leelance/spring-boot-all

Regarding the URLPermissionsFilter interception problem: after logging in, a series of operations stop working, for example logout.

chen-jie opened this issue · 2 comments

```java
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
    String curUrl = getRequestUrl(request);
    Subject subject = SecurityUtils.getSubject();
    // Early allow: static resources, the "unauthorized" page, and subjects with no principal.
    // Note that the last case lets unauthenticated subjects through this filter, so an
    // authc filter must run before it in the chain if the URL is meant to be protected.
    if (subject.getPrincipal() == null
            || StringUtils.endsWithAny(curUrl, ".js", ".css", ".html")
            || StringUtils.endsWithAny(curUrl, ".jpg", ".png", ".gif", ".jpeg")
            || StringUtils.equals(curUrl, "/unauthor")) {
        return true;
    }
    // Otherwise the URL must be in the list of URLs the user is permitted to access.
    List<String> urls = userService.findPermissionUrl(subject.getPrincipal().toString());
    return urls.contains(curUrl);
}
```

```java
chains.put("/logout", "logout");
chains.put("/**", "authc,perms");
```

Looking at the Shiro configuration, it seems that when I hit localhost/logout, the request is intercepted by the second "/**" entry instead of the exactly matching "/logout" entry.

@chen-jie This demo applies the perms filter to /**; see URLPermissionsFilter. Every URL has to be configured. Refer to this method:

```java
List<String> urls = userService.findPermissionUrl(subject.getPrincipal().toString());
```

Below is the Shiro filterChain configuration:

```java
// Shiro matches chain definitions in iteration order and the FIRST match wins,
// so the map must preserve insertion order (LinkedHashMap, not HashMap) and the
// "/**" catch-all must come last.
Map<String, String> chains = Maps.newLinkedHashMap();
chains.put("/login", "anon");
chains.put("/unauthor", "anon");
chains.put("/logout", "logout");
chains.put("/base/**", "anon");
chains.put("/css/**", "anon");
chains.put("/layer/**", "anon");
chains.put("/**", "perms");
```

All other URLs are anonymous; logout is handled by LogoutFilter.
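The behaviour discussed in both posts (why "/logout" can end up handled by the "/**" chain) comes down to how Shiro resolves a request path: it walks the chain definitions in map iteration order and takes the first pattern that matches. The following is an added illustration, not code from the spring-boot-all project; it reimplements that lookup with Shiro's own `AntPathMatcher` (from `shiro-core`) over the chain definitions quoted above, and shows that the result is only reliable when the definitions live in an insertion-ordered map with the catch-all last. The class and method names (`ChainOrderDemo`, `resolve`, `catchAllIsLast`) are constructed for this example.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.util.AntPathMatcher;

/**
 * Constructed example: resolves a request path against Shiro-style filter chain
 * definitions the same way Shiro's PathMatchingFilterChainResolver does, i.e.
 * iterate the definitions in map order and return the FIRST pattern that matches.
 */
public class ChainOrderDemo {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns the chain definition (e.g. "logout", "perms") for the first matching pattern, or null. */
    static String resolve(Map<String, String> chains, String requestPath) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (MATCHER.matches(e.getKey(), requestPath)) {
                return e.getValue();
            }
        }
        return null;
    }

    /** The chain definitions from the thread, inserted into whatever map is supplied. */
    static Map<String, String> definitions(Map<String, String> target) {
        target.put("/login", "anon");
        target.put("/unauthor", "anon");
        target.put("/logout", "logout");
        target.put("/base/**", "anon");
        target.put("/css/**", "anon");
        target.put("/layer/**", "anon");
        target.put("/**", "perms"); // catch-all: must be the LAST definition
        return target;
    }

    /** Sanity check to run against the real configuration: the "/**" catch-all is the last entry. */
    static boolean catchAllIsLast(Map<String, String> chains) {
        String last = null;
        for (String key : chains.keySet()) {
            last = key;
        }
        return "/**".equals(last);
    }

    public static void main(String[] args) {
        // Insertion order is preserved, so "/logout" is tried before "/**" and LogoutFilter runs.
        Map<String, String> ordered = definitions(new LinkedHashMap<>());
        System.out.println("LinkedHashMap: /logout -> " + resolve(ordered, "/logout"));
        System.out.println("catch-all last? " + catchAllIsLast(ordered));

        // HashMap iteration order is unspecified: "/**" may be tried first, in which case
        // "/logout" resolves to "perms" and the logout request never reaches LogoutFilter,
        // which is exactly the symptom reported in the issue.
        Map<String, String> unordered = definitions(new HashMap<>());
        System.out.println("HashMap:       /logout -> " + resolve(unordered, "/logout"));
        System.out.println("catch-all last? " + catchAllIsLast(unordered));
    }
}
```

Compile with `shiro-core` on the classpath; the first two lines always print `logout` and `true`, while the HashMap run depends on hash ordering and may print `perms` and `false`. The `catchAllIsLast` check is the kind of assertion worth keeping in a unit test over the application's actual `filterChainDefinitionMap`, since a misordered catch-all silently swallows every more specific rule, including the ones that grant anonymous access to the login page.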