一、概述
Apache Shiro 是Java 的一个安全框架。Shiro 可以非常容易的开发出足够好的应用,其不仅可以用在JavaSE 环境,也可以用在JavaEE 环境。Shiro 可以帮助我们完成:认证、授权、加密、会话管理、与Web 集成、缓存等。
1.1 功能
- 验证用户来核实他们的身份
- 对用户执行访问控制,如: 判断用户是否被分配了一个确定的安全角色 判断用户是否被允许做某事
- 在任何环境下使用 Session API,即使没有 Web 或 EJB 容器。
- 在身份验证,访问控制期间或在会话的生命周期,对事件作出反应。
- 聚集一个或多个用户安全数据的数据源,并作为一个单一的复合用户“视图”。
- 启用单点登录(SSO)功能。
- 为没有关联到登录的用户启用"Remember Me"服务
1.2 与Spring Security的对比
- Shiro: Shiro较之 Spring Security,Shiro在保持强大功能的同时,还在简单性和灵活性方面拥有巨大优势。
- 易于理解的 Java Security API;
- 简单的身份认证(登录),支持多种数据源(LDAP,JDBC,Kerberos,ActiveDirectory 等);
- 对角色的简单的签权(访问控制),支持细粒度的签权;
- 支持一级缓存,以提升应用程序的性能;
- 内置的基于 POJO 企业会话管理,适用于 Web 以及非 Web 的环境;
- 异构客户端会话访问;
- 非常简单的加密 API;
- 不跟任何的框架或者容器捆绑,可以独立运行
- Spring Security: 除了不能脱离Spring,shiro的功能它都有。而且Spring Security对Oauth、OpenID也有支持,Shiro则需要自己手动实现。Spring Security的权限细粒度更高。
1.3 基本功能
Authentication 身份认证/登录,验证用户是不是拥有相应的身份;
Authorization 授权,即权限验证,验证某个已认证的用户是否拥有某个权限;即判断用户是否能做事情,常见的如:验证某个用户是否拥有某个角色。或者细粒度的验证某个用户对某个资源是否具有某个权限;
Session Manager 会话管理,即用户登录后就是一次会话,在没有退出之前,它的所有信息都在会话中;会话可以是普通JavaSE环境的,也可以是如Web环境的;
Cryptography:加密,保护数据的安全性,如密码加密存储到数据库,而不是明文存储;
Web Support**:Web 支持,可以非常容易的集成到Web 环境;
Caching:缓存,比如用户登录后,其用户信息、拥有的角色/权限不必每次去查,这样可以提高效率;
Concurrency:shiro 支持多线程应用的并发验证,即如在一个线程中开启另一个线程,能把权限自动传播过去;
Testing:提供测试支持;
Run As:允许一个用户假装为另一个用户(如果他们允许)的身份进行访问;
Remember Me:记住我,这个是非常常见的功能,即一次登录后,下次再来的话不用登录了。
Shiro 不会去维护用户、维护权限;这些需要我们自己去设计提供;然后通过相应的接口注入给Shiro即可。
1.4 架构
Subject Subject即主体,外部应用与subject进行交互,subject记录了当前操作用户,将用户的概念理解为当前操作的主体,可能是一个通过浏览器请求的用户,也可能是一个运行的程序。 Subject在shiro中是一个接口,接口中定义了很多认证授相关的方法,外部程序通过subject进行认证授,而subject是通过SecurityManager安全管理器进行认证授权
SecurityManager SecurityManager即安全管理器,对全部的subject进行安全管理,它是shiro的核心,负责对所有的subject进行安全管理。通过SecurityManager可以完成subject的认证、授权等,实质上SecurityManager是通过Authenticator进行认证,通过Authorizer进行授权,通过SessionManager进行会话管理等。 SecurityManager是一个接口,继承了Authenticator, Authorizer, SessionManager这三个接口。
Authenticator Authenticator即认证器,对用户身份进行认证,Authenticator是一个接口,shiro提供ModularRealmAuthenticator实现类,通过ModularRealmAuthenticator基本上可以满足大多数需求,也可以自定义认证器。
Authorizer Authorizer即授权器,用户通过认证器认证通过,在访问功能时需要通过授权器判断用户是否有此功能的操作权限。
realm Realm即领域,相当于datasource数据源,securityManager进行安全认证需要通过Realm获取用户权限数据,比如:如果用户身份数据在数据库那么realm就需要从数据库获取用户身份信息。 注意:不要把realm理解成只是从数据源取数据,在realm中还有认证授权校验的相关的代码。
sessionManager sessionManager即会话管理,管理所有Subject的session包括创建、维护、删除、失效、验证等工作。SessionManager是顶层组件,由SecurityManager管理。shiro框架定义了一套会话管理,提供了三种实现方式。可以使它不依赖web容器的session,所以shiro可以使用在非web应用上,也可以将分布式应用的会话集中在一点管理,此特性可使它实现单点登录。
- DefaultSessionManager:用于JavaSE环境
- ServletContainerSessionManager:用于Web环境,直接使用servlet容器的会话。
- DefaultWebSessionManager:用于web环境,自己维护会话(自己维护着会话,直接废弃了Servlet容器的会话管理)。 在web程序中,通过shiro的Subject.login()方法登录成功后,用户的认证信息实际上是保存在HttpSession中.
SessionDAO SessionDAO即会话dao,是对session会话操作的一套接口,比如要将session存储到数据库,可以通过jdbc将会话存储到数据库。
CacheManager CacheManager即缓存管理,将用户权限数据存储在缓存,这样可以提高性能。
Cryptography Cryptography即密码管理,shiro提供了一套加密/解密的组件,方便开发。比如提供常用的散列、加/解密等功能。
1.5 认证
基本概念
即在应用中谁能证明他就是他本人。一般提供如他们的身份ID 一些标识信息来表明他就是他本人,如提供身份证,用户名/密码来证明。在 shiro 中,用户需要提供principals (身份)和credentials(证明)给shiro,从而应用能验证用户身份:
principals 身份,即主体的标识属性,可以是任何东西,如用户名、邮箱等,唯一即可。一个主体可以有多个principals,但只有一个Primary principals,一般是用户名/密码/手机号
credentials 证明/凭证,即只有主体知道的安全值,如密码/数字证书等。
最常见的principals和credentials组合就是用户名/密码了。接下来先进行一个基本的身份认证。
认证流程
- 首先调用Subject.login(token)进行登录,其会自动委托给Security Manager,调用之前必须通过SecurityUtils. setSecurityManager()设置;
- SecurityManager负责真正的身份验证逻辑;它会委托给Authenticator进行身份验证;
- Authenticator才是真正的身份验证者,Shiro API中核心的身份认证入口点,此处可以自定义插入自己的实现;
- Authenticator可能会委托给相应的AuthenticationStrategy进行多Realm身份验证,默认ModularRealmAuthenticator会调用AuthenticationStrategy进行多Realm身份验证;
- Authenticator会把相应的token传入Realm,从Realm获取身份验证信息,如果没有返回/抛出异常表示身份验证失败了。此处可以配置多个Realm,将按照相应的顺序及策略进行访问。
1.6 授权
授权,也叫访问控制,即在应用中控制谁能访问哪些资源(如访问页面/编辑数据/页面操作等)。在授权中需了解的几个关键对象:主体(Subject)、资源(Resource)、权限(Permission)、角色(Role)。
关键对象
主体 主体,即访问应用的用户,在Shiro中使用Subject代表该用户。用户只有授权后才允许访问相应的资源。
资源 在应用中用户可以访问的任何东西,比如访问JSP 页面、查看/编辑某些数据、访问某个业务方法、打印文本等等都是资源。用户只要授权后才能访问。
权限 安全策略中的原子授权单位,通过权限我们可以表示在应用中用户有没有操作某个资源的权力。即权限表示在应用中用户能不能访问某个资源,如:访问用户列表页面查看/新增/修改/删除用户数据(即很多时候都是CRUD(增查改删)式权限控制)打印文档等等。。。
角色 角色代表了操作集合,可以理解为权限的集合,一般情况下我们会赋予用户角色而不是权限,即这样用户可以拥有一组权限,赋予权限时比较方便。典型的如:项目经理、技术总监、CTO、开发工程师等都是角色,不同的角色拥有一组不同的权限。
授权流程
1、首先调用Subject.isPermitted_/hasRole_接口,其会委托给SecurityManager,而SecurityManager接着会委托给Authorizer; 2、Authorizer是真正的授权者,如果我们调用如isPermitted(“user:view”),其首先会通过PermissionResolver把字符串转换成相应的Permission实例; 3、在进行授权之前,其会调用相应的Realm获取Subject相应的角色/权限用于匹配传入的角色/权限; 4、Authorizer会判断Realm的角色/权限是否和传入的匹配,如果有多个Realm,会委托给ModularRealmAuthorizer 进行循环判断,如果匹配如isPermitted_/hasRole_会返回true,否则返回false表示授权失败。
1.7 内置过滤器
Shiro 内置了很多默认的过滤器,比如身份验证、授权等相关的。默认过滤器可以参考
org.apache.shiro.web.filter.mgt.DefaultFilter中的过滤器:
| 过滤器简称 | 对应的java类及说明 |
|---|---|
| anon | org.apache.shiro.web.filter.authc.AnonymousFilter 匿名过滤器,即不需要登录即可访问;一般用于静态资源过滤;示例“/static/**=anon” |
| authc | org.apache.shiro.web.filter.authc.FormAuthenticationFilter 基于表单的过滤器;如“/**=authc”,如果没有登录会跳到相应的登录页面登录 |
| authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter 无参,表示 httpBasic 认证 |
| perms | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter 参数可写多个,表示需要某个或某些权限才能通过,多个参数时写 perms[“user,admin”],当有多个参数时必须每个参数都通过才算通过 权限授权拦截器,验证用户是否拥有所有权限;属性和roles一样;示例“/user/**=perms["user:create"]” |
| port | org.apache.shiro.web.filter.authz.PortFilter 当请求的URL端口不是8081时,跳转到当前访问主机HOST的8081端口 端口拦截器,主要属性:port(80):可以通过的端口;示例“/test= port[80]”,如果用户访问该页面是非80,将自动将请求端口改为80并重定向到该80端口,其他路径/参数等都一样 |
| rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter 根据请求的方法,相当于 perms[user:method],其中 method 为 post,get,delete 等 rest风格拦截器,自动根据请求方法构建权限字符串(GET=read, POST=create,PUT=update,DELETE=delete,HEAD=read,TRACE=read,OPTIONS=read, MKCOL=create)构建权限字符串;示例“/users=rest[user]”,会自动拼出“user:read,user:create,user:update,user:delete”权限字符串进行权限匹配(所有都得匹配,isPermittedAll) |
| roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter 参数可写多个,表示是某个或某些角色才能通过,多个参数时写 roles[“admin,user”],当有多个参数时必须每个参数都通过才算通过 角色授权拦截器,验证用户是否拥有所有角色;主要属性: loginUrl:登录页面地址(/login.jsp);unauthorizedUrl:未授权后重定向的地址;示例“/admin/**=roles[admin]” |
| ssl | org.apache.shiro.web.filter.authz.SslFilter 无参,表示安全的URL请求,协议为 https SSL拦截器,只有请求协议是https才能通过;否则自动跳转会https端口(443);其他和port拦截器一样; |
| user | org.apache.shiro.web.filter.authc.UserFilter 无参,表示必须存在用户,当登入操作时不做检查 |
| logout | org.apache.shiro.web.filter.authc.LogoutFilter 无参,注销,执行后会直接跳转到shiroFilterFactoryBean.setLoginUrl(); 设置的url 退出过滤器,主要属性:redirectUrl:退出成功后重定向的地址,如“/logout=logout” |
anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,FormAuthenticationFilter是表单认证,没有参数
注意:anon, authc, authcBasic, user 是第一组认证过滤器,perms, port, rest, roles, ssl 是第二组授权过滤器,要通过授权过滤器,就先要完成登陆认证操作(即先要完成认证才能前去寻找授权) 才能走第二组授权器(例如访问需要 roles 权限的 url,如果还没有登陆的话,会直接跳转到shiroFilterFactoryBean.setLoginUrl(); 设置的 url )
使用FormAuthenticationFilter过虑器实现 ,原理如下:
将用户没有认证时,请求loginurl进行认证,用户身份和用户密码提交数据到loginurl FormAuthenticationFilter拦截住取出request中的username和password(两个参数名称是可以配置的) FormAuthenticationFilter调用realm传入一个token(username和password) realm认证时根据username查询用户信息(在Activeuser中存储,包括 userid、usercode、username、menus)。 如果查询不到,realm返回null,FormAuthenticationFilter向request域中填充一个参数(记录了异常信息)
1.8 项目流程分析
认证
subject.login(token)方法,进入Subject接口的默认实现类,将用户的用户名密码委托给了securityManager去做。 securityManager将用户的token委托给内部认证组件authenticator去做authenticate方法。 authenticator又将任务交由Realm处理。doAuthenticate。 Realm类对象调用doGetAuthenticationInfo(token)方法。重写的方法。
授权
客户端调用 subject.hasRole("admin"),判断当前用户是否有"admin"角色权限。 Subject门面对象接收到要被验证的角色信息"admin",并将其委托给securityManager中验证hasRole。 securityManager将验证请求再次委托内部组件Authorizer authorizer authorizer再次委托到Realm。 realm先拿到PrincipalCollection principal对象,同时传入校验的角色循环校验,循环中先创建鉴权信息。先看缓存中是否已经有鉴权信息 最后是自定义Realm中的重写的授权的方法doGetAuthorizationInfo。
SecurityManager对象创建
服务器启动,监听器捕获到了服务器启动事件。EnvironmentLoaderListener监听器 先根据shiroEnvironmentClass变量的值org.apache.shiro.web.env.IniWebEnvironment,初始化一个shiro环境对象 最后在创建一个SecurityManager对象,再将其绑定到刚才通过字节码创建的Shiro环境对象中
二、使用示例
2.1 与Springboot集成
依赖
xml
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>配置类
java
@Configuration
public class ShiroConfiguration {
//配置自定义的Realm
@Bean
public CustomRealm getRealm() {
return new CustomRealm();
}
//配置安全管理器
@Bean
public SecurityManager securityManager(CustomRealm realm) {
//使用默认的安全管理器
DefaultWebSecurityManager securityManager = new
DefaultWebSecurityManager(realm);
//将自定义的realm交给安全管理器统一调度管理
securityManager.setRealm(realm);
return securityManager;
}
//Filter工厂,设置对应的过滤条件和跳转条件
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
//1.创建shiro过滤器工厂
ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
//2.设置安全管理器
filterFactory.setSecurityManager(securityManager);
//3.通用配置(配置登录页面,登录成功页面,验证未成功页面)
filterFactory.setLoginUrl("/autherror?code=1"); //设置登录页面
filterFactory.setUnauthorizedUrl("/autherror?code=2"); //授权失败跳转页面
//4.配置过滤器集合
/**
* key :访问连接
* 支持通配符的形式
* value:过滤器类型
* shiro常用过滤器
* anno :匿名访问(表明此链接所有人可以访问)
* authc :认证后访问(表明此链接需登录认证成功之后可以访问)
*/
// 用户不具备操作权限,目标地址不会被执行。会跳转到指定的url连接地址。所以需要在连接地址中更加友好的处理未授权的信息提示
Map<String,String> filterMap = new LinkedHashMap<String,String>();
// 配置不会被拦截的链接 顺序判断
filterMap.put("/user/home", "anon");
filterMap.put("/user/**", "authc");
//5.设置过滤器
filterFactory.setFilterChainDefinitionMap(filterMap);
return filterFactory;
}
//配置shiro注解支持
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new
AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}认证授权类
java
public class CustomRealm extends AuthorizingRealm {
@Override
public void setName(String name) {
super.setName("customRealm");
}
@Autowired
private UserService userService;
/**
* 构造授权方法
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//1.获取认证的用户数据
User user = (User)principalCollection.getPrimaryPrincipal();
//2.构造认证数据
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
Set<Role> roles = user.getRoles();
for (Role role : roles) {
//添加角色信息
info.addRole(role.getName());
for (Permission permission:role.getPermissions()) {
//添加权限信息
info.addStringPermission(permission.getCode());
}
}
return info;
}
/**
* 认证方法
*/
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//1.获取登录的upToken
UsernamePasswordToken upToken = (UsernamePasswordToken)authenticationToken;
//2.获取输入的用户名密码
String username = upToken.getUsername();
String password = new String(upToken.getPassword());
//3.数据库查询用户
User user = userService.findByName(username);
//4.用户存在并且密码匹配存储用户数据
if(user != null && user.getPassword().equals(password)) {
return new SimpleAuthenticationInfo(user,user.getPassword(),this.getName());
}else {
//返回null会抛出异常,表明用户不存在或密码不匹配
return null;
}
}
}鉴权使用
java
// 配置过滤器拦截路径方式
// 注意:基于配置的方式进行授权,一旦操作用户不具备操作权限,目标地址不会被执行。会跳转到指定的url连接地址。所以需要在连接地址中更加友好的处理未授权的信息提示
//配置请求连接过滤器配置
//匿名访问(所有人员可以使用)
