ShiroFilter interception

The ShiroFilter defined above contains the configuration shown below.


It mainly defines which requests ShiroFilter intercepts and how it intercepts them.

Interceptor chain

In the image above, the URL is on the left and the interceptor is on the right.
Common interceptors are:

  • anon: Anyone can access
  • authc: Accessible only after authentication
  • logout: Can only be accessed after logging in
  • roles[role name]: Only users with the specified role can access, for example /admin.jsp = roles[user]
  • perms["behavior"]: Only users who are permitted a certain behavior can access, for example /admin/deluser = perms["user:delete"]
  • For more interceptors, see shiro.apache.org/web.html#default-filters

URL matching

  • The figure above uses /**, which represents all requests and intercepts any request for which no other interception rule is defined.
  • This also shows that URL matching runs from top to bottom. For example, because /login.jsp = anon is defined earlier, login.jsp is not handed over to /** for interception.
  • In addition, a URL can have multiple interceptors, so /admin/** = authc, roles[administrator] is also possible.
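
The top-to-bottom, first-match behaviour described above, as an added example (not code from the original post or from Shiro): it resolves one path against two orderings of the same rules and shows that placing /** before /admin/** leaves the admin path guarded by authc alone. The class name, the sample path and the simplified Ant-style matcher are assumptions made for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class FilterChainOrderCheck {
    // Simplified Ant-style matcher written for this example (not Shiro's own):
    // "**" spans zero or more path segments; "*" and "?" stay inside one segment.
    static boolean matches(String[] pat, int p, String[] path, int s) {
        if (p == pat.length) return s == path.length;
        if (pat[p].equals("**")) {
            for (int k = s; k <= path.length; k++)
                if (matches(pat, p + 1, path, k)) return true;
            return false;
        }
        if (s == path.length) return false;
        String regex = "\\Q" + pat[p].replace("*", "\\E[^/]*\\Q").replace("?", "\\E[^/]\\Q") + "\\E";
        return path[s].matches(regex) && matches(pat, p + 1, path, s + 1);
    }

    // First matching pattern wins, walking the ordered map from top to bottom.
    static String resolve(Map<String, String> chain, String path) {
        for (Map.Entry<String, String> e : chain.entrySet())
            if (matches(e.getKey().split("/"), 0, path.split("/"), 0)) return e.getValue();
        return null; // no pattern matched this path
    }

    public static void main(String[] args) {
        Map<String, String> intended = new LinkedHashMap<>();
        intended.put("/login.jsp", "anon");
        intended.put("/admin/**", "authc, roles[administrator]");
        intended.put("/**", "authc");

        Map<String, String> misordered = new LinkedHashMap<>(); // same rules, catch-all moved up
        misordered.put("/login.jsp", "anon");
        misordered.put("/**", "authc");
        misordered.put("/admin/**", "authc, roles[administrator]");

        Map<String, Map<String, String>> chains = new LinkedHashMap<>();
        chains.put("intended", intended);
        chains.put("misordered", misordered);

        // Regression check: the admin path must keep its role requirement.
        String probe = "/admin/deluser"; // constructed sample path
        for (Map.Entry<String, Map<String, String>> c : chains.entrySet()) {
            String filters = resolve(c.getValue(), probe);
            boolean ok = filters != null && filters.contains("roles[");
            System.out.printf("%-10s %s -> %s [%s]%n", c.getKey(), probe, filters, ok ? "OK" : "ROLE CHECK LOST");
        }
    }
}
```

A check like this can run as a unit test against the chain map before deployment, so a reordered or database-loaded rule set that shadows a stricter rule is caught early.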

URL attributes

The ShiroFilter above also configures the properties shown in the figure below, which define which page to jump to in particular situations.

  • For example, if loginUrl is configured, any unauthenticated request will jump to loginUrl.
  • successUrl defines which page to jump to after a successful login (if the controller itself jumps to a view, this setting has no effect).
  • unauthorizedUrl defines which page to jump to when the user is not authorized for the access (plain authc will not trigger it; roles will).

Customization of the interceptor chain

All of the above define the interceptor chain in a hard-coded way. The following addresses this hard-coding problem.
One way is to use a FilterChainResolver; here we use a map instead.
Define a class whose core method returns a LinkedHashMap (ordered, to ensure matching from top to bottom):

package com.progor.utils;
import java.util.LinkedHashMap;

public class FilterChainMap {
    // Use a static factory method
    public static LinkedHashMap<String, String> getFilterChainMap(){
        LinkedHashMap<String, String> map = new LinkedHashMap<>();
        // The entries below could instead be loaded from a database.
        map.put("/login.jsp", "anon");
        map.put("/shiro/login", "anon");
        map.put("/shiro/logout", "logout");
        map.put("/admin.jsp", "authc");
        map.put("/**", "authc");
        return map;
    }
}

Modify applicationContext.xml:

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/list.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
        <property name="filterChainDefinitionMap" ref="filteChainMap"></property>
        <!-- filterChainDefinitions has been removed -->
    </bean>
    <!-- The key step is obtaining this map; because a static factory is used, the bean is defined this way -->
    <bean id="filteChainMap"  class="com.progor.utils.FilterChainMap" factory-method="getFilterChainMap" ></bean>

Supplement:

The above describes the configuration of ShiroFilter, which solves the problem of request interception.

Origin blog.csdn.net/weixin_69797860/article/details/130152494