版本:
- Spring Boot 1.5.4.RELEASE
- Shiro 1.4.0
问题
当session超时后,发起Ajax请求(查询更新表格内容),页面没有跳转到登陆画面。
原因
因为使用了Shiro,默认的“authc”是FormAuthenticationFilter 过滤器,该类中的onAccessDenied方法如下,从中可以看出:当访问被拒,并且不是登录请求时,会重定向(302)到登录URL。
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
if (isLoginRequest(request, response)) {
if (isLoginSubmission(request, response)) {
if (log.isTraceEnabled()) {
log.trace("Login submission detected. Attempting to execute login.");
}
return executeLogin(request, response);
} else {
if (log.isTraceEnabled()) {
log.trace("Login page view.");
}
//allow them to see the login page ;)
return true;
}
} else {
if (log.isTraceEnabled()) {
log.trace("Attempting to access a path which requires authentication. Forwarding to the " +
"Authentication url [" + getLoginUrl() + "]");
}
// 这里重定向到登录画面
saveRequestAndRedirectToLogin(request, response);
return false;
}
}
如果不是Ajax请求,是没有问题的,浏览器可以正常跳转到登陆画面。如果是jQuery Ajax请示,则ajaxComplete事件最终拿到的response status是redirect之后的status,即访问登陆画面后的响应状态200。
解决方法
重写FormAuthenticationFilter 类的onAccessDenied方法,并判断如果请求是ajax请求,就在header中添加一个需要登录的标识,并且设置response status为401,避免还是200而继续走ajax的成功回调。然后Ajax添加全局事件,当有需要登录的标识时,将页面定位到登录画面。
重写FormAuthenticationFilter
public class MyShiroAuthcFilter extends FormAuthenticationFilter {
public MyShiroAuthcFilter() {
super();
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
if (isLoginRequest(request, response)) {
return super.onAccessDenied(request, response);
} else {
if (isAjax((HttpServletRequest) request)) {
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.addHeader("REQUIRE_AUTH", "true");
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
} else {
saveRequestAndRedirectToLogin(request, response);
}
return false;
}
}
private boolean isAjax(HttpServletRequest request) {
String requestedWithHeader = request.getHeader("X-Requested-With");
return "XMLHttpRequest".equals(requestedWithHeader);
}
}
配置重写后的filter
@Configuration
public class ShiroConfig {
@Bean
public SpringTemplateEngine templateEngine(ITemplateResolver templateResolver) {
SpringTemplateEngine engine = new SpringTemplateEngine();
engine.setTemplateResolver(templateResolver);
final ShiroDialect dialect = new ShiroDialect();
engine.addDialect(dialect);
return engine;
}
// @Bean
// public HashedCredentialsMatcher hashedCredentialsMatcher(){
// HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
// credentialsMatcher.setHashAlgorithmName("SHA1");
// credentialsMatcher.setHashIterations(5);
// credentialsMatcher.setStoredCredentialsHexEncoded(true);
// return credentialsMatcher;
// }
@Bean
public MyShiroRealm myShiroRealm() {
MyShiroRealm myShiroRealm = new MyShiroRealm();
// myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher);
return myShiroRealm;
}
@Bean
public EhCacheManager ehCacheManager() {
EhCacheManager cacheManager = new EhCacheManager();
return cacheManager;
}
@Bean
public SecurityManager securityManager(MyShiroRealm myShiroRealm) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(myShiroRealm);
securityManager.setCacheManager(ehCacheManager());
securityManager.getSessionManager();
return securityManager;
}
// @Bean
// public MyShiroAuthcFilter myShiroAuthcFilter() {
// MyShiroAuthcFilter myShiroAuthcFilter = new MyShiroAuthcFilter();
// return myShiroAuthcFilter;
// }
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
filter.setSecurityManager(securityManager);
filter.setLoginUrl("/login");
filter.setSuccessUrl("/index");
filter.setUnauthorizedUrl("/403");
filter.setUnauthorizedUrl("/404");
filter.setUnauthorizedUrl("/500");
Map<String, Filter> filters = filter.getFilters();
// filters.put("authd", myShiroAuthcFilter());
// 注意这里不要用Bean的方式,否则会报错
filters.put("authd", new MyShiroAuthcFilter());
filters.put("anon", new AnonymousFilter());
filters.put("logout", new LogoutFilter());
filter.setFilters(filters);
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/resources/**", "anon");
filterChainDefinitionMap.put("/loginSubmit", "anon");
filterChainDefinitionMap.put("/logout", "logout");
filterChainDefinitionMap.put("/**", "authd");
filter.setFilterChainDefinitionMap(filterChainDefinitionMap);
return filter;
}
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
}
Ajax全局事件
$(document).ready(function() {
// 解决session超时,Ajax请求页面不跳转的问题
$(document).ajaxComplete(function(event, xhr, settings) {
if (xhr.getResponseHeader('REQUIRE_AUTH') === 'true') {
window.location.href = ctx + "/index";
}
});
});
参考:
https://stackoverflow.com/questions/30461823/spring-mvc-detect-ajax-request
https://stackoverflow.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call
http://shiro-user.582556.n2.nabble.com/redirect-302-Found-td5769710.html
https://blog.csdn.net/callmesong/article/details/78826696
http://shiro-user.582556.n2.nabble.com/Session-Timeout-doesn-t-redirect-to-login-page-td7577730.html
http://shiro-user.582556.n2.nabble.com/Web-Filter-to-return-HTTP-status-code-td7577672.html
