Shiro:未登录时请求跳转问题
问题:前后端分离项目,在用Shiro做权限控制时,未登录状态发送的请求都会重定向,导致前端无法捕捉重定向后的消息。如何不重定向在原来的请求返回信息提示未登录,前端根据信息调到登录页?
首先,看一下Shiro是在哪里做的重定向。下面是Shiro的部分源码
package org.apache.shiro.web.filter.authc; public class FormAuthenticationFilter extends AuthenticatingFilter { protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { if (isLoginRequest(request, response)) { if (isLoginSubmission(request, response)) { if (log.isTraceEnabled()) { log.trace("Login submission detected. Attempting to execute login."); } return executeLogin(request, response); } else { if (log.isTraceEnabled()) { log.trace("Login page view."); } //allow them to see the login page ;) return true; } } else { if (log.isTraceEnabled()) { log.trace("Attempting to access a path which requires authentication. Forwarding to the " + "Authentication url [" + getLoginUrl() + "]"); } // 这里做的重定向 saveRequestAndRedirectToLogin(request, response); return false; } } }
发现是FormAuthenticationFilter.onAccessDenied()中做的重定向。接下来就就可以着手解决问题了。
解决:
1. 继承FormAuthenticationFilter,重写onAccessDenied方法
/** * 继承FormAuthenticationFilter,重写onAccessDenied方法 */ public class ShiroFormAuthenticationFilter extends FormAuthenticationFilter { private static final Logger log = LoggerFactory.getLogger(ShiroFormAuthenticationFilter.class); @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { if (this.isLoginRequest(request, response)) { if (this.isLoginSubmission(request, response)) { if (log.isTraceEnabled()) { log.trace("Login submission detected. Attempting to execute login."); } return this.executeLogin(request, response); } else { if (log.isTraceEnabled()) { log.trace("Login page view."); } return true; } } else { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse resp = (HttpServletResponse)response; if (req.getMethod().equals(RequestMethod.OPTIONS.name())) { resp.setStatus(HttpStatus.OK.value()); return true; } else { if (log.isTraceEnabled()) { log.trace("Attempting to access a path which requires authentication. Forwarding to the Authentication url [{}]" ,this.getLoginUrl()); } /** * 在这里实现自己想返回的信息,其他地方和源码一样就可以了 */ resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin")); resp.setHeader("Access-Control-Allow-Credentials", "true"); resp.setContentType("application/json; charset=utf-8"); resp.setCharacterEncoding("UTF-8"); DataResponse<?> result = DataResponse.failed(ExceptionCode.NO_AUTH); PrintWriter out = resp.getWriter(); out.println(JsonUtils.objectToJson(result)); out.flush(); out.close(); return false; } } } }
2. 在config中配置filter
@Configuration public class ShiroConfig { private static final Logger log = LoggerFactory.getLogger(ShiroConfig.class); private static Map<String, String> filterChainDefinitionMap = new LinkedHashMap(); @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactory = new ShiroFilterFactoryBean(); shiroFilterFactory.setSecurityManager(securityManager); filterChainDefinitionMap.put("/sys/login","anon"); filterChainDefinitionMap.put("/captcha.jpg", "anon"); filterChainDefinitionMap.put("/favicon.ico", "anon"); filterChainDefinitionMap.put("/logout","anon"); filterChainDefinitionMap.put("/index","anon"); filterChainDefinitionMap.put("/css/**","anon"); filterChainDefinitionMap.put("/js/**","anon"); filterChainDefinitionMap.put("/img/**","anon"); filterChainDefinitionMap.put("/fonts/**","anon"); filterChainDefinitionMap.put("/chosen/**","anon"); filterChainDefinitionMap.put("/static/**","anon"); filterChainDefinitionMap.put("/swagger-ui.html","anon"); filterChainDefinitionMap.put("/swagger-ui.html/**","anon"); filterChainDefinitionMap.put("/webjars/**","anon"); filterChainDefinitionMap.put("/layout/**","anon"); filterChainDefinitionMap.put("/swagger-resources/**","anon"); filterChainDefinitionMap.put("/v2/**","anon"); filterChainDefinitionMap.put("/**","authc"); LinkedHashMap<String, Filter> filtsMap = new LinkedHashMap<>(); // 这里使用自定义的filter filtsMap.put("authc", new ShiroFormAuthenticationFilter()); shiroFilterFactory.setFilters(filtsMap); shiroFilterFactory.setFilterChainDefinitionMap(filterChainDefinitionMap); return shiroFilterFactory; } }
OK,问题解决。
附注:
servlet的两种跳转方式:forward转发、redirect重定向
两者的区别:
1.地址栏
1)forward是服务器内部的跳转,服务器直接访问目标地址,客户端不知情,因此浏览器的网址不发生变化
2)redirect是服务器根据逻辑,发送一个状态码,告诉浏览器重新去请求另一个地址,所以地址栏显示新的地址
2.数据共享
forward在整个跳转过程中用的是同一个request,forward会将request的信息带到被跳转的jsp或者是servlet中使用,所以数据是共享的。而redirect是新的request,所以数据不共享。
3.运用
1) forward一般用于用户登录的时候,根据角色转发到相应的模块
2) redirect一般用于用户注销登录时返回主页或者跳转到其他网站
4.效率
forward效率高,redirect效率低
5.本质
forward转发时服务器上的行为,而redirect重定向是客户端的行为
6.请求次数
forward 一次,redirect两次