The blog has moved to http://blog.gogl.top
Shiro distinguishes several states, among them guest, user and authenticated. guest is an anonymous visitor, authenticated is a user who has passed authentication, and user sits between the two. The user state does not mean the user has successfully authenticated: if the user selected rememberMe on the previous login, the next visit arrives in the user state. When rememberMe is selected at login, Shiro encrypts the principal (think of it as the username) and stores it in a cookie; on a later request Shiro decrypts that cookie to recover the principal. So in the user state, even though the user has not been authenticated, we can still obtain the username from the Subject. First, the code:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.ServletRequestUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// LOG, userService, User, TimeHelper, ShiroSecurityHelper and ShiroAuthorizationHelper are the
// post's own classes and are assumed to be available in the enclosing class.
public void autoLogin(HttpServletRequest request, HttpServletResponse response) {
    Subject subject = SecurityUtils.getSubject();
    if (subject.isRemembered()) {
        // Remembered only: the principal was recovered from the rememberMe cookie, no credential was checked
        String username = ShiroSecurityHelper.getCurrentUsername();
        LOG.info("用户【{}】自动登录----{}", username, TimeHelper.getCurrentTime());
        User user = userService.getByUsername(username);
        baseLogin(user, request, response);
        ShiroAuthorizationHelper.clearAuthorizationInfo(username); // auto-login: clear the cached authorization info so it is reloaded
    }
}

public void baseLogin(User user, HttpServletRequest request, HttpServletResponse response) {
    try {
        Subject subject = SecurityUtils.getSubject();
        if (subject.isAuthenticated()) {
            return;
        }
        // If the user is already logged in, kick that session out first
        ShiroSecurityHelper.kickOutUser(user.getUsername());
        boolean rememberMe = ServletRequestUtils.getBooleanParameter(request, "rememberMe", false);
        // Re-authenticates with the credential stored on the User object; this only succeeds if the
        // realm's credentials matcher accepts that stored value as-is
        UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword(), rememberMe);
        subject.login(token); // log in
    } catch (Exception e) {
        // exception handling goes here
    } finally {
        // The original referenced an undefined sessionUser; the method parameter is user
        ShiroAuthorizationHelper.clearAuthorizationInfo(user.getUsername());
    }
}
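To make the three states concrete, here is an added, self-contained example (not code from the original post) that classifies a Subject as guest, user or authenticated and gates a hypothetical sensitive action, mayChangePassword, on full authentication. The realm, the alice/secret account and the action itself are constructed for the demo; the remembered Subject is built with Subject.Builder, which yields the same principal-present-but-not-authenticated state that Shiro's rememberMe cookie produces.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Added example, not code from the original post. Classifies a Shiro Subject into
 * guest / user / authenticated and shows that a remembered identity is not enough
 * for a sensitive action. Realm, account and the action are constructed for the demo.
 */
public final class ShiroStateDemo {

    public enum State { GUEST, USER, AUTHENTICATED }

    /** guest: no principal; user: principal known but not authenticated this session; authenticated. */
    public static State classify(Subject subject) {
        if (subject.isAuthenticated()) {
            return State.AUTHENTICATED;
        }
        if (subject.isRemembered()) {
            return State.USER;
        }
        return State.GUEST;
    }

    /** The principal is available in both the user and the authenticated state, null for a guest. */
    public static String usernameOf(Subject subject) {
        Object principal = subject.getPrincipal();
        return principal == null ? null : principal.toString();
    }

    /** Hypothetical sensitive action: a remembered identity is not enough, a real login is required. */
    public static boolean mayChangePassword(Subject subject) {
        return classify(subject) == State.AUTHENTICATED;
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");          // constructed demo account
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // 1. guest: a fresh Subject with no principal at all
        Subject guest = new Subject.Builder(securityManager).buildSubject();
        report("guest", guest);

        // 2. user: principal present but authenticated=false, the state Shiro produces
        //    when the identity came from the rememberMe cookie rather than a credential check
        Subject remembered = new Subject.Builder(securityManager)
                .principals(new SimplePrincipalCollection("alice", realm.getName()))
                .authenticated(false)
                .buildSubject();
        report("remembered", remembered);

        // 3. authenticated: credentials verified by the realm in this session
        Subject authenticated = new Subject.Builder(securityManager).buildSubject();
        authenticated.login(new UsernamePasswordToken("alice", "secret"));
        report("authenticated", authenticated);
        authenticated.logout();
    }

    private static void report(String label, Subject subject) {
        System.out.printf("%-13s state=%-13s principal=%-5s mayChangePassword=%b%n",
                label, classify(subject), usernameOf(subject), mayChangePassword(subject));
    }
}
```

Running main prints GUEST with a null principal, USER with principal alice but mayChangePassword=false, and AUTHENTICATED with mayChangePassword=true. The point for the auto-login code above is that isRemembered() only proves the cookie decrypted to a principal; anything that should require a verified credential must check isAuthenticated(), not merely the presence of a username.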
ShiroAuthorizationHelper is in the article