SpringBoot中shiro过滤器重写与配置的方法
短信预约 -IT技能 免费直播动态提醒
本篇内容介绍了“SpringBoot中shiro过滤器重写与配置的方法”的有关知识,在实际案例的操作过程中,不少人都会遇到这样的困境,接下来就让小编带领大家学习一下如何处理这些情况吧!希望大家仔细阅读,能够学有所成!
问题
遇到问题:在前后端分离跨域访问的项目中shiro进行权限拦截失效 (即使有正确权限的访问也会被拦截) 时造成302重定向错误等问题
报错:Response for preflight is invalid (redirect)
302原因:使用ajax访问后端项目时无法识别重定向操作
shiro拦截失效原因:跨域访问时有一种带预检访问的跨域,即访问时先发出一条methods为OPTIONS的的访问,这种访问不带cookie等信息。造成shiro误判断为无权限访问。
一般使用的访问methods都是:get,post,put,delete
解决方案
让shiro不对预检访问拦截
改变shiro中无权限,未登录拦截的重定向,这就需要重写几个过滤器
将重写的过滤器进行配置
实现代码
1.重写shiro 登录 过滤器
过滤器运行机制:
(1)shiro是否拦截访问 以 isAccessAllowed返回值为准
(2)如果isAccessAllowed 方法返回false会进入onAccessDenied方法重定向至 登录 or 无权限 页面
package com.yaoxx.base.shiro;import java.io.PrintWriter;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.commons.lang3.StringUtils;import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;import org.apache.shiro.web.util.WebUtils;import org.springframework.http.HttpStatus;public class MyAuthenticationFilter extends FormAuthenticationFilter { @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { boolean allowed = super.isAccessAllowed(request, response, mappedValue); if (!allowed) { // 判断请求是否是options请求 String method = WebUtils.toHttp(request).getMethod(); if (StringUtils.equalsIgnoreCase("OPTIONS", method)) { return true; } } return allowed; } @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { if (isLoginRequest(request, response)) { // 判断是否登录 if (isLoginSubmission(request, response)) { // 判断是否为post访问 return executeLogin(request, response); } else { // sessionID已经注册,但是并没有使用post方式提交 return true; } } else { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; //if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {//resp.setStatus(HttpStatus.OK.value());//return true;//} String ajaxHeader = req.getHeader(CustomSessionManager.AUTHORIZATION); if (StringUtils.isNotBlank(ajaxHeader)) { // 前端Ajax请求,则不会重定向 resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin")); resp.setHeader("Access-Control-Allow-Credentials", "true"); resp.setContentType("application/json; charset=utf-8"); resp.setCharacterEncoding("UTF-8"); resp.setStatus(HttpStatus.UNAUTHORIZED.value());//设置未登录状态码 PrintWriter out = resp.getWriter();//Map<String, String> result = new HashMap<>();//result.put("MESSAGE", "未登录用户"); String result = "{"MESSAGE":"未登录用户"}"; out.println(result); out.flush(); out.close(); } else { // == 如果是普通访问重定向至shiro配置的登录页面 == // saveRequestAndRedirectToLogin(request, response); } } return false; }}2.重写role权限 过滤器
package com.yaoxx.base.shiro;import java.io.IOException;import java.io.PrintWriter;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.commons.lang3.StringUtils;import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;import org.apache.shiro.web.util.WebUtils;import org.springframework.http.HttpStatus;import org.springframework.web.bind.annotation.RequestMethod;public class MyAuthorizationFilter extends RolesAuthorizationFilter { @Override public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException { boolean allowed =super.isAccessAllowed(request, response, mappedValue); if (!allowed) { String method = WebUtils.toHttp(request).getMethod(); if (StringUtils.equalsIgnoreCase("OPTIONS", method)) { return true; } } return allowed; } @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; if (req.getMethod().equals(RequestMethod.OPTIONS.name())) { resp.setStatus(HttpStatus.OK.value()); return true; } // 前端Ajax请求时requestHeader里面带一些参数,用于判断是否是前端的请求 String ajaxHeader = req.getHeader(CustomSessionManager.AUTHORIZATION); if (StringUtils.isNotBlank(ajaxHeader)) { // 前端Ajax请求,则不会重定向 resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin")); resp.setHeader("Access-Control-Allow-Credentials", "true"); resp.setContentType("application/json; charset=utf-8"); resp.setCharacterEncoding("UTF-8"); PrintWriter out = resp.getWriter(); String result = "{"MESSAGE":"角色,权限不足"}"; out.println(result); out.flush(); out.close(); return false; } return super.onAccessDenied(request, response); }}3.配置过滤器
@Configurationpublic class ShiroConfiguration {@Autowiredprivate RoleService roleService;@Autowiredprivate PermissionService permissionService;@Bean("shiroFilter")public ShiroFilterFactoryBean shiroFilter(@Qualifier("securityManager")SecurityManager manager) {ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();bean.setSecurityManager(manager);Map<String, Filter> filters = bean.getFilters(); filters.put("authc", new MyAuthenticationFilter());filters.put("roles", new MyAuthorizationFilter());Map<String, String> filterChainDefinitionMap =new LinkedHashMap<>();filterChainDefinitionMap.put("/login", "anon");//filterChainDefinitionMap.put("/*", "authc");//filterChainDefinitionMap.put("/admin", "authc,roles[ADMIN]");bean.setFilterChainDefinitionMap(filterChainDefinitionMap);return bean;}“SpringBoot中shiro过滤器重写与配置的方法”的内容就介绍到这里了,感谢大家的阅读。如果想了解更多行业相关的知识可以关注编程网网站,小编将为大家输出更多高质量的实用文章!
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
