObject;

import com.oilpay.wallet.interceptor.TokenInterceptor;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.http.HttpStatus;

import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import java.io.PrintWriter;

/**

*

* 重写权限验证问题，登录失效后返回状态码

*

*/

public class ShiroFormAuthenticationFilter extends FormAuthenticationFilter {

Logger logger = LoggerFactory.getLogger(TokenInterceptor.class);

@Override

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {

if (isLoginRequest(request, response)) {

if (isLoginSubmission(request, response)) {

if (logger.isTraceEnabled()) {

logger.trace("Login submission detected. Attempting to execute login.");

}

return executeLogin(request, response);

} else {

if (logger.isTraceEnabled()) {

logger.trace("Login page view.");

}

//allow them to see the login page ;)

return true;

}

} else {

HttpServletRequest req = (HttpServletRequest)request;

HttpServletResponse resp = (HttpServletResponse) response;

if(req.getMethod().equals(RequestMethod.OPTIONS.name())) {

resp.setStatus(HttpStatus.OK.value());

return true;

}

if (logger.isTraceEnabled()) {

logger.trace("Attempting to access a path which requires authentication. Forwarding to the " +

"Authentication url [" + getLoginUrl() + "]");

}

//前端Ajax请求时requestHeader里面带一些参数，用于判断是否是前端的请求

String test= req.getHeader("test");

if (test!= null || req.getHeader("wkcheck") != null) {

//前端Ajax请求，则不会重定向

resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));

resp.setHeader("Access-Control-Allow-Credentials", "true");

resp.setContentType("application/json; charset=utf-8");

resp.setCharacterEncoding("UTF-8");

PrintWriter out = resp.getWriter();

JSONObject result = new JSONObject();

result.put("message", "登录失效");

result.put("resultCode", 1000);

out.println(result);

out.flush();

out.close();

} else {

saveRequestAndRedirectToLogin(request, response);

}

return false;

}

}

}

在过滤器配置中添加

@Bean(name="shiroFilter")

public ShiroFilterFactoryBean shiroFilter(@Qualifier("securityManager") SecurityManager manager) {

ShiroFilterFactoryBean shiroFilterFactoryBean=new ShiroFilterFactoryBean();

shiroFilterFactoryBean.setSecurityManager(manager);

//配置访问权限

LinkedHashMap filterChainDefinitionMap=new LinkedHashMap();

filterChainDefinitionMap.put("/common/logout", "logout");

filterChainDefinitionMap.put("/","anon");

filterChainDefinitionMap.put("/common/login","anon");

filterChainDefinitionMap.put("/common/*","anon");

filterChainDefinitionMap.put("/imageVerifyCode/getCode", "anon");

filterChainDefinitionMap.put("/sendVerifyCode/register", "anon");

filterChainDefinitionMap.put("/sendVerifyCode/resetLoginPwd", "anon");

filterChainDefinitionMap.put("/**", "authc"); //表示需要认证才可以访问

LinkedHashMap filtsMap=new LinkedHashMap();

filtsMap.put("authc",new ShiroFormAuthenticationFilter() );

shiroFilterFactoryBean.setFilters(filtsMap);

shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

return shiroFilterFactoryBean;

}

至此，可以按照自己的需求做相应处理。

关于shiro 总是302的问题

我的原因是使用了authc，由于autuc对应的过滤器FormAuthenticationFilter中onAccessDenied方法返回的值都为false，所以访问url时会一直进行循环重定向，解决方案：重写onAccessDenied方法，并注入到shiroFiter中。

附上shiro配置文件

/login.html=anon

/js/**=anon

/templates/**=anon

/assets/**=anon

/css/**=anon

/index.do=authc

/user/login.do=anon

/**=authc

重写onAccessDenied方法

package com.jd.risk.giasys.service.realm.filter;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

/**

* Created by jianghaisong on 2017/12/17.

*/

public class MyFilter extends FormAuthenticationFilter{

private Logger log = LoggerFactory.getLogger(MyFilter.class);

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {

//进行重写,业务逻辑

}

}

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。