java - 无法理解 Shiro 在自定义登录页面请求上的行为

Question

我正在使用 Apache Shiro 来保护我的 Spring MVC 应用程序。这是我的配置:

<!-- Shiro -->
<bean id = "hibernateRealm" class = "com.bidapp.presentation.shiro.HibernateRealm" />

<bean id = "securityManager" class = "org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name = "realm" ref = "hibernateRealm" />
</bean>

<bean id = "lifecycleBeanPostProcessor" class = "org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<bean id = "shiroFilter" class = "org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name = "securityManager" ref = "securityManager" />
</bean>
<!-- Shiro -->

在 web.xml 中(除其他外)

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的登录页面位于context/account/login。当我尝试提交表单时，收到 400 HTTP 错误代码，其中包含消息 客户端发送的请求在语法上不正确 ()。 并且 Shiro 记录了以下内容

365348 [http-bio-8080-exec-5] TRACE o.a.s.w.s.OncePerRequestFilter - Filter 'shiroFilter' not yet executed.  Executing now. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - Context already contains a SecurityManager instance.  Returning. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - No identity (PrincipalCollection) found in the context.  Looking for a remembered identity. 
365349 [http-bio-8080-exec-5] TRACE o.a.shiro.web.servlet.SimpleCookie - No 'rememberMe' cookie value 
365349 [http-bio-8080-exec-5] TRACE o.a.s.mgt.DefaultSecurityManager - No remembered identity found.  Returning original context. 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 
365349 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Bound value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] to thread [http-bio-8080-exec-5] 
365349 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Bound value of type [org.apache.shiro.web.mgt.DefaultWebSecurityManager] for key [org.apache.shiro.util.ThreadContext_SECURITY_MANAGER_KEY] to thread [http-bio-8080-exec-5] 
365349 [http-bio-8080-exec-5] TRACE o.a.s.w.servlet.AbstractShiroFilter - No FilterChain configured for the current request.  Using the default. 
365351 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - get() - in thread [http-bio-8080-exec-5] 
365351 [http-bio-8080-exec-5] TRACE org.apache.shiro.util.ThreadContext - Retrieved value of type [org.apache.shiro.web.subject.support.WebDelegatingSubject] for key [org.apache.shiro.util.ThreadContext_SUBJECT_KEY] bound to thread [http-bio-8080-exec-5] 
365351 [http-bio-8080-exec-5] TRACE o.a.s.s.support.DelegatingSubject - attempting to get session; create = false; session is null = true; session has id = false 

真正奇怪的是，我可以在浏览器上单击后退，然后单击前进，它会将我带到正确的经过身份验证的网页。我尝试调试，但我的 Controller 甚至从未被调用。但是，如果单击后退和前进将我带到正确的页面，那怎么可能呢？

我的 web.xml 中没有任何其他过滤器，也没有使用 Shiro 的任何默认过滤器，反正我是不知情的。

这是怎么回事？

这对我在 Eclipse Indigo 上进行的开发没有任何影响。这是应该被调用但没有被调用的代码(在 Debug模式下)。

    @RequestMapping(value = "/account/login", method = RequestMethod.POST, params = "login")
    public String login(@RequestParam("username") String username, 
            @RequestParam("password") String password,
            @RequestParam("remember") boolean rememberMe,
            Model model) {
        Subject currentUser = SecurityUtils.getSubject();

        if (!currentUser.isAuthenticated()) {

            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            token.setRememberMe(rememberMe);
            currentUser.login(token);

            return "redirect:/account/profile";
        }

        return "home";

    }

Answer 1

如果您没有在 Shiro 的配置中定义任何过滤器，Shiro 将允许任何请求通过。换句话说，仅仅因为您有一个经过身份验证的页面，Shiro 就不知道是否要对其进行保护。你必须告诉 Shiro 保护该页面。例如:

[main]
#tell Shiro where to redirect to if login is required:
authc.loginUrl = /account/login

[urls]
# ensure the following pages require authentication (the loginUrl will be 
# allowed however):
/account/** = authc

对于 400 错误，Shiro 不会发出这样的错误响应 - 可能是您的容器或 Spring 发出了该错误。

此外，如果您使用的是 Shiro 1.2 或更高版本，请不要忘记添加相关的 <dispatcher>元素到<filter-mapping> :

http://shiro.apache.org/web.html#Web-Shiro1.2andlater