报错:response for preflight is invalid (redirect)
1.302原因:使用ajax访问后端项目时无法识别重定向操作
2.shiro拦截失效原因:跨域访问时有一种带预检访问的跨域,即访问时先发出一条methods为options的的访问,这种访问不带cookie等信息。造成shiro误判断为无权限访问。
3.一般使用的访问methods都是:get,post,put,delete
解决方案1.让shiro不对预检访问拦截
2. 改变shiro中无权限,未登录拦截的重定向,这就需要重写几个过滤器
3. 将重写的过滤器进行配置
实现代码1.重写shiro 登录 过滤器过滤器运行机制:
(1)shiro是否拦截访问 以 isaccessallowed返回值为准
(2)如果isaccessallowed 方法返回false会进入onaccessdenied方法重定向至 登录 or 无权限 页面
package com.yaoxx.base.shiro;import java.io.printwriter;import javax.servlet.servletrequest;import javax.servlet.servletresponse;import javax.servlet.http.httpservletrequest;import javax.servlet.http.httpservletresponse;import org.apache.commons.lang3.stringutils;import org.apache.shiro.web.filter.authc.formauthenticationfilter;import org.apache.shiro.web.util.webutils;import org.springframework.http.httpstatus;/*** * @version: 1.0* @since: jdk 1.8.0_91* @description:* 未登录过滤器,重写方法为【跨域的预检访问】放行*/public class myauthenticationfilter extends formauthenticationfilter { @override protected boolean isaccessallowed(servletrequest request, servletresponse response, object mappedvalue) { boolean allowed = super.isaccessallowed(request, response, mappedvalue); if (!allowed) { // 判断请求是否是options请求 string method = webutils.tohttp(request).getmethod(); if (stringutils.equalsignorecase("options", method)) { return true; } } return allowed; } @override protected boolean onaccessdenied(servletrequest request, servletresponse response) throws exception { if (isloginrequest(request, response)) { // 判断是否登录 if (isloginsubmission(request, response)) { // 判断是否为post访问 return executelogin(request, response); } else { // sessionid已经注册,但是并没有使用post方式提交 return true; } } else { httpservletrequest req = (httpservletrequest) request; httpservletresponse resp = (httpservletresponse) response; /* * 跨域访问有时会先发起一条不带token,不带cookie的访问。 * 这就需要我们抓取这条访问,然后给他通过,否则只要是跨域的访问都会因为未登录或缺少权限而被拦截 * (如果重写了isaccessallowed,就无需下面的判断) */// if (req.getmethod().equals(requestmethod.options.name())) {// resp.setstatus(httpstatus.ok.value());// return true;// } /* * 跨域的第二次请求就是普通情况的request了,在这对他进行拦截 */ string ajaxheader = req.getheader(customsessionmanager.authorization); if (stringutils.isnotblank(ajaxheader)) { // 前端ajax请求,则不会重定向 resp.setheader("access-control-allow-origin", req.getheader("origin")); resp.setheader("access-control-allow-credentials", "true"); resp.setcontenttype("application/json; charset=utf-8"); resp.setcharacterencoding("utf-8"); resp.setstatus(httpstatus.unauthorized.value());//设置未登录状态码 printwriter out = resp.getwriter();// map<string, string> result = new hashmap<>();// result.put("message", "未登录用户"); string result = "{"message":"未登录用户"}"; out.println(result); out.flush(); out.close(); } else { // == 如果是普通访问重定向至shiro配置的登录页面 == // saverequestandredirecttologin(request, response); } } return false; }}
2.重写role权限 过滤器package com.yaoxx.base.shiro;import java.io.ioexception;import java.io.printwriter;import javax.servlet.servletrequest;import javax.servlet.servletresponse;import javax.servlet.http.httpservletrequest;import javax.servlet.http.httpservletresponse;import org.apache.commons.lang3.stringutils;import org.apache.shiro.web.filter.authz.rolesauthorizationfilter;import org.apache.shiro.web.util.webutils;import org.springframework.http.httpstatus;import org.springframework.web.bind.annotation.requestmethod;/*** * @author: yao_x_x* @since: jdk 1.8.0_91* @description: role的过滤器*/public class myauthorizationfilter extends rolesauthorizationfilter { @override public boolean isaccessallowed(servletrequest request, servletresponse response, object mappedvalue) throws ioexception { boolean allowed =super.isaccessallowed(request, response, mappedvalue); if (!allowed) { string method = webutils.tohttp(request).getmethod(); if (stringutils.equalsignorecase("options", method)) { return true; } } return allowed; } @override protected boolean onaccessdenied(servletrequest request, servletresponse response) throws ioexception { httpservletrequest req = (httpservletrequest) request; httpservletresponse resp = (httpservletresponse) response; if (req.getmethod().equals(requestmethod.options.name())) { resp.setstatus(httpstatus.ok.value()); return true; } // 前端ajax请求时requestheader里面带一些参数,用于判断是否是前端的请求 string ajaxheader = req.getheader(customsessionmanager.authorization); if (stringutils.isnotblank(ajaxheader)) { // 前端ajax请求,则不会重定向 resp.setheader("access-control-allow-origin", req.getheader("origin")); resp.setheader("access-control-allow-credentials", "true"); resp.setcontenttype("application/json; charset=utf-8"); resp.setcharacterencoding("utf-8"); printwriter out = resp.getwriter(); string result = "{"message":"角色,权限不足"}"; out.println(result); out.flush(); out.close(); return false; } return super.onaccessdenied(request, response); }}
3.配置过滤器@configurationpublic class shiroconfiguration { @autowired private roleservice roleservice; @autowired private permissionservice permissionservice; @bean("shirofilter") public shirofilterfactorybean shirofilter(@qualifier("securitymanager")securitymanager manager) { shirofilterfactorybean bean = new shirofilterfactorybean(); bean.setsecuritymanager(manager); /* 自定义filter注册 */ map<string, filter> filters = bean.getfilters(); filters.put("authc", new myauthenticationfilter()); filters.put("roles", new myauthorizationfilter()); map<string, string> filterchaindefinitionmap =new linkedhashmap<>(); filterchaindefinitionmap.put("/login", "anon");// filterchaindefinitionmap.put("/*", "authc");// filterchaindefinitionmap.put("/admin", "authc,roles[admin]"); bean.setfilterchaindefinitionmap(filterchaindefinitionmap); return bean; }
以上就是springboot中shiro过滤器重写与配置的方法的详细内容。