shiro框架之八-------自定義filter
阿新 • • 發佈:2019-01-07
寫在前面
我們知道,shiro框架在Java Web應用中使用時,本質上是通過filter方式整合的。
也就是說,它是遵循過濾器鏈規則的:filter的執行順序與在web.xml中定義的順序一致,如下所示:
<filter> <filter-name>securityFilter</filter-name> <filter-class>com.lenovo.iot.devicemanager.filter.SecurityFilter</filter-class> </filter> <filter-mapping> <filter-name>securityFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <!-- Make sure any request you want accessible to Shiro is filtered. /* catches all --> <!-- requests. Usually this filter mapping is defined first (before all others) to --> <!-- ensure that Shiro works in subsequent filters in the filter chain: --> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
顯然,securityFilter定義在shiroFilter之前,那麼securityFilter也是在shiroFilter之前被訪問到。
根據這個原理,我們可以根據實際情況對shiro的filter進行擴充套件。
舉個例子,shiro預設的org.apache.shiro.web.filter.authc.UserFilter會對請求進行過濾,在未登入時請求會被重定向到登入頁面。
但是在API專案中,響應都是json格式,並不存在登入頁面,此時就會返回404錯誤。
專案實踐
在最新的專案中,前後端完全分離,通過API方式進行資料交換,並且在服務端集成了shiro進行許可權控制,後端專案架構為:SpringMVC + Shiro。
為了在攔截那些未執行登入的請求時返回json格式的響應,對org.apache.shiro.web.filter.authc.UserFilter進行了擴充套件。
具體來說需要做2件事情:
1.擴充套件org.apache.shiro.web.filter.authc.UserFilter實現
public class ShiroUserFilter extends UserFilter { private static final Logger logger = LoggerFactory.getLogger(ShiroUserFilter.class); @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { if(logger.isErrorEnabled()) { logger.error("account need login for: {}", ((HttpServletRequest)request).getServletPath()); } // 請求被攔截後直接返回json格式的響應資料 response.getWriter().write(JsonResp.getJsonRespError(JsonResp.SC_NOT_LOGINED, "account not logined").toString()); response.getWriter().flush(); response.getWriter().close(); return false; } }
2.在spring中定義並使用自定義擴充套件的filter
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="filters">
<util:map>
<entry key="shiroUserFilter" value-ref="shiroUserFilter" />
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
# some example chain definitions:
# /admin/** = authc, roles[admin]
# /docs/** = authc, perms[document:read]
/**/login.do = anon
/** = shiroUserFilter
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
<!-- 定義擴充套件的filter例項 -->
<bean id="shiroUserFilter" class="com.lenovo.iot.devicemanager.filter.ShiroUserFilter" />
【參考】
https://shiro.apache.org/web.html#Web-FilterChainDefinitions