shiro教程 | http://jinnianshilongnian.iteye.com/blog/2018398 |
验证码kaptcha | http://aperise.iteye.com/blog/2276496 |
FormAuthenticationFilter 的successUrl不跳转问题 |
http://aperise.iteye.com/blog/2276496 |
1.shiro教程
shiro教程参见这篇博客,讲解的太细了,也讲的非常到位,望尘莫及,膜拜膜拜!
《跟我学Shiro》教程 http://jinnianshilongnian.iteye.com/blog/2018398
2.shiro中增加验证码kaptcha
2.1 增加对于kaptcha的maven依赖
<!-- kaptcha验证码 --> <dependency> <version>0.0.9</version> <groupId>com.github.axet</groupId> <artifactId>kaptcha</artifactId> </dependency>
2.2 web.xml中增加kaptcha servlet拦截
<!-- kaptcha验证码 --> <servlet> <servlet-name>kaptcha</servlet-name> <servlet-class>com.google.code.kaptcha.servlet.KaptchaServlet</servlet-class> <init-param> <param-name>kaptcha.noise.impl</param-name> <param-value>com.google.code.kaptcha.impl.NoNoise</param-value> </init-param> <!-- 验证码图片是否有边框 --> <init-param> <param-name>kaptcha.border</param-name> <param-value>yes</param-value> </init-param> <!-- 验证码图片宽度 --> <init-param> <param-name>kaptcha.image.width</param-name> <param-value>100</param-value> </init-param> <!-- 验证码图片高度 --> <init-param> <param-name>kaptcha.image.height</param-name> <param-value>50</param-value> </init-param> <!-- 图片上验证码位数 --> <init-param> <param-name>kaptcha.textproducer.char.length</param-name> <param-value>4</param-value> </init-param> </servlet> <!-- 拦截request路径为/kaptcha.jpg的请求,然后调用kaptcha产生验证码 --> <servlet-mapping> <servlet-name>kaptcha</servlet-name> <url-pattern>/kaptcha.jpg</url-pattern> </servlet-mapping>
2.3 login.jsp页面增加验证码功能
<script type="text/javascript"> var captcha; function refreshCaptcha(){ document.getElementById("img_kaptcha").src="${contextPath}/kaptcha.jpg?t=" + Math.random(); } </script> <li> <label for="username">用户名:</label> <input type="text" name="username" class="login_input" id="username" /> </li> <li> <label for="password">密码:</label> <input type="password" name="password" class="login_input" id="password" autocomplete="off" /> </li> <li> <label for="kaptcha">验证码:</label> <input type="text" name="kaptcha" class="login_input_kaptcha" id="kaptcha" autocomplete="off" /> <img class="login_input_kaptcha_img" alt="验证码" src="${contextPath}/kaptcha.jpg" title="点击更换" id="img_kaptcha" onclick="javascript:refreshCaptcha();" /> </li>
2.4 shiro配置里实现一个自己的AccessControlFilter类KaptchaFilter
public class KaptchaFilter extends AccessControlFilter { private String kaptchaParam = "kaptcha";// 前台提交的验证码参数名 public String getKaptchaParam() { return kaptchaParam; } public void setKaptchaParam(String kaptchaParam) { this.kaptchaParam = kaptchaParam; } @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { HttpServletRequest httpServletRequest = WebUtils.toHttp(request); // 验证验证码是否正确 if (null == request.getParameter(kaptchaParam)) { return true; } else { String kaptchaFromWeb = (String) request.getParameter(kaptchaParam); String kaptchaFromSession = (String) httpServletRequest.getSession().getAttribute(Constants.KAPTCHA_SESSION_KEY); return kaptchaFromSession.toUpperCase().equals(kaptchaFromWeb.toUpperCase()); } } @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { // 如果验证码失败了,存储失败key属性 request.setAttribute(FormAuthenticationFilter.DEFAULT_ERROR_KEY_ATTRIBUTE_NAME, "Kaptcha.error"); return true; } }
2.5 重写自己的FormAuthenticationFilter为KaptchaFormAuthenticationFilter
public class KaptchaFormAuthenticationFilter extends FormAuthenticationFilter { protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { if (request.getAttribute(getFailureKeyAttribute()) != null) { return true; } return super.onAccessDenied(request, response, mappedValue); } @Override protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,ServletResponse response) throws Exception { WebUtils.issueRedirect(request, response, getSuccessUrl()); return false; } }
2.6 shiro配置里修改如下
<!-- 基于Form表单的身份验证过滤器 --> <bean id="formAuthenticationFilter" class="com.xxx.shrio.filter.KaptchaFormAuthenticationFilter"> <property name="usernameParam" value="username" /> <property name="passwordParam" value="password" /> <property name="rememberMeParam" value="rememberMe" /> <property name="loginUrl" value="/login" /> <property name="successUrl" value="/index"/> </bean> <bean id="kaptchaFilter" class="com.xxx.shrio.filter.KaptchaFilter"> <property name="kaptchaParam" value="kaptcha" /> </bean> <!-- Shiro的Web过滤器 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login"/> <property name="successUrl" value="/index"/> <property name="unauthorizedUrl" value="/redirect"/> <property name="filters"> <util:map> <entry key="authc" value-ref="formAuthenticationFilter" /> <entry key="sysUser" value-ref="sysUserFilter" /> <entry key="kaptcha" value-ref="kaptchaFilter" /> </util:map> </property> <property name="filterChainDefinitions"> <value> /login = kaptcha,authc /unauthorized.jsp = authc /redirect = anon /css/** = anon /js/** = anon /img/** = anon /kaptcha.jpg = anon /** = user,sysUser </value> </property> </bean>