filterMap.put("/user/home", "anon");
//具有指定权限访问
filterMap.put("/user/find", "perms[user-find]");
//认证之后访问(登录之后可以访问)
filterMap.put("/user/**", "authc");
//具有指定角色可以访问
filterMap.put("/user/**", "roles[系统管理员]");
// 注解鉴权方式
// 注意:操作用户不具备操作权限,目标方法不会被执行,且抛出AuthorizationException 异常。所以需要做好统一异常处理完成未授权处理
//RequiresPermissions配置到方法上,表明执行此方法必须具有指定的权限
@RequiresPermissions(value = "user-find")
public String find() {
return "查询用户成功";
}
//RequiresRoles 配置到方法上,表明执行此方法必须具有指定的角色
@RequiresRoles(value = "系统管理员")
public String find() {
return "查询用户成功";
}2.2 分布式系统使用
在分布式系统或者微服务架构下,都是通过统一的认证中心进行用户认证。如果使用默认会话管理,用户信息只会保存到一台服务器上。那么其他服务就需要进行会话的同步。因此,可以使用redis配置,维护会话操作
所有服务器的session信息都存储到了同一个Redis集群中,即所有的服务都将 Session 的信息存储到 Redis 集群中,无论是对 Session 的注销、更新都会同步到集群中,达到了 Session 共享的目的。
依赖
java
<!-- 使用开源组件Shiro-Redis可以方便的构建shiro与redis的整合工程-->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>3.0.0</version>
</dependency>配置类
java
@Configuration
public class ShiroConfiguration {
@Value("${spring.redis.host}")
private String host;
@Value("${spring.redis.port}")
private int port;
//配置自定义的Realm
@Bean
public IhrmRealm getRealm() {
return new UserIhrmRealm();
}
//配置安全管理器
@Bean
public SecurityManager securityManager() {
//使用默认的安全管理器
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 自定义session管理 使用redis
securityManager.setSessionManager(sessionManager());
// 自定义缓存实现 使用redis
securityManager.setCacheManager(cacheManager());
//将自定义的realm交给安全管理器统一调度管理
securityManager.setRealm(getRealm());
return securityManager;
}
//Filter工厂,设置对应的过滤条件和跳转条件
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
//1.创建shiro过滤器工厂
ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
//2.设置安全管理器
filterFactory.setSecurityManager(securityManager);
//3.通用配置(配置登录页面,登录成功页面,验证未成功页面)
filterFactory.setLoginUrl("/autherror?code=1"); //设置登录页面
filterFactory.setUnauthorizedUrl("/autherror?code=2"); //授权失败跳转页面
//4.配置过滤器集合
/**
* key :访问连接
* 支持通配符的形式
* value:过滤器类型
* shiro常用过滤器
* anno :匿名访问(表明此链接所有人可以访问)
* authc :认证后访问(表明此链接需登录认证成功之后可以访问)
*/
Map<String,String> filterMap = new LinkedHashMap<String,String>();
//配置请求连接过滤器配置
//匿名访问(所有人员可以使用)
filterMap.put("/frame/login", "anon");
filterMap.put("/autherror", "anon");
//认证之后访问(登录之后可以访问)
filterMap.put("/**", "authc");
//5.设置过滤器
filterFactory.setFilterChainDefinitionMap(filterMap);
return filterFactory;
}
//配置shiro注解支持
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new
AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
//配置shiro redisManager
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost(host);
redisManager.setPort(port);
return redisManager;
}
//cacheManager缓存 redis实现
public RedisCacheManager cacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
return redisCacheManager;
}
/**
* RedisSessionDAO shiro sessionDao层的实现 通过redis
* 使用的是shiro-redis开源插件
*/
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
return redisSessionDAO;
}
/**
* shiro session的管理
*/
public DefaultWebSessionManager sessionManager() {
IhrmWebSessionManager sessionManager = new IhrmWebSessionManager();
sessionManager.setSessionDAO(redisSessionDAO());
return sessionManager;
}
}会话管理
java
public class IhrmWebSessionManager extends DefaultWebSessionManager {
private static final String AUTHORIZATION = "Authorization";
private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
public IhrmWebSessionManager(){
super();
}
protected Serializable getSessionId(ServletRequest request, ServletResponse response){
String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
if(StringUtils.isEmpty(id)){
//如果没有携带id参数则按照父类的方式在cookie进行获取
return super.getSessionId(request, response);
}else{
id = id.replace("Bearer ", "");
//如果请求头中有 authToken 则其值为sessionId
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,REFERENCED_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID,id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID,Boolean.TRUE);
return id;
}
}
}自定义域
java
public class UserIhrmRealm extends IhrmRealm {
@Override
public void setName(String name) {
super.setName("customRealm");
}
@Autowired
private UserService userService;
//认证方法
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//1.获取用户的手机号和密码
UsernamePasswordToken upToken = (UsernamePasswordToken) authenticationToken;
String mobile = upToken.getUsername();
String password = new String( upToken.getPassword());
//2.根据手机号查询用户
User user = userService.findByMobile(mobile);
//3.判断用户是否存在,用户密码是否和输入密码一致
if(user != null && user.getPassword().equals(password)) {
//4.构造安全数据并返回(安全数据:用户基本数据,权限信息 profileResult)
ProfileResult result = null;
if("user".equals(user.getLevel())) {
result = new ProfileResult(user);
}else {
Map map = new HashMap();
if("coAdmin".equals(user.getLevel())) {
map.put("enVisible","1");
}
List<Permission> list = permissionService.findAll(map);
result = new ProfileResult(user,list);
}
//构造方法:安全数据,密码,realm域名
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(result,user.getPassword(),this.getName());
return info;
}
//返回null,会抛出异常,标识用户名和密码不匹配
return null;
}
}java
public class IhrmRealm extends AuthorizingRealm {
@Override
public void setName(String name) {
super.setName("ihrmRealm");
}
//授权方法
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//1.获取安全数据
ProfileResult result =
(ProfileResult)principalCollection.getPrimaryPrincipal();
//2.获取权限信息
Set<String> apisPerms = (Set<String>)result.getRoles().get("apis");
//3.构造权限数据,返回值
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setStringPermissions(apisPerms);
return info;
}
/**
* 认证方法
*/
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
return null;
}
}依赖键值对对象
java
@Setter
@Getter
public class ProfileResult implements Serializable,AuthCachePrincipal {
private String mobile;
private String username;
private String company;
private String companyId;
private Map<String,Object> roles = new HashMap<>();
}认证
java
//用户名密码登录
@RequestMapping(value="/login",method = RequestMethod.POST)
public Result login(@RequestBody Map<String,String> loginMap) {
String mobile = loginMap.get("mobile");
String password = loginMap.get("password");
try {
//1.构造登录令牌 UsernamePasswordToken
//加密密码
password = new Md5Hash(password,mobile,3).toString(); //1.密码,盐,加密次数
UsernamePasswordToken upToken = new UsernamePasswordToken(mobile,password);
//2.获取subject
Subject subject = SecurityUtils.getSubject();
//3.调用login方法,进入realm完成认证
subject.login(upToken);
//4.获取sessionId
String sessionId = (String)subject.getSession().getId();
//5.构造返回结果
return new Result(ResultCode.SUCCESS,sessionId);
}catch (Exception e) {
return new Result(ResultCode.MOBILEORPASSWORDERROR);
}
}获取session
java
//使用shiro获取
@ModelAttribute
public void setResAnReq(HttpServletRequest request,HttpServletResponse response) {
this.request = request;
this.response = response;
//获取session中的安全数据
Subject subject = SecurityUtils.getSubject();
//1.subject获取所有的安全数据集合
PrincipalCollection principals = subject.getPrincipals();
if(principals != null && !principals.isEmpty()){
//2.获取安全数据
ProfileResult result = (ProfileResult)principals.getPrimaryPrincipal();
this.companyId = result.getCompanyId();
this.companyName = result.getCompany();
}
}未认证跳转
java
//使用shiro获取
@ModelAttribute
public void setResAnReq(HttpServletRequest request,HttpServletResponse response) {
this.request = request;
this.response = response;
//获取session中的安全数据
Subject subject = SecurityUtils.getSubject();
//1.subject获取所有的安全数据集合
PrincipalCollection principals = subject.getPrincipals();
if(principals != null && !principals.isEmpty()){
//2.获取安全数据
ProfileResult result = (ProfileResult)principals.getPrimaryPrincipal();
this.companyId = result.getCompanyId();
this.companyName = result.getCompany();
}
}redissession 自定义实现
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.utils.ShiroRedissionSerialize;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
import org.redisson.api.RBucket;
import org.redisson.api.RedissonClient;
import javax.annotation.Resource;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
/**
* @Description 实现shiro session的memcached集中式管理~
*/
@Log4j2
public class RedisSessionDao extends AbstractSessionDAO {
@Resource(name = "redissonClientForShiro")
RedissonClient redissonClient;
private Long globalSessionTimeout;
@Override
protected Serializable doCreate(Session session) {
Serializable sessionId = generateSessionId(session);
assignSessionId(session, sessionId);
// log.info("=============创建sessionId:{}",sessionId);
RBucket<String> sessionIdRBucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+sessionId.toString());
sessionIdRBucket.trySet(ShiroRedissionSerialize.serialize(session), globalSessionTimeout, TimeUnit.SECONDS);
return sessionId;
}
@Override
protected Session doReadSession(Serializable sessionId) {
RBucket<String> sessionIdRBucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+sessionId.toString());
Session session = (Session) ShiroRedissionSerialize.deserialize(sessionIdRBucket.get());
// log.info("=============读取sessionId:{}",session.getId().toString());
return session;
}
@Override
public void delete(Session session) {
// log.info("=============删除sessionId:{}",session.getId().toString());
RBucket<String> sessionIdRBucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+session.getId().toString());
sessionIdRBucket.delete();
}
@Override
public Collection<Session> getActiveSessions() {
return Collections.emptySet();
}
@Override
public void update(Session session) {
RBucket<String> sessionIdRBucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+session.getId().toString());
sessionIdRBucket.set(ShiroRedissionSerialize.serialize(session), globalSessionTimeout, TimeUnit.SECONDS);
// log.info("=============修改sessionId:{}",session.getId().toString());
}
public void setGlobalSessionTimeout(Long globalSessionTimeout) {
this.globalSessionTimeout = globalSessionTimeout;
}
}2.3 与SSM项目集成
依赖
xml
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.3.2</version>
</dependency>web.xml配置
xml
<!-- 初始化SecurityManager对象所需要的环境-->
<context-param>
<param-name>shiroEnvironmentClass</param-name>
<param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value>
</context-param>
<!-- 指定Shiro的配置文件的位置 -->
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:shiro.ini</param-value>
</context-param>
<!-- 监听服务器启动时,创建shiro的web环境。
即加载shiroEnvironmentClass变量指定的IniWebEnvironment类-->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<!-- shiro过虑器,DelegatingFilterProxy通过代理模式将spring容器中的bean和filter关联起来 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<!-- 设置true由servlet容器控制filter的生命周期 -->
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
<!-- 设置spring容器filter的bean id,如果不设置则找与filter-name一致的bean-->
