leelance / spring-boot-all

spring-boot,mybatis,activemq,redis,email, freemarker,shiro,websocket,sitemesh,ehcache,easyui,kindeditor,quartz,springfox,swagger,jpa,hibernate,querydsl,netty
Apache License 2.0
1.95k stars 1.25k forks

About the URLPermissionsFilter interception problem: after logging in, a whole series of operations become ineffective, for example logout. #3

Closed chen-jie closed 7 years ago

chen-jie commented 7 years ago

```java
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
    String curUrl = getRequestUrl(request);
    Subject subject = SecurityUtils.getSubject();
    if (subject.getPrincipal() == null
            || StringUtils.endsWithAny(curUrl, ".js", ".css", ".html")
            || StringUtils.endsWithAny(curUrl, ".jpg", ".png", ".gif", ".jpeg")
            || StringUtils.equals(curUrl, "/unauthor")) {
        return true;
    }
    List urls = userService.findPermissionUrl(subject.getPrincipal().toString());
    return urls.contains(curUrl);
}
```

chen-jie commented 7 years ago

```java
chains.put("/logout", "logout");
chains.put("/**", "authc,perms");
```

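I looked at the Shiro configuration. It seems that when I request localhost/logout, it is intercepted by the second pattern, "/**", and not by the exact-match "/logout".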

leelance commented 7 years ago

@chen-jie This demo applies perms interception to /; see URLPermissionsFilter. All URLs need to be configured; see the method `List<String> urls = userService.findPermissionUrl(subject.getPrincipal().toString());`

Below is the Shiro filterChain configuration:

```java
Map<String, String> chains = Maps.newHashMap();
chains.put("/login", "anon");
chains.put("/unauthor", "anon");
chains.put("/logout", "logout");
chains.put("/base/", "anon");
chains.put("/css/", "anon");
chains.put("/layer/", "anon");
chains.put("/**", "perms");
```

The other URLs are all anonymous; logout is handled by LogoutFilter.
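
Added example, not part of the thread and not code from this repository or from Shiro: Shiro evaluates filter chain definitions in the order they are defined and the first matching pattern wins, so a check like the one below can flag a specific rule such as "/logout" that an earlier catch-all would shadow. The class `ChainOrderCheck`, its methods and the simplified matcher (exact paths and a trailing "/**" only) are assumptions of this example; it needs Java 9 or later.

```java
import java.util.*;
// Added example: simplified stand-in for first-match-wins chain resolution.
// Assumption: only exact paths and a trailing "/**" are modelled here.
public class ChainOrderCheck {
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = base(pattern);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }
    // Strips a trailing "/**" so "/css/**" becomes "/css"; exact paths are unchanged.
    static String base(String pattern) {
        return pattern.endsWith("/**") ? pattern.substring(0, pattern.length() - 3) : pattern;
    }
    // Filters of the first definition, in iteration order, whose pattern matches the path.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matches(e.getKey(), path)) return e.getValue();
        }
        return null;
    }

    // Patterns that can never win because an earlier wildcard pattern covers them.
    static List<String> shadowed(Map<String, String> chains) {
        List<String> seen = new ArrayList<>(), result = new ArrayList<>();
        for (String pattern : chains.keySet()) {
            for (String earlier : seen) {
                if (earlier.endsWith("/**") && matches(earlier, base(pattern))) {
                    result.add(pattern + " is shadowed by " + earlier);
                    break;
                }
            }
            seen.add(pattern);
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> ordered = new LinkedHashMap<>(); // keeps definition order
        ordered.put("/logout", "logout");
        ordered.put("/**", "authc,perms");
        Map<String, String> reversed = new LinkedHashMap<>(); // constructed: catch-all first
        reversed.put("/**", "authc,perms");
        reversed.put("/logout", "logout");
        for (Map<String, String> m : List.of(ordered, reversed))
            System.out.println(m.keySet() + ": /logout -> " + resolve(m, "/logout") + " " + shadowed(m));
    }
}
```

Running `shadowed` over the definition map at startup, in the same iteration order the map is handed to the filter factory, turns a silently unreachable rule into a visible configuration error.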