Spring Boot集成Shiro后退出失败的问题
Spring Boot集成Shiro后,用下面这种方法退出,跳转到退出地址之后并没有到达回调的地址,而是重新进入了首页;有时候还会在logout之前就进入首页,但这个时候session已经被清掉了,于是就报错了。我搞不懂为什么会出现这种情况,后来换了另一种方法,至少到现在没有再出现这个问题。希望知道原因的大神回复一下,万分感激。
/**
 * Handles {@code /logout} by sending the browser to the CAS logout URL read from
 * {@code casConfigProperties}.
 *
 * <p>NOTE(review): this handler only issues a redirect. It never calls
 * {@code Subject.logout()}, so nothing in this method ends the local Shiro session;
 * any local session cleanup has to come from somewhere else (for example a CAS
 * single-logout callback, which is not visible here — confirm). Until that happens
 * the local session cookie may still be accepted by the application.
 *
 * @return a Spring {@code redirect:} view name that points at the configured CAS logout URL
 */
@RequestMapping("/logout")
public String logout() {
    final String casLogoutUrl = casConfigProperties.getLogoutUrl();
    return "redirect:" + casLogoutUrl;
}
/**
 * Builds the {@code shiroFilter} bean: wires the security manager, sets the login,
 * success and unauthorized URLs, registers the custom filters and loads the URL
 * filter chain.
 *
 * @param securityManager the Shiro security manager the filter delegates to
 * @param casFilter the CAS filter registered under the name {@code casFilter}
 * @return the configured {@link ShiroFilterFactoryBean}
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager, CasFilter casFilter) {
    ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();

    // Register casFilter with the Shiro filter. The name "authc" is rebound here to
    // MyFormAuthenticationFilter, so every chain entry that says "authc" runs that
    // class instead of Shiro's stock FormAuthenticationFilter.
    Map<String, Filter> customFilters = new HashMap<>();
    customFilters.put("casFilter", casFilter);
    customFilters.put("authc", new MyFormAuthenticationFilter());

    factoryBean.setSecurityManager(securityManager);
    factoryBean.setLoginUrl("/login");
    factoryBean.setSuccessUrl("/main");
    factoryBean.setUnauthorizedUrl("/403");
    factoryBean.setFilters(customFilters);

    loadShiroFilterChain(factoryBean);
    return factoryBean;
}

/**
 * Installs the ordered URL-to-filter rules on the given factory bean.
 *
 * <p>Rules are kept in a {@link LinkedHashMap} because Shiro evaluates them in
 * definition order and stops at the first pattern that matches.
 *
 * @param shiroFilterFactoryBean the factory bean that receives the chain definitions
 */
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
    // Filter names used below:
    //   authc - pages behind it require a login; built into Shiro as
    //           org.apache.shiro.web.filter.authc.FormAuthenticationFilter
    //   anon  - not intercepted at all
    //   user  - not intercepted once the user is logged in. Shiro's "user" filter also
    //           admits remember-me subjects, so it is weaker than "authc" for
    //           sensitive operations.
    //   roles["admin"]        - the user must hold the admin role
    //   perms["permission1"]  - the user must hold the permission1 permission
    // Filters are matched in definition order; the first match is checked and matching ends.
    // URL wildcards: ? * ** match one character, 0-n characters (no sub-path),
    // and all lower-level paths respectively.
    String[][] orderedRules = {
        // 1. With Shiro integrated with CAS, this rule is added first.
        {"/", "casFilter"},
        {"/global/**", "anon"},
        // "/logout" is anonymous here, so Shiro itself does nothing on this path.
        {"/logout", "anon"},
        // NOTE(review): the password-reset and SMS-code endpoints bypass Shiro entirely;
        // their handlers (not visible here) must do their own verification and
        // rate limiting — confirm.
        {"/passwordResetView", "anon"},
        {"/passwordReset", "anon"},
        {"/sendPhoneAuthenticationCode", "anon"},
        {"/login", "casFilter,authc"},
        // Catch-all; must stay last because earlier matches win.
        {"/**", "user"},
    };

    Map<String, String> chain = new LinkedHashMap<>();
    for (String[] rule : orderedRules) {
        chain.put(rule[0], rule[1]);
    }
    shiroFilterFactoryBean.setFilterChainDefinitionMap(chain);
}
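这是我的解决办法:把退出改成用Shiro自己的退出过滤器(LogoutFilter),在里面设置退出后的回调地址,并把控制器里的logout去掉。与控制器写法的区别在于:LogoutFilter会先调用subject.logout()注销本地会话,再重定向到配置的地址;原来的控制器只做了重定向,没有主动注销本地的Shiro会话。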
至少到现在没有出现上面这种问题。
/**
 * Builds the {@code shiroFilter} bean: wires the security manager, sets the login,
 * success and unauthorized URLs, registers the custom filters (including a Shiro
 * {@code LogoutFilter}) and loads the URL filter chain.
 *
 * @param securityManager the Shiro security manager the filter delegates to
 * @param casFilter the CAS filter registered under the name {@code casFilter}
 * @return the configured {@link ShiroFilterFactoryBean}
 */
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager, CasFilter casFilter) {
    ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();

    // Register casFilter with the Shiro filter. The name "authc" is rebound here to
    // MyFormAuthenticationFilter, so every chain entry that says "authc" runs that
    // class instead of Shiro's stock FormAuthenticationFilter.
    Map<String, Filter> customFilters = new HashMap<>();
    customFilters.put("casFilter", casFilter);
    customFilters.put("authc", new MyFormAuthenticationFilter());

    // Shiro's LogoutFilter logs the current subject out and then redirects to the
    // configured URL. The target comes from configuration, not from the request.
    // NOTE(review): LogoutFilter accepts any HTTP method unless setPostOnlyLogout(true)
    // is set; consider it if a cross-site GET forcing a logout is a concern.
    LogoutFilter casLogout = new LogoutFilter();
    casLogout.setRedirectUrl(casConfigProperties.getLogoutUrl());
    customFilters.put("logout", casLogout);

    factoryBean.setSecurityManager(securityManager);
    factoryBean.setLoginUrl("/login");
    factoryBean.setSuccessUrl("/main");
    factoryBean.setUnauthorizedUrl("/403");
    factoryBean.setFilters(customFilters);

    loadShiroFilterChain(factoryBean);
    return factoryBean;
}

/**
 * Installs the ordered URL-to-filter rules on the given factory bean.
 *
 * <p>Rules are kept in a {@link LinkedHashMap} because Shiro evaluates them in
 * definition order and stops at the first pattern that matches.
 *
 * @param shiroFilterFactoryBean the factory bean that receives the chain definitions
 */
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
    // Filter names used below:
    //   authc - pages behind it require a login; built into Shiro as
    //           org.apache.shiro.web.filter.authc.FormAuthenticationFilter
    //   anon  - not intercepted at all
    //   user  - not intercepted once the user is logged in. Shiro's "user" filter also
    //           admits remember-me subjects, so it is weaker than "authc" for
    //           sensitive operations.
    //   roles["admin"]        - the user must hold the admin role
    //   perms["permission1"]  - the user must hold the permission1 permission
    // Filters are matched in definition order; the first match is checked and matching ends.
    // URL wildcards: ? * ** match one character, 0-n characters (no sub-path),
    // and all lower-level paths respectively.
    String[][] orderedRules = {
        // 1. With Shiro integrated with CAS, this rule is added first.
        {"/", "casFilter"},
        {"/global/**", "anon"},
        // "/logout" is served by the filter registered under the name "logout",
        // so the local session is ended by Shiro before the redirect.
        {"/logout", "logout"},
        // NOTE(review): the password-reset and SMS-code endpoints bypass Shiro entirely;
        // their handlers (not visible here) must do their own verification and
        // rate limiting — confirm.
        {"/passwordResetView", "anon"},
        {"/passwordReset", "anon"},
        {"/sendPhoneAuthenticationCode", "anon"},
        {"/login", "casFilter,authc"},
        // Catch-all; must stay last because earlier matches win.
        {"/**", "user"},
    };

    Map<String, String> chain = new LinkedHashMap<>();
    for (String[] rule : orderedRules) {
        chain.put(rule[0], rule[1]);
    }
    shiroFilterFactoryBean.setFilterChainDefinitionMap(chain);
}