nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous

Solving a problem found in Shiro:


nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous:

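I searched online, and at first what I found seemed fairly reasonable, but then I went through the source code and found that the meaning was completely different.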


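The conclusion first:

This error is raised before the permission check. Before checking permissions, Shiro first looks up the login session for the user; if none is found, it raises this error. In other words: the user's login state has expired, or the user is not logged in, and an endpoint was called, but the endpoint's permission check intercepted the call.

The scenario in our project was this: the endpoint had been added to the whitelist, meaning it can be called without logging in, but the @RequiresPermissions() annotation had also been put on the endpoint, so the error was raised.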


Source code:

public void checkPermission(String permission) throws AuthorizationException {
    assertAuthzCheckPossible(); // the session lookup is done here
    securityManager.checkPermission(getPrincipals(), permission); // the permission check is done here
}

protected void assertAuthzCheckPossible() throws AuthorizationException {
    if (!hasPrincipals()) { // this is where the user's information is fetched
        String msg = "This subject is anonymous - it does not have any identifying principals and " +
                "authorization operations require an identity to check against.  A Subject instance will " +
                "acquire these identifying principals automatically after a successful login is performed " +
                "be executing " + Subject.class.getName() + ".login(AuthenticationToken) or when 'Remember Me' " +
                "functionality is enabled by the SecurityManager.  This exception can also occur when a " +
                "previously logged-in Subject has logged out which " +
                "makes it anonymous again.  Because an identity is currently not known due to any of these " +
                "conditions, authorization is denied.";
        throw new UnauthenticatedException(msg);
    }
}
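The behaviour described above can be reproduced outside a web application. The following is an added example, not code from the original post or from the Shiro project: it runs the same checkPermission call for an anonymous subject, a logged-in subject without the permission, and a logged-in subject with it. The anonymous call fails with UnauthenticatedException before any permission is evaluated, while the logged-in subject without the permission gets UnauthorizedException. The class name, accounts, passwords and the report:view permission are constructed for illustration.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AnonymousPermissionCheckDemo {
    // Constructed sample accounts: alice holds report:view, bob holds no permission.
    private static final String INI =
            "[users]\n" +
            "alice = alice-pass, reader\n" +
            "bob = bob-pass\n" +
            "[roles]\n" +
            "reader = report:view\n";

    // Returns "allowed" or the simple name of the AuthorizationException subclass thrown.
    static String check(Subject subject, String permission) {
        try {
            subject.checkPermission(permission);
            return "allowed";
        } catch (AuthorizationException e) {
            return e.getClass().getSimpleName();
        }
    }

    static Subject loggedIn(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));

        // No login: this is the state of a request that reached a whitelisted endpoint.
        Subject anonymous = new Subject.Builder(sm).buildSubject();
        System.out.println("anonymous: " + check(anonymous, "report:view"));
        // Logged in, but lacking the permission.
        System.out.println("bob:       " + check(loggedIn(sm, "bob", "bob-pass"), "report:view"));
        // Logged in and holding the permission.
        System.out.println("alice:     " + check(loggedIn(sm, "alice", "alice-pass"), "report:view"));
    }
}
```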

