To stop Shiro from appending ;JSESSIONID to the URL when it automatically redirects to the login page, I traced the problem step by step down to Shiro. According to the material I found, the sessionIdUrlRewritingEnabled setting has to be configured, but adding it had no effect.
What is more, I found that in the Shiro 1.7.1 version I was using, the initial value of sessionIdUrlRewritingEnabled is already false, so there is no need to set it at all:
```java
// Excerpt from Shiro 1.7.1: org.apache.shiro.web.session.mgt.DefaultWebSessionManager
public class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {

    private static final Logger log = LoggerFactory.getLogger(DefaultWebSessionManager.class);

    private Cookie sessionIdCookie;
    private boolean sessionIdCookieEnabled;
    private boolean sessionIdUrlRewritingEnabled;

    public DefaultWebSessionManager() {
        Cookie cookie = new SimpleCookie("JSESSIONID");
        cookie.setHttpOnly(true); // session cookie is not readable from script
        this.sessionIdCookie = cookie;
        this.sessionIdCookieEnabled = true;
        // URL rewriting of the session id is already disabled by default in 1.7.1
        this.sessionIdUrlRewritingEnabled = false;
    }
    // ... remainder of the class omitted
}
```
So where is the problem?
Further investigation showed that the project's sessionManager extends DefaultWebSessionManager and overrides getSessionId, mainly to customize how the session id is obtained. After reading the source of the original super.getSessionId, I found the code below. It shows that the sessionIdUrlRewritingEnabled setting is copied into the request as an attribute the first time the session id is read from the request, and later redirects decide whether to append JSESSIONID to the URL based on that attribute:
```java
// Excerpt from Shiro 1.7.1 DefaultWebSessionManager; called by super.getSessionId(request, response)
private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
    // 1. Prefer the session id carried in the cookie
    String id = this.getSessionIdCookieValue(request, response);
    if (id != null) {
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "cookie");
    } else {
        // 2. Fall back to a ;JSESSIONID=... path segment or a request parameter
        id = this.getUriPathSegmentParamValue(request, "JSESSIONID");
        if (id == null) {
            String name = this.getSessionIdName();
            id = request.getParameter(name);
            if (id == null) {
                id = request.getParameter(name.toLowerCase());
            }
        }
        if (id != null) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "url");
        }
    }
    if (id != null) {
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
    }
    // 3. Always record the rewriting flag; the redirect/URL-encoding path reads this attribute later
    request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, this.isSessionIdUrlRewritingEnabled());
    return id;
}
```
So the fix is as follows: the custom getSessionId method also sets these request attributes, so that the early-return path no longer leaves the rewriting flag unset:

```java
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
    String sid = request.getParameter("__sid");
    if (StringUtils.isNotBlank(sid)) {
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "url");
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, sid);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        // Do not append the session id to URLs (the manager's flag is false)
        request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, this.isSessionIdUrlRewritingEnabled());
        return sid;
    } else {
        return super.getSessionId(request, response);
    }
}
```
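An added unit test (not part of the original post) that checks the fix does what the analysis above predicts: after the custom getSessionId runs, the request carries SESSION_ID_URL_REWRITING_ENABLED set to false on both the `__sid` path and the fallback path. It assumes JUnit 5, Spring's MockHttpServletRequest/MockHttpServletResponse from spring-test, and that the project's subclass is named CustomWebSessionManager (a placeholder name).

```java
import static org.junit.jupiter.api.Assertions.*;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.WebSessionKey;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

class CustomWebSessionManagerTest {

    // CustomWebSessionManager is assumed to be the project's subclass that carries the
    // getSessionId override shown above; the class name is a placeholder.
    private final CustomWebSessionManager manager = new CustomWebSessionManager();

    @Test
    void urlRewritingIsOffByDefaultInShiro171() {
        // Shiro 1.7.1 initialises the flag to false, so no extra configuration is needed
        assertFalse(manager.isSessionIdUrlRewritingEnabled());
    }

    @Test
    void customSidPathPropagatesRewritingFlagToRequest() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/app/home");
        request.setParameter("__sid", "constructed-session-id-123"); // constructed sample value
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Public entry point; for a WebSessionKey without an id it delegates to the
        // protected getSessionId(request, response) that the project overrides
        Object id = manager.getSessionId(new WebSessionKey(request, response));

        assertEquals("constructed-session-id-123", id);
        assertEquals("url", request.getAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE));
        // This attribute is what the redirect / URL-encoding path consults later
        assertEquals(Boolean.FALSE,
                request.getAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED));
    }

    @Test
    void fallbackPathStillSetsRewritingFlag() {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/app/home");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // No __sid and no cookie: super.getSessionId finds nothing, but the
        // attribute is still stored by getReferencedSessionId (see above)
        assertNull(manager.getSessionId(new WebSessionKey(request, response)));
        assertEquals(Boolean.FALSE,
                request.getAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED));
    }
}
```

The second test is the one that fails against the original override, since its early return never stored the attribute and JSESSIONID reappeared in redirect URLs, where a session id can leak through Referer headers, proxy logs and browser history.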