spring boot集成shiro之前后端分离

前后端分离之后，接口跨域无法鉴权，所以这里需要人工配置token，做法很简单
继承DefaultWebSessionManager重写getSessionId方法

package com.sansence.redwine.config;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;
 
/**
 * 自定义sessionId获取
 */
public class MySessionManager extends DefaultWebSessionManager {
 
    private static final String AUTHORIZATION = "authorization";
 
    private static final String REFERENCED_SESSION_ID_SOURCE = "cookie";
 
    public MySessionManager() {
        super();
    }
 
    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
        //如果请求头中有 Authorization 则其值为sessionId
        if (!StringUtils.isEmpty(id)) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
            return id;
        } else {
            //否则按默认规则从cookie取sessionId
            return super.getSessionId(request, response);
        }
    }
}

然后再配置下

@Bean("sessionManager")
    public SessionManager sessionManager(){
        //将我们继承后重写的shiro session 注册
        MySessionManager shiroSession = new MySessionManager();
        //如果后续考虑多tomcat部署应用，可以使用shiro-redis开源插件来做session 的控制，或者nginx 的负载均衡
        shiroSession.setSessionDAO(new EnterpriseCacheSessionDAO());
        //单位为毫秒，600000毫秒为1个小时
        shiroSession.setSessionValidationInterval(3600000*12);
        //3600000 milliseconds = 1 hour
        shiroSession.setGlobalSessionTimeout(3600000*12);
        //是否删除无效的，默认也是开启
        shiroSession.setDeleteInvalidSessions(true);
        return shiroSession;
    }

 /**
     * 注入权限管理
     * @return
     */
    @Bean
    public SecurityManager securityManager(@Qualifier("sessionManager")SessionManager sessionManager){
        DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
        securityManager.setRealm(customRealm());
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }

参考文章：https://blog.csdn.net/wmy_0707/article/details/100118329