This subject is anonymous - it does not have any identifying principals and authorization operations

大家好，我是烤鸭：

最近使用shiro，遇到如下问题：

严重: Servlet.service() for servlet [dispatcherServlet] in context with path [/etc] threw exception [Request processing failed; nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.] with root cause

1. 场景介绍

项目是前后端分离的，接口用postman自测的时候是没有问题的。但是前端登录后访问有权限限制的接口会报错。

前端是 react 项目，后端是 springboot 项目。

2. 原因猜想

可能是前端每次请求并没有携带cookie。由于前端项目本地启动请求后端项目需要使用代理。

默认访问的域名应该是localhost:3000

3. 解决方式

如果前端联调的是测试环境，建议将前端项目也部署测试环境，并且和后端项目部署在同一个域名下（nginx配置一下就可以了）。这种就不存在跨域和携带cookie的问题了。

如果前端联调的是开发同学的本地环境。需要前后端都做一些修改。

前端：

fetch请求默认不携带cookie

增加

credentials: "include"

            var myHeaders = new Headers();fetch(url, {method: 'GET',headers: myHeaders,credentials: "include"})

withCredentials: true

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

后端：

如果是和本地联调，肯定存在跨域问题。需要设置 Access-Control-Allow-Origin 为指定ip，不能设置为 * 。

浏览器的安全角度如果设置为 * ，是不能携带cookie的。

本例中如下设置。(Access-Control-Allow-Origin 设置为 localhost:3000)

@Configuration
public class CorsConfig implements WebMvcConfigurer {private CorsConfiguration buildConfig() {CorsConfiguration corsConfiguration = new CorsConfiguration();corsConfiguration.addAllowedHeader("*"); // 允许任何头corsConfiguration.addAllowedOrigin("localhost:3000"); // 允许任何头corsConfiguration.addAllowedMethod("*"); // 允许任何方法（post、get等）return corsConfiguration;}@Beanpublic CorsFilter corsFilter() {UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/**", buildConfig()); // 对接口配置跨域设置return new CorsFilter(source);}}

@Overridepublic void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {//每一次的请求先校验cookieHttpServletRequest reqeust = (HttpServletRequest)req;HttpServletResponse response = (HttpServletResponse) res;response.setHeader("Access-Control-Allow-Origin", "localhost:3000");response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");response.setHeader("Access-Control-Max-Age", "3600");response.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");chain.doFilter(req, res);}

总结：

最开始前端说后端接口访问不同，想到是shiro的问题，但是第一时间并没有想到cookie的问题。

找到问题比较慢，解决问题也是。最好的方式就是都部署到测试环境，避免跨域的问题出现就好了。