溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

重定向出現(xiàn)jsessionid=xxx路徑的問(wèn)題

發(fā)布時(shí)間:2020-06-14 18:58:13 來(lái)源:網(wǎng)絡(luò) 閱讀:6945 作者:a8752311 欄目:開(kāi)發(fā)技術(shù)

web.xml文件配置


第一點(diǎn),注意配置版本為3.0版本,

Servlet3.0規(guī)范中的<tracking-mode>允許你定義JSESSIONID是存儲(chǔ)在cookie中還是URL參數(shù)中。如果會(huì)話ID存儲(chǔ)在URL中,那么它可能會(huì)被無(wú)意的存儲(chǔ)在多個(gè)地方,包括瀏覽器歷史、代理服務(wù)器日志、引用日志和web日志等。暴露了會(huì)話ID使得網(wǎng)站被session劫持***的幾率大增。然而,確保JSESSIONID被存儲(chǔ)在cookie中

xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>


===============================我是分割線====================================

在使用shiro之后,shiro的重定向跳轉(zhuǎn),默認(rèn)是帶有JSESSIONID的

附上ShiroHttpServletResponse源碼

    @Override
    public String encodeRedirectURL(String url){
        /** 下面是ShiroHttpServletResponse源碼,重寫shiro的encodeRedirectURL方法,把url路徑里的JSESSIONID去掉 **/
        if (isEncodeable(toAbsolute(url))) {
            return toEncoded(url, request.getSession().getId());
        } else {
            return url;
        }
        return url;
    }

上面是此類第一個(gè)方法,下面是此類第二個(gè)方法

@Override
    protected String toEncoded(String url, String sessionId) {
        if ((url == null) || (sessionId == null))
            return (url);

        String path = url;
        String query = "";
        String anchor = "";
        int question = url.indexOf('?');
        if (question >= 0) {
            path = url.substring(0, question);
            query = url.substring(question);
        }
        int pound = path.indexOf('#');
        if (pound >= 0) {
            anchor = path.substring(pound);
            path = path.substring(0, pound);
        }
        StringBuilder sb = new StringBuilder(path);
        /**  下面是ShiroHttpServletResponse源碼,重寫shiro的toEncoded方法使其不拼接JSESSIONID **/
        if (sb.length() > 0) { // session id param can't be first.
            sb.append(";");
            sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
            sb.append("=");
            sb.append(sessionId);
        }
        sb.append(anchor);
        sb.append(query);
        return (sb.toString());

    }

由此我們知道shiro第一次訪問(wèn)重定向的時(shí)候會(huì)帶有JSESSIONID=xxxxxxxxxxxx


那么解決方案如下:


新建MyShiroHttpServletResponse繼承ShiroHttpServletResponse

重寫其方法encodeRedirectURL和toEncoded

package com.uu.back.util;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.servlet.ShiroHttpServletResponse;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletResponse;

/**
 * Created by Alex on 2016/9/26.
 */
public class MyShiroHttpServletResponse extends ShiroHttpServletResponse {
    public MyShiroHttpServletResponse(HttpServletResponse wrapped, ServletContext context, ShiroHttpServletRequest request) {
        super(wrapped, context, request);
    }

    @Override
    public String encodeRedirectURL(String url){
        /** 下面是ShiroHttpServletResponse源碼,重寫shiro的encodeRedirectURL方法,把url路徑里的JSESSIONID去掉 **/
//        if (isEncodeable(toAbsolute(url))) {
//            return toEncoded(url, request.getSession().getId());
//        } else {
//            return url;
//        }
        return url;
    }
    @Override
    protected String toEncoded(String url, String sessionId) {
        if ((url == null) || (sessionId == null))
            return (url);

        String path = url;
        String query = "";
        String anchor = "";
        int question = url.indexOf('?');
        if (question >= 0) {
            path = url.substring(0, question);
            query = url.substring(question);
        }
        int pound = path.indexOf('#');
        if (pound >= 0) {
            anchor = path.substring(pound);
            path = path.substring(0, pound);
        }
        StringBuilder sb = new StringBuilder(path);
        /**  下面是ShiroHttpServletResponse源碼,重寫shiro的toEncoded方法使其不拼接JSESSIONID **/
//        if (sb.length() > 0) { // session id param can't be first.
//            sb.append(";");
//            sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME);
//            sb.append("=");
//            sb.append(sessionId);
//        }
        sb.append(anchor);
        sb.append(query);
        return (sb.toString());

    }
}



新建MySpringShiroFilter繼承AbstractShiroFilter

package com.uu.back.util;

import org.apache.shiro.web.filter.mgt.FilterChainResolver;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;

import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;


/**
 * Created by Alex on 2016/9/26.
 */
public class MySpringShiroFilter extends AbstractShiroFilter {
    protected MySpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
        super();
        if (webSecurityManager == null) {
            throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
        }
        setSecurityManager(webSecurityManager);
        if (resolver != null) {
            setFilterChainResolver(resolver);
        }
    }

    @Override
    protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) {
        return new MyShiroHttpServletResponse(orig, getServletContext(), request);
    }
}



新建MyShiroFilterFactoryBean繼承ShiroFilterFactoryBean

package com.uu.back.util;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.BeanInitializationException;

/**
 * Created by Alex on 2016/9/26.
 */
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
    @Override
    public Class getObjectType() {
        return MySpringShiroFilter.class;
    }

    @Override
    protected AbstractShiroFilter createInstance() throws Exception {

        SecurityManager securityManager = getSecurityManager();
        if (securityManager == null) {
            String msg = "SecurityManager property must be set.";
            throw new BeanInitializationException(msg);
        }

        if (!(securityManager instanceof WebSecurityManager)) {
            String msg = "The security manager does not implement the WebSecurityManager interface.";
            throw new BeanInitializationException(msg);
        }

        FilterChainManager manager = createFilterChainManager();

        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
        chainResolver.setFilterChainManager(manager);

        return new MySpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
    }
}


修改shiro的配置文件:

注釋掉的就是原有的,現(xiàn)在我們不用原有的,使用我們自己寫好的

<!--<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">-->
<bean id="shiroFilter" class="com.uu.back.util.MyShiroFilterFactoryBean">
    /** **/
</bean>


重啟,訪問(wèn):

重定向出現(xiàn)jsessionid=xxx路徑的問(wèn)題


向AI問(wèn)一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI