Shiro filter, default access page in web.xml, execution order of springMVC interceptor

1. Environment

In one of my own web projects I use shiro's Filter and let shiroFilter proxy all of the web application's Filters. The general configuration of the shiroFilter bean is as follows:

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
      <property name="securityManager" ref="securityManager" />
      <property name="loginUrl" value="/" /><!-- when an address that needs authentication is accessed without being authenticated, redirect here; default is login.jsp -->
      <property name="unauthorizedUrl" value="homePage" /> <!-- after login, a user without access permission is redirected to homePage -->
      <property name="filterChainDefinitions">
      <!-- ** matches zero or more path segments, * matches zero or more characters, ? matches exactly one character -->
        <value>
          /preLogin                =     anon
          /toLogin                 =     anon
          /userregister            =     anon
          /registerpage            =     anon
          /static/**               =     anon
          /login                   =     anon
          /logout                  =     logout
          /analysis/test           =     authc
          /analysis/test1          =     authc,perms[admin:edit] <!-- requires the admin:edit permission -->
          /**                      =     user  <!-- mainly for the rememberMe feature; with authc, the user would still have to authenticate before accessing -->
        </value>
      </property>
    </bean>

The configuration of shiroFilter in web.xml is as follows:

    <filter>
      <filter-name>shiroFilter</filter-name>
      <!-- DelegatingFilterProxy automatically looks up the bean named shiroFilter (the filter-name)
           in the spring container and delegates all Filter operations to it -->
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>shiroFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

The Filter configured this way manages access control for every request.

At the same time, a welcome page for the project is specified in web.xml. The code is as follows:

    <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

The welcome page contains only a jsp forward tag, used to jump to the real home page of the project. index.jsp is as follows:

    <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
    <jsp:forward page="/preLogin" />

The preLogin it forwards to is the real home page of the project.
At the same time, an interceptor is configured in springMVC to determine whether the user is logged in; if not, it redirects to the login page. The interceptor code is as follows:

    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                Object handler) throws Exception {
            String urlPath = request.getRequestURL().toString();
            if(urlPath.matches(Const.StaticPath)) { // the requested url is a static resource
                return true;
            } else { // any other, non-static url: for now only check whether the user is logged in, and redirect to the login page if not
                User user = (User)sessionUtil.getSessionAttribute(Const.currentUser);
                if(user != null) { // user is logged in
                    return true;
                } else { // user is not logged in
                    response.sendRedirect(request.getContextPath() + Const.Login);
                    return false;
                }
            }
        }

Because I had only just started learning shiro, these intercepting mechanisms were mixed together, and it was unclear which one handled a request first, and where the request is redirected after shiro has checked the access rights.

2. Exploration process

Refer to http://blog.csdn.net/chenleixing/article/details/44573495 for the access order of web filters and springMVC interceptors.
From that post you can learn that a Filter has higher priority than a springMVC Interceptor: when a request arrives, the logic in the Filter runs first and the Interceptor runs afterwards. Because shiro's filter proxies the web filter, shiro's filter executes first and the springMVC interceptor executes after it. This can also be confirmed by stepping through the program with F6 in the debugger.
So which executes first, the welcome page set in web.xml or shiroFilter?
To answer this question, first look at the shiroFilter configuration I wrote.

    <property name="loginUrl" value="/" /><!-- when an address that needs authentication is accessed without being authenticated, redirect here; default is login.jsp -->
    <property name="unauthorizedUrl" value="homePage" /> <!-- after login, a user without access permission is redirected to homePage -->

When the user is not authenticated (that is, the subject.login() method has not been executed) and accesses a URL with access restrictions, Shiro sends them to the root directory, namely the index.jsp page, and index.jsp immediately forwards to the preLogin page. When I entered http://localhost:8080/spiderAndAnalysis/ in the browser (that is, visited the project root directory /), I could not tell whether the preLogin page was reached by going through the Filter first, or whether index.jsp was served directly and the Filter was applied afterwards. So I changed <property name="loginUrl" value="/" /> to the value analysis, visited the project root directory again, and found that this time it jumped directly to the analysis page. Therefore the priority of shiroFilter is higher than that of the welcome page: once shiroFilter is configured to manage web access, every request must first pass through shiroFilter and only then through the other filters, interceptors and so on.

3. The meaning of some parameters of shiroFilter

When configuring shiroFilter, parameters such as loginUrl, unauthorizedUrl and filterChainDefinitions are used. My understanding of what they mean:

loginUrl: When the user is not authenticated (that is, the subject.login() function has not been executed successfully) and accesses a URL that requires access rights, they are redirected to the login page specified by loginUrl. URLs without access restrictions are served directly.
Taking this article's configuration as an example: accessing preLogin, toLogin, userregister and the other unrestricted URLs serves them directly without any redirect; accessing analysis/test while not logged in redirects to the login page specified by loginUrl.

unauthorizedUrl: When an authenticated user accesses a URL they are not authorized for, they are redirected to the address specified by unauthorizedUrl. For example, if user A is logged in but only has the admin:add permission, then when user A accesses analysis/test1, which requires the admin:edit permission, they are redirected to the homePage address specified by unauthorizedUrl.
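To make the resolution of these parameters concrete, here is an added example (not the project's code, and a simplified model rather than Shiro's own filter classes): it replays this article's filterChainDefinitions in the same order with Shiro's AntPathMatcher and shows which outcome each request gets for anon, user, authc and perms; the filter semantics in decide() are my assumptions about what the real filters in org.apache.shiro.web.filter do.

```java
import java.util.Collections;
import java.util.Set;
import org.apache.shiro.util.AntPathMatcher;

// Added example, not the project's code: a simplified model of how shiroFilter picks a
// chain for a request path and what loginUrl / unauthorizedUrl do. Only anon, user,
// authc and perms are modelled (logout is treated as pass-through).
public class ChainResolutionDemo {
    // The same filterChainDefinitions as the bean in this article, in the same order.
    static final String[] DEFINITIONS = {
        "/preLogin=anon", "/toLogin=anon", "/userregister=anon", "/registerpage=anon",
        "/static/**=anon", "/login=anon", "/logout=logout",
        "/analysis/test=authc", "/analysis/test1=authc,perms[admin:edit]", "/**=user" };
    static final String LOGIN_URL = "/";               // loginUrl in the bean
    static final String UNAUTHORIZED_URL = "homePage"; // unauthorizedUrl in the bean

    // Shiro tries the definitions top to bottom and uses the FIRST matching pattern,
    // which is why the catch-all "/**" has to stay on the last line.
    static String resolveChain(String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (String def : DEFINITIONS) {
            String[] kv = def.split("=", 2);
            if (matcher.matches(kv[0].trim(), path)) return kv[1].trim();
        }
        return null; // nothing matched: Shiro does not filter this request at all
    }
    // authenticated = subject.login() succeeded; remembered = rememberMe cookie only.
    static String decide(String path, boolean authenticated, boolean remembered, Set<String> perms) {
        String chain = resolveChain(path);
        if (chain == null || chain.equals("anon") || chain.equals("logout")) return "PASS";
        // Shiro's access-control filters always let the loginUrl itself through
        // (isLoginRequest); otherwise loginUrl="/" under "/** = user" would loop.
        if (path.equals(LOGIN_URL)) return "PASS";
        for (String f : chain.split(",")) {
            if (f.equals("authc") && !authenticated) return "REDIRECT " + LOGIN_URL;
            if (f.equals("user") && !(authenticated || remembered)) return "REDIRECT " + LOGIN_URL;
            if (f.startsWith("perms[") && !perms.contains(f.substring(6, f.length() - 1)))
                return "REDIRECT " + UNAUTHORIZED_URL;
        }
        return "PASS";
    }
    public static void main(String[] args) {
        Set<String> none = Collections.emptySet();
        System.out.println(decide("/preLogin", false, false, none));                                   // PASS
        System.out.println(decide("/analysis/test", false, false, none));                              // REDIRECT /
        System.out.println(decide("/analysis/test1", true, false, Collections.singleton("admin:add"))); // REDIRECT homePage
        System.out.println(decide("/homePage", false, true, none));                                    // PASS (rememberMe satisfies user)
    }
}
```

The last case shows why the article's "/** = user" line matters: a rememberMe-only subject passes the user filter but would be redirected by authc.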
