按照tomsun28/bootshiro這里的提示,閱讀了他的文章:基于shiro的改造集成真正支持restful請求
- 重寫了
PathMatchingFilterChainResolver的getChain方法:
public class RestPathMatchingFilterChainResolver extends PathMatchingFilterChainResolver {
private static final Logger log = LoggerFactory.getLogger(RestPathMatchingFilterChainResolver.class);
public RestPathMatchingFilterChainResolver() {
super();
}
public RestPathMatchingFilterChainResolver(FilterConfig filterConfig) {
super(filterConfig);
}
@Override
public FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {
FilterChainManager filterChainManager = getFilterChainManager();
if (!filterChainManager.hasChains()) {
return null;
}
String requestURI = getPathWithinApplication(request);
String[] urls = null;
for (String pathPattern : filterChainManager.getChainNames()) {
urls = pathPattern.split("--");
if (urls.length == 2) {
// 分割出url+httpMethod,判斷httpMethod和request請求的method是否一致,不一致直接false
if (WebUtils.toHttp(request).getMethod().toUpperCase().equals(urls[1].toUpperCase())) {
pathPattern = urls[0];
}
}
if (pathMatches(pathPattern, requestURI)) {
if (log.isTraceEnabled()) {
log.trace("Matched path pattern [" + pathPattern + "] for requestURI [" + requestURI + "]. " +
"Utilizing corresponding filter chain...");
}
if (urls.length == 2) {
pathPattern = pathPattern.concat("--").concat(WebUtils.toHttp(request).getMethod().toUpperCase());
}
return filterChainManager.proxy(originalChain, pathPattern);
}
}
return null;
}
}
- 重寫了
ShiroFilterFactoryBean的createInstance方法:
public class RestShiroFilterFactoryBean extends ShiroFilterFactoryBean {
private static final Logger logger = LoggerFactory.getLogger(RestShiroFilterFactoryBean.class);
public RestShiroFilterFactoryBean() {
super();
}
@Override
protected AbstractShiroFilter createInstance() throws Exception {
logger.debug("Creating Shiro Filter instance.");
SecurityManager securityManager = this.getSecurityManager();
String msg;
if (securityManager == null) {
msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
} else if (!(securityManager instanceof WebSecurityManager)) {
msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
} else {
FilterChainManager manager = this.createFilterChainManager();
RestPathMatchingFilterChainResolver chainResolver = new RestPathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
return new RestShiroFilterFactoryBean.SpringShiroFilter((WebSecurityManager)securityManager, chainResolver);
}
}
private static final class SpringShiroFilter extends AbstractShiroFilter {
protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
super();
if (webSecurityManager == null) {
throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
}
setSecurityManager(webSecurityManager);
if (resolver != null) {
setFilterChainResolver(resolver);
}
}
}
}
然后更改shiro配置文件使用自定義的RestShiroFilterFactoryBean:
<bean id="shiroFilter" class="com.web.shiro.stateless.config.RestShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="filters">
<util:map>
<entry key="jwt" value-ref="JWTFilter"/>
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
/api/user/test--POST=anon
/api/**=jwt
/**=anon
</value>
</property>
</bean>
在這里由于我是寫在配置文件中的,所以==的格式不行,換成了--的格式.測試了兩個方法,/api/user/test分別有get和post請求,然后post添加不用認證,如上xml配置文件所示,測試通過,暫時只用到認證,以上可以解決認證的問題.
看基于shiro的改造集成真正支持restful請求還重寫了RestPathMatchingFilter的pathsMatch方法,在他的文章中這個類主要是給BJwtFilter繼承做授權使用,我現(xiàn)在暫時只用到認證,所以還沒有深入了解.
以上已經(jīng)能夠解決同一個url不同的httpMethod請求時的授權問題,如有什么問題,還請大家指出.
