Spring Boot in Practice: Shiro Session Timeout

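In Spring Boot, setting the session timeout only requires adding the server.session.timeout property to application.properties. While integrating Shiro, I found that with server.session.timeout set to 7200, users had to log in again before two hours had passed. It turned out that the Shiro session had already expired: Shiro's session timeout does not follow server.session.timeout. For now I use a filter to set it.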

ShiroSessionFilter

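import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// commons-lang3 is assumed here; the original post does not show its imports
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Sets the Shiro session timeout through a servlet filter.
 * @author yangwk
 */
public class ShiroSessionFilter implements Filter {
    private static Logger logger = LoggerFactory.getLogger(ShiroSessionFilter.class);

    // URL patterns that skip the timeout reset (filled from the "excludes" init parameter)
    public List<String> excludes = new ArrayList<String>();

    // Timeout in ms; only used when the "serverSessionTimeout" init parameter is blank
    private long serverSessionTimeout = 180000L;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {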
        if(logger.isDebugEnabled()){
            logger.debug("shiro session filter is open");
        }

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if(handleExcludeURL(req, resp)){
            filterChain.doFilter(request, response);
            return;
        }

        Subject currentUser = SecurityUtils.getSubject();
        if(currentUser.isAuthenticated()){
            currentUser.getSession().setTimeout(serverSessionTimeout);
        }
        filterChain.doFilter(request, response);
    }

    private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {

        if (excludes == null || excludes.isEmpty()) {
            return false;
        }

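        String url = request.getServletPath();
        for (String pattern : excludes) {
            // Each entry is compiled as a regular expression anchored only at the
            // start of the path; it is not evaluated as a servlet-style glob.
            Pattern p = Pattern.compile("^" + pattern);
            Matcher m = p.matcher(url);
            if (m.find()) {
                return true;
            }
        }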

        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if(logger.isDebugEnabled()){
            logger.debug("shiro session filter init~~~~~~~~~~~~");
        }
        String temp = filterConfig.getInitParameter("excludes");
        if (temp != null) {
            String[] url = temp.split(",");
            for (int i = 0; url != null && i < url.length; i++) {
                excludes.add(url[i]);
            }
        }
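        // The init parameter is in seconds (fallback 1800 s);
        // Shiro's Session.setTimeout expects milliseconds.
        String timeout = filterConfig.getInitParameter("serverSessionTimeout");
        if(StringUtils.isNotBlank(timeout)){
            this.serverSessionTimeout = NumberUtils.toLong(timeout,1800L)*1000L;
        }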
    }

    @Override
    public void destroy() {}  

}

Registering the filter

Register ShiroSessionFilter inside a class annotated with @Configuration.

@Value("${server.session.timeout}")
private String serverSessionTimeout;

@Bean
public FilterRegistrationBean shiroSessionFilterRegistrationBean() {
    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    filterRegistrationBean.setFilter(new ShiroSessionFilter());
    filterRegistrationBean.setOrder(FilterRegistrationBean.LOWEST_PRECEDENCE);
    filterRegistrationBean.setEnabled(true);
    filterRegistrationBean.addUrlPatterns("/*");
    Map<String, String> initParameters = Maps.newHashMap();
    initParameters.put("serverSessionTimeout", serverSessionTimeout);
    initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");
    filterRegistrationBean.setInitParameters(initParameters);
    return filterRegistrationBean;
}

With this in place, on every request the Shiro session timeout is reset if the user is logged in, which keeps it consistent with the server session.
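
The excludes value above looks like a list of servlet globs, but handleExcludeURL compiles each entry as a regex anchored only at the start, so it matches more paths than intended and those requests skip the timeout reset. The following is an added example, not code from the original post; the class name, the sample paths and the stricter prefixExcluded variant (which assumes entries are literal paths or "/dir/*" prefixes) are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class ExcludeMatchDemo {
    // Same init-parameter value the registration code passes to the filter.
    static final List<String> EXCLUDES =
            Arrays.asList("/favicon.ico,/img/*,/js/*,/css/*".split(","));

    // The filter's matching: every entry is a regex anchored at the start only,
    // so "/js/*" means "/js" followed by zero or more slashes.
    static boolean regexExcluded(String path) {
        for (String pattern : EXCLUDES) {
            if (Pattern.compile("^" + pattern).matcher(path).find()) {
                return true;
            }
        }
        return false;
    }

    // Stricter variant (assumption: entries are literal paths or "/dir/*" prefixes).
    static boolean prefixExcluded(String path) {
        for (String pattern : EXCLUDES) {
            if (pattern.endsWith("/*")) {
                // Keep the trailing slash: "/js/*" covers "/js/app.js" but not "/json/...".
                String prefix = pattern.substring(0, pattern.length() - 1);
                if (path.startsWith(prefix)) {
                    return true;
                }
            } else if (path.equals(pattern)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample servlet paths.
        String[] paths = {"/js/app.js", "/json/orders", "/imgadmin/users",
                          "/favicon.icon", "/api/user"};
        for (String p : paths) {
            System.out.printf("%-18s regex=%-5b prefix=%b%n",
                    p, regexExcluded(p), prefixExcluded(p));
        }
    }
}
```

Paths where the two columns disagree are application URLs that the regex matching treats as static resources.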

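The Spring Boot web back-end development framework I put together has been uploaded to GitHub; feedback is welcome!
https://github.com/q7322068/rest-base. It has been used in several production projects. It may currently be incomplete in places because of version issues and will keep being improved. I hope you get something out of it!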
