Hi everyone, I would like to know how I can redirect the user to accessdeniedpage.jsp from a Shiro custom JdbcRealm. This is my code:
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws HostUnauthorizedException, AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();
    String clientIP = upToken.getHost();
    // Null username is invalid
    if (username == null) {
        throw new AccountException("Null usernames are not allowed by this realm.");
    }
    Connection conn = null;
    AuthenticationInfo info = null;
    try {
        conn = dataSource.getConnection();
        String password = getPasswordForUser(conn, username); // get userpassword
        boolean ipFlag = getIPFlag(conn, username); // check whether users ip needs to be check i.e. get ipflag from users tbl, if true check user's ip else not
        boolean ipMatched = checkIP(conn, username, clientIP, ipFlag); // returns if user's ip matched with ip stored in database..
        if (password == null) {
            throw new UnknownAccountException("No account found for user [" + username + "]");
        }
        if (ipMatched == false) {
            // how to redirect user to accessdeniedpage.jsp ?
        }
        info = buildAuthenticationInfo(username, password.toCharArray());
    } catch (SQLException e) {
        final String message = "There was a SQL error while authenticating user [" + username + "]";
        if (log.isErrorEnabled()) {
            log.error(message, e);
        }
        // Rethrow any SQL errors as an authentication exception
        throw new AuthenticationException(message, e);
    } finally {
        JdbcUtils.closeConnection(conn);
    }
    return info;
}
I am checking the user's IP, and if the IP is not found in the database I want to redirect the user to the access denied page.
Update: shiro.ini
[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = jdbc/myDataSource
ds.resourceRef = true
jdbcRealm = com.java.realm.MyRealm
# password hashing specification
sha256Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha256Matcher.hashAlgorithmName = SHA-256
jdbcRealm.credentialsMatcher = $sha256Matcher
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM user_roles WHERE username = ?
jdbcRealm.permissionsQuery = SELECT roleper FROM roles_permissions WHERE role_name = ?
jdbcRealm.permissionsQueryIP = SELECT ip FROM user_ip_permissions WHERE username = ?
jdbcRealm.permissionsQueryCountry = SELECT countryname FROM country_permissions WHERE username = ?
jdbcRealm.defaultPageQuery = SELECT default_page FROM users WHERE username = ?
jdbcRealm.dataSource = $ds
jdbcRealm.authorizationCachingEnabled = false
# specify login page
authc.loginUrl = /login.jsp
# redirect after successful login
authc.successUrl = /home.jsp
# roles filter: redirect to error page if user does not have access rights
# perms filter: redirect to error page if user does not have permissions
roles.unauthorizedUrl = /accessdenied.jsp
perms.unauthorizedUrl = /accessdenied.jsp
# request parameter with login error information; if not present filter assumes 'shiroLoginFailure'
# authc.failureKeyAttribute = simpleShiroApplicationLoginFailure
[urls]
/login.jsp = authc
# only users with some roles are allowed to use role-specific pages
/admin/** = authc,perms[page:*]
/java/** = authc,perms[page:javadeveloperpage]
/php/** = authc,perms[page:phpdeveloperpage]
/ruby/** = authc,perms[page:rubydeveloperpage]
/deo/** = authc,perms[page:deopage]
# enable authc filter for all application pages
/ApacheShiroLogin/** = authc
Thanks & regards
Answer 0 (score: 0)
Since you want to deny access, logically you need to throw an AuthorizationException
and map it in web.xml
if (ipMatched == false) {
    throw new AuthorizationException();
}
In web.xml:
<error-page>
    <exception-type>org.apache.shiro.authz.AuthorizationException</exception-type>
    <location>/path/to/accessdeniedpage.jsp</location>
</error-page>
Also, throwing AuthenticationException is only logical when authentication has failed.
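
One way to get the redirect asked about above when login goes through Shiro's form filter, as an added example that is not part of the original question or answer: FormAuthenticationFilter only hands an AuthenticationException to onLoginFailure, so the realm throws a subclass of it and the filter redirects on that type. The class names, the com.example package and the ipDeniedUrl property are assumptions, and javax.servlet (Shiro 1.x) is assumed.

```java
// Added example, not from the thread. IpAwareFormFilter, IpNotAllowedException
// and the com.example package are hypothetical names.
package com.example;

import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Form login filter that sends logins rejected by the realm's IP check
 * to a dedicated page instead of back to the login form.
 *
 * shiro.ini wiring ([main] section), replacing the default authc filter:
 *   authc = com.example.IpAwareFormFilter
 *   authc.loginUrl = /login.jsp
 *   authc.ipDeniedUrl = /accessdenied.jsp
 */
public class IpAwareFormFilter extends FormAuthenticationFilter {

    /** Thrown from the realm: if (!ipMatched) throw new IpNotAllowedException(...). */
    public static class IpNotAllowedException extends AuthenticationException {
        private static final long serialVersionUID = 1L;
        public IpNotAllowedException(String message) { super(message); }
    }

    private String ipDeniedUrl = "/accessdenied.jsp";

    public void setIpDeniedUrl(String ipDeniedUrl) { this.ipDeniedUrl = ipDeniedUrl; }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        if (e instanceof IpNotAllowedException) {
            try {
                WebUtils.issueRedirect(request, response, ipDeniedUrl);
                return false; // response handled here; do not continue the filter chain
            } catch (IOException io) {
                // Redirect failed: fall back to the normal login-failure handling below.
            }
        }
        // Any other failure: default behaviour (failure attribute set, login page shown again).
        return super.onLoginFailure(token, e, request, response);
    }
}
```

Because doGetAuthenticationInfo runs before the credentials matcher compares the password, this redirect fires whether or not the submitted password was correct, so the denied page should not reveal anything about the account.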