Shiro Ajax 302 跳转问题

2018-07-10  本文已影响464人  ilaoke

版本:

问题

当session超时后,发起Ajax请求(查询更新表格内容),页面没有跳转到登陆画面。

原因

因为使用了Shiro,默认的“authc”是FormAuthenticationFilter 过滤器,该类中的onAccessDenied方法如下,从中可以看出:当访问被拒,并且不是登录请求时,会重定向(302)到登录URL。

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    if (isLoginRequest(request, response)) {
        if (isLoginSubmission(request, response)) {
            if (log.isTraceEnabled()) {
                log.trace("Login submission detected.  Attempting to execute login.");
            }
            return executeLogin(request, response);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Login page view.");
            }
            //allow them to see the login page ;)
            return true;
        }
    } else {
        if (log.isTraceEnabled()) {
            log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                      "Authentication url [" + getLoginUrl() + "]");
        }
        // 这里重定向到登录画面
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
}

如果不是Ajax请求,是没有问题的,浏览器可以正常跳转到登陆画面。如果是jQuery Ajax请示,则ajaxComplete事件最终拿到的response status是redirect之后的status,即访问登陆画面后的响应状态200。

解决方法

重写FormAuthenticationFilter 类的onAccessDenied方法,并判断如果请求是ajax请求,就在header中添加一个需要登录的标识,并且设置response status为401,避免还是200而继续走ajax的成功回调。然后Ajax添加全局事件,当有需要登录的标识时,将页面定位到登录画面。

重写FormAuthenticationFilter

public class MyShiroAuthcFilter extends FormAuthenticationFilter {

    public MyShiroAuthcFilter() {
        super();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            return super.onAccessDenied(request, response);
        } else {
            if (isAjax((HttpServletRequest) request)) {
                HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
                httpServletResponse.addHeader("REQUIRE_AUTH", "true");
                httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
            } else {
                saveRequestAndRedirectToLogin(request, response);
            }
            return false;
        }
    }

    private boolean isAjax(HttpServletRequest request) {
        String requestedWithHeader = request.getHeader("X-Requested-With");
        return "XMLHttpRequest".equals(requestedWithHeader);
    }
}

配置重写后的filter

@Configuration
public class ShiroConfig {

    @Bean
    public SpringTemplateEngine templateEngine(ITemplateResolver templateResolver) {
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(templateResolver);
        final ShiroDialect dialect = new ShiroDialect();
        engine.addDialect(dialect);
        return engine;
    }

//    @Bean
//    public HashedCredentialsMatcher hashedCredentialsMatcher(){
//        HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
//        credentialsMatcher.setHashAlgorithmName("SHA1");
//        credentialsMatcher.setHashIterations(5);
//        credentialsMatcher.setStoredCredentialsHexEncoded(true);
//        return credentialsMatcher;
//    }

    @Bean
    public MyShiroRealm myShiroRealm() {
        MyShiroRealm myShiroRealm = new MyShiroRealm();
//        myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher);
        return myShiroRealm;
    }

    @Bean
    public EhCacheManager ehCacheManager() {
        EhCacheManager cacheManager = new EhCacheManager();
        return cacheManager;
    }

    @Bean
    public SecurityManager securityManager(MyShiroRealm myShiroRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(myShiroRealm);
        securityManager.setCacheManager(ehCacheManager());
        securityManager.getSessionManager();
        return securityManager;
    }

//    @Bean
//    public MyShiroAuthcFilter myShiroAuthcFilter() {
//        MyShiroAuthcFilter myShiroAuthcFilter = new MyShiroAuthcFilter();
//        return myShiroAuthcFilter;
//    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
        filter.setSecurityManager(securityManager);
        filter.setLoginUrl("/login");
        filter.setSuccessUrl("/index");
        filter.setUnauthorizedUrl("/403");
        filter.setUnauthorizedUrl("/404");
        filter.setUnauthorizedUrl("/500");

        Map<String, Filter> filters = filter.getFilters();
//        filters.put("authd", myShiroAuthcFilter());
        // 注意这里不要用Bean的方式,否则会报错
        filters.put("authd", new MyShiroAuthcFilter());
        filters.put("anon", new AnonymousFilter());
        filters.put("logout", new LogoutFilter());
        filter.setFilters(filters);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/resources/**", "anon");
        filterChainDefinitionMap.put("/loginSubmit", "anon");
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/**", "authd");
        filter.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return filter;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}

Ajax全局事件

$(document).ready(function() {
    // 解决session超时,Ajax请求页面不跳转的问题
    $(document).ajaxComplete(function(event, xhr, settings) {
        if (xhr.getResponseHeader('REQUIRE_AUTH') === 'true') {
            window.location.href = ctx + "/index";
        }
    });
});

参考:

https://stackoverflow.com/questions/30461823/spring-mvc-detect-ajax-request

https://stackoverflow.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call

http://shiro-user.582556.n2.nabble.com/redirect-302-Found-td5769710.html

https://blog.csdn.net/callmesong/article/details/78826696

http://shiro-user.582556.n2.nabble.com/Session-Timeout-doesn-t-redirect-to-login-page-td7577730.html

http://shiro-user.582556.n2.nabble.com/Web-Filter-to-return-HTTP-status-code-td7577672.html

https://shiro.apache.org/spring-framework.html

https://shiro.apache.org/spring-boot.html

上一篇下一篇

猜你喜欢

热点阅读