Fixing a problem I ran into with Shiro:
nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous:
I searched online first; what I found seemed reasonable at the time, but after going through the source code the actual meaning turned out to be completely different.
Conclusion first:
This error is thrown before the permission check itself runs. Before checking a permission, Shiro first checks whether the current Subject has any identifying principals, i.e. the user identity that is loaded from the login session after a successful login (or restored by "Remember Me"). If the Subject has no principals, it throws this exception. In other words: the user is not logged in, or the login session has expired, and they called an interface whose permission check stopped them.
In our project the situation was this: the interface was on the whitelist (no login required to call it), but the handler method also carried a @RequiresPermissions() annotation. The whitelist let the anonymous request through to the handler, the annotation check then ran against an anonymous Subject, and that is what threw the error.
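Here is what that misconfiguration looks like next to the fix. This is an added example, not code from the original post or from Shiro itself: it assumes Spring Boot with shiro-spring (DefaultShiroFilterChainDefinition), and the path /api/report/**, the permission string report:read and the ReportController class are made up for illustration.

```java
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (not from the post or from Shiro). Paths, permission strings and
// the controller below are assumptions chosen to illustrate the misconfiguration.
@Configuration
public class ShiroChainConfig {

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        // Shiro evaluates chain definitions in order; the first matching path wins.
        chain.addPathDefinition("/login", "anon");

        // BROKEN (what the post describes): the path is whitelisted, so the filter
        // chain passes an unauthenticated request straight to the handler. The
        // @RequiresPermissions advisor then calls subject.checkPermission(...) on a
        // Subject with no principals, and assertAuthzCheckPossible() throws
        // UnauthenticatedException: "This subject is anonymous".
        // chain.addPathDefinition("/api/report/**", "anon");

        // FIX: an endpoint that demands a permission cannot be public. Require
        // authentication on the path so the filter rejects anonymous callers
        // before the handler (and its annotation) is ever reached.
        chain.addPathDefinition("/api/report/**", "authc");

        chain.addPathDefinition("/**", "authc");
        return chain;
    }
}

@RestController
class ReportController {

    // The annotation is a second line of defence behind the filter chain, and the
    // two must agree: keep it only on paths the chain does not mark "anon".
    @GetMapping("/api/report/summary")
    @RequiresPermissions("report:read")
    public String summary() {
        return "report summary";
    }
}
```

Two caveats. If the endpoint really is meant to be public, the correct fix is the other way round: drop the @RequiresPermissions annotation rather than taking the path off the whitelist. And for a JSON API, "authc" maps to Shiro's FormAuthenticationFilter, which answers an anonymous request with a redirect to the login URL; projects that want a plain 401 usually register their own authentication filter under a different name and use that in the chain instead. Either way the request was never actually served with the broken configuration; the annotation denied it, just with a confusing exception instead of a clean 401.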
Source (org.apache.shiro.subject.support.DelegatingSubject):

    public void checkPermission(String permission) throws AuthorizationException {
        assertAuthzCheckPossible();   // the Subject's principals (its session-backed identity) are checked here first
        securityManager.checkPermission(getPrincipals(), permission);   // only then does the actual permission check run
    }

    protected void assertAuthzCheckPossible() throws AuthorizationException {
        if (!hasPrincipals()) {   // no identifying principals: not logged in, session expired, or logged out
            String msg = "This subject is anonymous - it does not have any identifying principals and " +
                    "authorization operations require an identity to check against. A Subject instance will " +
                    "acquire these identifying principals automatically after a successful login is performed " +
                    "be executing " + Subject.class.getName() + ".login(AuthenticationToken) or when 'Remember Me' " +
                    "functionality is enabled by the SecurityManager. This exception can also occur when a " +
                    "previously logged-in Subject has logged out which " +
                    "makes it anonymous again. Because an identity is currently not known due to any of these " +
                    "conditions, authorization is denied.";
            throw new UnauthenticatedException(msg);
        }
    }
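To see the two branches above in action, here is a stand-alone shiro-core program that walks one Subject through the three states the exception message lists: anonymous, logged in, and logged out again. This is an added example, not code from the original post or from Shiro; the in-memory realm, the user "alice", the role "viewer" and the permission strings report:read and report:delete are constructed for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

// Added example (not from the post or from Shiro). Users, roles and permission
// names are constructed for illustration only.
public class AnonymousSubjectDemo {

    static final String READ = "report:read";
    static final String DELETE = "report:delete";

    public static void main(String[] args) {
        // Constructed in-memory realm: alice has the "viewer" role, which grants report:read only.
        Ini ini = new Ini();
        ini.setSectionProperty("users", "alice", "secret, viewer");
        ini.setSectionProperty("roles", "viewer", READ);
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();

        // 1) Anonymous: hasPrincipals() is false, so assertAuthzCheckPossible() throws
        //    before any permission lookup happens. This is the exception from the post.
        System.out.println("anonymous  -> " + check(subject, READ));

        // 2) Logged in: principals exist, so the check reaches the SecurityManager and the realm.
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("logged in  -> " + check(subject, READ));    // granted
        System.out.println("logged in  -> " + check(subject, DELETE));  // UnauthorizedException

        // 3) Logged out: principals are cleared, so the Subject is anonymous again.
        subject.logout();
        System.out.println("logged out -> " + check(subject, READ));
    }

    /** Runs checkPermission and names the outcome instead of letting the exception propagate. */
    static String check(Subject subject, String permission) {
        try {
            subject.checkPermission(permission);
            return "granted " + permission;
        } catch (UnauthenticatedException e) {
            // Thrown by assertAuthzCheckPossible(): identity unknown (401-style outcome).
            return "UnauthenticatedException (no identity) for " + permission;
        } catch (UnauthorizedException e) {
            // Thrown by the SecurityManager/realm: identity known but permission missing (403-style outcome).
            return "UnauthorizedException (not permitted) for " + permission;
        }
    }
}
```

The distinction between the two exceptions is what matters when you map them to HTTP responses: UnauthenticatedException means "we do not know who you are" and should become a 401 (or a redirect to login), while UnauthorizedException means "we know who you are and you may not do this" and should become a 403. Mapping both to a generic 500, which is what an unhandled exception from the annotation advisor produces, hides the difference and makes misconfigurations like the whitelist case hard to spot.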