1.shiro 权限注解(@RequiresPermissions / @RequiresRoles)不生效
//权限注解
@RequiresPermissions()
//角色权限注解
@RequiresRoles()
2.登录成功之后,Shiro 默认从 cookie 中读取 sessionId;前后端分离时前端往往不能依赖 cookie,因此需要继承 DefaultWebSessionManager 重写 getSessionId 方法,从请求头中读取 sessionId,并把该类注册为 Bean 关联到 securityManager。注意:放在请求头里的 sessionId 等同于一个 bearer 凭据,只应通过 HTTPS 传输,并且不要打印到日志。
package xxx.xxx.xxx.xxx;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.util.StringUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;
/**
* Description:shiro框架 自定义session获取方式
* 可自定义session获取规则。这里采用ajax请求头Authorization携带sessionId的方式
**/
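/**
 * Shiro session manager for a stateless (front-end / back-end split) deployment.
 *
 * The session id is read from the {@code Authorization} request header; when
 * the header is absent, the parent's cookie-based lookup is used instead.
 *
 * Security notes:
 * - The header value is attacker-controlled and is handed straight to the
 *   session store as a lookup key, so the session DAO must treat it as an
 *   opaque key (no key-prefix or pattern semantics) - TODO confirm against the DAO.
 * - A session id carried in a header is a bearer credential. It must never be
 *   written to stdout or logs; the debug prints that did so have been removed.
 */
public class MySessionManager extends DefaultWebSessionManager {
    private static final String AUTHORIZATION = "Authorization";
    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

    public MySessionManager() {
        super();
    }

    /**
     * Resolves the session id for the current request.
     *
     * @param request  the current servlet request (converted to HTTP to read headers)
     * @param response the current servlet response (only passed through to the parent)
     * @return the value of the Authorization header when present, otherwise whatever
     *         the parent resolves from the cookie (may be null)
     */
    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
        if (StringUtils.isEmpty(id)) {
            // No header: fall back to the parent's cookie-based lookup.
            // Deliberately not logged - the result is a session credential.
            return super.getSessionId(request, response);
        }
        // Header present: use its value as the session id and record on the request
        // where it came from. NOTE(review): the "is valid" flag is set before any
        // lookup happens (presumably mirroring the parent's cookie path); the
        // session DAO is still what rejects unknown ids - confirm.
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        return id;
    }
}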
需要把 sessionManager 注册为 Bean,并通过 setSessionManager 关联到 securityManager,否则自定义的 getSessionId 不会被使用:
@Bean
public SessionManager sessionManager() {
    // Expose the header-aware session manager as a Spring bean so the
    // security manager bean can be wired to it.
    SessionManager headerSessionManager = new MySessionManager();
    return headerSessionManager;
}
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("MyRealm") MyRealm myRealm) {
    // Assemble the web security manager from the realm (authentication /
    // authorization source) and the custom session manager.
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    manager.setRealm(myRealm);
    // NOTE(review): calling the @Bean method directly only yields the managed
    // singleton when this class is a proxied @Configuration class - confirm;
    // otherwise a second, unmanaged MySessionManager is created here.
    manager.setSessionManager(sessionManager());
    return manager;
}
3.添加拦截返回信息过滤器(前后端分离时,默认的 FormAuthenticationFilter 在未登录时会重定向到登录页,需要自定义拦截后返回的结果集,例如 JSON)
package xxx.xxx.xxx.xxx;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.json.JSONObject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;
/**
* 配置shiro自定义拦截响应类
*/
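/**
 * Authentication filter that answers unauthenticated requests with a JSON body
 * instead of redirecting to a login page (front-end / back-end split).
 */
public class MyFormAuthenticationFilter extends FormAuthenticationFilter {
    /**
     * Called when a request reaches a protected URL without an authenticated subject.
     * Writes a JSON error body and returns false so the filter chain stops here.
     *
     * @param request  the current request (not used beyond the Shiro contract)
     * @param response the response the JSON error is written into
     * @return always false - the request is denied and no further filters run
     * @throws Exception propagated from obtaining or writing the response writer
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Set the real HTTP status as well as the "401" in the body; without this
        // the response goes out with the container default (200) and clients,
        // proxies and API gateways treat the denial as a success.
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpServletResponse.setContentType("application/json; charset=utf-8");
        JSONObject json = new JSONObject();
        json.put("status", "401");
        json.put("msg", "非法访问,没有请求头的Token令牌!");
        // try-with-resources closes (and flushes) the writer even if println throws.
        try (PrintWriter out = httpServletResponse.getWriter()) {
            out.println(json);
            out.flush();
        }
        return false;
    }
}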
将该过滤器放入 ShiroFilterFactoryBean 的 filters map 中(也就是我们的 shiroconfig.java 配置类里)进行处理:
// Register the JSON-responding filter under the name "user".
// NOTE(review): "user" is presumably also the name of Shiro's built-in filter,
// so every filterChainDefinition entry that uses "user" now runs this class
// instead - confirm that is intended.
MyFormAuthenticationFilter jsonAuthcFilter = new MyFormAuthenticationFilter();
map.put("user", jsonAuthcFilter);