龙空技术网

Shiro: removing JSESSIONID from the URL at login, and allowing semicolons and Chinese parameters

顽石九变 127


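After upgrading to Shiro 1.8, Chinese characters and semicolons (;) in request parameters are rejected by default. As a result, when the system is first opened the URL carries a `;JSESSIONID=` parameter and the system returns a 400 error page.

Configuring Shiro to allow the `;` parameter resolves this. If you want to remove the JSESSIONID parameter instead, handle it as follows.

I. Remove the JSESSIONID parameter from the URL at login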

    @Bean
    @ConditionalOnMissingBean
    public DefaultWebSessionManager sessionManager(ShiroProp shiroProp) {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        // Remove JSESSIONID from the URL at Shiro login
        sessionManager.setSessionIdUrlRewritingEnabled(false);
        return sessionManager;
    }

    @Bean
    @ConditionalOnMissingBean
    public org.apache.shiro.mgt.SecurityManager securityManager(EhCacheManager cacheManager,
            RememberMeManager rememberMeManager, AbstractShiroDbRealm shiroDbRealm,
            SessionManager sessionManager, ShiroProp shiroProp) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // Set the realm.
        securityManager.setRealm(shiroDbRealm);
        securityManager.setCacheManager(cacheManager);
        securityManager.setRememberMeManager(rememberMeManager);
        // Set the sessionManager, which removes JSESSIONID from the URL at Shiro login
        securityManager.setSessionManager(sessionManager);
        return securityManager;
    }

II. Allow semicolons and Chinese parameters

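Override the `invalidRequest` filter to allow semicolons and Chinese (non-ASCII) characters in URLs. This filter validates every request, so turn off only the check your URLs actually need.

1) Define an InvalidRequestFilter bean object
2) Configure the shiroFilter object and re-register the invalidRequest filter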

    private InvalidRequestFilter invalidRequestFilter() {
        InvalidRequestFilter invalidRequestFilter = new InvalidRequestFilter();
        // Allow Chinese (non-ASCII) characters in the URL
        invalidRequestFilter.setBlockNonAscii(false);
        // Allow semicolons (;) in the URL
        invalidRequestFilter.setBlockSemicolon(false);
        return invalidRequestFilter;
    }

    @ConditionalOnMissingBean
    @Bean("shiroFilter")
    public ShiroFilterFactoryBean shirFilter(org.apache.shiro.mgt.SecurityManager securityManager, Section section) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // The SecurityManager must be set
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // If not set, Shiro looks for "/login.jsp" in the web application root by default
        shiroFilterFactoryBean.setLoginUrl("/login");
        // URL to redirect to after a successful login
        shiroFilterFactoryBean.setSuccessUrl("/index");
        // Unauthorized page
        shiroFilterFactoryBean.setUnauthorizedUrl("/403");
        // Filter chain definitions
        shiroFilterFactoryBean.setFilterChainDefinitionMap(section);
        Map<String, Filter> filters = new HashMap<>();
        // Register the customized invalidRequestFilter under the built-in name
        filters.put("invalidRequest", invalidRequestFilter());
        shiroFilterFactoryBean.setFilters(filters);
        logger.info("Shiro filter factory bean injected successfully");
        return shiroFilterFactoryBean;
    }

III. With HTTPS configured, redirects go back to HTTP

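I worked on this problem for a long time, and only the following approach solved it.

1) Override the filter
2) Configure nginx to force HTTP requests over to HTTPS

1. Override the filter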

    import java.io.IOException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
    import org.apache.shiro.web.util.WebUtils;

    public class MyFormAuthenticationFilter extends FormAuthenticationFilter {

        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            if (isLoginRequest(request, response)) {
                if (isLoginSubmission(request, response)) {
                    return executeLogin(request, response);
                } else {
                    // allow them to see the login page ;)
                    return true;
                }
            } else {
                saveRequestAndRedirectToLogin(request, response);
                return false;
            }
        }

        // HTTPS configured, redirect goes back to HTTP --start
        @Override
        protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
            saveRequest(request);
            redirectToLogin(request, response);
        }

        @Override
        protected void redirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
            String loginUrl = getLoginUrl();
            // Arguments: queryParams = null, contextRelative = true, http10Compatible = false
            WebUtils.issueRedirect(request, response, loginUrl, null, true, false);
        }
        // HTTPS configured, redirect goes back to HTTP --end
    }

2. nginx configuration: force HTTP requests over to HTTPS

    proxy_redirect http:// $scheme://;
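
The nginx side of step 2, written out as a complete reverse-proxy configuration. This is an added example, not the author's configuration: the server name, certificate paths and backend address are placeholders, and everything except the `proxy_redirect` line goes beyond the single directive the article gives.

```nginx
# Port 80: no content is served over plain HTTP, every request is sent to HTTPS.
server {
    listen 80;
    server_name app.example.com;              # placeholder host name
    return 301 https://$host$request_uri;
}

# Port 443: TLS terminates here; the Shiro application is reached over plain HTTP.
server {
    listen 443 ssl;
    server_name app.example.com;              # placeholder host name

    ssl_certificate     /etc/nginx/certs/app.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/app.example.com.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;     # placeholder backend address

        # Tell the backend which host and scheme the client actually used.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # From the article: if the backend still answers with an absolute
        # "Location: http://..." header, rewrite it to the client's scheme.
        proxy_redirect http:// $scheme://;

        # Addition (nginx 1.19.3 or later): with URL rewriting disabled the
        # session id travels only in the JSESSIONID cookie, so mark it Secure.
        proxy_cookie_flags JSESSIONID secure;
    }
}
```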
