This subject is anonymous - it does not have any identifying principals and authorization operations

大家好,我是烤鸭:

    最近使用shiro,遇到如下问题:

严重: Servlet.service() for servlet [dispatcherServlet] in context with path [/etc] threw exception [Request processing failed; nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against.  A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager.  This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again.  Because an identity is currently not known due to any of these conditions, authorization is denied.] with root cause

 

1.    场景介绍

    项目是前后端分离的,接口用postman自测的时候是没有问题的。但是前端登录后访问有权限限制的接口会报错。

    前端是 react 项目,后端是 springboot 项目。

 

2.    原因猜想

    可能是前端每次请求并没有携带cookie。由于前端项目本地启动请求后端项目需要使用代理。

    默认访问的域名应该是localhost:3000

 

3.   解决方式

   如果前端联调的是测试环境,建议将前端项目也部署测试环境,并且和后端项目部署在同一个域名下(nginx配置一下就可以了)。这种就不存在跨域和携带cookie的问题了。

   如果前端联调的是开发同学的本地环境。需要前后端都做一些修改。

前端:

     fetch请求默认不携带cookie

增加

credentials: "include"   

            var myHeaders = new Headers();
            fetch(url, {
              method: 'GET',
              headers: myHeaders,
              credentials: "include"
            })

withCredentials: true

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

后端:

    如果是和本地联调,肯定存在跨域问题。需要设置  Access-Control-Allow-Origin 为指定ip,不能设置为 *

    浏览器的安全角度 如果设置 为 * ,是不能携带cookie的。

    本例中如下设置。(Access-Control-Allow-Origin 设置 为 localhost:3000)

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    private CorsConfiguration buildConfig() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedHeader("*"); // 允许任何头
        corsConfiguration.addAllowedOrigin("localhost:3000"); // 允许任何头
        corsConfiguration.addAllowedMethod("*"); // 允许任何方法(post、get等)
        return corsConfiguration;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", buildConfig()); // 对接口配置跨域设置
        return new CorsFilter(source);
    }

}
@Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        //每一次的请求先校验cookie
        HttpServletRequest reqeust = (HttpServletRequest)req;
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "localhost:3000");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        chain.doFilter(req, res);
    }

总结:

    最开始前端说后端接口访问不同,想到是shiro的问题,但是第一时间并没有想到cookie的问题。 

    找到问题比较慢,解决问题也是。最好的方式就是都部署到测试环境,避免跨域的问题出现就好了。


 

展开阅读全文

没有更多推荐了,返回首页