去掉shiro登录时url里的JSESSIONID

最新推荐文章于 2022-07-29 19:17:30 发布

Mrs陶

最新推荐文章于 2022-07-29 19:17:30 发布

阅读量1k

点赞数

分类专栏： Shiro 文章标签： shiro url jsessionid

Shiro 专栏收录该内容

1 篇文章 0 订阅

订阅专栏

转载自：去掉shiro登录时url里的JSESSIONID

经过查找论坛和分析源码，确认了是在ShiroHttpServletResponse里加上的。

因此继承ShiroHttpServletResponse类，覆盖相应方法，再重写 ShiroFilterFactoryBean就可以把添加JSESSIONID部分去掉。

重写ShiroHttpServletResponse
Java代码


public class MyShiroHttpServletResponse extends ShiroHttpServletResponse {
    public MyShiroHttpServletResponse(HttpServletResponse wrapped,ServletContext context, ShiroHttpServletRequest request) {
        super(wrapped, context, request);
    }  
    @Override
    protected String toEncoded(String url, String sessionId) {
        if ((url == null) || (sessionId == null))
            return (url);
        String path = url;
        String query = "";
        String anchor = "";
        int question = url.indexOf('?');
        if (question >= 0) {
            path = url.substring(0, question);
            query = url.substring(question);
        }
        int pound = path.indexOf('#');
        if (pound >= 0) {
            anchor = path.substring(pound);
            path = path.substring(0, pound);
        }
        StringBuilder sb = new StringBuilder(path);
        //重写toEncoded方法，注释掉这几行代码就不会再生成JESSIONID了。
//        if (sb.length() > 0) { // session id param can't be first.
//            sb.append(";");
//            sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
//            sb.append("=");
//            sb.append(sessionId);
//        }
        sb.append(anchor);
        sb.append(query);
        return (sb.toString());
    }
}
 
 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
 
 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

2.扩展ShiroFilterFactoryBean, 使用新建的MyShiroHttpServletResponse。

Java代码

public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean { 

    @Override  
      public Class getObjectType() {  
        return MySpringShiroFilter.class;  
      } 

    @Override
    protected AbstractShiroFilter createInstance() throws Exception {

        SecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            String msg = "SecurityManager property must be set.";
            throw new BeanInitializationException(msg);
        }

        if (!(securityManager instanceof WebSecurityManager)) {
            String msg = "The security manager does not implement the WebSecurityManager interface.";
            throw new BeanInitializationException(msg);
        }
        FilterChainManager manager = createFilterChainManager();

        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
        chainResolver.setFilterChainManager(manager);

        return new MySpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
    }

    //主要需要重写MySpringShiroFilter 里面wrapServletResponse方法，返回自定义Response
    private static final class MySpringShiroFilter extends AbstractShiroFilter {  

        protected MySpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {  
          super();  
          if (webSecurityManager == null) {  
            throw new IllegalArgumentException("WebSecurityManager property cannot be null.");  
          }  
          setSecurityManager(webSecurityManager);  
          if (resolver != null) {  
            setFilterChainResolver(resolver);  
          }  
        }  

        @Override  
        protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) {  
          return new MyShiroHttpServletResponse(orig, getServletContext(), request);  
        }  
    }
}
 
 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

3.在shiro相关配置里替换成自己的MyShiroFilterFactoryBean（嗯，我是shiro和spring组合用的)

    <!-- Shiro的Web过滤器 -->
    <bean id="shiroFilter" class="com.jsnr.aws.web.shiro.spring.MyShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
         <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

 .....  
 </bean>

如果你的shiro版本在1.3.2版本以上这个BUG已经解决只需要在配置文件如下配置中添加红色部分

<!-- 会话管理器 -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionIdUrlRewritingEnabled" value="false" />
<!-- 验证会话时会话的过期时间(毫秒) -->
<property name="globalSessionTimeout" value="3600000" />
<property name="sessionFactory" ref="sessionFactory" />
<property name="sessionValidationScheduler" ref="redisValidationScheduler" />
<property name="sessionDAO" ref="sessionDAO" />
<property name="sessionIdCookie" ref="sessionIdCookie" />
<property name="sessionListeners">
<list>
<ref bean="redisSessionListener" />
</list>
</property>
</bean>