Using Shiro RolesAuthorizationFilter in shiro.ini

Time: 2019-02-16 09:19:48

Tags: shiro

I have been using JdbcRealm for Shiro authentication and authorization, and it has been working well. My shiro.ini looks like this:

[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
logout = org.apache.shiro.web.filter.authc.LogoutFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /index.xhtml
logout.redirectUrl = /login.xhtml

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.authenticationQuery = select password from useraccount where active = true and username LIKE ?
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true

ds = org.postgresql.jdbc2.optional.SimpleDataSource
ds.serverName = dbhost:5432
ds.user = db_user
ds.password = db_pass
ds.databaseName = db_name
jdbcRealm.dataSource = $ds
#.
#.
#.
jdbcRealm.credentialsMatcher = $passwordMatcher

[users]

[urls]
#.
#.
#.
/admin** = authc, roles[Admin]

/activity.xhtml = authc
/item.xhtml = authc, roles[Branch]
/unauthorized.xhtml = authc

When a user with the role, say, "Branch" tries to access a URL meant for "Admin", the user is safely redirected to "/unauthorized.xhtml".

However, things changed when I decided to move authentication to Active Directory. The shiro.ini now looks like this:

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.userRolesQuery = select rolename from role where id in(select roleid from userrole where useraccountid = (select id from useraccount where username LIKE ?) and active = true) and active = true
jdbcRealm.dataSource = $ds

ADRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm
ADRealm.url = ldap://xxx.xxx.xxx.xxx:389
ADRealm.searchBase = "OU=Company Name,DC=domain,DC=local"
ADRealm.systemUsername= myuser
ADRealm.systemPassword= mypass
ADRealm.principalSuffix= @domain.local

securityManager.realms = $jdbcRealm,$ADRealm

Authentication works fine, but trying to access an "unauthorized url" fails with the error message:

[org.apache.shiro.authz.AuthorizationException: LDAP naming error while attempting to retrieve authorization for user [myusername]

How can I make authorization safely redirect to the unauthorized URL as before, without breaking? I have even tried:

authz = org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
authz.unauthorizedUrl = /unauthorized.xhtml

but without success.

EDIT: In short, how do we configure shiro.ini to return an HTTP 401/403 (Unauthorized/Forbidden) response where necessary?

1 Answer:

Answer 0: (score: 0)

If you are trying to reuse the 403 page for 401, the /unauthorized.xhtml = authc configuration seems to block that.

You could probably use: /unauthorized.xhtml = anon (assuming this page does not need your user context)
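As an added illustration of the answer, here is a constructed shiro.ini layout (not the asker's file or a Shiro project sample) that applies the suggested anon chain and also wires unauthorizedUrl onto the roles filter that the [urls] chains actually reference. The realm and data-source lines from the question are omitted; the /logout chain and the catch-all /** chain are assumptions added for completeness.

```ini
# Constructed example: [main] and [urls] for redirecting role failures.
# Realm, data source and credentials matcher lines are as in the question.
[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /login.xhtml
authc.successUrl = /index.xhtml
logout = org.apache.shiro.web.filter.authc.LogoutFilter
logout.redirectUrl = /login.xhtml

# 'roles' is the built-in RolesAuthorizationFilter that the chains below
# already use as roles[...]. Setting unauthorizedUrl on this instance,
# rather than on a separately defined 'authz' filter that no chain
# references, is what makes the redirect apply to role failures.
roles.unauthorizedUrl = /unauthorized.xhtml

[urls]
# Chains are matched top to bottom and the first match wins, so the
# error page and the login page must be listed before any pattern that
# would require a login or a role.
# 'anon' keeps the unauthorized page reachable without a user context;
# an 'authc, roles[...]' chain here would deny the redirect target too.
/unauthorized.xhtml = anon
/login.xhtml = authc
/logout = logout
/admin** = authc, roles[Admin]
/item.xhtml = authc, roles[Branch]
/activity.xhtml = authc
/** = authc
```

If roles.unauthorizedUrl is left unset, the AuthorizationFilter answers a role failure with an HTTP 401 status instead of a redirect, which is the direct route to the question's EDIT. Note also that with securityManager.realms listing both realms, Shiro asks every configured realm for the subject's roles, so the ActiveDirectoryRealm is consulted for authorization even when only the JdbcRealm is meant to supply roles.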