原文地址:http://www.hillfly.com/2017/179.html
最近忙着研究在 Springboot 上使用 Shiro 的问题。刚好就遇到个诡异事,百度 Google 也没找到啥有价值的信息,几番周折自己解决了,这里稍微记录下。
自定义 FilterTOCShiro 支持自定义 Filter 大家都知道,也经常用,这里我也用到了一个自定义 Filter,主要用于验证接口调用的 AccessToken 是否有效。
// AccessTokenFilter.java
public class AccessTokenFilter extends AccessControlFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest,
ServletResponse servletResponse,
Object o) {
if (isValidAccessToken(request)) {
return true;
}
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest servletRequest,
ServletResponse servletResponse) throws Exception {
throw new UnAuthorizedException("操作授权失败!" + SysConstant.ACCESSTOKEN + "失效!");
}
}
// ShiroConfiguration.java
@Bean
public AccessTokenFilter accessTokenFilter(){
return new AccessTokenFilter();
}
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager,
IUrlFilterService urlFilterService) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 自定义过滤器
Map filterMap = shiroFilterFactoryBean.getFilters();
filterMap.put("hasToken", accessTokenFilter());
shiroFilterFactoryBean.setFilters(filterMap);
// URL过滤
Map filterChainDefinitionMap = new LinkedHashMap<>();
List urlFilterList = urlFilterService.selectAll();
for (UrlFilter filter : urlFilterList) {
filterChainDefinitionMap.put(filter.getFilterUrl(),
filter.getFilterList());
}
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
ShiroFilter 中的 FilterChain 是从数据库读取的,如下:
id
url
filter
sort
1
/druid @Bean public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, IUrlFilterService urlFilterService) { //省略 filterMap.put("hasToken", new AccessTokenFilter()); //省略 }
}
