Shiro 不会重定向到具有无效登录名的未授权Url - Shiro with Spring 和 Tiles [英] Shiro doesn't redirect to unauthorizedUrl w/invalid login - Shiro with Spring and Tiles
问题描述
我正在使用 Spring MVC、Tiles 和 Shiro.
I'm using Spring MVC, Tiles and Shiro.
这是我的未授权Url 属性的配置方式:
This is how my unauthorizedUrl property is configured:
<property name="unauthorizedUrl" value="/unauthorized"/>
我的期望是,当 MyAuthorizingRealm
发现无效凭据时,Shiro 将重定向到 /unauthorized
.
My expectation is that when MyAuthorizingRealm
finds invalid credentials, that Shiro will redirect to /unauthorized
.
但是,在我提交表单时不会发生这种情况.我有一个登录 @Controller
,它被映射为处理 /login
的 GET 和 POST 操作.访问 url /lists
时会显示登录表单.所以它似乎在一种情况下有效,但在另一种情况下无效.
But, that doesn't happen for me on form submission. I have a login @Controller
that is mapped to handle GET and POST actions for /login
. For accesses to the url /lists
the login form is displayed. So it seems to work in one case but not the other.
@Controller
@RequestMapping(value = "/login")
public class LoginController {
@RequestMapping(method = RequestMethod.GET)
public String getLoginFormView(Model model) {
return "login";
}
// if this method doesn't exist a Post not supported exception is thrown
@RequestMapping(method = RequestMethod.POST)
public String handlePost() {
return "this view doesn't exist";
}
}
即使我从 MyAuthorizingRealm.doGetAuthenticationInfo()
中抛出 AuthenticationException
我仍然无法让 Shiro 重定向到 /unauthorized
.它总是以过滤器链结束并执行 @Controller
中的 POST 方法;当然,我希望改为重定向.
Even if I throw AuthenticationException
from MyAuthorizingRealm.doGetAuthenticationInfo()
I still can't get Shiro to redirect to /unauthorized
. It always ends up continuing with the filter chain and executes the POST method in the @Controller
; and of course I expect a redirect instead.
这是我的webapp-context.xml
:http://pastebin.com/XZaCKqEC
这是我的 web.xml
:http://pastebin.com/5H81Tm8A
以下是 Shiro 的一些 TRACE 日志输出.当您尝试访问 /lists
时,Shiro 起作用.但是,当提交登录表单时,重定向到 /unauthorized
永远不会发生.注意,检测到登录提交:http://pastebin.com/ZEK3CTdJ
Following is some TRACE log output from Shiro. Shiro works when you try to access /lists
. But, when the login form is submitted the redirect to /unauthorized
never happens. Note, the login submission is detected:
http://pastebin.com/ZEK3CTdJ
因此,检测到登录提交,但无论如何都会执行原始过滤器链,而不是重定向到 /unauthorized
So, the login submission is detected but the original filter chain is executed anyway instead of redirecting to /unauthorized
我被难住了.非常感谢您的帮助,如果您需要更多信息,请告诉我.
I'm stumped. Many thanks for any help and if you need more info please let me know.
推荐答案
我想我看到了两个问题:
I think I see two problems:
1) 你的 spring xml 的 pastebin 没有显示 SecurityManager正在配置您的领域.IE.它需要看起来像这样:
1) Your pastebin for your spring xml does not show the SecurityManager being configured with your realm. I.e. it needs to look like this:
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
2) 您正在设置一个 Spring MVC 控制器来执行身份验证,这意味着您希望控制何时调用 subject.login
而不是依赖 Shiro 的内置 FormAuthenticationFilter (验证
).
2) You're setting up a Spring MVC controller to perform authentication, which implies you want to control when subject.login
is called and not rely on Shiro's built-in FormAuthenticationFilter (authc
).
如果您这样做,您将需要重新定义 authc
过滤器为PassThruAuthenticationFilter.
If you do this, you will need to redefine the authc
filter to be a
PassThruAuthenticationFilter.
这允许请求通过"过滤器链到您的您负责调用的登录视图/控制器主题.登录
This allows the request to 'pass through' the filter chain to your Login view/controller where you are responsible for calling subject.login
您可以在 spring.xml 中通过设置 filters
属性并使用 authc
作为配置过滤器的名称来执行此操作:
You can do that in your spring.xml by setting the filters
property and using authc
as the name for your configured filter:
<bean id="passthruAuthcFilter" class="org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter">
<property name="loginUrl" value="/login"/>
</bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
...
<property name="filters">
<util:map>
<entry key="authc" value-ref="passthruAuthcFilter"/>
</util:map>
</property>
...
</bean>
另外,作为一个提示,您可能希望使用 Shiro 的 WebUtils 将最终用户重定向到他们在被重定向到登录之前最初尝试的 url.Shiro 的 FormAuthenticationFilter
自动执行此操作,但是当您自己执行登录时,如果需要,您有责任执行此重定向.
Also, as a tip, you might want to use Shiro's WebUtils to redirect the end-user to the url they originally attempted before being redirected to login. Shiro's FormAuthenticationFilter
does this automatically, but when you perform the login yourself, you're responsible for doing this redirect if it is desired.
例如,在您的 LoginController
的 handlePost 方法中:
For example, in your LoginController
's handlePost method:
subject.login(authcToken);
WebUtils.redirectToSavedRequest(request, response, yourFallbackUrlIfThereIsntASavedRequest);
return null; //tells Spring MVC you've handled the response, and not to render a view
这篇关于Shiro 不会重定向到具有无效登录名的未授权Url - Shiro with Spring 和 Tiles的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!