以下是来自shiro.ini的配置
shiro.loginUrl = /login.jsp
######### URL CONFIG ###################
[urls]
/login.jsp = anon
/public/login/** = anon
/public/app/** = authc
Stripes ...
@UrlBinding("/public/app/")
// Bound under /public/app/, so it is governed by the "/public/app/** = authc" rule in shiro.ini.
public class CalculatorActionBean implements ActionBean {
// Body elided in the original listing; only the URL binding is relevant to the question.
.....
}
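@UrlBinding("/public/login/")
public class UserAuthenticateBean implements ActionBean {

    /** Class logger. Credentials are never written through it. */
    private static final Logger log = LoggerFactory.getLogger(UserAuthenticateBean.class);

    private ActionBeanContext context;
    private String username;
    private String password;
    // Outcome of the last login() attempt: "Success" or "Fail" followed by the username.
    private String message;

    @Override
    public ActionBeanContext getContext() {
        return context;
    }

    @Override
    public void setContext(ActionBeanContext context) {
        this.context = context;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    /**
     * Returns the outcome message set by {@link #login()}, or {@code null} if no
     * login has been attempted on this bean yet. Added so the view can read it;
     * it never contains the password.
     */
    public String getMessage() {
        return message;
    }

    /** Default event: show the login form. */
    @DefaultHandler
    @DontValidate
    public Resolution defaultHander() {
        return new ForwardResolution("/login.jsp");
    }

    /**
     * Attempts to authenticate the current Shiro {@link Subject} with the bound
     * username/password against the "jdbcRealm" realm.
     *
     * <p>Fix relative to the original: the password is no longer appended to
     * {@code message} nor printed to stdout, and the unexpected-failure branch
     * logs through the logger with the cause instead of {@code printStackTrace()}.
     *
     * @return a forward to /logged_in.jsp in every case; {@link #getMessage()}
     *         tells the view whether the attempt succeeded
     */
    public Resolution login() {
        Subject currentUser = SecurityUtils.getSubject();
        log.debug("Login requested for subject " + currentUser);
        if (!currentUser.isAuthenticated()) {
            TenantAuthenticationToken token = new TenantAuthenticationToken(username, password, "jdbcRealm");
            // Always remembers the subject; make this user-selectable if "remember me" is meant to be opt-in.
            token.setRememberMe(true);
            try {
                currentUser.login(token);
            } catch (UnknownAccountException uae) {
                log.info("There is no user with username of " + token.getPrincipal());
            } catch (IncorrectCredentialsException ice) {
                log.info("Password for account " + token.getPrincipal() + " was incorrect!");
            } catch (LockedAccountException lae) {
                log.info("The account for username " + token.getPrincipal() + " is locked. "
                        + "Please contact your administrator to unlock it.");
            } catch (AuthenticationException ae) {
                // Any other AuthenticationException is unexpected; keep the stack trace via the logger.
                log.error("Unexpected authentication failure for " + token.getPrincipal(), ae);
            }
        }
        message = currentUser.isAuthenticated() ? "Success" : "Fail";
        // The username is appended as before; the password is deliberately excluded so it never
        // reaches the view, the log or stdout.
        message += getUsername();
        log.info("Login outcome: " + message);
        return new ForwardResolution("/logged_in.jsp");
    }
}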
logged_in.jsp
<a href ="/oc/public/app">app</a>
现在，如果我从 shiro.ini 中删除 `/public/app/** = authc` 这一行，已登录用户和访客都可以访问 /public/app。
如果我保留该行，则没有人能访问该页面，请求都会被送回 login.jsp。
让我疯了!
帮助!
答案 0 :(得分:3)
更改您的网址配置,让'authc'过滤实际的登录网址:
[main]
...
authc.loginUrl = /login.jsp
[urls]
/login.jsp = authc
/public/login/** = anon
/public/app/** = authc
authc 过滤器足够智能，能够识别请求尚未通过身份验证，并且仍然允许其访问登录页面本身，以便用户可以登录。