Shiro URL filter not working

【Title】Shiro URL filter not working 【Posted】2012-08-28 04:24:37 【Question】:

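I created a simple JSF login page and am using Apache Shiro to provide the authentication and authorization mechanism, but the URL filter specified in shiro.ini does not seem to work.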

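In the WebContent root directory I have two files named "test.xhtml" and "login.xhtml", which anyone can access without logging in. I also have a subdirectory named "protected" containing a file named "success.xhtml", which should only be accessible after the user has logged in.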

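When the [urls] section of the shiro.ini file contains /protected/** = myFilter, users can access the protected/success.xhtml page without logging in. When the [urls] section of the shiro.ini file contains @ 987654322@ JSF does not render the xhtml page and instead prompts the user to download the xhtml file.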

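Can anyone suggest how I should configure Shiro to allow anyone to access the pages in the WebContent root directory, but allow only logged-in users to access the pages in the protected subdirectory?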

I am using Apache MyFaces 2.1.5 and Shiro 1.2.1.

The complete contents of the shiro.ini file are as follows:

[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /login.xhtml
myFilter.successUrl = /protected/success.xhtml

[users]
user01 = user01, Users
user02 = user02, Users

[roles]
Users = *

[urls]
/protected/** = myFilter

The contents of the web.xml file are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <display-name>FooBarWeb</display-name>
    <context-param>
        <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
        <param-value>resources.application</param-value>
    </context-param>
    <context-param>
        <description>
        State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>
    <context-param>
        <description>

    This parameter tells MyFaces if javascript code should be allowed in
    the rendered HTML output.
    If javascript is allowed, command_link anchors will have javascript code
    that submits the corresponding form.
    If javascript is not allowed, the state saving info and nested parameters
    will be added as url parameters.
    Default is 'true'</description>
        <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <description>

    If true, rendered HTML code will be formatted, so that it is 'human-readable'
    i.e. additional line separators and whitespace will be written, that do not
    influence the HTML code.
    Default is 'true'</description>
        <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
        <param-value>false</param-value>
    </context-param>
    <context-param>
        <description>

    If true, a javascript function will be rendered that is able to restore the
    former vertical scroll on every request. Convenient feature if you have pages
    with long lists and you do not want the browser page to always jump to the top
    if you trigger a link or button action that stays on the same page.
    Default is 'false'
</description>
        <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
        <param-value>true</param-value>
    </context-param>

    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher> 
        <dispatcher>FORWARD</dispatcher> 
        <dispatcher>INCLUDE</dispatcher> 
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <listener>
        <listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
        <enabled>true</enabled>
        <async-supported>false</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
</web-app>

【Comments on the question】:

【Answer 1】:

After further investigation, it seems the URLs need to be prefixed with "/faces". The shiro.ini file should look like this...

[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /faces/login.xhtml
myFilter.successUrl = /faces/protected/success.xhtml

[users]
user01 = user01, Users
user02 = user02, Users

[roles]
Users = *

[urls]
/faces/protected/** = myFilter

By adding /faces to the URLs, Shiro now prevents unauthenticated users from accessing the pages in the protected subdirectory.

【Comments】:

Is "/faces" specific to your application? What does it refer to?
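
On the prefix discussed above: /faces comes from the url-pattern /faces/* that web.xml assigns to the Faces Servlet, and Shiro matches [urls] patterns against the request path after the context path, so a rule written without that prefix never applies to the rendered page. The following is an added example (not from the original post or the Shiro project) that checks both shiro.ini variants from this page; the matcher is a simplified stand-in for Ant-style matching and all function names are hypothetical.

```python
import re

# Constructed inputs mirroring the page: the [urls] line from the question,
# the one from the answer, and the FacesServlet mapping /faces/* from web.xml.
URLS_QUESTION = "/protected/** = myFilter"
URLS_ANSWER = "/faces/protected/** = myFilter"
FACES_PREFIX = "/faces"

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption: only '?', '*' and a
    trailing '/**' are handled; this is not Shiro's AntPathMatcher)."""
    body, tail = pattern, ""
    if pattern.endswith("/**"):
        body, tail = pattern[:-3], "(/.*)?"   # zero or more trailing segments
    parts = []
    for ch in body:
        if ch == "*":
            parts.append("[^/]*")             # stays inside one path segment
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + tail + "$")

def parse_urls(section):
    """Return [(pattern, chain)] in file order."""
    rules = []
    for line in section.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def chain_for(section, request_path):
    """First matching rule wins; None means no Shiro filter guards the path."""
    for pattern, chain in parse_urls(section):
        if ant_to_regex(pattern).match(request_path):
            return chain
    return None

def unguarded(section, servlet_prefix, protected_pages):
    """Protected pages whose servlet-mapped URL no [urls] rule covers."""
    urls = [servlet_prefix + page for page in protected_pages]
    return [u for u in urls if chain_for(section, u) is None]

if __name__ == "__main__":
    pages = ["/protected/success.xhtml"]
    print("question:", unguarded(URLS_QUESTION, FACES_PREFIX, pages))
    print("answer:  ", unguarded(URLS_ANSWER, FACES_PREFIX, pages))
```

Running the same check against every servlet mapping in web.xml before deployment catches a rule that silently protects nothing.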
