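I have created a simple JSF login page and am using Apache Shiro to provide authentication and authorization, but the URL filters specified in shiro.ini do not seem to work.
In the root WebContent directory I have two files named "test.xhtml" and "login.xhtml", which anyone can access without logging in. I also have a subdirectory named "protected" containing a file named "success.xhtml", which should only be accessible after the user has logged in.
When the [urls] section of the shiro.ini file contains /protected/** = myFilter
the user can access the protected/success.xhtml page without logging in. When the [urls] section of the shiro.ini file contains /** = myFilter
the xhtml pages are not rendered by JSF; instead, the user is prompted to download the xhtml file.
Can anyone suggest how I should configure Shiro so that anyone can access the pages in the WebContent root directory, but only logged-in users can access the pages in the protected subdirectory?
I am using Apache MyFaces 2.1.5 and Shiro 1.2.1.
The full contents of the shiro.ini file are as follows: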
[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /login.xhtml
myFilter.successUrl = /protected/success.xhtml
[users]
user01 = user01, Users
user02 = user02, Users
[roles]
Users = *
[urls]
/protected/** = myFilter
The contents of the web.xml file are as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>FooBarWeb</display-name>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>resources.application</param-value>
</context-param>
<context-param>
<description>
State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<description>
This parameter tells MyFaces if javascript code should be allowed in
the rendered HTML output.
If javascript is allowed, command_link anchors will have javascript code
that submits the corresponding form.
If javascript is not allowed, the state saving info and nested parameters
will be added as url parameters.
Default is 'true'</description>
<param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<description>
If true, rendered HTML code will be formatted, so that it is 'human-readable'
i.e. additional line separators and whitespace will be written, that do not
influence the HTML code.
Default is 'true'</description>
<param-name>org.apache.myfaces.PRETTY_HTML</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>
If true, a javascript function will be rendered that is able to restore the
former vertical scroll on every request. Convenient feature if you have pages
with long lists and you do not want the browser page to always jump to the top
if you trigger a link or button action that stays on the same page.
Default is 'false'
</description>
<param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<enabled>true</enabled>
<async-supported>false</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>
Answer 0 (score: 0)
After further investigation, it appears that the URLs need to be prefixed with "/faces". The shiro.ini file should look like this:
[main]
myFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
myFilter.loginUrl = /faces/login.xhtml
myFilter.successUrl = /faces/protected/success.xhtml
[users]
user01 = user01, Users
user02 = user02, Users
[roles]
Users = *
[urls]
/faces/protected/** = myFilter
By adding /faces to the URLs, Shiro now prevents unauthenticated users from accessing pages in the protected subdirectory.
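The following is an added example, not part of the original question or answer and not Shiro's own code: a simplified Python model of how the [urls] section picks a filter chain (Ant-style patterns, first match wins), run against both configurations from this page. The request paths are constructed, assuming the `/faces/*` Faces Servlet mapping from the web.xml above; `ant_to_regex`, `first_match` and `coverage` are hypothetical helper names.

```python
import re

def ant_to_regex(pattern):
    """Translate an Ant-style pattern (?, *, **) into a regex string (simplified model)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")      # trailing /** : zero or more path segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")            # ** elsewhere: any characters, including '/'
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # * stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")          # ? is exactly one non-slash character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def first_match(urls, path):
    """Return the chain of the first pattern that matches path, or None if no pattern does."""
    for pattern, chain in urls:
        if re.fullmatch(ant_to_regex(pattern), path):
            return chain
    return None

# [urls] sections from this page: the question's and the answer's.
QUESTION_URLS = [("/protected/**", "myFilter")]
ANSWER_URLS = [("/faces/protected/**", "myFilter")]

# Constructed request paths, relative to the context root.
PATHS = [
    "/faces/protected/success.xhtml",   # page as rendered by the Faces Servlet
    "/protected/success.xhtml",         # same file requested without /faces
    "/faces/login.xhtml",
    "/faces/test.xhtml",
]

def coverage(urls):
    """Map each sample path to the filter chain that would apply to it (None = no chain)."""
    return {path: first_match(urls, path) for path in PATHS}

if __name__ == "__main__":
    for name, urls in (("question", QUESTION_URLS), ("answer", ANSWER_URLS)):
        print(name)
        for path, chain in coverage(urls).items():
            print(f"  {path:35} -> {chain or 'no filter chain'}")
```

With the answer's single pattern, `/protected/success.xhtml` requested without the `/faces` prefix matches no chain; listing both `/protected/**` and `/faces/protected/**` in [urls] covers both paths.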