SpringBoot + Shiro cross-origin: four main problems, plus other issues you may run into

This is the first problem you face when using Shiro across origins.
By default Shiro stores the SessionId in a cookie, but in a cross-origin setup it is not realistic to ask the front end to maintain a "cookie" of its own.
The approach: on login, return the SessionId to the front end as part of the result and let the front end store it; for every request that needs authentication, the front end then adds that SessionId to the request header (for example as a custom header named token whose value is the SessionId).

On the back end, change Shiro's default way of obtaining the authentication information so that it reads the custom token header (i.e. the SessionId) from the request and hands it to Shiro for authentication.
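The login endpoint that the flow above relies on is not shown in the post. The following is an added example, not code from the post or from the project it describes: a Spring REST controller that authenticates through Shiro and returns the session id in the JSON result, which the front end then sends back in the token header. The class name LoginController, the request body class, and the response fields code/msg/token are assumptions chosen for this example.

```java
package com.ysty.server.controller; // assumed package, chosen for this example

import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LoginController {

    /** Request body for POST /login; constructed for this example. */
    public static class LoginRequest {
        public String username;
        public String password;
    }

    /**
     * Authenticates with Shiro and hands the session id to the client as "token".
     * The client stores it and sends it on every later request as the header
     * "token: <value>", which the custom session manager reads instead of a cookie.
     */
    @PostMapping("/login")
    public Map<String, Object> login(@RequestBody LoginRequest body) {
        Map<String, Object> result = new HashMap<>();
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(body.username, body.password));
        } catch (AuthenticationException e) {
            // One generic message for every failure mode, so the client cannot tell
            // an unknown user from a wrong password.
            result.put("code", 401);
            result.put("msg", "login failed");
            return result;
        }
        // Shiro created (or renewed) the session during login; its id is the credential
        // the front end must present in the "token" header from now on.
        result.put("code", 200);
        result.put("token", subject.getSession().getId().toString());
        return result;
    }
}
```

Because the login request itself carries no token yet, the /login path must be mapped to the anon filter in the Shiro filter chain; every other path goes through the authc filter that reads the header.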

Carrying out this idea mainly runs into the following problems:
1. How to change the way Shiro obtains the SessionId by default
2. The cross-origin configuration filters out the custom token header and an error is raised; how to configure CORS so that the custom token header is not blocked
3. Cross-origin: let all OPTIONS (preflight) requests through
4. Disable Shiro's automatic redirects and report the outcome of a user's action only as JSON data

Solutions
1. How to change the way Shiro obtains the SessionId by default
First, disable the session cookie in the Shiro configuration.

    @Bean(name = "sessionManager")
    public ShiroSessionManager sessionManager(@Qualifier("sessionDAO") RedisSessionDao sessionDAO,
                                              @Qualifier("sessionIdCookie") SimpleCookie sessionIdCookie) {
        // sessionIdCookie is still injected but no longer used once the cookie is disabled below
        ShiroSessionManager manager = new ShiroSessionManager();
        manager.setGlobalSessionTimeout(GloableField.REDIS_TIME_OUT);
        manager.setDeleteInvalidSessions(true);
        manager.setSessionValidationSchedulerEnabled(true);
        manager.setSessionDAO(sessionDAO);
        // Stop Shiro from reading and writing the session id cookie
        manager.setSessionIdCookieEnabled(false);
        // Do not append ;JSESSIONID=... to URLs either
        manager.setSessionIdUrlRewritingEnabled(false);
        return manager;
    }

Now we can look at how to replace the default logic that reads the sessionId from the cookie.

Shiro's DefaultWebSessionManager has a getSessionId(ServletRequest request, ServletResponse response) method. We can subclass it and override getSessionId(ServletRequest request, ServletResponse response) so that it takes the SessionId carried in the custom token header.

First, let's see what DefaultWebSessionManager.getSessionId() does.

protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
    // Simply delegates to its own getReferencedSessionId()
    return this.getReferencedSessionId(request, response);
}

private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
    // By default the sessionId is read from the cookie (this confirms that Shiro keeps the SessionId in a cookie)
    String id = this.getSessionIdCookieValue(request, response);
    if (id != null) {
        // The id read from the cookie is recorded on the request under the attribute
        // ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE with the value "cookie". This is what we need to change.
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "cookie");
    } else {
        // This branch runs when no id was found in the cookie; pay attention here
        id = this.getUriPathSegmentParamValue(request, "JSESSIONID");
        if (id == null) {
            String name = this.getSessionIdName();
            id = request.getParameter(name);
            if (id == null) {
                id = request.getParameter(name.toLowerCase());
            }
        }

        if (id != null) {
            // Step 1 once an id is found: set ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "url");
        }
    }

    if (id != null) {
        // Step 2 once an id is found: set the following two attributes on the request
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
    }

    request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, this.isSessionIdUrlRewritingEnabled());
    return id;
}

Based on the source, the rewrite looks like this:

import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;

@Slf4j
public class ShiroSessionManager extends DefaultWebSessionManager {

    /**
     * Name of the custom header in the client request: token (its value is the sessionId)
     */
    public final static String HEADER_TOKEN_NAME = "token";

    /**
     * Value stored under ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE. Any value works, but
     * as the source above shows we must not reuse "cookie" or "url"; "mystateless" (stateless) will not
     * collide with the framework's own values.
     */
    private static final String REFERENCED_SESSION_ID_SOURCE = "mystateless";

    /**
     * Override getSessionId: read the specified request header and use it as the user's sessionId credential
     */
    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        String id = WebUtils.toHttp(request).getHeader(HEADER_TOKEN_NAME);
        if (StringUtils.isEmpty(id)) {
            // No token header: fall back to the default lookup. In practice only the login endpoint and a few
            // endpoints that do not need a guest identity ever reach this branch, because there is no cookie any more.
            return super.getSessionId(request, response);
        } else {
            // The request carries a token: set the same three attributes the original source sets
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
            return id;
        }
    }
}

That solves the first problem.

2. The cross-origin configuration filters out the custom token header and an error is raised; how to configure CORS so that the custom token header is not blocked

Just allow the token header in the CORS configuration.

Here is the CorsFilter configuration:

package com.ysty.server.config;

import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class CorsFilter implements Filter {

    final static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CorsFilter.class);

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        logger.debug("CorsFilter");
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // CORS setting: every caller is let through, which has the same effect as "*"; but "*" does not work here
        // (the browser rejects it together with Allow-Credentials), so the Origin header is echoed instead.
        // Note that echoing any Origin means every site can make credentialed requests to this API;
        // in production compare the Origin against an allowlist of your own front-end origins.
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        // Must not be "*" either, otherwise the cross-origin request fails
        response.setHeader("Access-Control-Allow-Methods", "POST,PUT, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        // These three header fields need to be allowed here
        response.setHeader("Access-Control-Allow-Headers", "content-type,x-requested-with,token");

        try {
            chain.doFilter(request, response);
        } catch (Exception e) {
            // Do not swallow failures silently; at least record them
            logger.error("CorsFilter: downstream filter chain failed", e);
        }
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}

3. Cross-origin: let all OPTIONS requests through
A cross-origin request is preceded by a preflight request whose method is OPTIONS. Shiro would intercept that request, so all of them should be let through.

Subclass BasicHttpAuthenticationFilter and override the preHandle method; finally, register the filter in the filter chain in the Shiro configuration under the key authc (the filter chain is added to the ShiroFilterFactoryBean).

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;

// The post does not name this class; CorsAuthenticationFilter is a placeholder name.
public class CorsAuthenticationFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // Let OPTIONS through unconditionally
        if (httpRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            setHeader(httpRequest, httpResponse);
            return true;
        }
        return super.preHandle(request, response);
    }

    /**
     * Set the CORS headers on the response.
     */
    private void setHeader(HttpServletRequest request, HttpServletResponse response) {
        // CORS header settings (same values as in CorsFilter)
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST,PUT, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "content-type,x-requested-with,token");
        // Avoid garbled characters; suitable for JSON payloads
        response.setHeader("Content-Type", "application/json;charset=UTF-8");
        response.setStatus(HttpStatus.OK.value());
    }
}
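The registration step described above (adding the filter under the key authc to the ShiroFilterFactoryBean) is not shown in the post. Here is an added example of that configuration, not the post's or the project's own code. It assumes the BasicHttpAuthenticationFilter subclass is named CorsAuthenticationFilter, that a Shiro SecurityManager bean is already defined, and that the paths /login and /** stand in for the real route layout.

```java
package com.ysty.server.config; // same package as the post's CorsFilter, assumed

import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroFilterChainConfig {

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);

        // Registering the custom filter under "authc" replaces Shiro's default form-login filter,
        // so every chain entry mapped to "authc" now lets OPTIONS preflights through.
        Map<String, Filter> filters = new LinkedHashMap<>();
        filters.put("authc", new CorsAuthenticationFilter()); // placeholder class name, see lead-in
        factory.setFilters(filters);

        // Chain definitions are matched in insertion order and the first match wins, so the
        // anonymous login path must come before the catch-all. /login is anon because the client
        // has no token yet at that point; everything else requires the token header.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }
}
```

A LinkedHashMap is used deliberately: Shiro evaluates the chain definitions in order, and a HashMap could place /** ahead of /login and lock the login endpoint behind authentication.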

To be continued...
