xiao_chao

xiao_chao

关注
发信
关注(28)粉丝(399)

【转载+修改】shiro安全框架扩展教程--如何扩展异步(ajax)请求认证失败处理

转载地址: http://blog.csdn.net/shadowsick/article/details/39021265

更多shiro资料:
张开涛博客:http://jinnianshilongnian.iteye.com/blog/2025656

上一个章节我们学习了如何自定义自己的filter,这个只是为了这一章打基础;相信我们这一群shiro使用者比较关注异步请求认证失败会如何处理这个问题,确实我们现在的项目很大一部分请求都是异步的,所以这个问题是无可避免,我看了网上很多资料都是没有完整地给出扩展方案,下面我把自己的处理方案给展示下,如有不爽,请勿跨省,家无水表,不收快递...


直接进入主题,先看看我们之前的配置,自定义一个RoleAuthorizationFilter



点击(此处)折叠或打开

  1. <!-- 过滤链配置 -->
  2.     <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  3.         <property name="securityManager" ref="securityManager" />
  4.         <property name="loginUrl" value="/" />
  5.         <property name="successUrl" value="/cms/index.do" />
  6.         <property name="unauthorizedUrl" value="/" />
  7.         <property name="filters">
  8.             <map>
  9.                 <entry key="role">
  10.                     <bean
  11.                         class="com.silvery.security.shiro.filter.RoleAuthorizationFilter" />
  12.                 </entry>
  13.                 <entry key="authc">
  14.                     <bean
  15.                         class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" />
  16.                 </entry>
  17.             </map>
  18.         </property>
  19.     </bean>

  21.     <!-- 权限资源配置 -->
  22.     <bean id="filterChainDefinitionsService"
  23.         class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService">
  24.         <property name="definitions">
  25.             <value>
  26.                 /static/** = anon
  27.                 /admin/user/login.do = anon
  28.                 /test/** = role[admin]
  29.                 /abc/** = authc
  30.             </value>
  31.         </property>
  32.     </bean>


点击(此处)折叠或打开

  1. public class RoleAuthorizationFilter extends AuthorizationFilter {

  3.     public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
  4.             throws IOException {

  6.         Subject subject = getSubject(request, response);
  7.         String[] rolesArray = (String[]) mappedValue;

  9.         if (rolesArray == null || rolesArray.length == 0) {
  10.             // no roles specified, so nothing to check - allow access.
  11.             return true;
  12.         }

  14.         Set<String> roles = CollectionUtils.asSet(rolesArray);
  15.         for (String role : roles) {
  16.             if (subject.hasRole(role)) {
  17.                 return true;
  18.             }
  19.         }
  20.         return false;
  21.     }

  23. }



我们先看看这个源码,发现是继承了AuthorizationFilter类,然后只写了isAccessAllowed方法,然后我们就想isAccessAllowed是判断是否拥有权限,那肯定会有一个方法是认证失败回调的方法,这是框架一贯的做法,来验证下我们的想当然是不是正确的,我们打开AuthorizationFilter类的源码看看



点击(此处)折叠或打开

  1. public abstract class AuthorizationFilter extends AccessControlFilter
  2. {

  4.     public AuthorizationFilter()
  5.     {
  6.     }

  8.     public String getUnauthorizedUrl()
  9.     {
  10.         return unauthorizedUrl;
  11.     }

  13.     public void setUnauthorizedUrl(String unauthorizedUrl)
  14.     {
  15.         this.unauthorizedUrl = unauthorizedUrl;
  16.     }

  18.     protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
  19.         throws IOException
  20.     {
  21.         Subject subject = getSubject(request, response);
  22.         if(subject.getPrincipal() == null)
  23.         {
  24.             saveRequestAndRedirectToLogin(request, response);
  25.         } else
  26.         {
  27.             String unauthorizedUrl = getUnauthorizedUrl();
  28.             if(StringUtils.hasText(unauthorizedUrl))
  29.                 WebUtils.issueRedirect(request, response, unauthorizedUrl);
  30.             else
  31.                 WebUtils.toHttp(response).sendError(401);
  32.         }
  33.         return false;
  34.     }

  36.     private String unauthorizedUrl;
  37. }


看到源码的时候我就很开心地贱笑了,果然是我想的那样,我们很明显地看到一个方法onAccessDenied,认证失败处理,逻辑就是如果登录实体为null就保存请求和跳转登录页面,否则就跳转无权限配置页面



我们开始动手改造这个方法,把这个方法也在我们自己的RoleAuthorizationFilter里写下
【声明】:以下方法由于原作者的一些处理方法未提供,故改之,效果是一样的

  1. package com.aviva.agent.support.shiro;

  3. import java.io.IOException;
  4. import java.io.PrintWriter;
  5. import java.util.Set;

  7. import javax.servlet.ServletRequest;
  8. import javax.servlet.ServletResponse;
  9. import javax.servlet.http.HttpServletRequest;
  10. import javax.servlet.http.HttpServletResponse;

