Shiro--整合jwt--通过url路径控制权限--使用/教程/实例

以你之姓@ 2022-09-14 00:12 279阅读 0赞

原文网址：[Shiro--整合jwt--通过url路径控制权限--使用/教程/实例\_IT利刃出鞘的博客-CSDN博客][Shiro--_jwt--_url_--_IT_-CSDN]

# 简介 #

**说明**

本文用实例介绍shiro的使用。采用jwt+url权限的方式控制权限。

1.  使用jwt替代默认的authc作为认证方式，通过url路径控制授权。
2.  其他尽量使用原生的shiro配置，尽量少自定义配置。

我自己自测通过，代码可用。

**关联文章**

本文是在[此文章][Link 1]基础上进行修改，修改点如下：

*  数据库
    
     *  t\_permission表的name字段改为url字段
     *  t\_permission相应的插入的数据发生变化
 *  Mapper
    
     *  PermissionMapper
        
         *  原先：返回t\_permission.name字段
         *  本文：返回t\_permission.url字段
 *  Controller
    
     *  原先：使用@RequiresPermissions、@RequiresRoles控制权限
     *  本文：去掉这两个注解，通过url控制权限
 *  Shiro配置
    
     *  注册授权过滤器（url路径过滤器）
        
         *  提供url路径过滤器（UrlFiter类）
         *  将url路径过滤器注册进去（ShiroConfig\#shiroFilterFactoryBean）
     *  修改认证过滤器（JwtFilter）
        
         *  原先：只需通过返回true或者executeLogin即可
         *  本文：自定义响应数据。（若不这么写，响应数据会很不友好，因为我们已经不是shiro的标准用法了）

除了上述修改之外，其他的代码、逻辑一点都没变。

# 修改点数据库 #

DROP DATABASE IF EXISTS shiro;
    CREATE DATABASE shiro DEFAULT CHARACTER SET utf8;
    USE shiro;
    
    DROP TABLE IF EXISTS t_user;
    DROP TABLE IF EXISTS t_role;
    DROP TABLE IF EXISTS t_permission;
    DROP TABLE IF EXISTS t_user_role_mid;
    DROP TABLE IF EXISTS t_role_permission_mid;
    
    CREATE TABLE t_user (
      id bigint AUTO_INCREMENT,
      user_name VARCHAR(100),
      password VARCHAR(100),
      salt VARCHAR(100),
      PRIMARY KEY(id)
    ) charset=utf8 ENGINE=InnoDB;
    
    CREATE TABLE t_role (
      id bigint AUTO_INCREMENT,
      name VARCHAR(100),
      description VARCHAR(100),
      PRIMARY KEY(id)
    ) charset=utf8 ENGINE=InnoDB;
    
    CREATE TABLE t_permission (
      id bigint AUTO_INCREMENT,
      url VARCHAR(100),
      description VARCHAR(100),
      PRIMARY KEY(id)
    ) charset=utf8 ENGINE=InnoDB;
    
    CREATE TABLE t_user_role_mid (
      id bigint AUTO_INCREMENT,
      user_id bigint,
      role_id bigint,
      PRIMARY KEY(id)
    ) charset=utf8 ENGINE=InnoDB;
    
    CREATE TABLE t_role_permission_mid (
      id bigint AUTO_INCREMENT,
      role_id bigint,
      permission_id bigint,
      PRIMARY KEY(id)
    ) charset=utf8 ENGINE=InnoDB;
    
