Shiro integrated with Spring; the relevant part of the XML configuration (not the complete configuration):

    /user/login = anon
    /** = authc, perms
When authc is used for access control and authentication fails, Shiro by default redirects to the loginUrl, so a front-end API call receives a 302. The fix is to subclass FormAuthenticationFilter (org.apache.shiro.web.filter.authc.FormAuthenticationFilter) and override onAccessDenied as follows (the class name is illustrative; the JSON body is a sample):

    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
    import org.apache.shiro.web.util.WebUtils;
    public class JsonAuthenticationFilter extends FormAuthenticationFilter {
        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            Subject subject = getSubject(request, response); // the currently logged-in subject
            if (subject.getPrincipal() == null) {
                // Write the result to the response instead of redirecting to loginUrl
                // (the front end expects JSON; mind the cross-origin configuration)
                HttpServletResponse httpResponse = WebUtils.toHttp(response);
                httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                httpResponse.setContentType("application/json;charset=UTF-8");
                httpResponse.getWriter().write("{\"code\":401,\"msg\":\"not logged in\"}");
                return false; // stop the filter chain
            }
            return true;
        }
    }
A CORS request is sometimes preceded by a preflight OPTIONS request, which carries neither the token nor the parameters. When Shiro intercepts it, the current user is judged not logged in and the request fails. The fix is to subclass FormAuthenticationFilter (org.apache.shiro.web.filter.authc.FormAuthenticationFilter) and override isAccessAllowed as follows (the class name is illustrative):

    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
    import org.apache.shiro.web.util.WebUtils;
    public class CorsAwareAuthenticationFilter extends FormAuthenticationFilter {
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
            boolean allowed = super.isAccessAllowed(request, response, mappedValue);
            if (!allowed) {
                // Check whether this is an OPTIONS (preflight) request: the browser sends it without the token
                String method = WebUtils.toHttp(request).getMethod();
                if ("OPTIONS".equalsIgnoreCase(method)) {
                    return true;
                }
            }
            return allowed;
        }
    }
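A stricter variant of the override above, added here as an illustration and not code from the original post: instead of letting every OPTIONS request past authc, it only lets through requests that look like a CORS preflight, that is, an OPTIONS request carrying both an Origin header and an Access-Control-Request-Method header, which is exactly what a browser sends without cookies or custom headers. A plain OPTIONS request from a script or a non-browser client is still denied. The class name PreflightAwareAuthenticationFilter is an assumption.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

// Illustrative class name, not from the original post.
public class PreflightAwareAuthenticationFilter extends FormAuthenticationFilter {

    // A CORS preflight is an OPTIONS request that carries both an Origin header
    // and an Access-Control-Request-Method header. Browsers send it without
    // cookies or custom headers, so no token can be present on it.
    static boolean isCorsPreflight(HttpServletRequest request) {
        return "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Origin") != null
                && request.getHeader("Access-Control-Request-Method") != null;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        if (super.isAccessAllowed(request, response, mappedValue)) {
            return true;
        }
        // Only a genuine preflight bypasses authentication; any other
        // unauthenticated request (including a bare OPTIONS) falls through
        // to onAccessDenied as before.
        return isCorsPreflight(WebUtils.toHttp(request));
    }
}
```

Register the class in place of FormAuthenticationFilter in the Shiro filter chain definition (the authc entry), exactly as the original override would be.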
Handling cross-origin requests between front end and back end: write a servlet filter (the class name is illustrative):

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    public class CorsFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) resp;
            response.setHeader("Access-Control-Allow-Credentials", "true"); // whether cookies may be sent cross-origin
            // Note: browsers reject "*" combined with Allow-Credentials: true for credentialed requests;
            // echo a single allowlisted origin instead if cookies or an Authorization header must be sent.
            response.setHeader("Access-Control-Allow-Origin", "*"); // avoid the cross-origin access error
            response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
            response.setHeader("Access-Control-Max-Age", "3600"); // how long the browser may cache the preflight result
            response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, client_id, uuid, Authorization");
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP/1.1
            response.setHeader("Pragma", "no-cache"); // HTTP/1.0
            chain.doFilter(req, resp);
        }
        @Override public void init(FilterConfig filterConfig) {}
        @Override public void destroy() {}
    }
Note: if problems remain, see also https://blog.csdn.net/China_hdy/article/details/97154272