最近在springboot項目上使用了shiro,但是shiro配置好後都是默認頁面重定向處理。然而前後端分離後,靜態頁面都是部署在nginx上,統一都通過ajax進行調用。ajax的話不能進行重定向,需要返回指定格式的JSON。所以shiro需要滿足一下幾點要求:
- 1
ajax調用接口沒有登錄時,返回指定格式JSON
ajax調用接口在登錄的情況下,沒有權限時,返回指定格式JSON
普通請求調用接口則進行重定向處理
Shiro的Filter攔截器
這時候需要擴展一下Shiro的Filter,主要有AdviceFilter、RolesAuthorizationFilter、PermissionsAuthorizationFilter
- AdviceFilter有點類似SpringMVC中的HandlerInterceptor攔截器,主要用於在訪問Controller之前用於判斷用戶是否登錄
- RolesAuthorizationFilter主要擴展了在shiro在認證Roles失敗時回調的onAccessDenied方法,用於返回JSON或是重定向,也是需要我們實現的。
- PermissionsAuthorizationFilter主要是認證perms資源,也是一樣重寫onAccessDenied方法
下圖爲Shiro的Filter關係圖
- 可以看到AccessControllerFilter主要是Shiro控制認證和授權的過濾器
Filter攔截器的實現
擴展AdviceFilter,用於ajax訪問接口未登錄的處理
class ShiroLoginFilter extends AdviceFilter {
/**
* 在訪問controller前判斷是否登錄,返回json,不進行重定向。
* @param request
* @param response
* @return true-繼續往下執行,false-該filter過濾器已經處理,不繼續執行其他過濾器
* @throws Exception
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
SysUser sysUser = (SysUser) httpServletRequest.getSession().getAttribute("user");
if (null == sysUser && !StringUtils.contains(httpServletRequest.getRequestURI(), "/login")) {
String requestedWith = httpServletRequest.getHeader("X-Requested-With");
if (StringUtils.isNotEmpty(requestedWith) && StringUtils.equals(requestedWith, "XMLHttpRequest")) {//如果是ajax返回指定數據
ResponseHeader responseHeader = new ResponseHeader();
responseHeader.setResponse(ResponseHeader.SC_MOVED_TEMPORARILY, null);
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json");
httpServletResponse.getWriter().write(JSONObject.toJSONString(responseHeader));
return false;
} else {//不是ajax進行重定向處理
httpServletResponse.sendRedirect("/login/local");
return false;
}
}
return true;
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
擴展RolesAuthorizationFilter,用於ajax訪問接口登錄但是角色認證不通過的處理
public class ShiroRolesFilter extends RolesAuthorizationFilter {
class ShiroLoginFilter extends AdviceFilter {
/**
* 在訪問controller前判斷是否登錄,返回json,不進行重定向。
* @param request
* @param response
* @return true-繼續往下執行,false-該filter過濾器已經處理,不繼續執行其他過濾器
* @throws Exception
*/
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
String requestedWith = httpServletRequest.getHeader("X-Requested-With");
if (StringUtils.isNotEmpty(requestedWith) &&
StringUtils.equals(requestedWith, "XMLHttpRequest")) {//如果是ajax返回指定格式數據
ResponseHeader responseHeader = new ResponseHeader();
responseHeader.setResponse(ResponseHeader.SC_FORBIDDEN, null);
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json");
httpServletResponse.getWriter().write(JSONObject.toJSONString(responseHeader));
} else {//如果是普通請求進行重定向
httpServletResponse.sendRedirect("/403");
}
return false;
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
同樣擴展PermissionsAuthorizationFilter,用於ajax訪問接口登錄但是資源操作認證不通過的處理
public class ShiroPermsFilter extends PermissionsAuthorizationFilter {
/**
* shiro認證perms資源失敗後回調方法
* @param servletRequest
* @param servletResponse
* @return
* @throws IOException
*/
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
String requestedWith = httpServletRequest.getHeader("X-Requested-With");
if (StringUtils.isNotEmpty(requestedWith) &&
StringUtils.equals(requestedWith, "XMLHttpRequest")) {//如果是ajax返回指定格式數據
ResponseHeader responseHeader = new ResponseHeader();
responseHeader.setResponse(ResponseHeader.SC_FORBIDDEN, null);
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json");
httpServletResponse.getWriter().write(JSONObject.toJSONString(responseHeader));
} else {//如果是普通請求進行重定向
httpServletResponse.sendRedirect("/403");
}
return false;
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
最後在配置中將上面自定義的Filter設置到ShiroFilterFactoryBean。由於我的是springboot都是在java代碼配置
@Bean(name = "shiroLoginFilter")
public ShiroLoginFilter shiroLoginFilter(){
ShiroLoginFilter shiroLoginFilter = new ShiroLoginFilter();
return shiroLoginFilter;
}- 1
- 2
- 3
- 4
- 5
- 6
Filter配置後,Shiro處理用戶請求的流程如下
注意點
- 在實現自定義Filter的時候不要用Spring進行單例模式的bean初始化,不然在認證的時候SecurityUtils.getSubject()會拋出:
org.apache.shiro.UnavailableSecurityManagerException: No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.
看着錯誤信息好像就是不要使用單例模式。