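Accessing Pages Without Login
The production-line project uses the Apache Shiro security framework for authentication, authorization, cryptography and session management. Pages created with the production line require login by default.
This article describes how to configure an issue page created with the production line so that it can be accessed without logging in.
Option 1: Locating the configuration entry point
The production line's zsoft-web-5.0-SNAPSHOT.jar implements much of the web-layer functionality and also standardizes the structure of custom code. The first step is to find the right place to hook in custom configuration.
Apache Shiro performs filtering and permission checks through Filters, so the URL access rules and permissions have to be defined there.
The package zsoft.web.boot defines many Config classes. ShiroWebConfiguration is the Shiro-related one; find the code that deals with ShiroFilterFactoryBean: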
@EnableConfigurationProperties(WebProperties.class)
@Configuration
public class ShiroWebConfiguration {
    // ...
    private final WebProperties webProperties;

    public ShiroWebConfiguration(ApplicationContext applicationContext, WebProperties webProperties) {
        // ...
        this.webProperties = webProperties;
    }

    @ConditionalOnMissingBean(ShiroFilterFactoryBean.class)
    @Bean
    public ShiroFilterFactoryBean shiroFilter() {
        return new ZShiroFilterFactoryBean(this);
    }

    /**
     * This is Shiro's single entry point in the app-server filters; from here requests are
     * handed on to the specific filters such as authc and user.
     *
     * @see org.apache.catalina.core.ApplicationFilterChain#filters
     */
    public static class ZShiroFilterFactoryBean extends ShiroFilterFactoryBean {
        // ...
        public ZShiroFilterFactoryBean(ShiroWebConfiguration shiroConfiguration) {
            // ...
            setBuiltinFilters();
            // Entry point for customizing the Shiro filters: once you understand
            // WebProperties.buildFilterChainDefinitions() you know how to customize them.
            setFilterChainDefinitions(shiroConfiguration.webProperties.buildFilterChainDefinitions());
            // ...
        }
    }
}
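Having found the entry point for customizing the Shiro filters in the code above, look at the WebProperties class it references. At startup, Spring first reads the configuration file application.properties and initializes the WebProperties instance, so in the end all that is needed is a correct change to application.properties. The key code of WebProperties: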
@ConfigurationProperties("zsoft.web")
public class WebProperties {
    private String filterChainDefinitions;
    private String filterChainDefinitionsExtension;

    public String getFilterChainDefinitions() {
        return filterChainDefinitions;
    }

    public void setFilterChainDefinitions(String filterChainDefinitions) {
        // An empty value is treated as "not set".
        if ("".equals(filterChainDefinitions)) {
            filterChainDefinitions = null;
        }
        this.filterChainDefinitions = filterChainDefinitions;
    }

    public String getFilterChainDefinitionsExtension() {
        return filterChainDefinitionsExtension;
    }

    public void setFilterChainDefinitionsExtension(String filterChainDefinitionsExtension) {
        // An empty value is treated as "not set".
        if ("".equals(filterChainDefinitionsExtension)) {
            filterChainDefinitionsExtension = null;
        }
        this.filterChainDefinitionsExtension = filterChainDefinitionsExtension;
    }

    /**
     * @return the complete filter chain definitions, one rule per line
     * @see org.apache.catalina.core.ApplicationFilterChain#filters
     * @see <a href="http://shiro.apache.org/web.html">shiro filters</a>
     */
    public String buildFilterChainDefinitions() {
        if (filterChainDefinitions != null) {
            // Fully overridden: the built-in rules, the extension and the final
            // "/** = user" rule below are all skipped.
            return filterChainDefinitions;
        }
        StringBuilder chainsBuilder = new StringBuilder(400)
                .append("/zsoft/captcha/** = anon\n")
                .append("/zsoft/codeText/** = anon\n")
                .append("/zsoft/api/** = noSessionCreation, anon\n")
                .append("/api/** = noSessionCreation, anon\n")
                .append("/static/** = noSessionCreation, anon\n")
                .append("/custom/** = noSessionCreation, anon\n")
                .append("/plugin/** = noSessionCreation, anon\n")
                .append("/favicon.ico = noSessionCreation, anon\n")
                .append("/errors/** = anon\n")
                .append("/login = zAuthc\n")
                .append("/quickLogin = quickLogin\n")
                .append("/logout = zLogout\n");
        // When filterChainDefinitionsExtension is not null, its value extends chainsBuilder;
        // the result ends up as the argument to ShiroFilterFactoryBean.setFilterChainDefinitions.
        if (filterChainDefinitionsExtension != null) {
            chainsBuilder.append(filterChainDefinitionsExtension).append('\n');
        }
        return chainsBuilder
                .append("/** = user\n")
                .toString();
    }
}
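When filterChainDefinitionsExtension is not null, its value is appended to chainsBuilder, and the resulting string is ultimately passed to ShiroFilterFactoryBean.setFilterChainDefinitions, which extends the Shiro filter chain. The extension is inserted after the built-in rules and before the final /** = user rule; because Shiro applies the first pattern that matches a request, a rule added here takes effect ahead of the catch-all login requirement.
Option 2: Configuring page access without login
Edit application.properties: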
zsoft.web.filterChainDefinitionsExtension=/issues/v1/issue = anon\n
Restart the application. /issues/v1/issue can then be accessed without logging in.
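The following is an added example, not code from the production-line project: a small audit helper that rebuilds the chain in the same order as buildFilterChainDefinitions() and reports which rule a request path resolves to, so an extension rule can be checked before deployment. The class name FilterChainAudit, the sample paths, the over-broad `/issues/** = anon` rule and the simplified Ant-style matcher are assumptions made for illustration; java.util.Properties stands in for Spring's property loading.

```java
import java.io.StringReader;
import java.util.*;
import java.util.regex.Pattern;

public class FilterChainAudit {
    // Built-in rules, copied in order from buildFilterChainDefinitions() on this page.
    static final String BUILTIN = String.join("\n",
        "/zsoft/captcha/** = anon", "/zsoft/codeText/** = anon",
        "/zsoft/api/** = noSessionCreation, anon", "/api/** = noSessionCreation, anon",
        "/static/** = noSessionCreation, anon", "/custom/** = noSessionCreation, anon",
        "/plugin/** = noSessionCreation, anon", "/favicon.ico = noSessionCreation, anon",
        "/errors/** = anon", "/login = zAuthc", "/quickLogin = quickLogin",
        "/logout = zLogout") + "\n";

    // Same assembly order as the page's code: built-ins, extension, then the catch-all.
    static Map<String, String> chains(String extension) {
        String defs = BUILTIN + (extension == null ? "" : extension + "\n") + "/** = user\n";
        Map<String, String> ordered = new LinkedHashMap<>();
        for (String line : defs.split("\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) ordered.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return ordered;
    }

    // Simplified Ant-style matcher (assumption, not Shiro's AntPathMatcher):
    // "/**" matches any sub-path, "*" stays within one path segment.
    static Pattern toRegex(String ant) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            if (ant.startsWith("/**", i)) { re.append("(/.*)?"); i += 2; }
            else if (ant.charAt(i) == '*') re.append("[^/]*");
            else re.append(Pattern.quote(String.valueOf(ant.charAt(i))));
        }
        return Pattern.compile(re.toString());
    }

    // Shiro evaluates chains in definition order; the first matching pattern wins.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet())
            if (toRegex(e.getKey()).matcher(path).matches()) return e.getKey() + " = " + e.getValue();
        return "(no chain)";
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties(); // constructed application.properties line below
        props.load(new StringReader("zsoft.web.filterChainDefinitionsExtension=/issues/v1/issue = anon\\n"));
        Map<String, String> narrow = chains(props.getProperty("zsoft.web.filterChainDefinitionsExtension"));
        Map<String, String> broad = chains("/issues/** = anon"); // constructed over-broad rule
        for (String path : new String[] {"/issues/v1/issue", "/issues/v1/issue/42", "/issues/v1/admin"})
            System.out.println(path + " | narrow: " + resolve(narrow, path) + " | broad: " + resolve(broad, path));
    }
}
```

With the exact-path rule from this page only /issues/v1/issue resolves to anon and the other sample paths still fall through to /** = user, whereas the wildcard rule makes every path under /issues/ anonymous.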