<init-param>
<param-name>targetBeanName</param-name>
<param-value>shiroFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>spring配置文件配置
xml
<!-- web.xml中shiro的filter对应的bean -->
<!-- Shiro 的Web过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<!-- loginUrl认证提交地址,如果没有认证将会请求此地址进行认证,请求此地址将由formAuthenticationFilter进行表单认证 -->
<property name="loginUrl" value="/login.do" />
<!-- 认证成功统一跳转到index.do,建议不配置,shiro认证成功自动到上一个请求路径 -->
<property name="successUrl" value="/index.do"/>
<!-- 通过unauthorizedUrl指定没有权限操作时跳转页面-->
<property name="unauthorizedUrl" value="/refuse.jsp" />
<!-- 过虑器链定义,从上向下顺序执行,一般将/**放在最下边 -->
<property name="filterChainDefinitions">
<value>
<!-- /** = authc 所有url都必须认证通过才可以访问-->
<!--
anon 不经授权验证
authc 需登录认证后使用
roles 具有相应的角色,多个时需具有全部角色 admins/user/=roles["admin,guest"]
perms 具有相应的权限,多个时需全部满足 /admins/user/=perms["user:add:,user:modify:"]
rest 请求方式权限 /admins/user/=rest[user]相当于/admins/user/=perms[user:method] method为post,get,delete等请求方式
port 端口
authcBasic httpBasic认证 /admins/user/=ssl没有参数,表示安全的url请求,协议为https
user /admins/user/**=user没有参数表示必须存在用户, 身份认证通过或通过记住我认证通过的可以访问
-->
/login.jsp=anon
/** = authc
<!-- /** = anon所有url都可以匿名访问 -->
</value>
</property>
</bean>
<!-- securityManager安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm" />
</bean>
<!-- realm -->
<bean id="userRealm" class="cn.siggy.realm.UserRealm">
<!-- 将凭证匹配器设置到realm中,realm按照凭证匹配器的要求进行散列 -->
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!-- 凭证匹配器 -->
<bean id="credentialsMatcher"
class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5" />
<property name="hashIterations" value="1" />
</bean>使用
java
@Controller
public class LoginController {
@RequestMapping("/login.do")
public String login(HttpServletRequest req,Model model){
String exceptionClassName = (String)req.getAttribute("shiroLoginFailure");
String error = null;
if(UnknownAccountException.class.getName().equals(exceptionClassName)) {
error = "用户名/密码错误";
} else if(IncorrectCredentialsException.class.getName().equals(exceptionClassName))
{
error = "用户名/密码错误";
} else if(exceptionClassName != null) {
error = "其他错误:" + exceptionClassName;
}
model.addAttribute("error", error);
return "redirect:login.jsp";
}
}2.4 Realm缓存结合Redis
对UserBridgeServiceImpl的实现类里面的逻辑加入了自定义的SimpleCacheService缓存服务接口,简单来说实现了在认证和鉴权时不需要每次都去查询数据库,而是把认证和鉴权信息放入到redis缓存中,以减低数据库的访问压力 1、集成redis服务器,作为集中存储认证和鉴权信息
2、改写UserBridgeServiceImpl使其优先从缓存中读取
redission集成
添加ShiroRedisProperties,此类主要负责yaml文件的配置类
java
package com.itheima.shiro.config;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import java.io.Serializable;
/**
* @Description redis配置文件
*/
@Data
@ConfigurationProperties(prefix = "itheima.framework.shiro.redis")
public class ShiroRedisProperties implements Serializable {
/**
* redis连接地址
*/
private String nodes ;
/**
* 获取连接超时时间
*/
private int connectTimeout ;
/**
* 连接池大小
*/
private int connectPoolSize;
/**
* 初始化连接数
*/
private int connectionMinimumidleSize ;
/**
* 等待数据返回超时时间
*/
private int timeout ;
/**
* 全局超时时间
*/
private long globalSessionTimeout;
}编辑ShiroConfig
集成redisson的相关配置,同时启用ShiroRedisProperties的配置
java
package com.itheima.shiro.config;
import com.itheima.shiro.core.ShiroDbRealm;
import com.itheima.shiro.core.impl.ShiroDbRealmImpl;
import com.itheima.shiro.filter.RolesOrAuthorizationFilter;
import com.itheima.shiro.properties.PropertiesUtil;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.config.Config;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
/**
* @Description 权限配置类
*/
@Configuration
@ComponentScan(basePackages = "com.itheima.shiro.core")
@EnableConfigurationProperties({ShiroRedisProperties.class})
@Log4j2
public class ShiroConfig {
@Autowired
private ShiroRedisProperties shiroRedisProperties;
/**
* @Description redission客户端
*/
@Bean("redissonClientForShiro")
public RedissonClient redissonClient() {
log.info("=====初始化redissonClientForShiro开始======");
String[] nodeList = shiroRedisProperties.getNodes().split(",");
Config config = new Config();
if (nodeList.length == 1) {
config.useSingleServer().setAddress(nodeList[0])
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
} else {
config.useClusterServers().addNodeAddress(nodeList)
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setMasterConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setMasterConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
}
RedissonClient redissonClient = Redisson.create(config);
log.info("=====初始化redissonClientForShiro完成======");
return redissonClient;
}
/**
* @Description 创建cookie对象
*/
@Bean(name="sessionIdCookie")
public SimpleCookie simpleCookie(){
SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setName("ShiroSession");
return simpleCookie;
}
/**
* @Description 权限管理器
* @param
* @return
*/
@Bean(name="securityManager")
public DefaultWebSecurityManager defaultWebSecurityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroDbRealm());
securityManager.setSessionManager(shiroSessionManager());
return securityManager;
}
/**
* @Description 自定义RealmImpl
*/
@Bean(name="shiroDbRealm")
public ShiroDbRealm shiroDbRealm(){
return new ShiroDbRealmImpl();
}
/**
* @Description 会话管理器
*/
@Bean(name="sessionManager")
public DefaultWebSessionManager shiroSessionManager(){
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionValidationSchedulerEnabled(false);
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(simpleCookie());
sessionManager.setGlobalSessionTimeout(3600000);
return sessionManager;
}
/**
* @Description 保证实现了Shiro内部lifecycle函数的bean执行
*/
@Bean(name = "lifecycleBeanPostProcessor")
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* @Description AOP式方法级权限检查
*/
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
/**
* @Description 配合DefaultAdvisorAutoProxyCreator事项注解权限校验
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(defaultWebSecurityManager());
return new AuthorizationAttributeSourceAdvisor();
}
/**
* @Description 过滤器链
*/
private Map<String, String> filterChainDefinition(){
List<Object> list = PropertiesUtil.propertiesShiro.getKeyList();
Map<String, String> map = new LinkedHashMap<>();
for (Object object : list) {
String key = object.toString();
String value = PropertiesUtil.getShiroValue(key);
log.info("读取防止盗链控制:---key{},---value:{}",key,value);
map.put(key, value);
}
return map;
}
/**
* @Description 自定义过滤器定义
*/
private Map<String, Filter> filters() {
Map<String, Filter> map = new HashMap<String, Filter>();
map.put("roleOr", new RolesOrAuthorizationFilter());
return map;
}
/**
* @Description Shiro过滤器
*/
@Bean("shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean(){
ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
shiroFilter.setSecurityManager(defaultWebSecurityManager());
//使自定义过滤器生效
shiroFilter.setFilters(filters());
shiroFilter.setFilterChainDefinitionMap(filterChainDefinition());
shiroFilter.setLoginUrl("/login");
shiroFilter.setUnauthorizedUrl("/login");
return shiroFilter;
}
}缓存对象SimpleMapCache
java
package com.itheima.shiro.core.base;
import com.itheima.shiro.utils.EmptyUtil;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import java.io.Serializable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
/**
* @Description 缓存实现类, 实现序列 接口方便对象存储于第三方容器(Map存放键值对)
*/
public class SimpleMapCache implements Cache<Object, Object>, Serializable {
private final Map<Object, Object> attributes;
private final String name;
public SimpleMapCache(String name, Map<Object, Object> backingMap) {
if (name == null)
throw new IllegalArgumentException("Cache name cannot be null.");
if (backingMap == null) {
throw new IllegalArgumentException("Backing map cannot be null.");
} else {
this.name = name;
attributes = backingMap;
}
}
public Object get(Object key) throws CacheException {
return attributes.get(key);
}
public Object put(Object key, Object value) throws CacheException {
return attributes.put(key, value);
}
public Object remove(Object key) throws CacheException {
return attributes.remove(key);
}
public void clear() throws CacheException {
attributes.clear();
}
public int size() {
return attributes.size();
}
public Set<Object> keys() {
Set<Object> keys = attributes.keySet();
if (!keys.isEmpty())
return Collections.unmodifiableSet(keys);
else
return Collections.emptySet();
}
public Collection<Object> values() {
Collection<Object> values = attributes.values();
if (!EmptyUtil.isNullOrEmpty(values))
return Collections.unmodifiableCollection(values);
else
return Collections.emptySet();
}
@Override
public String toString() {
return "SimpleMapCache [attributes=" + attributes + ", name=" + name
+ ", keys()=" + keys() + ", size()=" + size() + ", values()="
+ values() + "]";
}
}ShiroRedissionSerialize序列化工具
java
package com.itheima.shiro.utils;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.codec.Base64;
import java.io.*;
/**
* @Description:实现shiro会话的序列化存储
*/
@Log4j2
public class ShiroRedissionSerialize {
public static Object deserialize(String str) {
if (EmptyUtil.isNullOrEmpty(str)) {
return null;
}
ByteArrayInputStream bis = null;
ObjectInputStream ois = null;
Object object=null;
try {
bis = new ByteArrayInputStream(EncodesUtil.decodeBase64(str));
ois = new ObjectInputStream(bis);
object = ois.readObject();
} catch (IOException |ClassNotFoundException e) {
log.error("流读取异常:{}",e);
} finally {
try {
bis.close();
ois.close();
} catch (IOException e) {
log.error("流读取异常:{}",e);
}
}
return object;
}
public static String serialize(Object obj) {
if (EmptyUtil.isNullOrEmpty(obj)) {
return null;
}
ByteArrayOutputStream bos = null;
ObjectOutputStream oos = null;
String base64String = null;
try {
bos = new ByteArrayOutputStream();
oos = new ObjectOutputStream(bos);
oos.writeObject(obj);
base64String = EncodesUtil.encodeBase64(bos.toByteArray());
} catch (IOException e) {
log.error("流写入异常:{}",e);
} finally {
try {
bos.close();
oos.close();
} catch (IOException e) {
log.error("流写入异常:{}",e);
}
}
return base64String;
}
}缓存服务接口SimpleCacheService
SimpleCacheService
java
package com.itheima.shiro.core;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
/**
* @Description 简单的缓存管理接口
*/
public interface SimpleCacheService {
/**
* <b>功能说明:</b>:新增缓存堆到管理器<br>
*/
void createCache(String cacheName, Cache<Object, Object> cache) throws CacheException;
/**
* <b>方法名:</b>:getCache<br>
* <b>功能说明:</b>:获取缓存堆<br>
*/
Cache<Object, Object> getCache(String cacheName) throws CacheException;
/**
* <b>方法名:</b>:removeCache<br>
* <b>功能说明:</b>:移除缓存堆<br>
*/
void removeCache(String cacheName) throws CacheException;
/**
* <b>方法名:</b>:updateCahce<br>
* <b>功能说明:</b>:更新缓存堆<br>
*/
