3

这是来自 shiro.ini 的配置

shiro.loginUrl = /login.jsp

######### URL 配置 ################### [urls] /login.jsp = anon /public/login/** = anon /public /app/** = 认证

条纹...

@UrlBinding("/public/app/")
public class CalculatorActionBean implements ActionBean {
.....

}

@UrlBinding("/public/login/")
public class UserAuthenticateBean implements ActionBean {

    private static final transient Logger log = LoggerFactory.getLogger(UserAuthenticateBean.class);
    private ActionBeanContext context;
    private String username;
    private String password;
    private String message;

    public ActionBeanContext getContext() {
        return context;
    }

    public void setContext(ActionBeanContext context) {
        this.context = context;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    @DefaultHandler
    @DontValidate
    public Resolution defaultHander() {
        return new ForwardResolution("/login.jsp");
    }

    public Resolution login() {

        Subject currentUser = SecurityUtils.getSubject();
        log.info("CU=" + currentUser.toString());


        if (!currentUser.isAuthenticated()) {
            TenantAuthenticationToken token = new TenantAuthenticationToken(username, password, "jdbcRealm");
            //UsernamePasswordToken token = new UsernamePasswordToken("akumar", "ash");
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked.  "
                        + "Please contact your administrator to unlock it.");
            } // ... catch more exceptions here (maybe custom ones specific to your application?
            catch (AuthenticationException ae) {
                //unexpected condition?  error?
                ae.printStackTrace();
            }
        }

        if (currentUser.isAuthenticated()) {
            message = "Success";
        } else {
            message = "Fail";
        }

        System.out.println(message);


        message += getUsername() + getPassword();
        return new ForwardResolution("/logged_in.jsp");
    }
}

登录的.jsp

<a href ="/oc/public/app">app</a>

现在,如果我从 shiro.ini 中删除 /public/app/** = authc 行,我可以为登录用户和访客访问 /public/app

如果我保留这条线,那么没有人可以访问该页面并返回 login.jsp

使我抓狂!

帮助!!

4

1 回答 1

3

更改您的 urls 配置以让 'authc' 过滤实际的登录 url:

[main]
...
authc.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/public/login/** = anon 
/public/app/** = authc

过滤器authc足够聪明,可以知道请求是否未经过身份验证,仍然让它通过底层页面,以便用户可以登录。

于 2012-04-05T22:47:35.850 回答