自定义两个shiro过滤器

本文介绍了两个自定义的Shiro过滤器：一个用于拦截特定类型的可执行文件请求，另一个在FormAuthenticationFilter的基础上实现了RememberMe功能，允许用户在未登录的情况下通过记住我功能进入系统。


1. 过滤可执行文件

package com.mark.demo.shiro.security.filter;

import java.util.Locale;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.springframework.util.PatternMatchUtils;


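/**
 * Denies requests whose path looks like a server-side script or binary artefact, judged by
 * the presence of a black-listed file extension in the request path.
 */
public class SimpleExecutiveFilter extends AuthorizationFilter
{
    /**
     * Denied path patterns. Every entry has the form {@code *.ext*}, so a match means "the
     * lower-cased path contains {@code .ext} somewhere", not "the path ends with {@code .ext}".
     * Short entries therefore also deny unrelated paths that happen to contain the substring
     * (e.g. {@code *.so*} matches {@code /user.socialLinks}).
     */
    protected static final String[] blackUrlPathPattern = new String[]{"*.aspx*", "*.asp*", "*.php*", "*.exe*", "*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*",
            "*.dll*", "*.bat*", "*.bin*", "*.dat*", "*.bas*", "*.so*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*"};

    /**
     * Allows the request only when neither the raw request URI nor the container's mapped
     * path (servlet path + path info) matches a black-listed pattern.
     *
     * @param request  the current request, expected to be an {@link HttpServletRequest}
     * @param response unused
     * @param obj      unused filter mapping value
     * @return {@code false} when the path is black-listed, {@code true} otherwise
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception
    {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // The URI exactly as sent by the client.
        if (matchesBlackList(httpRequest.getRequestURI()))
        {
            return false;
        }
        // The container's view of the same path. In common containers servlet path and path info
        // are already percent-decoded and stripped of ";name=value" path parameters, while the raw
        // URI is not; checking both keeps an encoded spelling of a black-listed extension from
        // being treated differently from its plain spelling.
        String servletPath = httpRequest.getServletPath();
        String pathInfo = httpRequest.getPathInfo();
        String mappedPath = (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
        return !matchesBlackList(mappedPath);
    }

    /**
     * Normalises a path (lower-cased with {@link Locale#ROOT}, trimmed) and tests it against
     * every entry of {@link #blackUrlPathPattern}.
     *
     * @param path request path; {@code null} or empty never matches
     * @return {@code true} when any black-list pattern matches the normalised path
     */
    protected static boolean matchesBlackList(String path)
    {
        if (path == null || path.isEmpty())
        {
            return false;
        }
        // Locale.ROOT: the patterns are plain ASCII, so the comparison must not depend on the
        // JVM's default locale (under a Turkish default locale "BIN" lower-cases to "bın" and
        // would no longer match "*.bin*").
        String normalised = path.toLowerCase(Locale.ROOT).trim();
        for (String pattern : blackUrlPathPattern)
        {
            if (PatternMatchUtils.simpleMatch(pattern, normalised))
            {
                return true;
            }
        }
        return false;
    }
}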
2. Remember Me 认证

package com.mark.demo.shiro.security.filter;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

import com.alibaba.fastjson.JSON;
import com.mark.demo.shiro.constant.CharsetConst;
import com.mark.demo.shiro.entity.JsonMessage;
import com.mark.demo.shiro.entity.User;
import com.mark.demo.shiro.session.RedisSessionManager;
import com.mark.demo.shiro.utils.IPUtil;
import com.mark.demo.shiro.utils.StringUtils;


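/**
 * Form-login filter with two additions over Shiro's {@code FormAuthenticationFilter}:
 * AJAX callers that are not logged in receive a JSON body instead of a redirect, and a
 * subject that is only "remembered" is logged in again from the credentials carried in the
 * remembered principal.
 */
public class AuthenticationFilter extends org.apache.shiro.web.filter.authc.FormAuthenticationFilter
{
    /** Name of the request parameter expected to carry the captcha value; not read by this filter yet. */
    private String captchaParam = "validateCode";

    /** Request attribute under which {@link #onLoginFailure} stores the user-facing failure text. */
    private String messageParam = "message";

    public AuthenticationFilter()
    {
        super();
    }

    public String getCaptchaParam()
    {
        return captchaParam;
    }

    public void setCaptchaParam(String captchaParam)
    {
        this.captchaParam = captchaParam;
    }

    public String getMessageParam()
    {
        return messageParam;
    }

    public void setMessageParam(String messageParam)
    {
        this.messageParam = messageParam;
    }

    /**
     * Builds the login token from the submitted form. A missing password is treated as the
     * empty string so a token can always be built; the host comes from the project's
     * {@code StringUtils.getRemoteAddr} helper.
     */
    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response)
    {
        String username = getUsername(request);
        String password = getPassword(request);
        char[] credentials = password == null ? new char[0] : password.toCharArray();
        boolean rememberMe = isRememberMe(request);
        String host = StringUtils.getRemoteAddr((HttpServletRequest) request);
        return new UsernamePasswordToken(username, credentials, rememberMe, host);
    }

    /**
     * Handles a request that is not (yet) allowed through.
     * <ul>
     *   <li>On the login URL a submission is executed; any other method just lets the login
     *       page render.</li>
     *   <li>Elsewhere, an AJAX caller gets a JSON "not logged in" body, everyone else is
     *       redirected to the login page with the original request saved.</li>
     * </ul>
     *
     * @return {@code true} only when the filter chain should continue (login page or a
     *         successful login); {@code false} when the response has been written
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception
    {
        if (isLoginRequest(request, response))
        {
            if (isLoginSubmission(request, response))
            {
                return executeLogin(request, response);
            }
            // Not a submission: fall through to the login view.
            return true;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        if (isAjaxRequest(httpRequest))
        {
            writeNotLoggedIn(httpResponse);
        }
        else
        {
            saveRequestAndRedirectToLogin(request, response);
        }
        return false;
    }

    /** @return whether the request carries the {@code X-Requested-With: XMLHttpRequest} marker set by browser XHR libraries */
    private static boolean isAjaxRequest(HttpServletRequest request)
    {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
    }

    /**
     * Writes a {@link JsonMessage} with code 403 as the response body. The HTTP status line is
     * left untouched, so clients must read the code from the body rather than the status.
     *
     * @throws IOException if the response writer cannot be obtained
     */
    private static void writeNotLoggedIn(HttpServletResponse httpResponse) throws IOException
    {
        httpResponse.setHeader("Content-type", "text/html;charset=UTF-8");
        httpResponse.setCharacterEncoding(CharsetConst.CHARSET_UT);
        JsonMessage message = new JsonMessage(403,"用户没登入");
        PrintWriter out = httpResponse.getWriter();
        out.println(JSON.toJSON(message));
        out.flush();
        out.close();
    }

    /**
     * Records why login failed so the login page can display it. The exception class name is
     * stored under {@link #getFailureKeyAttribute()} and a user-facing text under
     * {@link #messageParam}. Messages prefixed with {@code msg:} are surfaced with the prefix
     * removed; any other exception maps to a generic text so internal details do not reach the
     * page.
     *
     * @return {@code true} so the request continues to the login view
     */
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response)
    {
        Class<?> failureType = e.getClass();
        String className = failureType.getName();
        String message;
        // Exact class match: subclasses of these two fall through to the other branches.
        if (failureType == IncorrectCredentialsException.class || failureType == UnknownAccountException.class)
        {
            message = "用户或密码错误, 请重试.";
        }
        else if (e.getMessage() != null && StringUtils.startsWith(e.getMessage(), "msg:"))
        {
            message = StringUtils.replace(e.getMessage(), "msg:", "");
        }
        else
        {
            message = "系统出现点问题,请稍后再试!";
        }
        request.setAttribute(getFailureKeyAttribute(), className);
        request.setAttribute(messageParam, message);
        return true;
    }

    /**
     * Allows an authenticated subject through and, for a subject that is only remembered
     * (remember-me identity present, no login in this session), re-runs login with the
     * credentials carried in the remembered {@link User} principal.
     * <p>
     * Security note: because the remembered principal carries the password that is replayed
     * here, the remember-me identity effectively acts as a long-lived login credential and this
     * filter removes Shiro's usual distinction between "remembered" and "authenticated". A
     * remembered principal without a password (written by an earlier version of the
     * application) and a principal whose credentials no longer validate are both treated as
     * stale: the custom session is cleared and the subject is logged out.
     *
     * @return {@code true} only when the subject is authenticated after this check
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
    {
        Subject subject = getSubject(request, response);
        if (subject.isAuthenticated() || !subject.isRemembered())
        {
            return subject.isAuthenticated();
        }
        Object principal = subject.getPrincipal();
        if (!(principal instanceof User))
        {
            // No principal, or not the type we know how to re-authenticate from.
            return subject.isAuthenticated();
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        User userInfo = (User) principal;
        if (StringUtils.isBlank(userInfo.getPassword()))
        {
            // Legacy remembered identity without credentials: drop the custom session and the identity.
            RedisSessionManager.clear(httpRequest, httpResponse);
            subject.logout();
            return false;
        }
        UsernamePasswordToken token = new UsernamePasswordToken(userInfo.getUserName(), userInfo.getPassword().toCharArray(), true,
                IPUtil.getOriginalIpAddr(httpRequest));
        try
        {
            subject.login(token);
        }
        catch (AuthenticationException rejected)
        {
            // The remembered credentials no longer validate (e.g. the password changed after the
            // identity was remembered): treat it as stale rather than failing the request with an
            // unhandled exception.
            RedisSessionManager.clear(httpRequest, httpResponse);
            subject.logout();
            return false;
        }
        return subject.isAuthenticated();
    }
}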