    -- 密码：12345
    INSERT INTO `t_user` VALUES (1,"zhang3","a7d59dfc5332749cb801f86a24f5f590","e5ykFiNwShfCXvBRPr3wXg==");
    -- 密码：abcde
    INSERT INTO `t_user` VALUES (2,"li4","43e28304197b9216e45ab1ce8dac831b","jPz19y7arvYIGhuUjsb6sQ==");
    INSERT INTO `t_role` VALUES (1,"admin","超级管理员");
    INSERT INTO `t_role` VALUES (2,"productManager","产品管理员");
    INSERT INTO `t_role` VALUES (3,"orderManager","订单管理员");
    INSERT INTO `t_permission` VALUES (1,"/product/add","增加产品");
    INSERT INTO `t_permission` VALUES (2,"/product/delete","删除产品");
    INSERT INTO `t_permission` VALUES (3,"/product/edit","编辑产品");
    INSERT INTO `t_permission` VALUES (4,"/product/view","查看产品");
    INSERT INTO `t_permission` VALUES (5,"/order/add","增加订单");
    INSERT INTO `t_permission` VALUES (6,"/order/delete","删除订单");
    INSERT INTO `t_permission` VALUES (7,"/order/edit","编辑订单");
    INSERT INTO `t_permission` VALUES (8,"/order/view","查看订单");
    INSERT INTO `t_user_role_mid` VALUES (1,2,2);
    INSERT INTO `t_user_role_mid` VALUES (2,1,1);
    INSERT INTO `t_role_permission_mid` VALUES (1,1,1);
    INSERT INTO `t_role_permission_mid` VALUES (2,1,2);
    INSERT INTO `t_role_permission_mid` VALUES (3,1,3);
    INSERT INTO `t_role_permission_mid` VALUES (4,1,4);
    INSERT INTO `t_role_permission_mid` VALUES (5,1,5);
    INSERT INTO `t_role_permission_mid` VALUES (6,1,6);
    INSERT INTO `t_role_permission_mid` VALUES (7,1,7);
    INSERT INTO `t_role_permission_mid` VALUES (8,1,8);
    INSERT INTO `t_role_permission_mid` VALUES (9,2,1);
    INSERT INTO `t_role_permission_mid` VALUES (10,2,2);
    INSERT INTO `t_role_permission_mid` VALUES (11,2,3);
    INSERT INTO `t_role_permission_mid` VALUES (12,2,4);
    INSERT INTO `t_role_permission_mid` VALUES (13,3,5);
    INSERT INTO `t_role_permission_mid` VALUES (14,3,6);
    INSERT INTO `t_role_permission_mid` VALUES (15,3,7);
    INSERT INTO `t_role_permission_mid` VALUES (16,3,8);

# 修改点代码 #

## Shiro配置 ##

**添加Url过滤器（继承PathMatchingFilter）**

package com.example.demo.config.shiro.filter;
    
    import com.example.demo.common.entity.Result;
    import com.example.demo.common.util.ApplicationContextHolder;
    import com.example.demo.common.util.ResponseUtil;
    import com.example.demo.common.util.auth.JwtUtil;
    import com.example.demo.rbac.permission.service.PermissionService;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import lombok.extern.slf4j.Slf4j;
    import org.apache.shiro.web.filter.PathMatchingFilter;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpStatus;
    
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.util.Set;
    
    @Slf4j
    public class UrlFilter extends PathMatchingFilter {
        private PermissionService permissionService;
    
        @Override
        protected boolean onPreHandle(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) throws Exception {
    
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            String uri = httpServletRequest.getRequestURI();
            String token = httpServletRequest.getHeader(HttpHeaders.COOKIE);
            String userIdStr = JwtUtil.getUserIdByToken(token);
            Long userId = Long.parseLong(userIdStr);
    
            if (permissionService == null) {
                permissionService = ApplicationContextHolder.getContext().getBean(PermissionService.class);
            }
            Set<String> permissions = permissionService.getPermissionsByUserId(userId);
    
            // 实际应该从数据库或者redis里通过userId获得拥有权限的url
            if (permissions.contains(uri)) {
                return true;
            }
    
            // 构造无权限时的response
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            ResponseUtil.jsonResponse(httpResponse, HttpStatus.FORBIDDEN.value(),
                    "用户(" + userId + ")无此url(" + uri + ")权限");
    
            return false;
        }
    }

**注册Url过滤器**

package com.example.demo.config.shiro;
    
    import com.example.demo.common.constant.WhiteList;
    import com.example.demo.config.shiro.filter.JwtFilter;
    import com.example.demo.config.shiro.filter.UrlFilter;
    import com.example.demo.config.shiro.realm.AccountRealm;
    import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
    import org.apache.shiro.mgt.DefaultSubjectDAO;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
    import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
    import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
    import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
    import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Lazy;
    
    import javax.servlet.Filter;
    import java.util.LinkedHashMap;
    import java.util.Map;
    
    @Configuration
    public class ShiroConfig {
        @Lazy
        @Bean("shiroFilterFactoryBean")
        public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
            ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
            shiroFilterFactoryBean.setSecurityManager(securityManager);
            // 如果实现了AuthenticatingFilter.java要设置下边这个，因为shiro很多地方依据loginUrl进行判断
            // shiroFilterFactoryBean.setLoginUrl("/login");
            // // 登录成功后要跳转的链接
            // shiroFilterFactoryBean.setSuccessUrl("/index");
            // // 未授权界面;
            // shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");
    
            Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
    
            WhiteList.ALL.forEach(str -> {
                filterChainDefinitionMap.put(str, "anon");
            });
    
            filterChainDefinitionMap.put("/login", "anon");
            filterChainDefinitionMap.put("/logout", "jwtAuthc");
    
            // 下边这行不要打开。原因待确定
            // filterChainDefinitionMap.put("/logout", "logout");
            filterChainDefinitionMap.put("/**", "jwtAuthc,urlAuthz");
    
            Map<String, Filter> customisedFilters = new LinkedHashMap<>();
            //不能通过注入来设置过滤器。如果通过注入，则本过滤器优先级会最高（/**优先级最高，导致前边所有请求都无效）。
            // springboot会扫描所有实现了javax.servlet.Filter接口的类，无需加@Component也会扫描到。
            customisedFilters.put("jwtAuthc", new JwtFilter());
            customisedFilters.put("urlAuthz", new UrlFilter());
    
            shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
            shiroFilterFactoryBean.setFilters(customisedFilters);
    
            return shiroFilterFactoryBean;
        }
    
        @Bean
        public DefaultWebSecurityManager securityManager() {
            DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
            DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
            // 关闭shiro自带的session。这样不能通过session登录shiro，后面将采用jwt凭证登录。
            // 见：http://shiro.apache.org/session-management.html#SessionManagement-DisablingSubjectStateSessionStorage
            defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
            subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
    
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            securityManager.setRealm(getDatabaseRealm());
            securityManager.setSubjectDAO(subjectDAO);
    
            return securityManager;
        }
    
        @Bean
        public AccountRealm getDatabaseRealm() {
            return new AccountRealm();
        }
    
        /**
         * setUsePrefix(true)用于解决一个奇怪的bug。如下：
         *  在引入spring aop的情况下，在@Controller注解的类的方法中加入@RequiresRole等
         *  shiro注解，会导致该方法无法映射请求，导致返回404。加入这项配置能解决这个bug。
         */
        @Bean
        public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator(){
            DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator=new DefaultAdvisorAutoProxyCreator();
            defaultAdvisorAutoProxyCreator.setUsePrefix(true);
            return defaultAdvisorAutoProxyCreator;
        }
    
        /**
         * 开启shiro 注解。比如：@RequiresRole
         * 本处不用此方法开启注解，使用引入spring aop依赖的方式。原因见：application.yml里的注释
         */
        /*@Bean
        public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
                SecurityManager securityManager) {
            AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor =
                    new AuthorizationAttributeSourceAdvisor();
            authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
            return authorizationAttributeSourceAdvisor;
        }*/
    }

**修改JwtFilter**

package com.example.demo.config.shiro.filter;
    
    import com.example.demo.common.util.ResponseUtil;
    import com.example.demo.common.util.auth.JwtUtil;
    import com.example.demo.config.shiro.entity.JwtToken;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpStatus;
    import org.springframework.util.StringUtils;
    
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    public class JwtFilter extends AuthenticatingFilter {
        /**
         * 所有请求都会到这里来（无论是不是anon）。
         * 返回true：表示允许向下走。后边会走PathMatchingFilter，看路径是否对应anon等
         * 返回false：表示不允许向下走。
         */
        @Override
        protected boolean onAccessDenied(ServletRequest servletRequest,
                                         ServletResponse servletResponse) throws Exception {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            String token = request.getHeader(HttpHeaders.COOKIE);
            // 自定义Header也可以，但浏览器不会存自定义的Header，需要前端自己去存
            // String token = request.getHeader("Authentication");
    
            if (!StringUtils.hasText(token)) {
                return true;
            } else {
                boolean verified = JwtUtil.verifyToken(token);
                if (!verified) {
                    HttpServletResponse response = (HttpServletResponse) servletResponse;
                    ResponseUtil.jsonResponse(response, HttpStatus.UNAUTHORIZED.value(), "认证失败");
                    return false;
                }
            }
    
            // 此登录并非调用login接口，而是shiro层面的登录。
            // 里边会调用下边的createToken方法
            return executeLogin(servletRequest, servletResponse);
        }
    
        /**
         * 这里的token会传给AuthorizingRealm子类（本处是AccountRealm）的doGetAuthenticationInfo方法作为参数
         */
        @Override
        protected AuthenticationToken createToken(ServletRequest servletRequest,
                                                  ServletResponse servletResponse) {
    
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            String token = request.getHeader(HttpHeaders.COOKIE);
            // 自定义Header也可以，但浏览器不会存自定义的Header，需要前端自己去存
            // String token = request.getHeader("Authentication");
            if (!StringUtils.hasText(token)) {
                return null;
            }
            return new JwtToken(token);
        }
    }