void updateCahce(String cacheName, Cache<Object, Object> cache) throws CacheException;
}SimpleCacheServiceImpl 调用RedissonClient去实现缓存,同时使用ShiroRedissionSerialize实现序列化
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.core.SimpleCacheService;
import com.itheima.shiro.utils.ShiroRedissionSerialize;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import org.redisson.api.RBucket;
import org.redisson.api.RedissonClient;
import org.springframework.stereotype.Component;
import javax.annotation.Resource;
import java.util.concurrent.TimeUnit;
/**
*
* @Description 简单的缓存管理接口的实现
*/
@Log4j2
@Component
public class SimpleCacheServiceImpl implements SimpleCacheService {
@Resource(name = "redissonClientForShiro")
RedissonClient redissonClient;
@Override
public void createCache(String name, Cache<Object, Object> cache){
RBucket<String> bucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+name);
bucket.trySet(ShiroRedissionSerialize.serialize(cache), SecurityUtils.getSubject().getSession().getTimeout()/1000, TimeUnit.SECONDS);
}
@SuppressWarnings("unchecked")
@Override
public Cache<Object, Object> getCache(String name) throws CacheException {
RBucket<String> bucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+name);
return (Cache<Object, Object>) ShiroRedissionSerialize.deserialize(bucket.get());
}
@Override
public void removeCache(String name) throws CacheException {
RBucket<String> bucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+name);
bucket.delete();
}
@Override
public void updateCahce(String name, Cache<Object, Object> cache){
RBucket<String> bucket = redissonClient.getBucket(CacheConstant.GROUP_CAS+name);
bucket.set(ShiroRedissionSerialize.serialize(cache), SecurityUtils.getSubject().getSession().getTimeout()/1000, TimeUnit.MILLISECONDS);
}
}桥接器BridgeService
java
package com.itheima.shiro.core.bridge;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.pojo.User;
import org.apache.shiro.authz.AuthorizationInfo;
import java.util.List;
/**
* @Description:用户信息桥接(后期会做缓存)
*/
public interface UserBridgeService {
/**
* @Description 查找用户信息
* @param loginName 用户名称
* @return user对象
*/
User findUserByLoginName(String loginName);
/**
* @Description 鉴权方法
* @param shiroUser 令牌对象
* @return 鉴权信息
*/
AuthorizationInfo getAuthorizationInfo(ShiroUser shiroUser);
/**
* @Description 查询用户对应角色标识list
* @param userId 用户id
* @return 角色标识集合
*/
List<String> findRoleList(String key,String userId);
/**
* @Description 查询用户对应资源标识list
* @param userId 用户id
* @return 资源标识集合
*/
List<String> findResourcesList(String key,String userId);
/**
* @Description 查询资源ids
* @param userId 用户id
* @return 资源id集合
*/
List<String> findResourcesIds(String userId);
/**
* @Description 加载缓存
* @param shiroUser 令牌对象
* @return
*/
void loadUserAuthorityToCache(ShiroUser shiroUser);
}实现类
java
package com.itheima.shiro.core.bridge.impl;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.core.SimpleCacheService;
import com.itheima.shiro.core.adapter.UserAdapter;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleMapCache;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.pojo.Resource;
import com.itheima.shiro.pojo.Role;
import com.itheima.shiro.pojo.User;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.utils.ShiroUtil;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @Description:用户信息桥接(后期会做缓存)
*/
@Component("userBridgeService")
public class UserBridgeServiceImpl implements UserBridgeService {
@Autowired
UserAdapter userAdapter;
@Autowired
SimpleCacheService simpleCacheService;
@Override
public User findUserByLoginName(String loginName) {
String key = CacheConstant.FIND_USER_BY_LOGINNAME + loginName;
//获取缓存
Cache<Object, Object> cache = simpleCacheService.getCache(key);
//缓存存在
if (!EmptyUtil.isNullOrEmpty(cache)){
return (User) cache.get(key);
}
//缓存不存在
User user = userAdapter.findUserByLoginName(loginName);
if (!EmptyUtil.isNullOrEmpty(user)){
Map<Object,Object> map = new HashMap<>();
map.put(key, user);
SimpleMapCache simpleMapCache = new SimpleMapCache(key, map);
simpleCacheService.creatCache(key, simpleMapCache);
}
return user;
}
@Override
public List<String> findResourcesIds(String userId) {
String sessionId = ShiroUtil.getShiroSessionId();
String key = CacheConstant.RESOURCES_KEY_IDS+sessionId;
List<Resource> resources = new ArrayList<>();
//获取缓存
Cache<Object, Object> cache = simpleCacheService.getCache(key);
//缓存存在
if (!EmptyUtil.isNullOrEmpty(cache)){
resources = (List<Resource>) cache.get(key);
}else {
//缓存不存在
resources = userAdapter.findResourceByUserId(userId);
if (!EmptyUtil.isNullOrEmpty(resources)){
Map<Object,Object> map = new HashMap<>();
map.put(key, resources);
SimpleMapCache simpleMapCache = new SimpleMapCache(key, map);
simpleCacheService.creatCache(key,simpleMapCache );
}
}
List<String> ids = new ArrayList<>();
for (Resource resource : resources) {
ids.add(resource.getId());
}
return ids;
}
@Override
public AuthorizationInfo getAuthorizationInfo(ShiroUser shiroUser) {
String sessionId = ShiroUtil.getShiroSessionId();
String roleKey = CacheConstant.ROLE_KEY+sessionId;
String resourcesKey = CacheConstant.RESOURCES_KEY+sessionId;
//查询用户对应的角色标识
List<String> roleList = this.findRoleList(roleKey,shiroUser.getId());
//查询用户对于的资源标识
List<String> resourcesList = this.findResourcesList(resourcesKey,shiroUser.getId());
//构建鉴权信息对象
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addRoles(roleList);
simpleAuthorizationInfo.addStringPermissions(resourcesList);
return simpleAuthorizationInfo;
}
@Override
public List<String> findRoleList(String key,String userId){
List<Role> roles = new ArrayList<>();
//获得缓存
Cache<Object, Object> cache = simpleCacheService.getCache(key);
//缓存存在
if (!EmptyUtil.isNullOrEmpty(cache)){
roles = (List<Role>) cache.get(key);
}else {
//缓存不存在
roles = userAdapter.findRoleByUserId(userId);
if (!EmptyUtil.isNullOrEmpty(roles)){
Map<Object,Object> map = new HashMap<>();
map.put(key, roles);
SimpleMapCache simpleMapCache = new SimpleMapCache(key, map);
simpleCacheService.creatCache(key,simpleMapCache );
}
}
List<String> roleLabel = new ArrayList<>();
for (Role role : roles) {
roleLabel.add(role.getLabel());
}
return roleLabel;
}
@Override
public List<String> findResourcesList(String key,String userId){
List<Resource> resources = new ArrayList<>();
//获得缓存
Cache<Object, Object> cache = simpleCacheService.getCache(key);
//缓存存在
if (!EmptyUtil.isNullOrEmpty(cache)){
resources = (List<Resource>) cache.get(key);
}else {
//缓存不存在
resources = userAdapter.findResourceByUserId(userId);
if (!EmptyUtil.isNullOrEmpty(resources)){
Map<Object,Object> map = new HashMap<>();
map.put(key, resources);
SimpleMapCache simpleMapCache = new SimpleMapCache(key, map);
simpleCacheService.creatCache(key,simpleMapCache );
}
}
List<String> resourceLabel = new ArrayList<>();
for (Resource resource : resources) {
resourceLabel.add(resource.getLabel());
}
return resourceLabel;
}
@Override
public void loadUserAuthorityToCache(ShiroUser shiroUser) {
String sessionId = ShiroUtil.getShiroSessionId();
String roleKey = CacheConstant.ROLE_KEY+sessionId;
String resourcesKey = CacheConstant.RESOURCES_KEY+sessionId;
//查询用户对应的角色标识
List<String> roleList = this.findRoleList(roleKey,shiroUser.getId());
//查询用户对于的资源标识
List<String> resourcesList = this.findResourcesList(resourcesKey,shiroUser.getId());
}
}缓存清理
用户在点击退出时候,我们还没有清理缓存!如果不清理,在用户量大的时候,可能会有大量的垃圾信息在redis中存在。 重写ShiroConfig
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.constant.SuperConstant;
import com.itheima.shiro.core.ShiroDbRealm;
import com.itheima.shiro.core.SimpleCacheService;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleToken;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.pojo.User;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.utils.ShiroUtil;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
/**
* @Description:自定义realm的抽象类实现
*/
public class ShiroDbRealmImpl extends ShiroDbRealm {
@Autowired
UserBridgeService userBridgeService;
@Autowired
SimpleCacheService simpleCacheService;
@Override
public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//token令牌信息
SimpleToken simpleToken = (SimpleToken) token;
//查询user对象
User user = userBridgeService.findUserByLoginName(simpleToken.getUsername());
if (EmptyUtil.isNullOrEmpty(user)){
throw new UnknownAccountException("账号不存在!");
}
//构建认证令牌对象
ShiroUser shiroUser = BeanConv.toBean(user, ShiroUser.class);
shiroUser.setResourceIds(userBridgeService.findResourcesIds(shiroUser.getId()));
String slat = shiroUser.getSalt();
String password = shiroUser.getPassWord();
//构建认证信息对象:1、令牌对象 2、密文密码 3、加密因子 4、当前realm的名称
return new SimpleAuthenticationInfo(shiroUser, password, ByteSource.Util.bytes(slat), getName());
}
@Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
ShiroUser shiroUser = (ShiroUser) principals.getPrimaryPrincipal();
return userBridgeService.getAuthorizationInfo(shiroUser);
}
@Override
protected void doClearCache(PrincipalCollection principals) {
ShiroUser shiroUser = (ShiroUser) principals.getPrimaryPrincipal();
String sessionId = ShiroUtil.getShiroSessionId();
String roleKey = CacheConstant.ROLE_KEY+sessionId;
String resourcesKey = CacheConstant.RESOURCES_KEY+sessionId;
String loginNamekey = CacheConstant.FIND_USER_BY_LOGINNAME + shiroUser.getLoginName();
String resourcesIdKey = CacheConstant.RESOURCES_KEY_IDS+sessionId;
simpleCacheService.removeCache(roleKey);
simpleCacheService.removeCache(resourcesKey);
simpleCacheService.removeCache(loginNamekey);
simpleCacheService.removeCache(resourcesIdKey);
super.doClearCache(principals);
}
@Override
public void initCredentialsMatcher() {
//指定密码算法
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher(SuperConstant.HASH_ALGORITHM);
//指定迭代次数
hashedCredentialsMatcher.setHashIterations(SuperConstant.HASH_INTERATIONS);
//生效密码比较器
setCredentialsMatcher(hashedCredentialsMatcher);
}
}2.5 限制密码重试次数
实现原理
保证原子性:
单系统:AtomicLong计数 集群系统:RedissionClient提供的RAtomicLong计数 1、获取系统中是否已有登录次数缓存,缓存对象结构预期为:"用户名--登录次数"。 2、如果之前没有登录缓存,则创建一个登录次数缓存。 3、如果缓存次数已经超过限制,则驳回本次登录请求。 4、将缓存记录的登录次数加1,设置指定时间内有效 5、验证用户本次输入的帐号密码,如果登录登录成功,则清除掉登录次数的缓存
自定义密码比较器
RetryLimitCredentialsMatcher
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.core.base.ShiroUser;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.redisson.api.RAtomicLong;
import org.redisson.api.RedissonClient;
import java.util.concurrent.TimeUnit;
/**
* @Description:密码重试比较器
*/
public class RetryLimitCredentialsMatcher extends HashedCredentialsMatcher {
private RedissonClient redissonClient;
private static Long RETRY_LIMIT_NUM = 4L;
/**
* @Description 构造函数
* @param hashAlgorithmName 匹配次数
* @return
*/
