经过查找论坛和分析源码,确认了是在ShiroHttpServletResponse里加上的。 因此继承ShiroHttpServletResponse类,覆盖相应方法,再重写 ShiroFilterFactoryBean就可以把添加JSESSIONID部分去掉。 重写ShiroHttpServletResponse Java代码 public class MyShiroHttpServletResponse extends ShiroHttpServletResponse { public MyShiroHttpServletResponse(HttpServletResponse wrapped,ServletContext context, ShiroHttpServletRequest request) { super(wrapped, context, request); } @Override protected String toEncoded(String url, String sessionId) { if ((url == null) || (sessionId == null)) return (url); String path = url; String query = ""; String anchor = ""; int question = url.indexOf('?'); if (question >= 0) { path = url.substring(0, question); query = url.substring(question); } int pound = path.indexOf('#'); if (pound >= 0) { anchor = path.substring(pound); path = path.substring(0, pound); } StringBuilder sb = new StringBuilder(path); //重写toEncoded方法,注释掉这几行代码就不会再生成JESSIONID了。 // if (sb.length() > 0) { // session id param can't be first. // sb.append(";"); // sb.append(DEFAULT_SESSION_ID_PARAMETER_NAME); // sb.append("="); // sb.append(sessionId); // } sb.append(anchor); sb.append(query); return (sb.toString()); } } 2.扩展ShiroFilterFactoryBean, 使用新建的MyShiroHttpServletResponse。 Java代码 public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean { @Override public Class getObjectType() { return MySpringShiroFilter.class; } @Override protected AbstractShiroFilter createInstance() throws Exception { SecurityManager securityManager = getSecurityManager(); if (securityManager == null) { String msg = "SecurityManager property must be set."; throw new BeanInitializationException(msg); } if (!(securityManager instanceof WebSecurityManager)) { String msg = "The security manager does not implement the WebSecurityManager interface."; throw new BeanInitializationException(msg); } FilterChainManager manager = createFilterChainManager(); PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver(); chainResolver.setFilterChainManager(manager); return new MySpringShiroFilter((WebSecurityManager) securityManager, chainResolver); } private static final class MySpringShiroFilter extends AbstractShiroFilter { protected MySpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) { super(); if (webSecurityManager == null) { throw new IllegalArgumentException("WebSecurityManager property cannot be null."); } setSecurityManager(webSecurityManager); if (resolver != null) { setFilterChainResolver(resolver); } } @Override protected ServletResponse wrapServletResponse(HttpServletResponse orig, ShiroHttpServletRequest request) { return new MyShiroHttpServletResponse(orig, getServletContext(), request); } } } 3.在shiro相关配置里替换成自己的MyShiroFilterFactoryBean(嗯,我是shiro和spring组合用的) <!-- Shiro的Web过滤器 --> <bean id="shiroFilter" class="com.jsnr.aws.web.shiro.spring.MyShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login.jsp"/> <property name="unauthorizedUrl" value="/unauthorized.jsp"/> ..... </bean>