1. Custom Shiro SessionManager
When login succeeds, the backend generates a sessionId and returns it to the frontend; the frontend then carries that sessionId on every subsequent request.
```java
import java.io.Serializable;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;

/**
 * In a traditional (server-rendered) project Shiro reads the sessionId from a cookie to maintain the session.
 * In a front-end/back-end separated project (and likewise in a mobile app) we pass the sessionId in a
 * header of the ajax request instead, so the way Shiro obtains the sessionId has to be overridden.
 * The custom MySessionManager class extends DefaultWebSessionManager and overrides getSessionId.
 * By carrying the sessionId, the frontend tells the backend server which user is making this request.
 */
public class MySessionManager extends DefaultWebSessionManager {

    private static final String AUTHORIZATION = "X-TOKEN";
    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

    public MySessionManager() {
        super();
    }

    @Override
    public Serializable getSessionId(ServletRequest request, ServletResponse response) {
        // Read the sessionId from the X-TOKEN request header
        String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
        // If the request carries X-TOKEN, its value is the sessionId.
        // The header is only a lookup key: Shiro still resolves it against the session store,
        // so an unknown or forged id does not yield a session.
        if (id != null && !id.isEmpty()) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
            return id;
        } else {
            // Otherwise fall back to the default rule and read the sessionId from the cookie
            return super.getSessionId(request, response);
        }
    }
}
```
2. Custom authentication filter
Authenticates logged-in users, lets the frontend's OPTIONS requests through, and handles ajax requests whose session has expired.
```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

/**
 * Authentication filter
 */
public class MyAuthenticationFilter extends FormAuthenticationFilter {

    // Let the frontend's OPTIONS (CORS preflight) requests through; a preflight carries no
    // credentials and no body, so nothing protected is exposed by skipping authentication for it.
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        HttpServletRequest request1 = (HttpServletRequest) request;
        // Get the request method
        String method = request1.getMethod();
        // If it is an OPTIONS request, let it through
        if ("OPTIONS".equalsIgnoreCase(method)) {
            return true;
        }
        return super.isAccessAllowed(request, response, mappedValue);
    }

    // Executed when authentication has not passed
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (this.isLoginRequest(request, response)) {
            if (this.isLoginSubmission(request, response)) {
                return this.executeLogin(request, response);
            } else {
                return true;
            }
        } else {
            String ajaxHeader = req.getHeader("X-Requested-With");
            if (ajaxHeader != null || req.getHeader("X-TOKEN") != null) {
                // The original post is cut off at this point; the rest of this branch is an
                // assumed completion: an ajax/stateless client cannot follow a login redirect,
                // so answer 401 and let the frontend handle re-login.
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
            // Plain browser navigation: keep Shiro's default behaviour, remember the
            // request and redirect to the login page
            this.saveRequestAndRedirectToLogin(request, response);
            return false;
        }
    }
}
```
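The two classes above still have to be wired into Shiro's filter chain. The following Spring configuration is an added example, not code from the original post; it assumes a Realm bean is defined elsewhere and that the login endpoint is `/login`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // Session manager that reads the session id from the X-TOKEN header (MySessionManager above)
    @Bean
    public MySessionManager sessionManager() {
        MySessionManager manager = new MySessionManager();
        manager.setGlobalSessionTimeout(30 * 60 * 1000L); // 30 minutes of inactivity
        // Never accept ";JSESSIONID=..." in the URL: a URL-carried id leaks into logs and
        // Referer headers and is a classic session-fixation vector.
        manager.setSessionIdUrlRewritingEnabled(false);
        return manager;
    }

    // The Realm (user lookup and credential check) is assumed to be a bean defined elsewhere
    @Bean
    public DefaultWebSecurityManager securityManager(Realm realm, MySessionManager sessionManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm);
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login"); // assumed login endpoint

        // Register the OPTIONS-aware filter under the stock "authc" name so it replaces the default.
        // Construct it with new rather than as a bean, or Spring Boot also registers it as a global servlet filter.
        Map<String, Filter> filters = new LinkedHashMap<>();
        filters.put("authc", new MyAuthenticationFilter());
        factory.setFilters(filters);

        // Order matters: Shiro applies the first pattern that matches the request path.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/logout", "logout");
        chain.put("/**", "authc"); // everything else requires a valid session
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }
}
```

The OPTIONS pass-through only helps if the CORS layer also lists X-TOKEN in Access-Control-Allow-Headers, which is configured outside this snippet.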