我正在将Shiro整合到我的dropwizard webapp中。我已经达到了这一点
但是,如果我尝试访问受保护的资源,无论我是否登录,shiro总是将我发送到登录页面。我相信登录工作正常;我也相信shiro并不尊重我是否已经登录。
my shiro.ini:
[main]
# some other stuff
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /auth/login
# NOTE: URLs are evaluated in order, and the first matching pattern is accepted.
[urls]
/static/** = noSessionCreation, anon
/auth/** = authc
/admin/** = authc
/** = anon
另外值得注意的是:我收到的错误是
0:0:0:0:0:0:0:1%0 - - [10/Oct/2013:18:23:54 +0000] "GET /auth/login;JSESSIONID=65e06b39-30e5-45dd-85f9-b2a1c29fc3af HTTP/1.1" 200 739 4 4
WARN [2013-10-10 18:24:08,485] com.sun.jersey.spi.container.servlet.WebComponent:
A servlet request, to the URI http://blah:8080/auth/login, contains form
parameters in the request body but the request body has been consumed by the servlet
or a servlet filter accessing the request parameters. Only resource methods using
@FormParam will work as expected. Resource methods consuming the request body by other
means will not work as expected.
并且每次访问/ admin都会导致错误302.我不知道还有什么与回答此问题相关。我已经探索了其他几个“Shiro一直重定向我登录”的问题,但大多数直接引用Jetty与web.xmls,Dropwizard不使用,也不知道正在应用什么过滤器。我的同事用同样的方法让shiro与他的dropwizard项目合作。
在决定是否将用户发送到登录页面之前,shiro如何对用户进行身份验证?
答案 0 :(得分:1)
我发现了问题。这里有更多的shiro.ini,特别是会话管理部分:
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# NOTE: The session ID cookie seems to be required in order for authentication to work as intended.
# If the presence of cookies is a deal-breaker, further investigation will be required.
# Here we enable the Secure attribute (serve over SSL only) for this cookie;
# the HttpOnly attribute (not accessible by JavaScript) is enabled by default.
#sessionManager.sessionIdCookie.secure = true
# enabled Ehcache following advice from Shiro docs
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
sessionManager.sessionDAO = $sessionDAO
# can optionally add session listeners here if actions need to be performed on session start/stop/expiration
# sessionManager.sessionListeners = $listener_1, $listener_2, ...
securityManager.sessionManager = $sessionManager
我已经评论了sessionIdCookie.secure(稍后会删除它。)事实证明,如果没有启用ssl,当该变量设置为true时,不会存储cookie。这解释了url栏中的JSESSIONID查询参数,以及为什么在进行身份验证后,它立即忘记了我,并决定我需要再次登录。