前言
1、基于springboot前后端分离项目,基于shiro做权限校验
2、多个realm:1)userRealm:校验登陆验证码; 2) OauthRealm:校验登陆后请求token
3、springboot版本 2.1.1 shiro版本 1.3.2
4、急着处理问题的可以直接看最下面解决的 O(∩_∩)O~
问题描述
Realm自定义自定义的异常无法正常捕获,均捕获为“AuthenticationException”(原来只有一个realm是正常的)
具体代码如下截图
登陆时候按多种情况抛出异常(下面为userRealm方法)
controller层方法捕获异常返回登陆用户信息(下图)
问题分析
1、查看类集成关系,自定义的异常均属于"AuthenticationException"的子类(好像跟问题没关系。。)
2、通过单步调试找到 "ModularRealmAuthenticator"类源码,单个和多个realm方法执行不同(具体代码自行查看)
多个realm遍历执行,并且执行结果及异常放到(aggregate)中再处理返回的
其实关键点就是这个try catch 异常不是直接返回,而是最后在afterAllAttempts中判断的aggregate的内容又new了一个AuthenticationException:
解决方案
既然问题的try catch 那么索引就把try catch去掉了不就行啦,异常就直接往上抛了啊。
import java.util.Collection;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/***
* 自定义重写ModularRealmAuthenticator类,用与处理多realm的自定义异常捕获问题
* @date 2020-3-11
* @author chenzh
*/
public class CustomModularRealmAuthenticator extends ModularRealmAuthenticator {
private static final Logger log = LoggerFactory.getLogger(ModularRealmAuthenticator.class);
/**
* 重写多realm校验方法,避免无法捕获到realm中的自定义异常
* 取消执行代码 realm.getAuthenticationInfo(token); 的tey catch
* 多个realm时候,如果其中一个realm抛出异常则直接抛出异常,类似single方法,
* @param realms
* @param token
* @return
*/
@Override
protected AuthenticationInfo doMultiRealmAuthentication(Collection<Realm> realms, AuthenticationToken token) {
AuthenticationStrategy strategy = getAuthenticationStrategy();
AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);
if (log.isTraceEnabled()) {
log.trace("Iterating through {} realms for PAM authentication", realms.size());
}
for (Realm realm : realms) {
aggregate = strategy.beforeAttempt(realm, token, aggregate);
if (realm.supports(token)) {
log.trace("Attempting to authenticate token [{}] using realm [{}]", token, realm);
AuthenticationInfo info = null;
Throwable t = null;
/*
* ---
* 此行代码执行取消try catch,若异常直接抛出,其他同原方法
* ---
* */
info = realm.getAuthenticationInfo(token);
aggregate = strategy.afterAttempt(realm, token, info, aggregate, t);
} else {
log.debug("Realm [{}] does not support token {}. Skipping realm.", realm, token);
}
}
aggregate = strategy.afterAllAttempts(token, aggregate);
return aggregate;
}
}
自定义的方法,要让shiro知道并拿来用。
/**
*shiro 相关配置
**/
@Configuration
public class ShiroConfig {
@Autowired
private ShiroConfigProperties shiroConfigProperties;
/**
* 自定义的 ModularRealmAuthenticator
**/
@Bean
public ModularRealmAuthenticator authenticator(){
ModularRealmAuthenticator authenticator = new CustomModularRealmAuthenticator();
return authenticator;
}
@Bean
public Oauth2Realm oauth2Realm(){
Oauth2Realm oauth2Realm = new Oauth2Realm();
oauth2Realm.setAuthenticationCachingEnabled(Boolean.FALSE);
oauth2Realm.setAuthorizationCachingEnabled(Boolean.FALSE);
oauth2Realm.setCachingEnabled(Boolean.FALSE);
return oauth2Realm;
}
@Bean
public UserRealm userRealm(){
UserRealm userRealm = new UserRealm();
userRealm.setAuthenticationCachingEnabled(Boolean.FALSE);
userRealm.setAuthorizationCachingEnabled(Boolean.FALSE);
return userRealm;
}
/*****此处省略10000+行代码 O(∩_∩)O ****/
@Bean
public DefaultWebSecurityManager securityManager(DefaultSessionManager sessionManager, DefaultWebSubjectFactory subjectFactory,
Oauth2Realm oauth2Realm, UserRealm userRealm,ModularRealmAuthenticator authenticator){
DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
securityManager.setSessionManager(sessionManager);
securityManager.setSubjectFactory(subjectFactory);
//设置自定义的 ModularRealmAuthenticator
securityManager.setAuthenticator(authenticator);
/*
* 禁用使用Sessions 作为存储策略的实现,但它没有完全地禁用Sessions
* 所以需要配合context.setSessionCreationEnabled(false);
*/
//Add.2.3
((DefaultSessionStorageEvaluator)((DefaultSubjectDAO)securityManager.getSubjectDAO()).getSessionStorageEvaluator()).setSessionStorageEnabled(false);
List<Realm> realms = new ArrayList<Realm>();
realms.add(userRealm);
realms.add(oauth2Realm);
securityManager.setRealms(realms);
return securityManager;
}
/*****此处省略10000+行代码 O(∩_∩)O ****/
}