This subject is anonymous - it does not have any identifying principals and authorization operations

最新推荐文章于 2024-04-08 11:31:39 发布

原创最新推荐文章于 2024-04-08 11:31:39 发布 · 1w 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#前后端 shiro #This subject is anonymous #shiro不起作用

JAVA 同时被 2 个专栏收录

77 篇文章

订阅专栏

异常

20 篇文章

订阅专栏

大家好，我是烤鸭：

最近使用shiro，遇到如下问题：

严重: Servlet.service() for servlet [dispatcherServlet] in context with path [/etc] threw exception [Request processing failed; nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.] with root cause

1. 场景介绍

项目是前后端分离的，接口用postman自测的时候是没有问题的。但是前端登录后访问有权限限制的接口会报错。

前端是 react 项目，后端是 springboot 项目。

2. 原因猜想

可能是前端每次请求并没有携带cookie。由于前端项目本地启动请求后端项目需要使用代理。

默认访问的域名应该是localhost:3000

3. 解决方式

如果前端联调的是测试环境，建议将前端项目也部署测试环境，并且和后端项目部署在同一个域名下（nginx配置一下就可以了）。这种就不存在跨域和携带cookie的问题了。

如果前端联调的是开发同学的本地环境。需要前后端都做一些修改。

前端：

fetch请求默认不携带cookie

增加

credentials: "include"

            var myHeaders = new Headers();
            fetch(url, {
              method: 'GET',
              headers: myHeaders,
              credentials: "include"
            })

withCredentials: true

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

后端：

如果是和本地联调，肯定存在跨域问题。需要设置 Access-Control-Allow-Origin 为指定ip，不能设置为 * 。

浏览器的安全角度如果设置为 * ，是不能携带cookie的。

本例中如下设置。(Access-Control-Allow-Origin 设置为 localhost:3000)

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    private CorsConfiguration buildConfig() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedHeader("*"); // 允许任何头
        corsConfiguration.addAllowedOrigin("localhost:3000"); // 允许任何头
        corsConfiguration.addAllowedMethod("*"); // 允许任何方法（post、get等）
        return corsConfiguration;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", buildConfig()); // 对接口配置跨域设置
        return new CorsFilter(source);
    }

}

@Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        //每一次的请求先校验cookie
        HttpServletRequest reqeust = (HttpServletRequest)req;
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "localhost:3000");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        chain.doFilter(req, res);
    }