之前项目采用前后端分离,结合shiro实现了认证、授权以及数据权限;
后来发现session超时时,前端未能接收到相应的超时信息;
经查看发现,之前的类继承的是AccessControlFilter,后来改为继承FormAuthenticationFilter:
直接上代码:
import com.tzwy.mcsp.response.BaseResponse;
import com.tzwy.mcsp.response.StatusCode;
import net.sf.json.JSONObject;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.*;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Serializable;
import java.util.Collection;
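/**
 * Shiro authentication filter for a front-end/back-end separated deployment.
 * <p>
 * {@link FormAuthenticationFilter} normally redirects an unauthenticated caller to the login
 * page; a browser front end cannot act on that redirect, so this filter instead answers every
 * denied request (no session, expired session) with a small JSON body (body code 302, message
 * "登录超时") and ends the filter chain. The HTTP status line is left untouched, so clients
 * must inspect the body.
 * <p>
 * CORS pre-flight ({@code OPTIONS}) requests carry no credentials and are always let through.
 * Because the denial is written before the application's CORS configuration runs, the filter
 * emits the CORS headers itself. With no origins configured (the default) it echoes the
 * caller's {@code Origin} together with {@code Access-Control-Allow-Credentials: true}, which
 * lets any site read this credentialed response; restrict that with
 * {@link #setAllowedOrigins(Collection)}.
 */
public class GunsUserFilter extends FormAuthenticationFilter {

    /**
     * Origins permitted in the denial response's {@code Access-Control-Allow-Origin} header,
     * compared as exact strings ({@code scheme://host[:port]}). {@code null} keeps the legacy
     * behaviour of echoing whatever {@code Origin} the caller sent; an empty collection
     * acknowledges no origin at all.
     */
    private Collection<String> allowedOrigins;

    /** Creates a filter that echoes any {@code Origin} (legacy behaviour). */
    public GunsUserFilter() {
    }

    /**
     * Creates a filter that only acknowledges the given origins in its denial response.
     *
     * @param allowedOrigins exact origin strings; {@code null} echoes any origin
     */
    public GunsUserFilter(Collection<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /** @return the configured origin allow-list, or {@code null} when any origin is echoed */
    public Collection<String> getAllowedOrigins() {
        return allowedOrigins;
    }

    /**
     * Restricts which origins receive {@code Access-Control-Allow-Origin} on the denial response.
     *
     * @param allowedOrigins exact origin strings; {@code null} echoes any origin
     */
    public void setAllowedOrigins(Collection<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /**
     * Lets CORS pre-flight requests through unconditionally; everything else is decided by
     * the parent (authenticated subject or not). Returning {@code false} here leads to
     * {@link #onAccessDenied(ServletRequest, ServletResponse)}.
     *
     * @param request     current request
     * @param response    current response
     * @param mappedValue per-path filter configuration, passed through to the parent
     * @return {@code true} when the request may proceed down the chain
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        // Pre-flight requests never carry the session cookie, so the session check would
        // always reject them and the browser would never issue the real request.
        if (request instanceof HttpServletRequest
                && "OPTIONS".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) {
            return true;
        }
        return super.isAccessAllowed(request, response, mappedValue);
    }

    /**
     * Writes the JSON "login timed out" reply instead of redirecting to a login page.
     *
     * @param request  current request; read for its {@code Origin} header
     * @param response current response; receives the CORS headers and the JSON body
     * @return always {@code false}: the response is complete and the chain must stop
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // The application's CORS configuration has not run yet at this point; without these
        // headers the browser hides the JSON body behind a cross-origin error. A request with
        // no Origin header is not cross-origin and needs neither header.
        String origin = httpRequest.getHeader("Origin");
        if (origin != null && isOriginAllowed(origin)) {
            httpResponse.setHeader("Access-Control-Allow-Origin", origin);
            httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
            // The header value depends on the request, so shared caches must key on Origin.
            httpResponse.addHeader("Vary", "Origin");
        }

        httpResponse.setCharacterEncoding("UTF-8");
        httpResponse.setContentType("application/json");
        BaseResponse res = new BaseResponse(StatusCode.Success);
        res.setMsg("登录超时");
        // Application-level code the front end keys off; the HTTP status is not changed.
        res.setCode(302);
        httpResponse.getWriter().write(JSONObject.fromObject(res).toString());
        return false;
    }

    /** Exact-match check against the allow-list; a {@code null} list admits every origin. */
    private boolean isOriginAllowed(String origin) {
        return allowedOrigins == null || allowedOrigins.contains(origin);
    }
}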
然后将这个类加入到shiro的过滤器中:
//过滤链配置
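/**
 * Builds Shiro's servlet filter and its URL-to-filter chain.
 * <p>
 * Every path not listed as {@code anon} runs through {@code sessionCheck}, a {@link GunsUserFilter}
 * that answers unauthenticated or session-expired calls with JSON instead of a redirect; for
 * the same reason no login URL is configured here.
 *
 * @param securityManager the security manager the filter delegates authentication to
 * @return the factory bean Spring exposes as the {@code shiroFilter} servlet filter
 */
@Bean("shiroFilter")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
    shiroFilter.setSecurityManager(securityManager);
    // Where a logged-in user lacking a required permission is sent.
    shiroFilter.setUnauthorizedUrl("/");

    // Chain definitions are consulted in insertion order and the first match wins,
    // so the catch-all "/**" entry must be inserted last.
    Map<String, String> filterMap = new LinkedHashMap<>();
    // NOTE(review): API documentation and its static assets are reachable without login;
    // confirm that is intended outside development.
    filterMap.put("/swagger/**", "anon");
    filterMap.put("/swagger-ui.html", "anon");
    filterMap.put("/webjars/**", "anon");
    filterMap.put("/swagger-resources/**", "anon");
    filterMap.put("/statics/**", "anon");
    filterMap.put("/login.html", "anon");
    filterMap.put("/report.html", "anon");
    filterMap.put("/sys/login", "anon");
    filterMap.put("/sys/loginOld", "anon");
    // NOTE(review): unauthenticated download endpoint; confirm it restricts which files it serves.
    filterMap.put("/sys/download/fileDownLoad", "anon");
    filterMap.put("/favicon.ico", "anon");
    filterMap.put("/captcha.jpg", "anon");
    // Custom session check stands in for Shiro's stock "authc" on everything else.
    filterMap.put("/**", "sessionCheck");
    shiroFilter.setFilterChainDefinitionMap(filterMap);

    // Register the custom filter under the name used in the chain definitions above.
    Map<String, Filter> customFilters = new LinkedHashMap<>();
    customFilters.put("sessionCheck", new GunsUserFilter());
    shiroFilter.setFilters(customFilters);
    return shiroFilter;
}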
测试:
如此解决;