2.7 最后验证码添加后效果
3.shiro的FormAuthenticationFilter的successUrl不跳转问题
3.1 首先查看shiro源代码WebUtils类里方法
/** * Redirects the to the request url from a previously * {@link #saveRequest(javax.servlet.ServletRequest) saved} request, or if there is no saved request, redirects the * end user to the specified {@code fallbackUrl}. If there is no saved request or fallback url, this method * throws an {@link IllegalStateException}. * <p/> * This method is primarily used to support a common login scenario - if an unauthenticated user accesses a * page that requires authentication, it is expected that request is * {@link #saveRequest(javax.servlet.ServletRequest) saved} first and then redirected to the login page. Then, * after a successful login, this method can be called to redirect them back to their originally requested URL, a * nice usability feature. * * @param request the incoming request * @param response the outgoing response * @param fallbackUrl the fallback url to redirect to if there is no saved request available. * @throws IllegalStateException if there is no saved request and the {@code fallbackUrl} is {@code null}. * @throws IOException if there is an error redirecting * @since 1.0 */ public static void redirectToSavedRequest(ServletRequest request, ServletResponse response, String fallbackUrl) throws IOException { String successUrl = null; boolean contextRelative = true; SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(request); if (savedRequest != null && savedRequest.getMethod().equalsIgnoreCase(AccessControlFilter.GET_METHOD)) { successUrl = savedRequest.getRequestUrl(); contextRelative = false; } if (successUrl == null) { successUrl = fallbackUrl; } if (successUrl == null) { throw new IllegalStateException("Success URL not available via saved request or via the " + "successUrlFallback method parameter. One of these must be non-null for " + "issueSuccessRedirect() to work."); } WebUtils.issueRedirect(request, response, successUrl, null, contextRelative); }首先通过SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(request);
从session中获取到第一次请求时的地址,然后通过successUrl = savedRequest.getRequestUrl();
将FormAuthenticationFilter配置的successUrl值覆盖掉,所以shiro默认跳转到了首次请求的url了。
3.2 shiro的FormAuthenticationFilter的successUrl不跳转问题解决
重写自己的FormAuthenticationFilter类KaptchaFormAuthenticationFilter,主要是覆盖里面的方法onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,ServletResponse response),代码如下:
public class KaptchaFormAuthenticationFilter extends FormAuthenticationFilter { protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { if (request.getAttribute(getFailureKeyAttribute()) != null) { return true; } return super.onAccessDenied(request, response, mappedValue); } @Override protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,ServletResponse response) throws Exception { WebUtils.issueRedirect(request, response, getSuccessUrl()); return false; } }然后覆盖shiro配置:
<!-- 基于Form表单的身份验证过滤器 --> <bean id="formAuthenticationFilter" class="com.xxx.shrio.filter.KaptchaFormAuthenticationFilter"> <property name="usernameParam" value="username" /> <property name="passwordParam" value="password" /> <property name="rememberMeParam" value="rememberMe" /> <property name="loginUrl" value="/login" /> <property name="successUrl" value="/index"/> </bean>这样, shiro登录成功后只会跳转到FormAuthenticationFilter配置的successUrl这个地址。 4.shiro集成spring 4.x和quartz 2.x报错java.lang.InstantiationError: org.quartz.SimpleTrigger shiro集成spring 4.x和quartz 2.x报错java.lang.InstantiationError: org.quartz.SimpleTrigger,主要原因是shiro的org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler是对quartz1.x的实现,但是quartz2.x已经变动很大,导致整合quartz2.x时候,shiro原来对于shiro的实现不可用 ,解决办法如下: 4.1 自己实现quartz2.x的 org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler shiro对于quartz1.x的实现如下: 现在自己更改这个实现如下: 4.2 更改配置为自己的实现