How to integrate Shiro Security Authentication with SpringBoot

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to integrate Shiro security authentication with SpringBoot. I think it is very practical, so I am sharing it as a reference, and I hope you get something out of it.

Shiro works by having the server write the SessionID into a cookie in the client browser. The client sends that cookie with each request, and the server reads the sessionId from the cookie to maintain the session. In a separated front-end/back-end deployment, however, the back-end service cannot write the sessionId into the requesting browser's cookie, and there is a cross-domain problem. For security reasons, ajax requests do not carry cookie information, so the back-end program cannot obtain the sessionId and cannot verify the login.

Implementation idea: return the SessionID to the front end, which saves it (in a cookie or localStorage). When the front end initiates a request, it passes the SessionID to the server; the server reads the SessionID and then looks up the corresponding session.

In the back-end login API, return the SessionId of the Shiro session to the front end, which saves it to a cookie.

After a successful login, the front-end JS receives the sessionID (token) and saves it to a cookie.

First, modify the Shiro security configuration by replacing the SessionManager: create a MySessionManager class that inherits from DefaultWebSessionManager and override the getSessionId method so that it first gets the SessionID from the cookie, then from the request header, and, if it is still not found, from the request parameters.

Second, modify the session manager in the Shiro configuration so that it uses our MySessionManager class; here redis is used as the cache manager.

Third, add a filter class CrosFilter to the project to deal with cross-domain problems. If the request is an OPTIONS preflight request, return 200 to indicate success; otherwise the ajax POST, GET and similar requests that follow get no response from the server. In addition, the Access-Control-Allow-Headers configuration item must include Authorization, and Access-Control-Allow-Credentials must be set to true.

Finally, when the front-end ajax initiates a request, add an Authorization entry to the request headers whose value is the sessionID returned at login ($.cookie("token")), and set crossDomain to true.
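One way to write the MySessionManager described in the first step, as an added example rather than the article's own code. It assumes Shiro 1.x on the javax.servlet API and session IDs produced by Shiro's default UUID generator; the HEADER_SESSION_ID_SOURCE label and the SESSION_ID pattern are choices made for this example.

```java
import java.io.Serializable;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;

public class MySessionManager extends DefaultWebSessionManager {

    private static final String AUTHORIZATION = "Authorization";
    // Label recorded as the id's source; hypothetical value chosen for this example.
    private static final String HEADER_SESSION_ID_SOURCE = "header";
    // Assumption: ids come from Shiro's default UUID generator. Anything else is
    // dropped before it can be used as a lookup key in the redis session store.
    private static final Pattern SESSION_ID =
            Pattern.compile("[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}");

    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);

        // 1. Cookie first: when the session cookie is present, let the parent
        //    class read it and mark the request itself.
        if (isSessionIdCookieEnabled()
                && getSessionIdCookie().readValue(http, WebUtils.toHttp(response)) != null) {
            return super.getSessionId(request, response);
        }

        // 2. Then the Authorization request header set by the front end.
        String header = http.getHeader(AUTHORIZATION);
        if (header != null && SESSION_ID.matcher(header.trim()).matches()) {
            String id = header.trim();
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
                    HEADER_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            // "Valid" only until the session lookup says otherwise.
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID,
                    Boolean.TRUE);
            return id;
        }

        // 3. Last, the request parameters, which the parent class already handles.
        //    Ids sent this way end up in URLs, access logs and Referer headers.
        return super.getSessionId(request, response);
    }
}
```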

How do you secure the API interface when the front end and back end of a SpringBoot application are separated?

The front end is written in vue and placed directly under nginx. The back end uses SpringBoot as a server to provide the API interface for the front end to access. The front end is divided into public pages and pages that require login. Pages accessed after login can use JWT for API authentication. But how do you protect the interface from malicious invocation without login? Get the client IP from the request and record the number of requests per IP in the redis cache. When the request frequency of an IP is too high, block that IP.

I hope the above content on "how to integrate Shiro security authentication with SpringBoot" is helpful to you.
