欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

Shiro Ajax 302 跳转问题

程序员文章站 2024-02-29 18:32:22
...

版本:

  • Spring Boot 1.5.4.RELEASE
  • Shiro 1.4.0

问题

当session超时后,发起Ajax请求(查询更新表格内容),页面没有跳转到登陆画面。

原因

因为使用了Shiro,默认的“authc”是FormAuthenticationFilter 过滤器,该类中的onAccessDenied方法如下,从中可以看出:当访问被拒,并且不是登录请求时,会重定向(302)到登录URL。

protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
    if (isLoginRequest(request, response)) {
        if (isLoginSubmission(request, response)) {
            if (log.isTraceEnabled()) {
                log.trace("Login submission detected.  Attempting to execute login.");
            }
            return executeLogin(request, response);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Login page view.");
            }
            //allow them to see the login page ;)
            return true;
        }
    } else {
        if (log.isTraceEnabled()) {
            log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                      "Authentication url [" + getLoginUrl() + "]");
        }
        // 这里重定向到登录画面
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
}

如果不是Ajax请求,是没有问题的,浏览器可以正常跳转到登陆画面。如果是jQuery Ajax请示,则ajaxComplete事件最终拿到的response status是redirect之后的status,即访问登陆画面后的响应状态200。

解决方法

重写FormAuthenticationFilter 类的onAccessDenied方法,并判断如果请求是ajax请求,就在header中添加一个需要登录的标识,并且设置response status为401,避免还是200而继续走ajax的成功回调。然后Ajax添加全局事件,当有需要登录的标识时,将页面定位到登录画面。

重写FormAuthenticationFilter

public class MyShiroAuthcFilter extends FormAuthenticationFilter {

    public MyShiroAuthcFilter() {
        super();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            return super.onAccessDenied(request, response);
        } else {
            if (isAjax((HttpServletRequest) request)) {
                HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
                httpServletResponse.addHeader("REQUIRE_AUTH", "true");
                httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
            } else {
                saveRequestAndRedirectToLogin(request, response);
            }
            return false;
        }
    }

    private boolean isAjax(HttpServletRequest request) {
        String requestedWithHeader = request.getHeader("X-Requested-With");
        return "XMLHttpRequest".equals(requestedWithHeader);
    }
}

配置重写后的filter

@Configuration
public class ShiroConfig {

    @Bean
    public SpringTemplateEngine templateEngine(ITemplateResolver templateResolver) {
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(templateResolver);
        final ShiroDialect dialect = new ShiroDialect();
        engine.addDialect(dialect);
        return engine;
    }

//    @Bean
//    public HashedCredentialsMatcher hashedCredentialsMatcher(){
//        HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
//        credentialsMatcher.setHashAlgorithmName("SHA1");
//        credentialsMatcher.setHashIterations(5);
//        credentialsMatcher.setStoredCredentialsHexEncoded(true);
//        return credentialsMatcher;
//    }

    @Bean
    public MyShiroRealm myShiroRealm() {
        MyShiroRealm myShiroRealm = new MyShiroRealm();
//        myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher);
        return myShiroRealm;
    }

    @Bean
    public EhCacheManager ehCacheManager() {
        EhCacheManager cacheManager = new EhCacheManager();
        return cacheManager;
    }

    @Bean
    public SecurityManager securityManager(MyShiroRealm myShiroRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(myShiroRealm);
        securityManager.setCacheManager(ehCacheManager());
        securityManager.getSessionManager();
        return securityManager;
    }

//    @Bean
//    public MyShiroAuthcFilter myShiroAuthcFilter() {
//        MyShiroAuthcFilter myShiroAuthcFilter = new MyShiroAuthcFilter();
//        return myShiroAuthcFilter;
//    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
        filter.setSecurityManager(securityManager);
        filter.setLoginUrl("/login");
        filter.setSuccessUrl("/index");
        filter.setUnauthorizedUrl("/403");
        filter.setUnauthorizedUrl("/404");
        filter.setUnauthorizedUrl("/500");

        Map<String, Filter> filters = filter.getFilters();
//        filters.put("authd", myShiroAuthcFilter());
        // 注意这里不要用Bean的方式,否则会报错
        filters.put("authd", new MyShiroAuthcFilter());
        filters.put("anon", new AnonymousFilter());
        filters.put("logout", new LogoutFilter());
        filter.setFilters(filters);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/resources/**", "anon");
        filterChainDefinitionMap.put("/loginSubmit", "anon");
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/**", "authd");
        filter.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return filter;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}

Ajax全局事件

$(document).ready(function() {
    // 解决session超时,Ajax请求页面不跳转的问题
    $(document).ajaxComplete(function(event, xhr, settings) {
        if (xhr.getResponseHeader('REQUIRE_AUTH') === 'true') {
            window.location.href = ctx + "/index";
        }
    });
});

参考:

https://*.com/questions/30461823/spring-mvc-detect-ajax-request

https://*.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call

http://shiro-user.582556.n2.nabble.com/redirect-302-Found-td5769710.html

https://blog.csdn.net/callmesong/article/details/78826696

http://shiro-user.582556.n2.nabble.com/Session-Timeout-doesn-t-redirect-to-login-page-td7577730.html

http://shiro-user.582556.n2.nabble.com/Web-Filter-to-return-HTTP-status-code-td7577672.html

https://shiro.apache.org/spring-framework.html

https://shiro.apache.org/spring-boot.html