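When you protect a Spring Boot REST API with Apache Shiro, you may run into CORS (Cross-Origin Resource Sharing) configuration problems. The following is one way to solve them, with code examples:
First, make sure the relevant dependencies, such as spring-boot-starter-web and shiro-spring-boot-starter, have been added to the Spring Boot project.
In the Spring Boot configuration file (application.properties or application.yml), add the CORS configuration that allows requests from a specific origin (for example http://localhost:3000). Example configuration:
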
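    # application.properties
    # Note: the ShiroConfig class shown later sets the same values in code and does not read these keys
    # Allowed HTTP methods
    shiro.filter.cors.allowedMethods = GET, POST, PUT, DELETE, OPTIONS
    # Allow requests from http://localhost:3000
    shiro.filter.cors.allowedOrigins = http://localhost:3000
    # Allow credentials (such as cookies)
    shiro.filter.cors.allowCredentials = true
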
    # application.yml
    shiro:
      filter:
        cors:
          allowedMethods: GET, POST, PUT, DELETE, OPTIONS
          allowedOrigins: http://localhost:3000
          allowCredentials: true

    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    public class ShiroConfig {

        @Bean
        public ShiroFilterFactoryBean shiroFilterFactoryBean() {
            // Create the ShiroFilterFactoryBean
            ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
            // Set Shiro's security manager
            shiroFilterFactoryBean.setSecurityManager(securityManager());
            // Register the CORS filter under the name "cors"
            shiroFilterFactoryBean.getFilters().put("cors", corsFilter());
            // ...
            // Set the other filter rules
            return shiroFilterFactoryBean;
        }

        @Bean
        public CorsFilter corsFilter() {
            // Create the CorsFilter
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            CorsConfiguration config = new CorsConfiguration();
            // Allow all HTTP methods
            config.addAllowedMethod("*");
            // Allow requests from http://localhost:3000
            config.addAllowedOrigin("http://localhost:3000");
            // Allow credentials (such as cookies)
            config.setAllowCredentials(true);
            // Apply this CORS configuration to every path
            source.registerCorsConfiguration("/**", config);
            return new CorsFilter(source);
        }

        // ...
        // Other Shiro configuration, such as Realm, Cache, Session, etc.
    }

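Within Shiro, a filter registered by name takes part in a request only when a chain definition references it, and the class above leaves those filter rules elided. The following is an added example, not code from the original page, showing one way to write the rules so that the CORS filter runs before Shiro's `authc` filter. The class name `ShiroCorsChainConfig`, the `/api/login` path, the allowed `Content-Type` header and the injected `SecurityManager` bean are assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class ShiroCorsChainConfig {

    // Assumption: a Shiro SecurityManager bean is defined elsewhere in the application.
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.getFilters().put("cors", corsFilter());

        // LinkedHashMap keeps insertion order; Shiro applies the first matching pattern.
        // "cors" comes first: Spring's CorsFilter answers the preflight OPTIONS request
        // itself and does not pass it on, so authc never sees the cookie-less preflight.
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/api/login", "cors, anon");   // hypothetical login endpoint
        chains.put("/**", "cors, authc");         // everything else requires authentication
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }

    // Not a @Bean here, so the filter runs only through the Shiro chains above.
    private static CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // With credentials enabled, list exact origins rather than a wildcard.
        config.addAllowedOrigin("http://localhost:3000");
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Assumption: the client sends JSON; a preflight asking for a header
        // that is not listed here is rejected.
        config.addAllowedHeader("Content-Type");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}
```
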
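With the steps above, you can combine Shiro with the CORS configuration to protect the Spring Boot REST API while allowing cross-origin requests from specific origins. Modify and adjust the configuration to fit your actual situation.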