public RetryLimitCredentialsMatcher(String hashAlgorithmName,RedissonClient redissonClient) {
super(hashAlgorithmName);
this.redissonClient = redissonClient;
}
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
//获得登录吗
String loginName = (String) token.getPrincipal();
//获得缓存
RAtomicLong atomicLong = redissonClient.getAtomicLong(loginName);
long retryFlag = atomicLong.get();
//判断次数
if (retryFlag>RETRY_LIMIT_NUM){
//超过次数设计10分钟后重试
atomicLong.expire(10, TimeUnit.MICROSECONDS);
throw new ExcessiveAttemptsException("密码错误5次,请10分钟以后再试");
}
//累加次数
atomicLong.incrementAndGet();
atomicLong.expire(10, TimeUnit.MICROSECONDS);
//密码校验
boolean flag = super.doCredentialsMatch(token, info);
if (flag){
//校验成功删除限制
atomicLong.delete();
}
return flag;
}
}重写ShiroDbRealmImpl 修改initCredentialsMatcher方法,使用RetryLimitCredentialsMatcher
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.constant.SuperConstant;
import com.itheima.shiro.core.SimpleCacheManager;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleToken;
import com.itheima.shiro.core.ShiroDbRealm;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.pojo.User;
import com.itheima.shiro.utils.*;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.redisson.api.RedissonClient;
import org.springframework.beans.factory.annotation.Autowired;
import javax.annotation.Resource;
/**
* @Description:自定义shiro的实现
*/
public class ShiroDbRealmImpl extends ShiroDbRealm {
@Autowired
private UserBridgeService userBridgeService;
@Autowired
private SimpleCacheManager simpleCacheManager;
@Resource(name = "redissonClientForShiro")
private RedissonClient redissonClient;
/**
* @Description 认证方法
* @param authcToken 校验传入令牌
* @return AuthenticationInfo
*/
@Override
public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {
SimpleToken token = (SimpleToken)authcToken;
User user = userBridgeService.findUserByLoginName(token.getUsername());
if(EmptyUtil.isNullOrEmpty(user)){
throw new UnknownAccountException("账号不存在");
}
ShiroUser shiroUser = BeanConv.toBean(user, ShiroUser.class);
String sessionId = ShiroUserUtil.getShiroSessionId();
String cacheKeyResourcesIds = CacheConstant.RESOURCES_KEY_IDS+sessionId;
shiroUser.setResourceIds(userBridgeService.findResourcesIdsList(cacheKeyResourcesIds,user.getId()));
String salt = user.getSalt();
String password = user.getPassWord();
return new SimpleAuthenticationInfo(shiroUser, password, ByteSource.Util.bytes(salt), getName());
}
/**
* @Description 授权方法
* @param principals SimpleAuthenticationInfo对象第一个参数
* @return
*/
@Override
public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
ShiroUser shiroUser = (ShiroUser) principals.getPrimaryPrincipal();
return userBridgeService.getAuthorizationInfo(shiroUser);
}
/**
* @Description 清理缓存
*/
@Override
public void doClearCache(PrincipalCollection principalcollection) {
String sessionId = ShiroUtil.getShiroSessionId();
simpleCacheManager.removeCache(CacheConstant.ROLE_KEY+sessionId);
simpleCacheManager.removeCache(CacheConstant.RESOURCES_KEY+sessionId);
simpleCacheManager.removeCache(CacheConstant.TOKEN+sessionId);
}
/**
* @Description 加密方式
*/
@Override
public void initCredentialsMatcher() {
RetryLimitCredentialsMatcher matcher = new RetryLimitCredentialsMatcher(SuperConstant.HASH_ALGORITHM,redissonClient);
matcher.setHashIterations(SuperConstant.HASH_INTERATIONS);
setCredentialsMatcher(matcher);
}
}2.6 在线并发登录人数控制
实现原理
在实际开发中,我们可能会遇到这样的需求,一个账号只允许同时一个在线,当账号在其他地方登陆的时候,会踢出前面登陆的账号,那我们怎么实现
- 自定义过滤器:继承AccessControlFilter
- 使用redis队列控制账号在线数目
1、只针对登录用户处理,首先判断是否登录 2、使用RedissionClien创建队列 3、判断当前sessionId是否存在于此用户的队列=key:登录名 value:多个sessionId 4、不存在则放入队列尾端==>存入sessionId 5、判断当前队列大小是否超过限定此账号的可在线人数 6、超过: *从队列头部拿到用户sessionId *从sessionManger根据sessionId拿到session *从sessionDao中移除session会话 7、未超过:放过操作
代码实现
KickedOutAuthorizationFilter
java
package com.itheima.shiro.filter;
import com.itheima.shiro.core.impl.RedisSessionDao;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.utils.ShiroUserUtil;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.session.ExpiredSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.redisson.api.RDeque;
import org.redisson.api.RedissonClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import javax.annotation.Resource;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* @Description:
*/
@Log4j2
public class KickedOutAuthorizationFilter extends AccessControlFilter {
private RedissonClient redissonClient;
private SessionDAO redisSessionDao;
private DefaultWebSessionManager sessionManager;
public KickedOutAuthorizationFilter(RedissonClient redissonClient, SessionDAO redisSessionDao, DefaultWebSessionManager sessionManager) {
this.redissonClient = redissonClient;
this.redisSessionDao = redisSessionDao;
this.sessionManager = sessionManager;
}
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object o) throws Exception {
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
Subject subject = getSubject(servletRequest, servletResponse);
if (!subject.isAuthenticated()) {
//如果没有登录,直接进行之后的流程
return true;
}
//存放session对象进入队列
String sessionId = ShiroUserUtil.getShiroSessionId();
String LoginName = ShiroUserUtil.getShiroUser().getLoginName();
RDeque<String> queue = redissonClient.getDeque("KickedOutAuthorizationFilter:"+LoginName);
//判断sessionId是否存在于此用户的队列中
boolean flag = queue.contains(sessionId);
if (!flag) {
queue.addLast(sessionId);
}
//如果此时队列大于1,则开始踢人
if (queue.size() > 1) {
sessionId = queue.getFirst();
queue.removeFirst();
Session session = null;
try {
session = sessionManager.getSession(new DefaultSessionKey(sessionId));
}catch (UnknownSessionException ex){
log.info("session已经失效");
}catch (ExpiredSessionException expiredSessionException){
log.info("session已经过期");
}
if (!EmptyUtil.isNullOrEmpty(session)){
redisSessionDao.delete(session);
}
}
return true;
}
}修改ShiroConfig
java
/**
* @Description 自定义过滤器定义
*/
private Map<String, Filter> filters() {
Map<String, Filter> map = new HashMap<String, Filter>();
map.put("roleOr", new RolesOrAuthorizationFilter());
map.put("kickedOut", new KickedOutAuthorizationFilter(redissonClient(), redisSessionDao(), shiroSessionManager()));
return map;
}修改authentication.properties
properties
#静态资源不过滤
/static/**=anon
#登录链接不过滤
/login/**=anon
#访问/resource/**需要有admin的角色
/resource/**=role-or[MangerRole,SuperAdmin]
#其他链接是需要登录的
/**=kickedOut,auth2.7 Springboot+Shiro+Jwt前后端分离鉴权
方案
1、用户登陆之后,获得此时会话的sessionId,使用JWT根据sessionId颁发签名并设置过期时间(与session过期时间相同)返回token 2、将token保存到客户端本地,并且每次发送请求时都在header上携带JwtToken 3、ShiroSessionManager继承DefaultWebSessionManager,重写getSessionId方法,从header上检测是否携带JwtToken,如果携带,则进行解码JwtToken,使用JwtToken中的jti作为SessionId。 4、重写shiro的默认过滤器,使其支持jwtToken有效期校验、及对JSON的返回支持 JwtAuthcFilter:实现是否需要登录的过滤,拒绝时如果header上携带JwtToken,则返回对应json JwtPermsFilter:实现是否有对应资源的过滤,拒绝时如果header上携带JwtToken,则返回对应json JwtRolesFilter:实现是否有对应角色的过滤,拒绝时如果header上携带JwtToken,则返回对应json
集成jwt
JwtProperties用于支持yaml文件配置的配置类
java
package com.itheima.shiro.config;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import java.io.Serializable;
/**
* @Description:jw配置文件
*/
@Data
@ConfigurationProperties(prefix = "itheima.framework.jwt")
public class JwtProperties implements Serializable {
/**
* @Description 签名密码
*/
private String hexEncodedSecretKey;
}JwtTokenManager 负责令牌的颁发、解析、校验
java
package com.itheima.shiro.core.impl;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.itheima.shiro.config.JwtProperties;
import com.itheima.shiro.utils.EncodesUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.stereotype.Service;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
@Service("jwtTokenManager")
@EnableConfigurationProperties({JwtProperties.class})
public class JwtTokenManager {
@Autowired
JwtProperties jwtProperties;
/**
* @Description 签发令牌
* jwt字符串包括三个部分
* 1. header
* -当前字符串的类型,一般都是“JWT”
* -哪种算法加密,“HS256”或者其他的加密算法
* 所以一般都是固定的,没有什么变化
* 2. payload
* 一般有四个最常见的标准字段(下面有)
* iat:签发时间,也就是这个jwt什么时候生成的
* jti:JWT的唯一标识
* iss:签发人,一般都是username或者userId
* exp:过期时间
* @param iss 签发人
* @param ttlMillis 有效时间
* @param claims jwt中存储的一些非隐私信息
* @return
*/
public String IssuedToken(String iss, long ttlMillis,String sessionId, Map<String, Object> claims) {
if (claims == null) {
claims = new HashMap<>();
}
long nowMillis = System.currentTimeMillis();
String base64EncodedSecretKey = EncodesUtil.encodeHex(jwtProperties.getBase64EncodedSecretKey().getBytes());
JwtBuilder builder = Jwts.builder()
.setClaims(claims)
.setId(sessionId)//2. 这个是JWT的唯一标识,一般设置成唯一的,这个方法可以生成唯一标识,此时存储的为sessionId,登录成功后回写
.setIssuedAt(new Date(nowMillis))//1. 这个地方就是以毫秒为单位,换算当前系统时间生成的iat
.setSubject(iss)//3. 签发人,也就是JWT是给谁的(逻辑上一般都是username或者userId)
.signWith(SignatureAlgorithm.HS256, base64EncodedSecretKey);//这个地方是生成jwt使用的算法和秘钥
if (ttlMillis >= 0) {
long expMillis = nowMillis + ttlMillis;
Date exp = new Date(expMillis);//4. 过期时间,这个也是使用毫秒生成的,使用当前时间+前面传入的持续时间生成
builder.setExpiration(exp);
}
return builder.compact();
}
/**
* @Description 解析令牌
* @param jwtToken 令牌
* @return
*/
public Claims decodeToken(String jwtToken) {
String base64EncodedSecretKey = EncodesUtil.encodeHex(jwtProperties.getBase64EncodedSecretKey().getBytes());
// 得到 DefaultJwtParser
return Jwts.parser()
// 设置签名的秘钥
.setSigningKey(base64EncodedSecretKey)
// 设置需要解析的 jwt
.parseClaimsJws(jwtToken)
.getBody();
}
/**
* @Description 判断令牌是否合法
* @param jwtToken 令牌
* @return
*/
public boolean isVerifyToken(String jwtToken) {
String base64EncodedSecretKey = EncodesUtil.encodeHex(jwtProperties.getBase64EncodedSecretKey().getBytes());
//这个是官方的校验规则,这里只写了一个”校验算法“,可以自己加
Algorithm algorithm = Algorithm.HMAC256(EncodesUtil.decodeBase64(base64EncodedSecretKey));
JWTVerifier verifier = JWT.require(algorithm).build();
verifier.verify(jwtToken); // 校验不通过会抛出异常
//判断合法的标准:1. 头部和荷载部分没有篡改过。2. 没有过期
return true;
}
}重写DefaultWebSessionManager
ShiroSessionManager主要是添加jwtToken的jti作为会话的唯一标识
java
package com.itheima.shiro.core.impl;
import com.itheima.shiro.utils.EmptyUtil;
import io.jsonwebtoken.Claims;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;
/**
* @Description 重写Jwt会话管理
*/
public class ShiroSessionManager extends DefaultWebSessionManager {
private static final String AUTHORIZATION = "jwtToken";
private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
public ShiroSessionManager(){
super();
}
@Autowired
JwtTokenManager jwtTokenManager;
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response){
String jwtToken = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
if(EmptyUtil.isNullOrEmpty(jwtToken)){
//如果没有携带id参数则按照父类的方式在cookie进行获取
return super.getSessionId(request, response);
}else{
//如果请求头中有 authToken 则其值为jwtToken,然后解析出会话session
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,REFERENCED_SESSION_ID_SOURCE);
Claims decode = jwtTokenManager.decodeToken(jwtToken);
String id = (String) decode.get("jti");
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID,id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID,Boolean.TRUE);
return id;
}
}
}重写默认过滤器
BaseResponse返回统一json的对象
java
package com.itheima.shiro.core.base;
import com.itheima.shiro.utils.ToString;
import lombok.AllArgsConstructor;
import lombok.Data;
/**
* @Description 基础返回封装
*/
@Data
public class BaseResponse extends ToString {
private Integer code ;
private String msg ;
private String date;
private static final long serialVersionUID = -1;
public BaseResponse(Integer code, String msg) {
this.code = code;
this.msg = msg;
}
public BaseResponse(Integer code, String msg, String date) {
this.code = code;
this.msg = msg;
this.date = date;
}
}JwtAuthcFilter 使用wtTokenManager.isVerifyToken(jwtToken)校验颁发jwtToken是否合法,同时在拒绝的时候返回对应的json数据格式
java
package com.itheima.shiro.core.filter;
import com.alibaba.fastjson.JSONObject;
import com.itheima.shiro.constant.ShiroConstant;
import com.itheima.shiro.core.base.BaseResponse;
import com.itheima.shiro.core.impl.JwtTokenManager;
import com.itheima.shiro.core.impl.ShiroSessionManager;
import com.itheima.shiro.utils.EmptyUtil;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* @Description:自定义登录验证过滤器
*/
public class JwtAuthcFilter extends FormAuthenticationFilter {
private JwtTokenManager jwtTokenManager;
public JwtAuthcFilter(JwtTokenManager jwtTokenManager) {
this.jwtTokenManager = jwtTokenManager;
}
/**
* @Description 是否允许访问
*/
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
//判断当前请求头中是否带有jwtToken的字符串
String jwtToken = WebUtils.toHttp(request).getHeader("jwtToken");
//如果有:走jwt校验
if (!EmptyUtil.isNullOrEmpty(jwtToken)){
boolean verifyToken = jwtTokenManager.isVerifyToken(jwtToken);
if (verifyToken){
return super.isAccessAllowed(request, response, mappedValue);
}else {
return false;
}
}
//没有没有:走原始校验
return super.isAccessAllowed(request, response, mappedValue);
}
/**
* @Description 访问拒绝时调用
*/
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//判断当前请求头中是否带有jwtToken的字符串
String jwtToken = WebUtils.toHttp(request).getHeader("jwtToken");
//如果有:返回json的应答
if (!EmptyUtil.isNullOrEmpty(jwtToken)){
BaseResponse baseResponse = new BaseResponse(ShiroConstant.NO_LOGIN_CODE,ShiroConstant.NO_LOGIN_MESSAGE);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
response.getWriter().write(JSONObject.toJSONString(baseResponse));
return false;
}
//如果没有:走原始方式
return super.onAccessDenied(request, response);
}
}JwtPermsFilter
java
package com.itheima.shiro.core.filter;
import com.alibaba.fastjson.JSONObject;
import com.itheima.shiro.constant.ShiroConstant;
import com.itheima.shiro.core.base.BaseResponse;
import com.itheima.shiro.utils.EmptyUtil;
import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
/**
* @Description:自定义jwt的资源校验
*/
public class JwtPermsFilter extends PermissionsAuthorizationFilter {
/**
* @Description 访问拒绝时调用
*/
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
//判断当前请求头中是否带有jwtToken的字符串
String jwtToken = WebUtils.toHttp(request).getHeader("jwtToken");
//如果有:返回json的应答
if (!EmptyUtil.isNullOrEmpty(jwtToken)){
BaseResponse baseResponse = new BaseResponse(ShiroConstant.NO_AUTH_CODE,ShiroConstant.NO_AUTH_MESSAGE);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
response.getWriter().write(JSONObject.toJSONString(baseResponse));
return false;
}
//如果没有:走原始方式
return super.onAccessDenied(request, response);
}
}JwtRolesFilter
java
package com.itheima.shiro.core.filter;
import com.alibaba.fastjson.JSONObject;
import com.itheima.shiro.constant.ShiroConstant;
import com.itheima.shiro.core.base.BaseResponse;
import com.itheima.shiro.utils.EmptyUtil;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
/**
* @Description:自定义jwt角色校验
*/
public class JwtRolesFilter extends RolesAuthorizationFilter {
/**
* @Description 访问拒绝时调用
*/
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
//判断当前请求头中是否带有jwtToken的字符串
String jwtToken = WebUtils.toHttp(request).getHeader("jwtToken");
//如果有:返回json的应答
if (!EmptyUtil.isNullOrEmpty(jwtToken)){
BaseResponse baseResponse = new BaseResponse(ShiroConstant.NO_ROLE_CODE,ShiroConstant.NO_ROLE_MESSAGE);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
response.getWriter().write(JSONObject.toJSONString(baseResponse));
return false;
}
//如果没有:走原始方式
return super.onAccessDenied(request, response);
}
}重写ShiroConfig
1、ShiroSessionManager替换DefaultWebSessionManager 2、生效过滤器
java
package com.itheima.shiro.config;
import com.itheima.shiro.core.ShiroDbRealm;
import com.itheima.shiro.core.impl.*;
import com.itheima.shiro.filter.*;
import com.itheima.shiro.properties.PropertiesUtil;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.config.Config;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
/**
* @Description 权限配置类
*/
@Configuration
@ComponentScan(basePackages = {"com.itheima.shiro.core"})
@EnableConfigurationProperties({ShiroRedisProperties.class})
@Log4j2
public class ShiroConfig {
@Autowired
private ShiroRedisProperties shiroRedisProperties;
@Autowired
JwtTokenManager jwtTokenManager;
/**
* @Description redission客户端
*/
@Bean("redissonClientForShiro")
public RedissonClient redissonClient() {
log.info("=====初始化redissonClientForShiro开始======");
String[] nodeList = shiroRedisProperties.getNodes().split(",");
Config config = new Config();
if (nodeList.length == 1) {
config.useSingleServer().setAddress(nodeList[0])
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
} else {
config.useClusterServers().addNodeAddress(nodeList)
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setMasterConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setMasterConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
}
RedissonClient redissonClient = Redisson.create(config);
log.info("=====初始化redissonClientForShiro完成======");
return redissonClient;
}
/**
* @Description 创建cookie对象
*/
@Bean(name="sessionIdCookie")
public SimpleCookie simpleCookie(){
SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setName("ShiroSession");
return simpleCookie;
}
/**
* @Description 缓存管理器
* @param
* @return
*/
@Bean(name="shiroCacheManager")
public ShiroCacheManager shiroCacheManager(){
return new ShiroCacheManager();
}
/**
* @Description 权限管理器
* @param
* @return
*/
@Bean(name="securityManager")
public DefaultWebSecurityManager defaultWebSecurityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroDbRealm());
securityManager.setSessionManager(shiroSessionManager());
securityManager.setCacheManager(shiroCacheManager());
return securityManager;
}
/**
* @Description 自定义RealmImpl
*/
@Bean(name="shiroDbRealm")
public ShiroDbRealm shiroDbRealm(){
return new ShiroDbRealmImpl();
}
/**
* @Description 自定义session会话存储的实现类 ,使用Redis来存储共享session,达到分布式部署目的
*/
@Bean("redisSessionDao")
public SessionDAO redisSessionDao(){
RedisSessionDao sessionDAO = new RedisSessionDao();
sessionDAO.setGlobalSessionTimeout(shiroRedisProperties.getGlobalSessionTimeout());
return sessionDAO;
}
/**
* @Description 会话管理器
*/
@Bean(name="sessionManager")
public ShiroSessionManager shiroSessionManager(){
ShiroSessionManager sessionManager = new ShiroSessionManager();
sessionManager.setSessionDAO(redisSessionDao());
sessionManager.setSessionValidationSchedulerEnabled(false);
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(simpleCookie());
sessionManager.setGlobalSessionTimeout(shiroRedisProperties.getGlobalSessionTimeout());
return sessionManager;
}
/**
* @Description 保证实现了Shiro内部lifecycle函数的bean执行
*/
@Bean(name = "lifecycleBeanPostProcessor")
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* @Description AOP式方法级权限检查
*/
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
/**
* @Description 配合DefaultAdvisorAutoProxyCreator事项注解权限校验
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(defaultWebSecurityManager());
return new AuthorizationAttributeSourceAdvisor();
}
/**
* @Description 过滤器链
*/
private Map<String, String> filterChainDefinition(){
List<Object> list = PropertiesUtil.propertiesShiro.getKeyList();
Map<String, String> map = new LinkedHashMap<>();
for (Object object : list) {
String key = object.toString();
String value = PropertiesUtil.getShiroValue(key);
log.info("读取防止盗链控制:---key{},---value:{}",key,value);
map.put(key, value);
}
return map;
}
/**
* @Description 自定义过滤器定义
*/
private Map<String, Filter> filters() {
Map<String, Filter> map = new HashMap<String, Filter>();
map.put("roleOr", new RolesOrAuthorizationFilter());
map.put("kicked-out", new KickedOutAuthorizationFilter(redissonClient(), redisSessionDao(), shiroSessionManager()));
map.put("jwt-authc", new JwtAuthcFilter(jwtTokenManager));
map.put("jwt-perms", new JwtPermsFilter());
map.put("jwt-roles", new JwtRolesFilter());
return map;
}
/**
* @Description Shiro过滤器
*/
@Bean("shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean(){
ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
shiroFilter.setSecurityManager(defaultWebSecurityManager());
//使自定义过滤器生效
shiroFilter.setFilters(filters());
shiroFilter.setFilterChainDefinitionMap(filterChainDefinition());
shiroFilter.setLoginUrl("/login");
shiroFilter.setUnauthorizedUrl("/login");
return shiroFilter;
}
}业务代码
LoginAction 添加LoginForJwt方法
java
/**
* @Description jwt的json登录方式
* @param loginVo
* @return
*/
@RequestMapping("login-jwt")
@ResponseBody
public BaseResponse LoginForJwt(@RequestBody LoginVo loginVo){
return loginService.routeForJwt(loginVo);
}LoginService 添加routeForJwt方法
java
package com.itheima.shiro.service;
import com.itheima.shiro.core.base.BaseResponse;
import com.itheima.shiro.vo.LoginVo;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import java.util.Map;
/**
* @Description 登陆业务接口
*/
public interface LoginService {
/**
* @Description 登陆路由
* @param loginVo 登录参数
* @return
*/
public Map<String, String> route(LoginVo loginVo) throws UnknownAccountException,IncorrectCredentialsException;
/**
* @Description jwt方式登录
@param loginVo 登录参数
* @return
*/
public BaseResponse routeForJwt(LoginVo loginVo) throws UnknownAccountException,IncorrectCredentialsException;
}LoginServiceImpl
java
package com.itheima.shiro.service.impl;
import com.alibaba.fastjson.JSONObject;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.constant.ShiroConstant;
import com.itheima.shiro.core.base.BaseResponse;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleToken;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.core.impl.JwtTokenManager;
import com.itheima.shiro.pojo.User;