**工具类ResponseUtil**

package com.example.demo.common.util;
    
    
    
    import com.example.demo.common.entity.Result;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.springframework.http.HttpStatus;
    
    import javax.servlet.http.HttpServletResponse;
    
    public class ResponseUtil {
        public static void jsonResponse(HttpServletResponse response, int status, String message) throws Exception {
            //让浏览器用utf8来解析返回的数据
            response.setHeader("Content-type", "application/json;charset=UTF-8");
            //告诉servlet用UTF-8转码，而不是用默认的ISO8859
            response.setCharacterEncoding("UTF-8");
            response.setStatus(status);
    
            Result result = new Result().failure().message(message);
            String json = new ObjectMapper().writeValueAsString(result);
            response.getWriter().print(json);
        }
    }

## Mapper ##

修改SQL

package com.example.demo.rbac.permission.mapper;
    
    import com.baomidou.mybatisplus.core.mapper.BaseMapper;
    import com.example.demo.rbac.permission.entity.Permission;
    import org.apache.ibatis.annotations.Param;
    import org.apache.ibatis.annotations.Select;
    import org.springframework.stereotype.Repository;
    
    import java.util.Set;
    
    @Repository
    public interface PermissionMapper extends BaseMapper<Permission> {
        @Select("SELECT " +
                "    t_permission.`url`  " +
                "FROM " +
                "    t_user, " +
                "    t_user_role_mid, " +
                "    t_role, " +
                "    t_role_permission_mid, " +
                "    t_permission " +
                "WHERE " +
                "    t_user.`id` = #{userId}  " +
                "    AND t_user.id = t_user_role_mid.user_id  " +
                "    AND t_user_role_mid.role_id = t_role.id " +
                "    AND t_role.id = t_role_permission_mid.role_id " +
                "    AND t_role_permission_mid.permission_id = t_permission.id")
        Set<String> getPermissionsByUserId(@Param("userId") Long userId);
    }

## Controller ##

**产品**

package com.example.demo.business.product;
    
    import com.example.demo.common.entity.Result;
    import io.swagger.annotations.Api;
    import io.swagger.annotations.ApiOperation;
    import org.apache.shiro.authz.annotation.RequiresPermissions;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    
    @Api(tags = "产品")
    @RestController
    @RequestMapping("product")
    public class ProductController {
        @ApiOperation(value="增加产品")
        @PostMapping("add")
        public Result add() {
            return new Result<>().message("product:add success");
        }
    
        @ApiOperation(value="删除产品")
        @PostMapping("delete")
        public Result delete() {
            return new Result<>().message("product:delete success");
        }
    
        @ApiOperation(value="编辑产品")
        @PostMapping("edit")
        public Result edit() {
            return new Result<>().message("product:edit success");
        }
    
        @ApiOperation(value="查看产品")
        @GetMapping("view")
        public Result view() {
            return new Result<>().message("product:view success");
        }
    }

**订单**

package com.example.demo.business.order;
    
    import com.example.demo.common.entity.Result;
    import io.swagger.annotations.Api;
    import io.swagger.annotations.ApiOperation;
    import org.apache.shiro.authz.annotation.Logical;
    import org.apache.shiro.authz.annotation.RequiresPermissions;
    import org.apache.shiro.authz.annotation.RequiresRoles;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    
    @Api(tags = "订单")
    @RestController
    @RequestMapping("order")
    public class OrderController {
        @ApiOperation(value="增加订单")
        @PostMapping("add")
        public Result add() {
            return new Result<>().message("order:add success");
        }
    
        @ApiOperation(value="删除订单")
        @PostMapping("delete")
        public Result delete() {
            return new Result<>().message("order:delete success");
        }
    
        @ApiOperation(value="编辑订单")
        @PostMapping("edit")
        public Result edit() {
            return new Result<>().message("order:edit success");
        }
    
        @ApiOperation(value="查看订单")
        @GetMapping("view")
        public Result view() {
            return new Result<>().message("order:view success");
        }
    }

# 测试 #

## 测试超级管理员（admin） ##

启动项目，访问：[http://localhost:8080/doc.html][http_localhost_8080_doc.html]

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16][]

**1.测试登录**

1.  登录成功
2.  可以看到，会返回来一个Set-Cookie头，值是token。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 1][]

**2.测试有资源权限的接口**

本处测试增加产品接口。

1.  成功访问。
2.  在请求时会传递Cookie

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 2][]

