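The problem of jsessionid=xxx appearing in redirect URLs
web.xml configuration
First, note that the configuration version must be 3.0.
The <tracking-mode> element in the Servlet 3.0 specification lets you define whether JSESSIONID is stored in a cookie or in a URL parameter. If the session ID is stored in the URL, it may be unintentionally recorded in many places, including browser history, proxy server logs, referrer logs and web logs. Exposing the session ID greatly increases the chance of the site falling victim to session hijacking. However, make sure JSESSIONID is stored in a cookie: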
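    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
             version="3.0">
        <session-config>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
    </web-app>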
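The log exposure described above can be checked for directly. This added example (not part of the original post) scans access-log lines for session IDs carried as a ;jsessionid= path parameter, groups them by client address and redacts them; the log lines, addresses and session IDs are constructed sample data.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionIdLogScanner {
    // Servlet containers write ";jsessionid=", Shiro writes ";JSESSIONID=": match both.
    private static final Pattern SESSION_PARAM =
            Pattern.compile(";jsessionid=([^;?#\\s\"/]+)", Pattern.CASE_INSENSITIVE);

    /** Replaces every session ID in a log line so the line can be stored or shared. */
    static String redact(String line) {
        return SESSION_PARAM.matcher(line).replaceAll(";jsessionid=[REDACTED]");
    }

    /** Maps each session ID seen in a request URI or Referer to the clients that sent it. */
    static Map<String, Set<String>> clientsBySessionId(List<String> lines) {
        Map<String, Set<String>> seen = new TreeMap<>();
        for (String line : lines) {
            String client = line.split(" ", 2)[0]; // first field of the combined log format
            Matcher m = SESSION_PARAM.matcher(line);
            while (m.find()) {
                seen.computeIfAbsent(m.group(1), k -> new TreeSet<>()).add(client);
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample lines (combined log format), not taken from a real system.
        List<String> lines = Arrays.asList(
            "203.0.113.7 - - [26/Sep/2016:10:01:02 +0800] \"GET /back/login;JSESSIONID=1A2B3C4D5E6F HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "198.51.100.9 - - [26/Sep/2016:10:07:40 +0800] \"GET /static/app.css HTTP/1.1\" 200 901 \"http://example.test/back/index;jsessionid=1A2B3C4D5E6F?x=1\" \"Mozilla/5.0\"",
            "198.51.100.9 - - [26/Sep/2016:10:07:41 +0800] \"GET /back/home HTTP/1.1\" 200 77 \"-\" \"Mozilla/5.0\"");
        clientsBySessionId(lines).forEach((id, clients) -> {
            String tail = id.substring(Math.max(0, id.length() - 4));
            // The same ID arriving from more than one address means the URL has travelled.
            String tag = clients.size() > 1 ? "SHARED " : "EXPOSED";
            System.out.println(tag + " id ending in " + tail + " clients=" + clients);
        });
        lines.forEach(line -> System.out.println(redact(line)));
    }
}
```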
===============================================================================
Once Shiro is in use, Shiro's redirects carry the JSESSIONID by default.
Here is the ShiroHttpServletResponse source code:
    @Override
    public String encodeRedirectURL(String url) {
        // ShiroHttpServletResponse source: this branch adds the JSESSIONID to the URL path;
        // the encodeRedirectURL override removes it.
        if (isEncodeable(toAbsolute(url))) {
            return toEncoded(url, request.getSession().getId());
        } else {
            return url;
        }
    }
Above is the first method of this class; below is the second:
    @Override
    protected String toEncoded(String url, String sessionId) {
        if ((url == null) || (sessionId == null))
            return (url);

        String path = url;
        String query = "";
        String anchor = "";
        int question = url.indexOf('?');
        if (question >= 0) {
            path = url.substring(0, question);
            query = url.substring(question);
        }
        int pound = path.indexOf('#');
        if (pound >= 0) {
            anchor = path.substring(pound);
            path = path.substring(0, pound);
        }
        StringBuilder sb = new StringBuilder(path);
        // ShiroHttpServletResponse source: this block appends the JSESSIONID;
        // the toEncoded override leaves it out.
        if (sb.length() > 0) { // session id param can't be first.
            sb.append(";");
            sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
            sb.append("=");
            sb.append(sessionId);
        }
        sb.append(anchor);
        sb.append(query);
        return (sb.toString());
    }
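From this we can see that on the first visit, Shiro's redirect carries JSESSIONID=xxxxxxxxxxxx.
The solution is as follows:
Create MyShiroHttpServletResponse, extending ShiroHttpServletResponse,
and override its encodeRedirectURL and toEncoded methods: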
    package com.uu.back.util;

    import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
    import org.apache.shiro.web.servlet.ShiroHttpServletResponse;

    import javax.servlet.ServletContext;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Created by Alex on 2016/9/26.
     */
    public class MyShiroHttpServletResponse extends ShiroHttpServletResponse {

        public MyShiroHttpServletResponse(HttpServletResponse wrapped, ServletContext context,
                                          ShiroHttpServletRequest request) {
            super(wrapped, context, request);
        }

        @Override
        public String encodeRedirectURL(String url) {
            // Below is the ShiroHttpServletResponse source, commented out: this override of
            // Shiro's encodeRedirectURL removes the JSESSIONID from the URL path.
            // if (isEncodeable(toAbsolute(url))) {
            //     return toEncoded(url, request.getSession().getId());
            // } else {
            //     return url;
            // }
            return url;
        }

        @Override
        protected String toEncoded(String url, String sessionId) {
            if ((url == null) || (sessionId == null))
                return (url);

            String path = url;
            String query = "";
            String anchor = "";
            int question = url.indexOf('?');
            if (question >= 0) {
                path = url.substring(0, question);
                query = url.substring(question);
            }
            int pound = path.indexOf('#');
            if (pound >= 0) {
                anchor = path.substring(pound);
                path = path.substring(0, pound);
            }
            StringBuilder sb = new StringBuilder(path);
            // Below is the ShiroHttpServletResponse source, commented out: this override of
            // Shiro's toEncoded no longer appends the JSESSIONID.
            // if (sb.length() > 0) { // session id param can't be first.
            //     sb.append(";");
            //     sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
            //     sb.append("=");
            //     sb.append(sessionId);
            // }
            sb.append(anchor);
            sb.append(query);
            return (sb.toString());
        }
    }
Create MySpringShiroFilter, extending AbstractShiroFilter:
    package com.uu.back.util;

    import org.apache.shiro.web.filter.mgt.FilterChainResolver;
    import org.apache.shiro.web.mgt.WebSecurityManager;
    import org.apache.shiro.web.servlet.AbstractShiroFilter;
    import org.apache.shiro.web.servlet.ShiroHttpServletRequest;

    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Created by Alex on 2016/9/26.
     */
    public class MySpringShiroFilter extends AbstractShiroFilter {

        protected MySpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
            super();
            if (webSecurityManager == null) {
                throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
            }
            setSecurityManager(webSecurityManager);
            if (resolver != null) {
                setFilterChainResolver(resolver);
            }
        }

        // Hand every request the response wrapper that does not append JSESSIONID.
        @Override
        protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) {
            return new MyShiroHttpServletResponse(orig, getServletContext(), request);
        }
    }
Create MyShiroFilterFactoryBean, extending ShiroFilterFactoryBean:
    package com.uu.back.util;

    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.apache.shiro.web.filter.mgt.FilterChainManager;
    import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
    import org.apache.shiro.web.mgt.WebSecurityManager;
    import org.apache.shiro.web.servlet.AbstractShiroFilter;
    import org.springframework.beans.factory.BeanInitializationException;

    /**
     * Created by Alex on 2016/9/26.
     */
    public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {

        @Override
        public Class getObjectType() {
            return MySpringShiroFilter.class;
        }

        // Build the custom filter instead of the default one.
        @Override
        protected AbstractShiroFilter createInstance() throws Exception {
            SecurityManager securityManager = getSecurityManager();
            if (securityManager == null) {
                String msg = "SecurityManager property must be set.";
                throw new BeanInitializationException(msg);
            }
            if (!(securityManager instanceof WebSecurityManager)) {
                String msg = "The security manager does not implement the WebSecurityManager interface.";
                throw new BeanInitializationException(msg);
            }
            FilterChainManager manager = createFilterChainManager();
            PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
            chainResolver.setFilterChainManager(manager);
            return new MySpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
        }
    }
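Modify the Shiro configuration file:
The commented-out line is the original bean definition; we no longer use it and use our own class instead.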
    <!--<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">-->
    <bean id="shiroFilter" class="com.uu.back.util.MyShiroFilterFactoryBean">
        <!-- /****/ -->
    </bean>
Restart and visit:
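To check the result after the restart, this added example (not from the original post) requests a URL without sending a cookie, does not follow the redirect, and reports whether the Location header still contains ;JSESSIONID=. The URL given on the command line, the /back paths and the JSESSIONID cookie name are assumptions; without an argument it runs on constructed header values.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class RedirectSessionIdCheck {
    private static final Pattern SESSION_PARAM =
            Pattern.compile(";jsessionid=", Pattern.CASE_INSENSITIVE);

    /** True when a Location header value carries the session ID as a path parameter. */
    static boolean leaksSessionId(String location) {
        return location != null && SESSION_PARAM.matcher(location).find();
    }

    /** True when the response sets a JSESSIONID cookie (assumed default cookie name). */
    static boolean setsSessionCookie(Map<String, List<String>> headers) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!"Set-Cookie".equalsIgnoreCase(e.getKey())) continue;
            for (String value : e.getValue()) {
                if (value.regionMatches(true, 0, "JSESSIONID=", 0, 11)) return true;
            }
        }
        return false;
    }

    static String verdict(String location, Map<String, List<String>> headers) {
        if (leaksSessionId(location)) return "FAIL: redirect URL carries the session ID";
        return setsSessionCookie(headers) ? "OK: session ID sent as a cookie only"
                                          : "OK: no session ID in the redirect, no session cookie set";
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // No URL given: run the check on constructed header values.
            Map<String, List<String>> cookie = Collections.singletonMap(
                    "Set-Cookie", Collections.singletonList("JSESSIONID=1A2B3C; Path=/back; HttpOnly"));
            System.out.println(verdict("http://localhost:8080/back/login;JSESSIONID=1A2B3C", cookie));
            System.out.println(verdict("http://localhost:8080/back/login", cookie));
            return;
        }
        // First visit: no cookie is sent and the redirect is inspected, not followed.
        HttpURLConnection conn = (HttpURLConnection) new URL(args[0]).openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.getResponseCode(); // forces the request to be sent
        System.out.println(verdict(conn.getHeaderField("Location"), conn.getHeaderFields()));
        conn.disconnect();
    }
}
```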