import com.itheima.shiro.service.LoginService;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.ShiroUserUtil;
import com.itheima.shiro.utils.ShiroUtil;
import com.itheima.shiro.vo.LoginVo;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.subject.Subject;
import org.redisson.api.RedissonClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import javax.annotation.Resource;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
/**
* @Description 登陆业务实现
*/
@Service("loginService")
@Log4j2
public class LoginServiceImpl implements LoginService {
@Resource(name = "redissonClientForShiro")
RedissonClient redissonClient;
@Autowired
UserBridgeService userBridgeService;
@Autowired
JwtTokenManager jwtTokenManager;
/* (non-Javadoc)
* @see LoginService#route(com.yz.commons.vo.LoginVo)
*/
@Override
public Map<String, String> route(LoginVo loginVo) throws UnknownAccountException, IncorrectCredentialsException {
Map<String, String> map = new HashMap<>();
try {
SimpleToken token = new SimpleToken(null, loginVo.getLoginName(), loginVo.getPassWord());
Subject subject = SecurityUtils.getSubject();
subject.login(token);
//创建缓存
this.loadAuthorityToCache();
} catch (UnknownAccountException ex) {
log.error("登陆异常:{}", ex);
throw new UnknownAccountException(ex);
} catch (IncorrectCredentialsException ex) {
log.error("登陆异常:{}", ex);
throw new IncorrectCredentialsException(ex);
}
return map;
}
@Override
public BaseResponse routeForJwt(LoginVo loginVo) throws UnknownAccountException, IncorrectCredentialsException {
Map<String, String> map = new HashMap<>();
String jwtToken = null;
try {
SimpleToken token = new SimpleToken(null, loginVo.getLoginName(), loginVo.getPassWord());
Subject subject = SecurityUtils.getSubject();
subject.login(token);
String shiroSessionId = ShiroUserUtil.getShiroSessionId();
//登录后颁发的令牌
ShiroUser shiroUser = ShiroUserUtil.getShiroUser();
Map<String, Object> claims = new HashMap<>();
claims.put("shiroUser", JSONObject.toJSONString(shiroUser));
jwtToken = jwtTokenManager.IssuedToken("system", subject.getSession().getTimeout(),shiroSessionId,claims);
map.put("jwtToken",jwtToken );
log.info("jwtToken:{}",map.toString());
//创建缓存
this.loadAuthorityToCache();
} catch (Exception ex) {
BaseResponse baseResponse = new BaseResponse(ShiroConstant.LOGIN_FAILURE_CODE, ShiroConstant.LOGIN_FAILURE_MESSAGE);
return baseResponse;
}
BaseResponse baseResponse = new BaseResponse(ShiroConstant.LOGIN_SUCCESS_CODE,ShiroConstant.LOGIN_SUCCESS_MESSAGE,jwtToken);
return baseResponse;
}
/**
*
* <b>方法名:</b>:loadAuthorityToCache<br>
* <b>功能说明:</b>:加载缓存<br>
*/
private void loadAuthorityToCache(){
//登陆成功后缓存用户的权限信息进入缓存
ShiroUser shiroUser = ShiroUserUtil.getShiroUser();
User user = BeanConv.toBean(shiroUser, User.class);
userBridgeService.loadUserAuthorityToCache(user);
}
}authentication.properties
properties
#静态资源不过滤
/static/**=anon
#登录链接不过滤
/login/**=anon
#访问/resource/**需要有admin的角色
#/resource/**=roleOr[MangerRole,SuperAdmin]
/role/** =jwt-roles[SuperAdmin]
/resource/** =jwt-perms[role:listInitialize]
#其他链接是需要登录的
/**=kicked-out,jwt-authc三、核心知识
3.1 认证
ini配置实现
配置ini文件
ini
# 认证配置
<NolebasePageProperties />
# 验证 直接定义用户名密码方式 用户名=密码 没有自定义realm方式时使用
# 默认使用自带的IniRealm,IniRealm从ini配置文件中读取用户的信息
[users]
# “用户名=密码,角色1,角色2” “角色=权限1,权限2”
zhangsan=1111,role1,role2
lisi=1111,role1
[roles]
# 资源标识符:标识角色对哪个资源的哪个实例具有什么操作,“:”是资源/操作/实例的分割符,权限字符串也可以使用*通配符。
role1=user:create,user:update
role2=user:create,user:delete
########################
#自定义 realm方式
#定义凭证匹配器
credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
#散列算法
credentialsMatcher.hashAlgorithmName=md5
#散列次数
credentialsMatcher.hashIterations=2
#将凭证匹配器设置到realm
#自定义 realm
userRealm=cn.siggy.realm.UserRealm
userRealm.credentialsMatcher=$credentialsMatcher
#将realm设置到securityManager
securityManager.realms=$userRealm代码实现
java
//用户登录和退出
@Test
public void testAuthenticator(){
// 构建SecurityManager工厂,IniSecurityManagerFactory可以从ini文件中初始化SecurityManager环境
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
//通过工厂获得SecurityManager实例
SecurityManager securityManager = factory.getInstance();
//将securityManager设置到运行环境中
SecurityUtils.setSecurityManager(securityManager);
//获取subject实例
Subject subject = SecurityUtils.getSubject();
//创建用户名,密码身份验证Token
UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "1111");
try {
//登录,即身份验证
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
//身份认证失败
}
//断言用户已经登录
Assert.assertEquals(true, subject.isAuthenticated());
//判断拥有角色:role1
Assert.assertTrue(subject.hasRole("role1"));
//判断拥有角色:role1 and role2
Assert.assertTrue(subject.hasAllRoles(Arrays.asList("role1", "role2")));
//判断拥有角色:role1 and role2 and !role3
boolean[] result = subject.hasRoles(Arrays.asList("role1", "role2", "role3"));
Assert.assertEquals(true, result[0]);
Assert.assertEquals(true, result[1]);
Assert.assertEquals(false, result[2]);
//判断拥有权限:user:create
Assert.assertTrue(subject.isPermitted("user:create"));
//判断拥有权限:user:update and user:delete
Assert.assertTrue(subject.isPermittedAll("user:update", "user:delete"));
//判断没有权限:user:view
Assert.assertFalse(subject.isPermitted("user:view"));
//退出
subject.logout();
}Realm实现类
实现类
java
/**
*
* 最基础的是Realm接口,CachingRealm负责缓存处理,AuthenticationRealm负责认证,AuthorizingRealm负责授权,通常自定义的realm继承AuthorizingRealm。
*/
public class UserRealm extends AuthorizingRealm {
@Override
public String getName() {
return "UserRealm";
}
//用于认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
//从token中获取身份信息
String username = (String)token.getPrincipal();
//根据用户名到数据库中取出用户信息 如果查询不到 返回null
String password = "1111";//假如从数据库中获取密码为1111
//返回认证信息
// ByteSource.Util.bytes("siggy")是使用散列算法,可省略,散列算法类型需在ini配置文件中配置
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(username, password, ByteSource.Util.bytes("siggy"),this.getName());
return simpleAuthenticationInfo;
}
//用于授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
//获取身份信息
String username = (String)principals.getPrimaryPrincipal();
//根据身份信息获取权限数据
//模拟
List<String> permissions = new ArrayList<String>();
permissions.add("user:save");
permissions.add("user:delete");
//将权限信息保存到AuthorizationInfo中
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
for(String permission:permissions){
simpleAuthorizationInfo.addStringPermission(permission);
}
return simpleAuthorizationInfo;
}
}代码实现
java
//判断授权
// 方式一
Subject subject = SecurityUtils.getSubject();
if(subject.hasRole(“admin”)) {
//有权限
} else {
//无权限
}
// 方式二
@RequiresRoles("admin")
public void hello() {
//有权限
}
//没有权限将抛出相应的异常;
// 方式3 jsp验权
<shiro:hasRole name="admin">
<!— 有权限—>
</shiro:hasRole>继承AuthorizingRealm
一般在真实的项目中,不会直接实现Realm接口,一般的情况就是直接继承AuthorizingRealm,能够继承到认证与授权功能。它需要强制重写两个方法
java
package com.itheima.shiro.realm;
import com.itheima.shiro.service.SecurityService;
import com.itheima.shiro.service.impl.SecurityServiceImpl;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
/**
* @Description:声明自定义realm
*/
public class DefinitionRealm extends AuthorizingRealm {
/**
* @Description 认证接口
* @param token 传递登录token
* @return
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//从AuthenticationToken中获得登录名称
String loginName = (String) token.getPrincipal();
SecurityService securityService = new SecurityServiceImpl();
// 通过用户名查询密码
String password = securityService.findPasswordByLoginName(loginName);
if ("".equals(password)||password==null){
throw new UnknownAccountException("账户不存在");
}
//传递账号和密码
return new SimpleAuthenticationInfo(loginName,password,getName());
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
}编辑shiro.ini 还有spring配置文件、配置类方式。
ini
#声明自定义的realm,且为安全管理器指定realms
[main]
definitionRealm=com.itheima.shiro.realm.DefinitionRealm
securityManager.realms=$definitionRealm
#声明用户账号
#[users]
#jay=1233.2 编码
Shiro提供了base64和16进制字符串编码/解码的API支持,方便一些编码解码操作。 Shiro内部的一些数据的【存储/表示】都使用了base64和16进制字符串
编码工具类
java
package com.itheima.shiro.tools;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.Hex;
/**
* @Description:封装base64和16进制编码解码工具类
*/
public class EncodesUtil {
/**
* @Description HEX-byte[]--String转换
* @param input 输入数组
* @return String
*/
public static String encodeHex(byte[] input){
return Hex.encodeToString(input);
}
/**
* @Description HEX-String--byte[]转换
* @param input 输入字符串
* @return byte数组
*/
public static byte[] decodeHex(String input){
return Hex.decode(input);
}
/**
* @Description Base64-byte[]--String转换
* @param input 输入数组
* @return String
*/
public static String encodeBase64(byte[] input){
return Base64.encodeToString(input);
}
/**
* @Description Base64-String--byte[]转换
* @param input 输入字符串
* @return byte数组
*/
public static byte[] decodeBase64(String input){
return Base64.decode(input);
}
}3.3 散列算法
散列算法一般用于生成数据的摘要信息,是一种不可逆的算法,一般适合存储密码之类的数据,常见的散列算法如MD5、SHA等。一般进行散列时最好提供一个salt(盐),比如加密密码“admin”,产生的散列值是“21232f297a57a5a743894a0e4a801fc3”,可以到一些md5解密网站很容易的通过散列值得到密码“admin”,即如果直接对密码进行散列相对来说破解更容易,此时我们可以加一些只有系统知道的干扰数据,如salt(即盐);这样散列的对象是“密码+salt”,这样生成的散列值相对来说更难破解。
shiro支持的散列算法: Md2Hash、Md5Hash、Sha1Hash、Sha256Hash、Sha384Hash、Sha512Hash
工具类
java
package com.itheima.shiro.tools;
import com.sun.org.apache.bcel.internal.generic.NEW;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import sun.security.util.Password;
import java.util.HashMap;
import java.util.Map;
/**
* @Description:摘要
*/
public class DigestsUtil {
private static final String SHA1 = "SHA-1";
private static final Integer ITERATIONS =512;
/**
* @Description sha1方法
* @param input 需要散列字符串
* @param salt 盐字符串
* @return
*/
public static String sha1(String input, String salt) {
return new SimpleHash(SHA1, input, salt,ITERATIONS).toString();
}
/**
* @Description 随机获得salt字符串
* @return
*/
public static String generateSalt(){
SecureRandomNumberGenerator randomNumberGenerator = new SecureRandomNumberGenerator();
return randomNumberGenerator.nextBytes().toHex();
}
/**
* @Description 生成密码字符密文和salt密文
* @param
* @return
*/
public static Map<String,String> entryptPassword(String passwordPlain) {
Map<String,String> map = new HashMap<>();
String salt = generateSalt();
String password =sha1(passwordPlain,salt);
map.put("salt", salt);
map.put("password", password);
return map;
}
}Realm使用散列算法
为DefinitionRealm类添加构造方法如下:
java
/**
* @Description 构造函数
*/
public DefinitionRealm() {
//指定密码匹配方式为sha1
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(DigestsUtil.SHA1);
//指定密码迭代次数
matcher.setHashIterations(DigestsUtil.ITERATIONS);
//使用父亲方法使匹配方式生效
setCredentialsMatcher(matcher);
}修改DefinitionRealm类的认证doGetAuthenticationInfo方法如下
java
/**
* @Description 认证接口
* @param token 传递登录token
* @return
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//从AuthenticationToken中获得登录名称