我使用标准的：Set-Cookie，Cookie来做认证的。若是自定义的header，需要手动写入：

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 3][]

**3.测试登出**

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 4][]

**4.再次访问接口**

1.  访问成功。
2.  因为token还没过期，浏览器也还会将其发给服务端，所以成功。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 5][]

## 测试产品管理员（productManager） ##

启动项目，访问：[http://localhost:8080/doc.html][http_localhost_8080_doc.html]

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 6][]

**1.测试登录**

1.  登录成功
2.  可以看到，会返回来一个Set-Cookie头，值是token。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 7][]

**2.测试有资源权限的接口**

本处测试增加产品接口。

1.  成功访问。
2.  在请求时会传递Cookie

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 8][]

**3.测试无资源权限的接口**

本处测试增加订单接口。

1.  访问失败。
2.  在请求时会传递Cookie
3.  有一处细节：提示是红色的。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 9][]

点进去看，可以看到状态码是我指定的：403

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 10][]

## 重启服务再请求 ##

**1.登录**

登录成功

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 11][]

**2.重启服务器**

重启Idea启动的应用。

**3.访问有权限的接口**

本处访问产品增加接口。

1.  可以看到，访问成功。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 12][]

## 超时后再请求 ##

**1.修改配置文件，暂时将token过期时间改短（本处改为10秒）**

application.yml

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 13][]

**2.登录**

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 14][]

**3.等待大于10秒之后再请求**

请求失败。

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 15][]

我代码里指定这种错误为401，点进去验证下：

![watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 16][]

# 其他网址 #

**Shiro实例系列**

[Shiro--SpringBoot--Session--使用/用法/实例/示例\_IT利刃出鞘的博客-CSDN博客][Shiro--SpringBoot--Session--_IT_-CSDN]  
[Shiro--SpringBoot--shiro-redis--使用/用法/实例/示例\_IT利刃出鞘的博客-CSDN博客][Shiro--SpringBoot--shiro-redis--_IT_-CSDN]  
[Shiro--SpringBoot--jwt--使用/用法/实例/示例\_IT利刃出鞘的博客-CSDN博客][Link 1]  
[Shiro--SpringBoot--jwt--url路径(PathMatchingFilter)/通过url路径控制权限--使用/用法/实例/示例\_IT利刃出鞘的博客-CSDN博客][Shiro--_jwt--_url_--_IT_-CSDN]

[Shiro--_jwt--_url_--_IT_-CSDN]: https://knife.blog.csdn.net/article/details/120554963
[Link 1]: https://knife.blog.csdn.net/article/details/120319274
[http_localhost_8080_doc.html]: http://localhost:8080/doc.html
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16]: /images/20220828/12edef3ca8c44391b59ff91474c6ea65.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 1]: /images/20220828/7fc8790f3cca44c99a5757986302c074.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 2]: /images/20220828/4fc137f398af4ad1a4cba1bd7281c7c3.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 3]: /images/20220828/296633fa390c40448d732bdca2fd53c7.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 4]: /images/20220828/926be77d69904daabdd33181793507ec.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 5]: /images/20220828/fc9decaffcf74af18db1af377700f0c7.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 6]: /images/20220828/3f3657b2d7434bf4a8b009f8636c42cd.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 7]: /images/20220828/904066ad59744461a7b4534c1ae5b640.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 8]: /images/20220828/b378b660400147adb1daed995c5f1763.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 9]: /images/20220828/069517c04ce74c438699d2d45717dd07.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 10]: /images/20220828/1b672ce3e82b45b2af6f5f0d1261ed0c.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 11]: /images/20220828/cf05a825d59e40bb879e2e86ee86e918.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 12]: /images/20220828/6a63a0f965e6421bbe0fba5ecece5d4a.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 13]: /images/20220828/f36d4ebccc46439f89c5e75cd284bc63.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 14]: /images/20220828/94b02470fea44e0baed179c05a60cb8e.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 15]: /images/20220828/6585349e0d324883bcd0b1a7950801fb.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBASVTliKnliIPlh7rpnpg_size_20_color_FFFFFF_t_70_g_se_x_16 16]: /images/20220828/a82ec96d828a41a6b4e431e464afd414.png
[Shiro--SpringBoot--Session--_IT_-CSDN]: https://knife.blog.csdn.net/article/details/120319145
[Shiro--SpringBoot--shiro-redis--_IT_-CSDN]: https://knife.blog.csdn.net/article/details/120319186