1.问题的产生
在学习shiro时,用系统自定义filter,即使用authc拦截规则时,是可以正常启动对用户是否登录的身份验证的。但是,当使用自己定义的拦截器时,一直报No SecurityManager accessible to the calling code, either bound to the org.apache.shiro.util.ThreadContext or as a vm static singleton. This is an invalid application configuration.这个错。我的部分代码如下:
关于shiro的yml文件配置
shiro:
filter-rules:
- /swagger-ui.html==>anon
- /**/swagger-resources/**/**==>anon
- //webjars/**==>anon
- /v2/**==>anon
- /user/login/**==>anon
- /user/queryAll/**==>why
- /**==>authc
自定义的LoginFilter部分代码如下
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object o) throws Exception {
User user = (User) SecurityUtils.getSubject().getPrincipal();
if (null != user && isLoginRequest(servletRequest,servletResponse)){
return true;
}
return false;
}
实体类的注入:
package com.why.greenhouse.front.shiro.manager;
import com.why.greenhouse.front.shiro.realms.SampleRealm;
import com.why.greenhouse.front.shiro.filter.LoginFilter;
import com.why.greenhouse.front.shiro.model.ShiroFilterProperties;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @author why
*/
@Configuration
@ConditionalOnProperty(name = "shiro.web.enabled", matchIfMissing = true)
public class BeanManager {
private static final Logger LOGGER = LoggerFactory.getLogger(BeanManager.class);
@Autowired
private ShiroFilterProperties filterProperties;
@Autowired
private LoginFilter loginFilter;
@Bean
public SecurityManager securityManager(SampleRealm sampleRealm) {
List<Realm> realms = new ArrayList<>();
realms.add(sampleRealm);
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealms(realms);
return securityManager;
}
@ConditionalOnMissingBean
@Bean
public ShiroFilterFactoryBean filterFactoryBean(SecurityManager securityManager) {
LOGGER.info("开始初始化拦截器配置信息");
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
//自己没有定义拦截器的默认使用authc
Map<String, Filter> filterMap = new HashMap<>(20);
//定义拦截器名称
filterMap.put("why", loginFilter);
shiroFilterFactoryBean.setFilters(filterMap);
Map<String, String> filterChainMap = new HashMap<>(20);
List<String> filters = filterProperties.getFilterRules();
if (null != filters) {
for (String filter : filters) {
String[] temp = filter.split("==>");
if (temp.length != 2) {
throw new IllegalStateException("过滤规则配置不正确,格式为:url==>filters");
}
filterChainMap.put(temp[0], temp[1]);
}
}
//把自己定义的拦截相关规则交给shiro管理
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainMap);
shiroFilterFactoryBean.setLoginUrl("/user/needLogin");
shiroFilterFactoryBean.setSuccessUrl("/");
shiroFilterFactoryBean.setUnauthorizedUrl("/403");
return shiroFilterFactoryBean;
}
}
每次项目启动连接swagger接口时,后台就会报上面的错误。yml文件改为authc则可以正常操作。
问题查询
经过网上搜索可以知道这种问题是由于自定义的filter是在部分其他filter实列化之后实例化的,导致shiro无法正常管理该shiro。所以就会出现上面filter无法找到SercurityManager的异常信息。
问题解决
原因:
web.xml文件中filter顺序问题:多个filter的执行顺序从上往下做用户登录权限效验出错,由于把shiro filter写到了struts filter后面,当登录的时候会先走struts的filter大概意思就是shiro无法管理到这个请求,而你又在配置文件里设置要shiro管理这个请求。
1.非spring boot项目
解决:
shiro filter放在struts2 filter前面
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
2.spring boot项目
对于spring boot项目由于没有web.xml文件,无法在filter启动的顺序上面直接通过配置文件修改。因此对实例化拦截器做了如下修改:拦截器在实例化ShiroFilterFactoryBean时创建新对象,这样就保证了我们定义的filter能被shiro管理了。具体修改如下:
去掉自定义filter中的@Component注解,不交给spring管理该对象
/**
* @author why
*/
@Component
public class LoginFilter extends AccessControlFilter {
在加入自定义的拦截器时,项目启动,自定义的filter可以正常工作
Map<String, Filter> filterMap = new HashMap<>(20);
//定义拦截器名称
filterMap.put("why", new LoginFilter());
shiroFilterFactoryBean.setFilters(filterMap);
Map<String, String> filterChainMap = new HashMap<>(20);