  12. import org.apache.shiro.subject.Subject;
  13. import org.apache.shiro.util.CollectionUtils;
  14. import org.apache.shiro.web.filter.authz.AuthorizationFilter;
  15. import org.apache.shiro.web.util.WebUtils;
  16. import org.slf4j.Logger;
  17. import org.slf4j.LoggerFactory;
  18. import org.springframework.util.StringUtils;
  19. /**
  20.  *
  21.  * 1.自定义角色鉴权过滤器(满足其中一个角色则认证通过) 2.扩展异步请求认证提示功能;
  22.  *
  23.  */
  24. public class RoleAuthorizationFilter extends AuthorizationFilter {

  26.     private static final Logger logger = LoggerFactory.getLogger(RoleAuthorizationFilter.class);
  27.     
  28.     @Override
  29.      protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {

  31. //     HttpServletRequest httpRequest = (HttpServletRequest) request;
  32. //     HttpServletResponse httpResponse = (HttpServletResponse) response;

  34.      Subject subject = getSubject(request, response);

  36.      if (subject.getPrincipal() == null) {
  37.      if (isAjax(request)) {//异步请求是会出现无访问权限但是会返回给ajax一个重定向的html,导致无法重定向,且走了ajax的error行方法

  39.          logger.info("RoleAuthorizationFilter-onAccessDenied,登录超时,ajax请求");
  40.          
  41.          saveRequest(request);
  42.          WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);//错误码401:访问受限

  44.      } else {
  45.          logger.info("RoleAuthorizationFilter-onAccessDenied,登录超时,非ajax请求");
  46.      saveRequestAndRedirectToLogin(request, response);
  47.      }
  48.      } else {
  49.           // If subject is known but not authorized, redirect to the unauthorized URL if there is one
  50.      // If no unauthorized URL is specified, just return an unauthorized HTTP status code
  51.      String unauthorizedUrl = getUnauthorizedUrl();
  52.      //SHIRO-142 - ensure that redirect _or_ error code occurs - both cannot happen due to response commit:
  53.      if (StringUtils.hasText(unauthorizedUrl)) {
  54.      WebUtils.issueRedirect(request, response, unauthorizedUrl);
  55.      } else {
  56.      WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
  57.      }
  58.      }
  59.      return false;
  60.      }
  61.     
  62.     @Override
  63.     public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
  64.             throws IOException {

  66.         Subject subject = getSubject(request, response);
  67.         String[] rolesArray = (String[]) mappedValue;

  69.         if (rolesArray == null || rolesArray.length == 0) {
  70.             // no roles specified, so nothing to check - allow access.
  71.             return true;
  72.         }

  74.         Set<String> roles = CollectionUtils.asSet(rolesArray);
  75.         for (String role : roles) {
  76.             if (subject.hasRole(role)) {
  77.                 return true;
  78.             }
  79.         }
  80.         return false;
  81.     }
  82.     public boolean isAjax(ServletRequest request) {
  83.         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
  84.         return "XMLHttpRequest".equalsIgnoreCase(httpServletRequest
  85.                 .getHeader("X-Requested-With"));
  86.     }
  87. }


其实改造也很简单,只是再加一层ajax的判断,至于如何判断ajax就是自己个人的方式,有的项目喜欢加一个标识参数,有的人喜欢直接用header里面的X-Requested-With参数,这个看自己的需求咯,我个人喜欢是ajax请求认证失败是返回一串标准的json格式字符串,页面兼容处理也方便

下面我们测试下如何效果,先写一个html,配置/test/ajax是不够权限请求的
【声明】:以下方法与原作者的不太一致,但是效果是一样的

点击(此处)折叠或打开

  1. <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
  2. <%
  3. String path = request.getContextPath();
  4. String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
  5. %>
  6. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  7. <html xmlns="http://www.w3.org/1999/xhtml">
  8.     <head>
  9.         <base href="">
  10.         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
  11.         <title>test ajax request</title>
  12.     <script type="text/javascript" src="/static/js/jquery-1.9.1.min.js"></script>
  13.     <script>
  14.         function test(){
  15.              
  16.             $.ajax({
  17.                  url: "${ctx}/test/ajax",
  18.                  data:{policyNo:$("#policyNo").text()},
  19.                  cache: false,
  20.                  complete:function(){
  21.                      alert("complete");
  22.                  },                
  23.                  dataType:"json",
  24.                  success:function (data){
  25.                      alert("success");
  26.                  },
  27.                  error:function(XMLHttpRequest,textStatus){
  28.                         
  29.                          if(XMLHttpRequest.status==401){//访问被拒绝。
  30.                              window.location.href = '${ctx}/login';
  31.                          } else {
  32.                               alert('系统正在维护中,请稍后再试');                
  33.                           }
  34.                  }
  35.             });
  36.         }
  37.     </script>
  38.     </head>
  39. <body>
  40.     <input type="button" value="click" onclick="test();" />
  41. </body>
  42. </html>

设置好超时时间等超时了点击输入框,自动跳转到登录页面(这里主要说ajax异步跳转)。

最后总结下扩展方案,其实shiro的所有filter都是有统一的接口方法,你们可以看看这真实过滤器都是继承了相同的父级filter,所以其他的filter也可以通过继承写onAccessDenied方法提供我们的异步请求分支处理。


08-29 19:11
Powered by LMLPHP ©2025 xiao_chao 0.071173