Shiro:未登录时请求跳转问题

问题：前后端分离项目，在用Shiro做权限控制时，未登录状态发送的请求都会重定向，导致前端无法捕捉重定向后的消息。如何不重定向在原来的请求返回信息提示未登录，前端根据信息调到登录页？

首先，看一下Shiro是在哪里做的重定向。下面是Shiro的部分源码

package org.apache.shiro.web.filter.authc;

public class FormAuthenticationFilter extends AuthenticatingFilter {
       protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            if (isLoginSubmission(request, response)) {
                if (log.isTraceEnabled()) {
                    log.trace("Login submission detected.  Attempting to execute login.");
                }
                return executeLogin(request, response);
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Login page view.");
                }
                //allow them to see the login page ;)
                return true;
            }
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                        "Authentication url [" + getLoginUrl() + "]");
            }
            // 这里做的重定向    
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }
    }
    
}            

发现是FormAuthenticationFilter.onAccessDenied()中做的重定向。接下来就就可以着手解决问题了。

解决：

1. 继承FormAuthenticationFilter，重写onAccessDenied方法

/**
 * 继承FormAuthenticationFilter，重写onAccessDenied方法
 */
public class ShiroFormAuthenticationFilter extends FormAuthenticationFilter {
    private static final Logger log = LoggerFactory.getLogger(ShiroFormAuthenticationFilter.class);

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (this.isLoginRequest(request, response)) {
            if (this.isLoginSubmission(request, response)) {
                if (log.isTraceEnabled()) {
                    log.trace("Login submission detected.  Attempting to execute login.");
                }

                return this.executeLogin(request, response);
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Login page view.");
                }

                return true;
            }
        } else {
            HttpServletRequest req = (HttpServletRequest)request;
            HttpServletResponse resp = (HttpServletResponse)response;
            if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {
                resp.setStatus(HttpStatus.OK.value());
                return true;
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Attempting to access a path which requires authentication.  Forwarding to the Authentication url [{}]" ,this.getLoginUrl());
                }
                /**
                 * 在这里实现自己想返回的信息，其他地方和源码一样就可以了
                 */
                resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));
                resp.setHeader("Access-Control-Allow-Credentials", "true");
                resp.setContentType("application/json; charset=utf-8");
                resp.setCharacterEncoding("UTF-8");
                DataResponse<?> result = DataResponse.failed(ExceptionCode.NO_AUTH);
                PrintWriter out = resp.getWriter();
                out.println(JsonUtils.objectToJson(result));
                out.flush();
                out.close();
                return false;
            }
        }
    }

}

2. 在config中配置filter

@Configuration
public class ShiroConfig {

    private static final Logger log = LoggerFactory.getLogger(ShiroConfig.class);
    private static Map<String, String> filterChainDefinitionMap = new LinkedHashMap();

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactory = new ShiroFilterFactoryBean();
        shiroFilterFactory.setSecurityManager(securityManager);

        filterChainDefinitionMap.put("/sys/login","anon");
        filterChainDefinitionMap.put("/captcha.jpg", "anon");
        filterChainDefinitionMap.put("/favicon.ico", "anon");
        filterChainDefinitionMap.put("/logout","anon");
        filterChainDefinitionMap.put("/index","anon");
        filterChainDefinitionMap.put("/css/**","anon");
        filterChainDefinitionMap.put("/js/**","anon");
        filterChainDefinitionMap.put("/img/**","anon");
        filterChainDefinitionMap.put("/fonts/**","anon");
        filterChainDefinitionMap.put("/chosen/**","anon");
        filterChainDefinitionMap.put("/static/**","anon");
        filterChainDefinitionMap.put("/swagger-ui.html","anon");
        filterChainDefinitionMap.put("/swagger-ui.html/**","anon");
        filterChainDefinitionMap.put("/webjars/**","anon");
        filterChainDefinitionMap.put("/layout/**","anon");
        filterChainDefinitionMap.put("/swagger-resources/**","anon");
        filterChainDefinitionMap.put("/v2/**","anon");
        filterChainDefinitionMap.put("/**","authc");
        LinkedHashMap<String, Filter> filtsMap = new LinkedHashMap<>();
        // 这里使用自定义的filter
        filtsMap.put("authc", new ShiroFormAuthenticationFilter());
        shiroFilterFactory.setFilters(filtsMap);
        shiroFilterFactory.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactory;
    }
}

OK，问题解决。

附注：

servlet的两种跳转方式：forward转发、redirect重定向

两者的区别：

1.地址栏

1）forward是服务器内部的跳转，服务器直接访问目标地址，客户端不知情，因此浏览器的网址不发生变化

2）redirect是服务器根据逻辑，发送一个状态码，告诉浏览器重新去请求另一个地址，所以地址栏显示新的地址

2.数据共享

forward在整个跳转过程中用的是同一个request，forward会将request的信息带到被跳转的jsp或者是servlet中使用，所以数据是共享的。而redirect是新的request，所以数据不共享。

3.运用

1） forward一般用于用户登录的时候，根据角色转发到相应的模块

2） redirect一般用于用户注销登录时返回主页或者跳转到其他网站

4.效率

forward效率高，redirect效率低

5.本质

forward转发时服务器上的行为，而redirect重定向是客户端的行为

6.请求次数

forward 一次，redirect两次