Shiro:ajax的session超时处理

Posted 小溪(潺潺流水,润泽千里)

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Shiro:ajax的session超时处理相关的知识,希望对你有一定的参考价值。

本问题解决方案参照网站多篇文章融合解决,在此表示感谢!

环境:springboot+shiro+jquery-easyui

问题:在ajax请求时,如果此时session已经失效,系统没有自动跳转到登录页面。后来在服务端加了判断ajax请求的代码,结果还是没有用,无法取到ajax特定的head值(X-Requested-With)。发现jquery-easyui表单提交时没有就没有传递这个值。

解决办法:

1.添加拦截器

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SessionFilter extends FormAuthenticationFilter {

  private Logger logger = LoggerFactory.getLogger(SessionFilter.class);
  private final static String X_REQUESTED_WITH_STRING = "X-Requested-With";
  private final static String XML_HTTP_REQUEST_STRING = "XMLHttpRequest";
  private final static String SESSION_OUT_STIRNG = "sessionOut";

  @Override
  protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
    if (this.isLoginRequest(servletRequest, servletResponse)) {
      if (this.isLoginSubmission(servletRequest, servletResponse)) {
        return this.executeLogin(servletRequest, servletResponse);
      } else {
        return true;
      }
    } else {
      if (isAjax((HttpServletRequest) servletRequest)) {
        servletResponse.getWriter().print(SESSION_OUT_STIRNG);
      } else {
        this.saveRequestAndRedirectToLogin(servletRequest, servletResponse);
      }
      return false;
    }
  }

  public boolean isAjax(HttpServletRequest httpServletRequest) {
    String header = httpServletRequest.getHeader(X_REQUESTED_WITH_STRING);
    if (XML_HTTP_REQUEST_STRING.equalsIgnoreCase(header)) {
      logger.debug("当前请求为Ajax请求:{}", httpServletRequest.getRequestURI());
      return Boolean.TRUE;
    }
    logger.debug("当前请求非Ajax请求:{}", httpServletRequest.getRequestURI());
    return Boolean.FALSE;
  }

}

2.覆盖默认shiro拦截器

@Bean
  public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
    // 必须设置 SecurityManager
    shiroFilterFactoryBean.setSecurityManager(securityManager);
    // 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
    shiroFilterFactoryBean.setLoginUrl("/login");
    // 登录成功后要跳转的链接
    shiroFilterFactoryBean.setSuccessUrl("/index");
    // 未授权界面;
    shiroFilterFactoryBean.setUnauthorizedUrl("/403");
    // 自定义拦截器
    Map<String, Filter> filtersMap = new LinkedHashMap<String, Filter>();
    // 限制同一帐号同时在线的个数。
    filtersMap.put("kickout", filterKickoutSessionControl());
    shiroFilterFactoryBean.setFilters(filtersMap);
    // 权限控制map.
    Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
    filterChainDefinitionMap.put("/servlet/authimage", "anon");
    filterChainDefinitionMap.put("/**", "authc");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    Map<String, Filter> filters=new LinkedHashMap<>();
    filters.put("authc", new SessionFilter());
    shiroFilterFactoryBean.setFilters(filters);
    return shiroFilterFactoryBean;
  }

这个是重点,覆盖shiro默认的拦截器:

Map<String, Filter> filters=new LinkedHashMap<>();
    filters.put("authc", new SessionFilter());
    shiroFilterFactoryBean.setFilters(filters);

3.改造前端

一开始采用了修改form提交的参数,把iframe=false就可以提交X-Requested-With,但是这样的异步请求实在太多,不仅仅在form提交,还有combo,tree等等。所以最后用了网上说的方法,改造$.ajax达到统一处理。

//首先备份下jquery的ajax方法  
var _ajax = $.ajax;
// 重写jquery的ajax方法
$.ajax = function(opt) {
    // 备份opt中error和success方法
    var fn = {
        error : function(XMLHttpRequest, textStatus, errorThrown) {
        },
        success : function(data, textStatus) {
        }
    }
    if (opt.error) {
        fn.error = opt.error;
    }
    if (opt.success) {
        fn.success = opt.success;
    }

    // 扩展增强处理
    var _opt = $.extend(opt, {
        error : function(XMLHttpRequest, textStatus, errorThrown) {
            debugger;
            erro = eval("(" + XMLHttpRequest.responseText + ")");
            // 错误方法增强处理
            fn.error(XMLHttpRequest, textStatus, errorThrown);
        },
        success : function(data, textStatus) {
            if (data != \'sessionOut\') {
                fn.success(data, textStatus)
                return false;
            } else {
                top.location.href = appPath + "/";
            }
        }
    });
    return _ajax(_opt);
};

这个地方要根据个人情况修改一下:

image

以上是关于Shiro:ajax的session超时处理的主要内容,如果未能解决你的问题,请参考以下文章

Shiro 设置session超时时间

shiro session超时

Shiro + SSM(框架) + Freemarker(jsp)

MVC 3 / Jquery AJAX / Session Expires / C# - 在 ajax 调用期间处理会话超时

shiro session过期后ajax请求跳转(转)

shiro的session失效后重新登录,怎么回到首页