溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
web.xml文件配置
第一點,注意配置版本為3.0版本,
Servlet3.0規范中的<tracking-mode>允許你定義JSESSIONID是存儲在cookie中還是URL參數中。如果會話ID存儲在URL中,那么它可能會被無意的存儲在多個地方,包括瀏覽器歷史、代理服務器日志、引用日志和web日志等。暴露了會話ID使得網站被session劫持***的幾率大增。然而,確保JSESSIONID被存儲在cookie中
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> <session-config> <tracking-mode>COOKIE</tracking-mode> </session-config>
===============================我是分割線====================================
在使用shiro之后,shiro的重定向跳轉,默認是帶有JSESSIONID的
附上ShiroHttpServletResponse源碼
@Override
public String encodeRedirectURL(String url){
/** 下面是ShiroHttpServletResponse源碼,重寫shiro的encodeRedirectURL方法,把url路徑里的JSESSIONID去掉 **/
if (isEncodeable(toAbsolute(url))) {
return toEncoded(url, request.getSession().getId());
} else {
return url;
}
return url;
}上面是此類第一個方法,下面是此類第二個方法
@Override
protected String toEncoded(String url, String sessionId) {
if ((url == null) || (sessionId == null))
return (url);
String path = url;
String query = "";
String anchor = "";
int question = url.indexOf('?');
if (question >= 0) {
path = url.substring(0, question);
query = url.substring(question);
}
int pound = path.indexOf('#');
if (pound >= 0) {
anchor = path.substring(pound);
path = path.substring(0, pound);
}
StringBuilder sb = new StringBuilder(path);
/** 下面是ShiroHttpServletResponse源碼,重寫shiro的toEncoded方法使其不拼接JSESSIONID **/
if (sb.length() > 0) { // session id param can't be first.
sb.append(";");
sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
sb.append("=");
sb.append(sessionId);
}
sb.append(anchor);
sb.append(query);
return (sb.toString());
}由此我們知道shiro第一次訪問重定向的時候會帶有JSESSIONID=xxxxxxxxxxxx
那么解決方案如下:
新建MyShiroHttpServletResponse繼承ShiroHttpServletResponse
重寫其方法encodeRedirectURL和toEncoded
package com.uu.back.util;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.servlet.ShiroHttpServletResponse;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletResponse;
/**
* Created by Alex on 2016/9/26.
*/
public class MyShiroHttpServletResponse extends ShiroHttpServletResponse {
public MyShiroHttpServletResponse(HttpServletResponse wrapped, ServletContext context, ShiroHttpServletRequest request) {
super(wrapped, context, request);
}
@Override
public String encodeRedirectURL(String url){
/** 下面是ShiroHttpServletResponse源碼,重寫shiro的encodeRedirectURL方法,把url路徑里的JSESSIONID去掉 **/
// if (isEncodeable(toAbsolute(url))) {
// return toEncoded(url, request.getSession().getId());
// } else {
// return url;
// }
return url;
}
@Override
protected String toEncoded(String url, String sessionId) {
if ((url == null) || (sessionId == null))
return (url);
String path = url;
String query = "";
String anchor = "";
int question = url.indexOf('?');
if (question >= 0) {
path = url.substring(0, question);
query = url.substring(question);
}
int pound = path.indexOf('#');
if (pound >= 0) {
anchor = path.substring(pound);
path = path.substring(0, pound);
}
StringBuilder sb = new StringBuilder(path);
/** 下面是ShiroHttpServletResponse源碼,重寫shiro的toEncoded方法使其不拼接JSESSIONID **/
// if (sb.length() > 0) { // session id param can't be first.
// sb.append(";");
// sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
// sb.append("=");
// sb.append(sessionId);
// }
sb.append(anchor);
sb.append(query);
return (sb.toString());
}
}新建MySpringShiroFilter繼承AbstractShiroFilter
package com.uu.back.util;
import org.apache.shiro.web.filter.mgt.FilterChainResolver;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
/**
* Created by Alex on 2016/9/26.
*/
public class MySpringShiroFilter extends AbstractShiroFilter {
protected MySpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
super();
if (webSecurityManager == null) {
throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
}
setSecurityManager(webSecurityManager);
if (resolver != null) {
setFilterChainResolver(resolver);
}
}
@Override
protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) {
return new MyShiroHttpServletResponse(orig, getServletContext(), request);
}
}新建MyShiroFilterFactoryBean繼承ShiroFilterFactoryBean
package com.uu.back.util;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.BeanInitializationException;
/**
* Created by Alex on 2016/9/26.
*/
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
@Override
public Class getObjectType() {
return MySpringShiroFilter.class;
}
@Override
protected AbstractShiroFilter createInstance() throws Exception {
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
String msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
}
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
FilterChainManager manager = createFilterChainManager();
PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
return new MySpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}
}修改shiro的配置文件:
注釋掉的就是原有的,現在我們不用原有的,使用我們自己寫好的
<!--<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">--> <bean id="shiroFilter" class="com.uu.back.util.MyShiroFilterFactoryBean"> /** **/ </bean>
重啟,訪問:
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
