我目前正在使用JavaEE6堆栈中的Web应用程序,并且我已经集成了Shiro以确保安全。我认为现在认证和授权工作正常,我有最后一个问题。
当我退出时,我遇到了UnknownSessionException,这是我的配置和检查代码:
的web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!-- Welcome page -->
<welcome-file-list>
<welcome-file>home.xhtml</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
</web-app>
shiro.ini
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = czetsuyaPortal
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM czetsuya_users WHERE username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM czetsuya_roles a INNER JOIN czetsuya_user_roles b ON a.id = b.role_id INNER JOIN czetsuya_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM czetsuya_permissions WHERE role = ?
# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = saltedJdbcRealm
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionDAO.activeSessionsCacheName = shiro-activeSessionCache
securityManager.sessionManager.sessionDAO = $sessionDAO
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
# 1,800,000 milliseconds = 30 mins
sessionValidationScheduler.interval = 1800000
securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager.sessionManager.sessionIdCookie.domain = com.czetsuya
# 1,800,000 milliseconds = 30 mins
securityManager.sessionManager.globalSessionTimeout = 1800000
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:shiro-ehcache.xml
securityManager.cacheManager = $cacheManager
czetsuyaFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
czetsuyaFilter.loginUrl = /faces/login.xhtml
czetsuyaFilter.unauthorizedUrl = /faces/login.xhtml
# logout.redirectUrl = /faces/login.xhtml
[urls]
/login.xhtml = czetsuyaFilter
/secure/** = czetsuyaFilter
/api/** = noSessionCreation, czetsuyaFilter
# /logout = logout
我调用注销的部分:
public String logout() {
Subject subject = SecurityUtils.getSubject();
if (subject != null) {
subject.logout();
}
return "/home.xhtml?faces-redirect=true";
}
谢谢,
czetsuya
答案 0 :(得分:0)
此配置的问题是以下行:
securityManager.sessionManager.globalSessionTimeout = 1800000
应该注释掉。它不适用于shiro的原生会话。
或者另一种方法是使用HttpSession(而不是shiro)。这是配置文件:
[main]
saltedJdbcRealm = com.czetsuya.commons.web.security.shiro.JdbcRealmImpl
# any object property is automatically configurable in Shiro.ini file
saltedJdbcRealm.jndiDataSourceName = dropshipDS
# the realm should handle also authorization
saltedJdbcRealm.permissionsLookupEnabled = true
# If not filled, subclasses of JdbcRealm assume "select password from users where username = ?"
# first result column is password, second result column is salt
saltedJdbcRealm.authenticationQuery = SELECT password, salt FROM crm_users WHERE disabled = false AND username = ?
# If not filled, subclasses of JdbcRealm assume "select role_name from user_roles where username = ?"
saltedJdbcRealm.userRolesQuery = SELECT name FROM crm_roles a INNER JOIN crm_user_roles b ON a.id = b.role_id INNER JOIN crm_users c ON c.id = b.user_id WHERE c.username = ?
# If not filled, subclasses of JdbcRealm assume "select permission from roles_permissions where role_name = ?"
saltedJdbcRealm.permissionsQuery = SELECT action FROM crm_permissions WHERE role = ?
# password hashing specification, put something big for hasIterations
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
sha256Matcher.hashIterations = 1
saltedJdbcRealm.credentialsMatcher = $sha256Matcher
securityManager.realms = $saltedJdbcRealm
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
cacheManager.cacheManagerConfigFile = classpath:ehcache.xml
securityManager.cacheManager = $cacheManager
dsFilter = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
dsFilter.loginUrl = /login.xhtml
roles = com.czetsuya.commons.web.security.shiro.RolesAuthorizationFilter
[urls]
/login.xhtml = dsFilter
/backend/** = dsFilter, roles[backend]
/affiliate/** = dsFilter, roles[affiliate]
/api/** = noSessionCreation, dsFilter
/logout = logout