0

我正在使用 Apache Shiro 来保护我的 Spring MVC 应用程序。这是我的配置:

<!-- Shiro -->
<bean id = "hibernateRealm" class = "com.bidapp.presentation.shiro.HibernateRealm" />

<bean id = "securityManager" class = "org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name = "realm" ref = "hibernateRealm" />
</bean>

<bean id = "lifecycleBeanPostProcessor" class = "org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<bean id = "shiroFilter" class = "org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name = "securityManager" ref = "securityManager" />
</bean>
<!-- Shiro -->

在 web.xml 中(除其他外)

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的登录页面位于context/account/login。当我尝试提交表单时,我收到带有消息的 400 HTTP 错误代码,The request sent by the client was syntactically incorrect ().Shiro 记录了以下内容

365348 [http-bio-8080-exec-5] TRACE o.a.s.w.s.OncePerRequestFilter - Filter 'shiroFilter' not yet executed.  Executing now. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - Context already contains a SecurityManager instance.  Returning. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - No identity (PrincipalCollection) found in the context.  Looking for a remembered identity. 
365349 [http-bio-8080-exec-5] TRACE o.a.shiro.web.servlet.SimpleCookie - No 'rememberMe' cookie value 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - No remembered identity found.  Returning original context. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Bound value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread [http-bio-8080-exec-5] 
365349 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Bound value of type [org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key [org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread [http-bio-8080-exec-5] 
365349 [http-bio-8080-exec-5] TRACE o.a.s.w.servlet.AbstractShiroFilter - No FilterChain configured for the current request.  Using the default. 
365351 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - get() - in thread [http-bio-8080-exec-5] 
365351 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [http-bio-8080-exec-5] 
365351 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false

真正奇怪的是,我可以在浏览器上单击back,然后forward它会将我带到正确的经过身份验证的网页。我尝试调试,我Controller什至从未被调用过。但是,如果单击back并将forward我带到正确的页面,那又如何呢?

我的 web.xml 中没有任何其他过滤器,也没有使用 Shiro 的任何默认过滤器,无论如何都不知道。

到底是怎么回事?

并不是说我在 Eclipse Indigo 上开发有什么不同。这是应该调用但不是(在调试模式下)的代码。

    @RequestMapping(value = "/account/login", method = RequestMethod.POST, params = "login")
    public String login(@RequestParam("username") String username, 
            @RequestParam("password") String password,
            @RequestParam("remember") boolean rememberMe,
            Model model) {
        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {

            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            token.setRememberMe(rememberMe);
            currentUser.login(token);

            return "redirect:/account/profile";
        }

        return "home";

    }
4

2 回答 2

1

如果您没有在 Shiro 的配置中定义任何过滤器,Shiro 将允许任何请求通过。换句话说,仅仅因为您有一个经过身份验证的页面,Shiro 不知道是否对其进行保护。您必须告诉 Shiro 确保该页面的安全。例如:

[main]
#tell Shiro where to redirect to if login is required:
authc.loginUrl = /account/login

[urls]
# ensure the following pages require authentication (the loginUrl will be 
# allowed however):
/account/** = authc

至于 400 错误,Shiro 不会发出这样的错误响应 - 可能是您的容器或 Spring 发出该错误。

此外,如果您使用 Shiro 1.2 或更高版本,请不要忘记将相关<dispatcher>元素添加到<filter-mapping>

http://shiro.apache.org/web.html#Web-Shiro1.2andlater

于 2013-01-18T01:12:27.720 回答
0

所以我仍然无法解释前进和后退按钮的行为,但这不是 Shiro 问题。问题在于我拥有的记住我复选框。在登录的处理程序方法中,我有@RequestParam("remember") boolean rememberMe,但应该是@RequestParam(value = "remember", required = false) boolean rememberMe. 这required意味着您在那里不需要它。默认情况下,Spring 使其为真,因此它会说这是正确的调用方法,但它不能调用它,因为它没有所需的信息,因此是 400。

于 2013-01-20T00:52:51.723 回答