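Spring Boot in Practice: Shiro Session Expiration Time Explained

Author: 思与学  Published: 2023-01-05 01:37:47

Tags: springboot, session expiration, shiro

Preface

As is well known, setting the session expiration time in Spring Boot only requires adding the server.session.timeout setting to application.properties. While integrating Shiro, I found that with server.session.timeout set to 7200, users had to log in again before 2 hours had passed. It later turned out that the Shiro session had already expired: the Shiro session expiration time is not kept in line with server.session.timeout. For now, a filter is used to set it.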

ShiroSessionFilter


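import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: StringUtils and NumberUtils come from commons-lang3.
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Sets the Shiro session expiration time.
 * @author yangwk
 */
public class ShiroSessionFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(ShiroSessionFilter.class);

    // URL patterns for which the session timeout is not refreshed.
    public List<String> excludes = new ArrayList<String>();

    // Milliseconds; 30 minutes, the same default that init() falls back to.
    private long serverSessionTimeout = 1800000L;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("shiro session filter is open");
        }

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Static resources and other excluded paths pass straight through.
        if (handleExcludeURL(req, resp)) {
            filterChain.doFilter(request, response);
            return;
        }

        // Only authenticated users get their Shiro session timeout reset.
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser.isAuthenticated()) {
            currentUser.getSession().setTimeout(serverSessionTimeout);
        }
        filterChain.doFilter(request, response);
    }

    // Each exclude entry is compiled as a regular expression anchored at the start
    // of the path, so "/img/*" matches every servlet path that begins with "/img".
    private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {
        if (excludes == null || excludes.isEmpty()) {
            return false;
        }

        String url = request.getServletPath();
        for (String pattern : excludes) {
            Pattern p = Pattern.compile("^" + pattern);
            Matcher m = p.matcher(url);
            if (m.find()) {
                return true;
            }
        }

        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("shiro session filter init~~~~~~~~~~~~");
        }
        // Comma-separated list of excluded URL patterns.
        String temp = filterConfig.getInitParameter("excludes");
        if (temp != null) {
            String[] url = temp.split(",");
            for (int i = 0; i < url.length; i++) {
                excludes.add(url[i]);
            }
        }
        // The init parameter is in seconds; Shiro expects milliseconds.
        String timeout = filterConfig.getInitParameter("serverSessionTimeout");
        if (StringUtils.isNotBlank(timeout)) {
            this.serverSessionTimeout = NumberUtils.toLong(timeout, 1800L) * 1000L;
        }
    }

    @Override
    public void destroy() {}

}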

Registering the filter

Register ShiroSessionFilter inside a class annotated with @Configuration.


// Same value the servlet container uses, in seconds.
@Value("${server.session.timeout}")
private String serverSessionTimeout;

@Bean
public FilterRegistrationBean shiroSessionFilterRegistrationBean() {
    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    filterRegistrationBean.setFilter(new ShiroSessionFilter());
    filterRegistrationBean.setOrder(FilterRegistrationBean.LOWEST_PRECEDENCE);
    filterRegistrationBean.setEnabled(true);
    filterRegistrationBean.addUrlPatterns("/*");
    // Maps is Guava's com.google.common.collect.Maps.
    Map<String, String> initParameters = Maps.newHashMap();
    initParameters.put("serverSessionTimeout", serverSessionTimeout);
    // Static resources are excluded from the timeout refresh.
    initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");
    filterRegistrationBean.setInitParameters(initParameters);
    return filterRegistrationBean;
}

With this in place, on every request, if the user is logged in, the Shiro session expiration time is reset, which keeps it consistent with the server session.
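The same alignment can also be configured once on Shiro's session manager instead of on every request. The following is an added example, not code from the original article: it assumes the application uses Shiro's native sessions through DefaultWebSessionManager, and the class name ShiroSessionTimeoutConfig and the 10-minute validation interval are hypothetical choices.

```java
import java.util.concurrent.TimeUnit;

import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example (not from the article). Assumes Shiro native sessions;
// the class name and the validation interval are illustrative.
@Configuration
public class ShiroSessionTimeoutConfig {

    // Same property the article uses; the value is in seconds.
    @Value("${server.session.timeout}")
    private long serverSessionTimeoutSeconds;

    @Bean
    public SessionManager sessionManager() {
        // Shiro treats a negative timeout as "never expire", so a
        // misconfigured property must not silently disable expiration.
        if (serverSessionTimeoutSeconds <= 0) {
            throw new IllegalStateException(
                    "server.session.timeout must be a positive number of seconds");
        }

        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        // Idle timeout for every new Shiro session, in milliseconds.
        manager.setGlobalSessionTimeout(
                TimeUnit.SECONDS.toMillis(serverSessionTimeoutSeconds));
        // Periodically invalidate and delete sessions that have expired,
        // so abandoned sessions do not linger in the session store.
        manager.setSessionValidationSchedulerEnabled(true);
        manager.setSessionValidationInterval(TimeUnit.MINUTES.toMillis(10));
        manager.setDeleteInvalidSessions(true);
        return manager;
    }
}
```

The returned session manager only takes effect once it is passed to the application's Shiro security manager with setSessionManager(...).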

Source: http://www.jianshu.com/p/21d800215c17
