springboot使用shiro后HttpSession的removeAttribute無(wú)效

我的系統(tǒng)中是springboot+shiro做的登錄鑒權(quán)，使用了shiro后自帶的HttpSession的removeAttribute就無(wú)效了。
shiri配置

@Configuration
public class ShiroConfig {
    
    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        
        // 必須設(shè)置 SecurityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // 如果不設(shè)置默認(rèn)會(huì)自動(dòng)尋找Web工程根目錄下的"/login.jsp"頁(yè)面
        shiroFilterFactoryBean.setLoginUrl("/login");
        // 登錄成功后要跳轉(zhuǎn)的鏈接
        shiroFilterFactoryBean.setSuccessUrl("/index");
        // 未授權(quán)界面;
        shiroFilterFactoryBean.setUnauthorizedUrl("/403");
        
        // 權(quán)限控制map.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
        //filterChainDefinitionMap.put("/user", "perms[add1]");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        
        return shiroFilterFactoryBean;
    }
    
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 設(shè)置realm.
        securityManager.setRealm(myShiroRealm());
        // 自定義緩存實(shí)現(xiàn) 使用redis
        //RedisCacheManager cache = cacheManager();
        //securityManager.setCacheManager(cacheManager());
        // 自定義session管理 使用redis
        securityManager.setSessionManager(SessionManager());
        return securityManager;
    }
...后面的隱藏

使用

@PostMapping(path="/login.api")
    @ResponseBody
    public Result loginApi(@Validated(SysUser.IUserLogin.class) SysUser userForm, BindingResult bindingResult,
                           HttpServletRequest request, HttpSession session){
        result.simple(true, "初始化");
        userForm.initForm(SysUser.IUserLogin.class);
        String verifycode=request.getParameter("verifycode");
        if (bindingResult.hasErrors()) {
            userForm.initFieldErrors(bindingResult);
            result.simple(false, "字段驗(yàn)證失敗");
        }
        **Session s = SecurityUtils.getSubject().getSession();**
        if(!verifycode.equals(s.getAttribute("VerifyCode"))) {
            result.simple(false&result.isFlag(), result.getMsg()+",驗(yàn)證碼不正確");
            result.putItems("verifycodeError", "驗(yàn)證碼不正確!");
        }else{
            result.removeItem("verifycodeError");
        }
        s.removeAttribute("VerifyCode");

        if(result.isFlag()){
            try {
                UsernamePasswordToken token = new UsernamePasswordToken(userForm.getUsername(), userForm.getPassword());
                SecurityUtils.getSubject().login(token);
                result.simple(true, "登錄成功");
            } catch (Exception e) {
                System.out.println(e.toString());
                userForm.getFields().get("password").setError(e.getMessage());
                result.simple(false, "登錄失敗");
            }
        }
        result.putItems("user", userForm);
        return result;
    }

上面代碼中session不能用，s可以用。

回答

編輯回答