
Spring Boot in Practice: Shiro Session Timeout

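In Spring Boot, setting the session timeout only requires adding the server.session.timeout property to application.properties. While integrating Shiro, I found that with server.session.timeout set to 7200, users still had to log in again before 2 hours had passed. It turned out that the Shiro session had already expired: Shiro's session timeout is not kept in line with server.session.timeout. For now, I set it with a filter.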

ShiroSessionFilter

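import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// StringUtils/NumberUtils are assumed to come from Apache Commons Lang 3
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Sets the Shiro session timeout through a servlet filter.
 * @author yangwk
 */
public class ShiroSessionFilter implements Filter {
    private static Logger logger = LoggerFactory.getLogger(ShiroSessionFilter.class);

    public List<String> excludes = new ArrayList<String>();

    // Milliseconds; 30 minutes, matching the 1800 s fallback used in init()
    private long serverSessionTimeout = 1800000L;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException {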
        if(logger.isDebugEnabled()){
            logger.debug("shiro session filter is open");
        }

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if(handleExcludeURL(req, resp)){
            filterChain.doFilter(request, response);
            return;
        }

        Subject currentUser = SecurityUtils.getSubject();
        if(currentUser.isAuthenticated()){
            currentUser.getSession().setTimeout(serverSessionTimeout);
        }
        filterChain.doFilter(request, response);
    }

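    // Each exclude entry is compiled as a regular expression anchored at the start of
    // the servlet path, so "/img/*" acts as a prefix match on "/img", not as a
    // servlet-style wildcard. Excluded paths only skip the timeout refresh.
    private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {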

        if (excludes == null || excludes.isEmpty()) {
            return false;
        }

        String url = request.getServletPath();
        for (String pattern : excludes) {
            Pattern p = Pattern.compile("^" + pattern);
            Matcher m = p.matcher(url);
            if (m.find()) {
                return true;
            }
        }

        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if(logger.isDebugEnabled()){
            logger.debug("shiro session filter init~~~~~~~~~~~~");
        }
        String temp = filterConfig.getInitParameter("excludes");
        if (temp != null) {
            String[] url = temp.split(",");
            for (int i = 0; url != null && i < url.length; i++) {
                excludes.add(url[i]);
            }
        }
        String timeout = filterConfig.getInitParameter("serverSessionTimeout");
        if(StringUtils.isNotBlank(timeout)){
            this.serverSessionTimeout = NumberUtils.toLong(timeout,1800L)*1000L;
        }
    }

    @Override
    public void destroy() {}  

}

Registering the filter

Register ShiroSessionFilter in a class annotated with @Configuration.

@Value("${server.session.timeout}")
private String serverSessionTimeout;

@Bean
public FilterRegistrationBean shiroSessionFilterRegistrationBean() {
    FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
    filterRegistrationBean.setFilter(new ShiroSessionFilter());
    filterRegistrationBean.setOrder(FilterRegistrationBean.LOWEST_PRECEDENCE);
    filterRegistrationBean.setEnabled(true);
    filterRegistrationBean.addUrlPatterns("/*");
    Map<String, String> initParameters = Maps.newHashMap();
    initParameters.put("serverSessionTimeout", serverSessionTimeout);
    initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");
    filterRegistrationBean.setInitParameters(initParameters);
    return filterRegistrationBean;
}

This way, on every request, if the user is logged in, the Shiro session timeout is set again, which keeps it consistent with the server session.
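
An alternative to resetting the timeout on every request, shown here as an added example that is not code from the original post or the rest-base project: set the timeout once on Shiro's session manager from the same property. It assumes Shiro-native sessions (DefaultWebSessionManager), a Realm bean defined elsewhere, and a hypothetical class name ShiroSessionTimeoutConfig; if the project already defines a security manager bean, only the setSessionManager call needs to be merged into it.

```java
import java.util.concurrent.TimeUnit;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (assumption, not part of the original project).
@Configuration
public class ShiroSessionTimeoutConfig {

    // server.session.timeout is expressed in seconds; default to 1800 s when unset.
    @Value("${server.session.timeout:1800}")
    private long serverSessionTimeoutSeconds;

    @Bean
    public DefaultWebSessionManager shiroSessionManager() {
        // Shiro treats a negative timeout as "never expire", so refuse to start
        // with a non-positive value instead of silently creating immortal sessions.
        if (serverSessionTimeoutSeconds <= 0) {
            throw new IllegalStateException(
                "server.session.timeout must be a positive number of seconds");
        }

        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        // Shiro expects milliseconds, the property is in seconds.
        sessionManager.setGlobalSessionTimeout(
            TimeUnit.SECONDS.toMillis(serverSessionTimeoutSeconds));
        // Periodically validate sessions and drop expired ones from the store,
        // rather than waiting for the next request that touches them.
        sessionManager.setSessionValidationSchedulerEnabled(true);
        sessionManager.setDeleteInvalidSessions(true);
        return sessionManager;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(Realm realm,
            DefaultWebSessionManager shiroSessionManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm);
        // Every session Shiro creates now starts with the configured timeout.
        securityManager.setSessionManager(shiroSessionManager);
        return securityManager;
    }
}
```

The global timeout applies to sessions created after startup, so existing sessions in a persistent session store keep the timeout they were created with.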

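The Spring Boot web back-end development framework I put together has been uploaded to GitHub; criticism is welcome!
https://github.com/q7322068/rest-base. It is already used in several production projects. It may not be very polished at the moment because of version issues, and I will keep improving it. I hope you get something out of it!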