
A few questions about the Shiro module source code #81

Closed · nita22 opened this issue Oct 20, 2019 · 7 comments · Fixed by #97


Comments

nita22 commented Oct 20, 2019

I have read through the source of the Shiro module and have a few questions. I would be very grateful for answers!
1. The addDefaultFilterDefinition() method in the ShiroConfig class: why does every request go through the path filter by default? Is it only to write a log entry?
2. The cacheLoginInfo() method in LoginRedisServiceImpl: the generate parameter is never used?
3. The LoginUtil class is never used?
4. The refreshToken method in LoginServiceImpl has problems:
4.1: after issuing a new token, jwtToken still reuses the old token's expiration time?
4.2: the refreshed token is only added to Redis; the expired key in Redis is never deleted?

springboot-plus (Collaborator) commented

  1. addDefaultFilterDefinition adds RequestPathFilter for two reasons: (1) it can print the request path, and (2) it demonstrates how to configure a filter the Shiro way.
  2. The generate parameter of cacheLoginInfo has been removed, and a refreshLoginInfo method has been added.
  3. The LoginUtil login utility class is meant for use by business modules to obtain the current login information.
  4. The refreshToken method of LoginServiceImpl has been improved.
    Code change: https://github.com/geekidea/spring-boot-plus/commit/766f02f6ea8f049ec411359503a2dadddcc7a19a

nita22 (Author) commented Oct 21, 2019

  1. addDefaultFilterDefinition adds RequestPathFilter for two reasons: (1) it can print the request path, and (2) it demonstrates how to configure a filter the Shiro way.
  2. The generate parameter of cacheLoginInfo has been removed, and a refreshLoginInfo method has been added.
  3. The LoginUtil login utility class is meant for use by business modules to obtain the current login information.
  4. The refreshToken method of LoginServiceImpl has been improved.
    Code change: https://github.com/geekidea/spring-boot-plus/commit/766f02f6ea8f049ec411359503a2dadddcc7a19a

I just looked at the implementation of refreshLoginInfo. It first calls deleteLoginInfo to delete the record in Redis, so getLoginSysUserRedisVo should no longer be able to fetch the corresponding value, right?
It should call getLoginSysUserRedisVo first and then deleteLoginInfo.

nita22 (Author) commented Oct 22, 2019

The getUserId() and getUsername() methods of LoginUtil have a problem: 1. when loginSysUserRedisVo is null, getId() and getUsername() are still called on it, which easily leads to a NullPointerException.

nita22 (Author) commented Oct 22, 2019

In the createToken() method of JwtFilter, the token's expiration time may be earlier than the expiration time in Redis, so it is possible for the token to have expired while the corresponding key-value pair still exists in Redis.
One more small question: is the AuthenticationException thrown in the Shiro module not caught and handled anywhere?

springboot-plus (Collaborator) commented

The Redis cache time is taken from the JwtToken's expiration time, so the two are consistent. @nita22
LoginRedisServiceImpl > cacheLoginInfo

// The Redis expiry is the same as the JwtToken expiry
Duration expireDuration = Duration.ofSeconds(jwtToken.getExpireSecond());
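The refresh flow discussed in this thread (read the cached login record before deleting it, issue the new token with a full new lifetime, drop the old key, and derive the Redis TTL from the token's expiry, plus a null-safe getUserId), modelled in Python as an added example; this is not spring-boot-plus code, TtlStore is an assumed in-memory stand-in for Redis, and the key and token formats are made up.

```python
# Added example, not spring-boot-plus code: the refresh-token flow from this issue in
# Python. TtlStore is an assumed in-memory stand-in for Redis; key/token formats are made up.
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Optional


class TtlStore:
    """Key/value store with per-key expiry, mimicking Redis SET ... EX / DEL / GET."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._data: dict = {}  # key -> (value, expires_at)

    def set(self, key: str, value, ttl_seconds: int) -> None:
        self._data[key] = (value, self._now() + ttl_seconds)

    def get(self, key: str):
        item = self._data.get(key)
        if item is None or self._now() >= item[1]:
            self._data.pop(key, None)  # lazily drop expired entries
            return None
        return item[0]

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


@dataclass
class JwtToken:
    token: str
    expire_second: int  # full lifetime, like jwtToken.getExpireSecond()


def refresh_token(store: TtlStore, old_token: str, lifetime: int) -> Optional[JwtToken]:
    """Read the cached login record BEFORE deleting it, then re-cache it under a new token."""
    user = store.get(f"login:{old_token}")  # 1. read first (the ordering problem raised above)
    if user is None:
        return None  # unknown or expired token: nothing to refresh
    store.delete(f"login:{old_token}")  # 2. drop the old key so the old token stops working
    new = JwtToken(f"{user['username']}.{uuid.uuid4().hex}", lifetime)  # 3. fresh expiry
    store.set(f"login:{new.token}", user, new.expire_second)  # 4. Redis TTL == token lifetime
    return new


def get_user_id(store: TtlStore, token: str) -> Optional[int]:
    """Null-safe counterpart of LoginUtil.getUserId(): None instead of a NullPointerException."""
    user = store.get(f"login:{token}")
    return None if user is None else user["id"]
```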

springboot-plus (Collaborator) commented

When an AuthenticationException or similar validation exception is thrown, control goes to the failure handler method.
JwtFilter

    /**
     * Access-denied handling: invoked when authentication fails, e.g. when an
     * AuthenticationException is thrown while validating the token.
     *
     * @param request  the current servlet request
     * @param response the current servlet response
     * @return false, so the filter chain stops and only the 401 body is sent
     * @throws Exception if writing the response fails
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
        HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
        // Return 401
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // Set the response code to 401, or write the message directly
        String url = httpServletRequest.getRequestURI();
        log.error("onAccessDenied url:{}", url);
        ApiResult apiResult = ApiResult.fail(ApiCode.UNAUTHORIZED);
        HttpServletResponseUtil.printJSON(httpServletResponse, apiResult);
        return false;
    }

Response received by the front end

{
  "code": 401,
  "msg": "非法访问",
  "time": "2019-10-22 10:06:16"
}

springboot-plus (Collaborator) commented

The problems with the refreshToken method and the LoginUtil utility class methods have been fixed
8e3192e7b2c78521f4f122e064ef38bbd8212762
