如何放开Shiro对OPTIONS请求的拦截
如何放开Shiro对OPTIONS请求的拦截
最近出现前台访问后端接口预请求,返回302重定向到shiro的登录地址的bug。定位好久后发现是OPTIONS请求的时候没有带token,导致shiro认为是未登录状态,然后重定向到登录地址。所以我们现在的解决方法就是放开shiro对所有OPTIONS的拦截。
首先确定后端是否配置好跨域,允许所有请求方式跨域访问。然后建立ShiroUserFilter。
package com.jokerliu.config.shiro;
import com.jokerliu.enums.Result;
import com.jokerliu.enums.ResultStatusCode;
import org.apache.shiro.web.filter.authc.UserFilter;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
/**
* 重写shiro的UserFilter,实现通过OPTIONS请求
* @author MDY
*/
public class ShiroUserFilter extends UserFilter {
/**
* 在访问过来的时候检测是否为OPTIONS请求,如果是就直接返回true
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletResponse httpResponse = (HttpServletResponse) response;
HttpServletRequest httpRequest = (HttpServletRequest) request;
if (httpRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
setHeader(httpRequest,httpResponse);
return true;
}
return super.preHandle(request,response);
}
/**
* 该方法会在验证失败后调用,这里由于是前后端分离,后台不控制页面跳转
* 因此重写改成传输JSON数据
*/
@Override
protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
saveRequest(request);
setHeader((HttpServletRequest) request,(HttpServletResponse) response);
PrintWriter out = response.getWriter();
//自己控制返回的json数据
out.println(new Result(ResultStatusCode.SHIRO_ERROR));
out.flush();
out.close();
}
/**
* 为response设置header,实现跨域
*/
private void setHeader(HttpServletRequest request, HttpServletResponse response){
//跨域的header设置
response.setHeader("Access-control-Allow-Origin", request.getHeader("Origin"));
response.setHeader("Access-Control-Allow-Methods", request.getMethod());
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
//防止乱码,适用于传输JSON数据
response.setHeader("Content-Type","application/json;charset=UTF-8");
response.setStatus(HttpStatus.OK.value());
}
}
进入shiro主要配置类ShiroConfig中ShiroFilterFactoryBean对之前
filterChainDefinitionManager.put("/**", "authc");
中authc做自定义的拦截配置(就是上面的ShiroUserFilter类)
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager());
// 没有登陆的用户只能访问登陆页面,前后端分离中登录界面跳转应由前端路由控制,后台仅返回json数据
shiroFilterFactoryBean.setLoginUrl("/common/kickout");
// shiroFilterFactoryBean.setLoginUrl("/common/unauth");
// 登录成功后要跳转的链接
//shiroFilterFactoryBean.setSuccessUrl("/auth/index");
// 未授权界面;
shiroFilterFactoryBean.setUnauthorizedUrl("common/unauth");
Map filters = shiroFilterFactoryBean.getFilters();
// 注意这里不要用Bean的方式,否则会报错
filters.put("authc", new ShiroUserFilter());
shiroFilterFactoryBean.setFilters(filters);
Map filterChainDefinitionManager = new LinkedHashMap<>();
//注意过滤器配置顺序 不能颠倒
//配置退出 过滤器,其中的具体的退出代码Shiro已经替我们实现了,登出后跳转配置的loginUrl
filterChainDefinitionManager.put("/logout", "logout");
// 公共请求
filterChainDefinitionManager.put("/common/**", "anon");
// 测试方法
filterChainDefinitionManager.put("/test/**", "anon");
// 静态资源
filterChainDefinitionManager.put("/static/**", "anon");
filterChainDefinitionManager.put("/homepageadmin/**", "anon");
// 登录方法
filterChainDefinitionManager.put("/login", "anon");
// filterChainDefinitionManager.put("/admin/login*", "anon"); // 表示可以匿名访问
// 注册方法
filterChainDefinitionManager.put("/register", "anon");
// filterChainDefinitionManager.put("/admin/register*", "anon"); // 表示可以匿名访问
// filterChainDefinitionManager.put("/user/**", "authc,roles[ROLE_USER]");//用户为ROLE_USER 角色可以访问。由用户角色控制用户行为。
//需要admin的操作
// filterChainDefinitionManager.put("/admin/**", "authc,roles[admin]");
filterChainDefinitionManager.put("/admin/information/getOne", "anon");
filterChainDefinitionManager.put("/admin/information/page", "anon");
filterChainDefinitionManager.put("/admin/pictureManage/page", "anon");
filterChainDefinitionManager.put("/admin/pictureManage/getOne", "anon");
filterChainDefinitionManager.put("/admin/leavemes/save", "anon");
filterChainDefinitionManager.put("/admin/**", "authc");
//swagger2
filterChainDefinitionManager.put("/swagger-ui.html", "anon");
filterChainDefinitionManager.put("/swagger-resources/**", "anon");
filterChainDefinitionManager.put("/v2/**", "anon");
filterChainDefinitionManager.put("/webjars/**", "anon");
filterChainDefinitionManager.put("/**", "authc");
// filterChainDefinitionManager.put("/**", "anon");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager);
//
//
// shiroFilterFactoryBean.setSuccessUrl("/");
// shiroFilterFactoryBean.setUnauthorizedUrl("/403");
return shiroFilterFactoryBean;
}
其中最关键的地方
Map filters = shiroFilterFactoryBean.getFilters();
// 注意这里不要用Bean的方式,否则会报错
filters.put("authc", new ShiroUserFilter());
shiroFilterFactoryBean.setFilters(filters);
这样就将自定义的拦截注入到authc中。
至此解决shiro拦截OPTIONS请求的bug。