JSF 2 + Spring 3 + Shiro - Session Timeout doesn't redirect to login page

Question

I have this JSF 2.0/Spring app that I added Apache Shiro to, and a redirect after session timeout never occurs when a user clicks on a command button or triggers an AJAX request. It does work when they refresh the browser. This is happening in all browsers. Here's my applicationContext.xml:

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/index.faces"/>
        <property name="filterChainDefinitions">
                <value>
                        /* = authc 
                </value>
        </property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="opacsRealm" />
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<bean id="sha512Matcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">

        <property name="hashAlgorithmName" value="SHA-256" />
        <property name="hashIterations" value="1024" />
</bean>



<bean id="opacsRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
        <property name="dataSource" ref="dataSource" />
        <property name="authenticationQuery" 
                value="select PASSWORD, SALT from SEC_USERS where NAME = ?" />
        <property name="userRolesQuery" 
                value="SELECT ROLE_NAME FROM SEC_USERS_ROLES WHERE USER_NAME = ?" />
        <property name="permissionsQuery" 
                value="SELECT permission FROM SEC_ROLES_PERMISSIONS WHERE ROLE_NAME = ?" />
        <property name="permissionsLookupEnabled" value="true" />
        <property name="saltStyle" value="COLUMN" />
        <property name="credentialsMatcher" ref="sha512Matcher"/>
</bean>

Am I doing something wrong in the setup? The web.xml looks like this:

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
  <!-- web.xml expects the session timeout in minutes: -->
  <session-timeout>1</session-timeout>
</session-config>

Recommended answer

Just replied to your mail. What is happening is that the redirect is handled seamlessly by the browser in your Ajax call so Shiro does redirect to the login page and the end result of your Ajax request is the HTML content of the login page, which isn't really what you want!

The gist of how to work around this is to add a (custom) Shiro filter to your Ajax API URLs that checks the Subject for being authenticated and, instead of redirecting to login, returns a response that your Ajax request understands to indicate that the user is not logged in. Client side handling of this response can then do a redirect to the login page (or perhaps the same page because Shiro will then redirect to login but can be configured to remember where you were trying to go and hence take the user back to the correct page upon successful login).

My filter implementation returns HTTP code 401 along with "WWW-Authentication" header and a custom "challenge scheme" (if you did a basic authentication challenge then the browser would pop up its basic authentication dialog - there is already a Shiro filter that does this).

In your Ajax call you need to detect this response; currently I have a clunky error callback that does it BUT I think it should be possible to modify the JavaScript library (jQuery, whatever) to handle this seamlessly.
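One way to write the kind of filter the answer describes, as an added example that is not part of the original answer and is not code from Shiro or from the answerer. The class name `AjaxAwareAuthenticationFilter` and the challenge scheme `X-Session-Expired` are hypothetical; the sketch assumes Shiro 1.x on the `javax.servlet` API and sends the challenge in the standard HTTP `WWW-Authenticate` header.

```java
// Added example: class name and challenge scheme are hypothetical, not from the page.
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

public class AjaxAwareAuthenticationFilter extends FormAuthenticationFilter {

    // Custom scheme: anything other than "Basic" keeps the browser from showing
    // its own credentials dialog when it sees the 401.
    private static final String CHALLENGE = "X-Session-Expired realm=\"application\"";

    // Shiro calls this only when the Subject is NOT authenticated (e.g. the session expired).
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        HttpServletRequest httpRequest = WebUtils.toHttp(request);

        // The login page itself, login form posts, and ordinary page requests keep the
        // stock behaviour: save the request and redirect to loginUrl.
        if (isLoginRequest(request, response) || !isAjax(httpRequest)) {
            return super.onAccessDenied(request, response);
        }

        // Ajax request: a 302 would be followed silently by the XHR and hand the
        // login page's HTML to the callback, so answer with a 401 instead.
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
        httpResponse.setHeader("Cache-Control", "no-store");
        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the chain: the protected resource is never reached
    }

    // These headers are client-controlled, so they only choose the shape of the
    // denial (401 or redirect). Both branches refuse access.
    private static boolean isAjax(HttpServletRequest request) {
        return "partial/ajax".equals(request.getHeader("Faces-Request"))        // JSF 2 ajax
            || "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));  // jQuery and similar
    }
}
```

To take effect, the filter has to replace the stock `authc` filter, for example by registering it under the key `authc` in the `filters` map of `ShiroFilterFactoryBean`. The client-side error handler then treats a 401 carrying this challenge scheme as "session expired" and navigates to the login page.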
