Shiro:未登錄時請求跳轉問題

問題：前后端分離項目，在用Shiro做權限控制時，未登錄狀態發送的請求都會重定向，導致前端無法捕捉重定向后的消息。如何不重定向在原來的請求返回信息提示未登錄，前端根據信息調到登錄頁？

首先，看一下Shiro是在哪里做的重定向。下面是Shiro的部分源碼

package org.apache.shiro.web.filter.authc;

public class FormAuthenticationFilter extends AuthenticatingFilter {
       protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (isLoginRequest(request, response)) {
            if (isLoginSubmission(request, response)) {
                if (log.isTraceEnabled()) {
                    log.trace("Login submission detected.  Attempting to execute login.");
                }
                return executeLogin(request, response);
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Login page view.");
                }
                //allow them to see the login page ;)
                return true;
            }
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Attempting to access a path which requires authentication.  Forwarding to the " +
                        "Authentication url [" + getLoginUrl() + "]");
            }
            // 這里做的重定向    
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }
    }
    
}            

發現是FormAuthenticationFilter.onAccessDenied()中做的重定向。接下來就就可以着手解決問題了。

解決：

1. 繼承FormAuthenticationFilter，重寫onAccessDenied方法

/**
 * 繼承FormAuthenticationFilter，重寫onAccessDenied方法
 */
public class ShiroFormAuthenticationFilter extends FormAuthenticationFilter {
    private static final Logger log = LoggerFactory.getLogger(ShiroFormAuthenticationFilter.class);

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (this.isLoginRequest(request, response)) {
            if (this.isLoginSubmission(request, response)) {
                if (log.isTraceEnabled()) {
                    log.trace("Login submission detected.  Attempting to execute login.");
                }

                return this.executeLogin(request, response);
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Login page view.");
                }

                return true;
            }
        } else {
            HttpServletRequest req = (HttpServletRequest)request;
            HttpServletResponse resp = (HttpServletResponse)response;
            if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {
                resp.setStatus(HttpStatus.OK.value());
                return true;
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Attempting to access a path which requires authentication.  Forwarding to the Authentication url [{}]" ,this.getLoginUrl());
                }
                /**
                 * 在這里實現自己想返回的信息，其他地方和源碼一樣就可以了
                 */
                resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));
                resp.setHeader("Access-Control-Allow-Credentials", "true");
                resp.setContentType("application/json; charset=utf-8");
                resp.setCharacterEncoding("UTF-8");
                DataResponse<?> result = DataResponse.failed(ExceptionCode.NO_AUTH);
                PrintWriter out = resp.getWriter();
                out.println(JsonUtils.objectToJson(result));
                out.flush();
                out.close();
                return false;
            }
        }
    }

}

2. 在config中配置filter

@Configuration
public class ShiroConfig {

    private static final Logger log = LoggerFactory.getLogger(ShiroConfig.class);
    private static Map<String, String> filterChainDefinitionMap = new LinkedHashMap();

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactory = new ShiroFilterFactoryBean();
        shiroFilterFactory.setSecurityManager(securityManager);

        filterChainDefinitionMap.put("/sys/login","anon");
        filterChainDefinitionMap.put("/captcha.jpg", "anon");
        filterChainDefinitionMap.put("/favicon.ico", "anon");
        filterChainDefinitionMap.put("/logout","anon");
        filterChainDefinitionMap.put("/index","anon");
        filterChainDefinitionMap.put("/css/**","anon");
        filterChainDefinitionMap.put("/js/**","anon");
        filterChainDefinitionMap.put("/img/**","anon");
        filterChainDefinitionMap.put("/fonts/**","anon");
        filterChainDefinitionMap.put("/chosen/**","anon");
        filterChainDefinitionMap.put("/static/**","anon");
        filterChainDefinitionMap.put("/swagger-ui.html","anon");
        filterChainDefinitionMap.put("/swagger-ui.html/**","anon");
        filterChainDefinitionMap.put("/webjars/**","anon");
        filterChainDefinitionMap.put("/layout/**","anon");
        filterChainDefinitionMap.put("/swagger-resources/**","anon");
        filterChainDefinitionMap.put("/v2/**","anon");
        filterChainDefinitionMap.put("/**","authc");
        LinkedHashMap<String, Filter> filtsMap = new LinkedHashMap<>();
        // 這里使用自定義的filter
        filtsMap.put("authc", new ShiroFormAuthenticationFilter());
        shiroFilterFactory.setFilters(filtsMap);
        shiroFilterFactory.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactory;
    }
}

OK，問題解決。

附注：

servlet的兩種跳轉方式：forward轉發、redirect重定向

兩者的區別：

1.地址欄

1）forward是服務器內部的跳轉，服務器直接訪問目標地址，客戶端不知情，因此瀏覽器的網址不發生變化

2）redirect是服務器根據邏輯，發送一個狀態碼，告訴瀏覽器重新去請求另一個地址，所以地址欄顯示新的地址

2.數據共享

forward在整個跳轉過程中用的是同一個request，forward會將request的信息帶到被跳轉的jsp或者是servlet中使用，所以數據是共享的。而redirect是新的request，所以數據不共享。

3.運用

1） forward一般用於用戶登錄的時候，根據角色轉發到相應的模塊

2） redirect一般用於用戶注銷登錄時返回主頁或者跳轉到其他網站

4.效率

forward效率高，redirect效率低

5.本質

forward轉發時服務器上的行為，而redirect重定向是客戶端的行為

6.請求次數

forward 一次，redirect兩次