String loginName = (String) token.getPrincipal();
SecurityService securityService = new SecurityServiceImpl();
Map<String, String> map = securityService.findPasswordByLoginName(loginName);
if (map.isEmpty()){
throw new UnknownAccountException("账户不存在");
}
String salt = map.get("salt");
String password = map.get("password");
//传递账号和密码:参数1:缓存对象,参数2:明文密码,参数三:字节salt,参数4:当前DefinitionRealm名称
return new SimpleAuthenticationInfo(loginName,password, ByteSource.Util.bytes(salt),getName());
}3.4 授权
修改DefinitionRealm类的授权doGetAuthorizationInfo方法 此方法的传入的参数PrincipalCollection principals,是一个包装对象,它表示"用户认证凭证信息"。包装的是认证doGetAuthenticationInfo()方法的返回值的第一个参数loginName。可以通过这个包装对象的getPrimaryPrincipal()方法拿到此值,然后再从数据库中拿到对应的角色和资源,构建SimpleAuthorizationInfo。
授权方法
java
/**
* @Description 授权方法
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//拿到用户认证凭证信息
String loginName = (String) principals.getPrimaryPrincipal();
//从数据库中查询对应的角色和资源
SecurityService securityService = new SecurityServiceImpl();
List<String> roles = securityService.findRoleByloginName(loginName);
List<String> permissions = securityService.findPermissionByloginName(loginName);
//构建资源校验
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roles);
authorizationInfo.addStringPermissions(permissions);
return authorizationInfo;
}授权校验
java
public void testPermissionRealm() {
Subject subject = shiroLogin("jay", "123");
//判断用户是否已经登录
System.out.println("是否登录成功:" + subject.isAuthenticated());
//---------检查当前用户的角色信息------------
System.out.println("是否有管理员角色:"+subject.hasRole("admin"));
//---------如果当前用户有此角色,无返回值。若没有此权限,则抛 UnauthorizedException------------
try {
subject.checkRole("coder");
System.out.println("有coder角色");
}catch (Exception e){
System.out.println("没有coder角色");
}
//---------检查当前用户的权限信息------------
System.out.println("是否有查看订单列表资源:"+subject.isPermitted("order:list"));
//---------如果当前用户有此权限,无返回值。若没有此权限,则抛 UnauthorizedException------------
try {
subject.checkPermissions("order:add", "order:del");
System.out.println("有添加和删除订单资源");
}catch (Exception e){
System.out.println("没有有添加和删除订单资源");
}
}基于代码授权
登录相关
| Subject 登录相关方法 | 描述 |
|---|---|
| isAuthenticated() | 返回true 表示已经登录,否则返回false。 |
角色相关
| Subject 角色相关方法 | 描述 |
|---|---|
| hasRole(String roleName) | 返回true 如果Subject 被分配了指定的角色,否则返回false。 |
hasRoles(List<String> roleNames) | 返回true 如果Subject 被分配了所有指定的角色,否则返回false。 |
hasAllRoles(Collection<String>roleNames) | 返回一个与方法参数中目录一致的hasRole 结果的集合。有性能的提高如果许多角色需要执行检查(例如,当自定义一个复杂的视图)。 |
| checkRole(String roleName) | 安静地返回,如果Subject 被分配了指定的角色,不然的话就抛出AuthorizationException。 |
checkRoles(Collection<String>roleNames) | 安静地返回,如果Subject 被分配了所有的指定的角色,不然的话就抛出AuthorizationException。 |
| checkRoles(String… roleNames) | 与上面的checkRoles 方法的效果相同,但允许Java5 的var-args 类型的参数 |
资源相关
| Subject 资源相关方法 | 描述 |
|---|---|
| isPermitted(Permission p) | 返回true 如果该Subject 被允许执行某动作或访问被权限实例指定的资源,否则返回false |
isPermitted(List<Permission> perms) | 返回一个与方法参数中目录一致的isPermitted 结果的集合。 |
isPermittedAll(Collection<Permission>perms) | 返回true 如果该Subject 被允许所有指定的权限,否则返回false有性能的提高如果需要执行许多检查(例如,当自定义一个复杂的视图) |
| isPermitted(String perm) | 返回true 如果该Subject 被允许执行某动作或访问被字符串权限指定的资源,否则返回false。 |
| isPermitted(String…perms) | 返回一个与方法参数中目录一致的isPermitted 结果的数组。有性能的提高如果许多字符串权限检查需要被执行(例如,当自定义一个复杂的视图)。 |
| isPermittedAll(String…perms) | 返回true 如果该Subject 被允许所有指定的字符串权限,否则返回false。 |
| checkPermission(Permission p) | 安静地返回,如果Subject 被允许执行某动作或访问被特定的权限实例指定的资源,不然的话就抛出AuthorizationException 异常。 |
| checkPermission(String perm) | 安静地返回,如果Subject 被允许执行某动作或访问被特定的字符串权限指定的资源,不然的话就抛出AuthorizationException 异常。 |
checkPermissions(Collection<Permission> perms) | 安静地返回,如果Subject 被允许所有的权限,不然的话就抛出AuthorizationException 异常。有性能的提高如果需要执行许多检查(例如,当自定义一个复杂的视图) |
| checkPermissions(String… perms) | 和上面的checkPermissions 方法效果相同,但是使用的是基于字符串的权限。 |
基于JSP授权
使用方式
Shiro提供了一套JSP标签库来实现页面级的授权控制, 在使用Shiro标签库前,首先需要在JSP引入shiro标签:
html
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>相关标签
| 标签 | 说明 |
|---|---|
| < shiro:guest > | 验证当前用户是否为“访客”,即未认证(包含未记住)的用户 |
| < shiro:user > | 认证通过或已记住的用户 |
| < shiro:authenticated > | 已认证通过的用户。不包含已记住的用户,这是与user标签的区别所在 |
| < shiro:notAuthenticated > | 未认证通过用户。与guest标签的区别是,该标签包含已记住用户 |
| < shiro:principal /> | 输出当前用户信息,通常为登录帐号信息 |
| < shiro:hasRole name="角色"> | 验证当前用户是否属于该角色 |
| < shiro:lacksRole name="角色"> | 与hasRole标签逻辑相反,当用户不属于该角色时验证通过 |
| < shiro:hasAnyRoles name="a,b"> | 验证当前用户是否属于以下任意一个角色 |
| <shiro:hasPermission name=“资源”> | 验证当前用户是否拥有制定权限 |
| <shiro:lacksPermission name="资源"> | 与permission标签逻辑相反,当前用户没有制定权限时,验证通过 |
四、分布式统一权限系统
4.1架构设计
springboot-shiro-gateway-handler 1、dubbo业务服务转换http通讯 2、认证与鉴权服务化消费者 3、生成业务服务化消费者
springboot-shiro-producer 认证与鉴权服务化的生成者
springboot-shiro-mgt 认证与鉴权服务化消费者
springboot-shiro-dubbo-app-handler 生产业务服务化生产者
4.2 认证服务
定义UserAdapterFace
模块springboot-shiro-face中的接口定义UserAdapterFace
java
package com.itheima.shiro.face;
import com.itheima.shiro.vo.ResourceVo;
import com.itheima.shiro.vo.RoleVo;
import com.itheima.shiro.vo.UserVo;
import java.util.List;
/**
* @Description:用户服务接口定义
*/
public interface UserAdapterFace {
/**
* @Description 按用户名查找用户
* @param loginName 登录名
* @return
*/
UserVo findUserByLoginName(String loginName);
/**
* @Description 查找用户所有角色
* @param userId 用户Id
* @return
*/
List<RoleVo> findRoleByUserId(String userId);
/**
* @Description 查询用户有那些资源
* @param userId 用户Id
* @return
*/
List<ResourceVo> findResourceByUserId(String userId);
}定义生产者UserAdapterFaceImpl
springboot-shiro-producer模块中的生产者UserAdapterFaceImpl
java
package com.itheima.shiro.faceImpl;
import com.itheima.shiro.adapter.UserAdapter;
import com.itheima.shiro.face.UserAdapterFace;
import com.itheima.shiro.pojo.Resource;
import com.itheima.shiro.pojo.Role;
import com.itheima.shiro.pojo.User;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.vo.ResourceVo;
import com.itheima.shiro.vo.RoleVo;
import com.itheima.shiro.vo.UserVo;
import org.apache.dubbo.config.annotation.Service;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.List;
/**
* @Description:
*/
@Service(version = "1.0.0", retries = 3,timeout = 5000)
public class UserAdapterFaceImpl implements UserAdapterFace {
@Autowired
UserAdapter userAdapter;
@Override
public UserVo findUserByLoginName(String loginName) {
User user = userAdapter.findUserByLoginName(loginName);
if (!EmptyUtil.isNullOrEmpty(user)){
return BeanConv.toBean(user,UserVo.class);
}
return null;
}
@Override
public List<RoleVo> findRoleByUserId(String userId) {
List<Role> list = userAdapter.findRoleByUserId(userId);
if (!EmptyUtil.isNullOrEmpty(list)){
return BeanConv.toBeanList(list, RoleVo.class);
}
return null;
}
@Override
public List<ResourceVo> findResourceByUserId(String userId) {
List<Resource> list = userAdapter.findResourceByUserId(userId);
if (!EmptyUtil.isNullOrEmpty(list)){
return BeanConv.toBeanList(list, ResourceVo.class);
}
return null;
}
}定义消费者UserBridgeServiceImpl
springboot-shiro-handler模块下的消费者UserBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.core.SimpleCacheManager;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleMapCache;
import com.itheima.shiro.core.base.SimpleToken;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.face.UserAdapterFace;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.utils.ShiroUserUtil;
import com.itheima.shiro.vo.ResourceVo;
import com.itheima.shiro.vo.RoleVo;
import com.itheima.shiro.vo.UserVo;
import lombok.extern.slf4j.Slf4j;
import org.apache.dubbo.config.annotation.Reference;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.util.ByteSource;
import org.redisson.api.RBucket;
import org.redisson.api.RedissonClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
/**
* @Description 权限桥接器
*/
@Slf4j
@Component("userBridgeService")
public class UserBridgeServiceImpl implements UserBridgeService {
@Reference(version = "1.0.0")
private UserAdapterFace userAdapterFace;
@Autowired
private SimpleCacheManager simpleCacheManager;
@javax.annotation.Resource(name = "redissonClientForShiro")
private RedissonClient redissonClient;
public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken,String realmName) {
SimpleToken token = (SimpleToken)authcToken;
UserVo user = this.findUserByLoginName(token.getUsername());
if(EmptyUtil.isNullOrEmpty(user)){
throw new UnknownAccountException("账号不存在");
}
ShiroUser shiroUser = BeanConv.toBean(user, ShiroUser.class);
String sessionId = ShiroUserUtil.getShiroSessionId();
String cacheKeyResourcesIds = CacheConstant.RESOURCES_KEY_IDS+sessionId;
shiroUser.setResourceIds(this.findResourcesIdsList(cacheKeyResourcesIds,user.getId()));
String salt = user.getSalt();
String password = user.getPassWord();
return new SimpleAuthenticationInfo(shiroUser, password, ByteSource.Util.bytes(salt), realmName);
}
@Override
public SimpleAuthorizationInfo getAuthorizationInfo(ShiroUser shiroUser) {
UserVo user = BeanConv.toBean(shiroUser, UserVo.class);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
String sessionId = ShiroUserUtil.getShiroSessionId();
//查询用户拥有的角色
String cacheKeyRole = CacheConstant.ROLE_KEY + sessionId;
info.addRoles(this.findRoleList(cacheKeyRole, user.getId()));
//查询用户拥有的资源
String cacheKeyResources = CacheConstant.RESOURCES_KEY + sessionId;
info.addStringPermissions(this.findResourcesList(cacheKeyResources, user.getId()));
return info;
}
@Override
public List<String> findRoleList(String cacheKeyRole, String userId) {
List<RoleVo> roles = new ArrayList<RoleVo>();
if (simpleCacheManager.getCache(cacheKeyRole) != null) {
roles = (List<RoleVo>) simpleCacheManager.getCache(cacheKeyRole).get(cacheKeyRole);
} else {
roles = userAdapterFace.findRoleByUserId(userId);
if (roles.size() > 0) {
//用户角色存放到map
Map<Object, Object> mapRole = new HashMap<Object, Object>();
mapRole.put(cacheKeyRole, roles);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheRole = new SimpleMapCache(cacheKeyRole, mapRole);
simpleCacheManager.createCache(cacheKeyRole, cacheRole);
}
}
List<String> rolesLabel = new ArrayList<String>();
for (RoleVo role : roles) {
rolesLabel.add(role.getLabel());
}
return rolesLabel;
}
@Override
public List<String> findResourcesList(String cacheKeyResources,String userId) {
List<ResourceVo> resourcesList = new ArrayList<ResourceVo>();
if (simpleCacheManager.getCache(cacheKeyResources) != null) {
resourcesList = (List<ResourceVo>) simpleCacheManager.getCache(cacheKeyResources).get(cacheKeyResources);
} else {
resourcesList = userAdapterFace.findResourceByUserId(userId);
if (resourcesList.size() > 0) {
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
List<String> resourcesLabel = new ArrayList<String>();
for (ResourceVo resources : resourcesList) {
resourcesLabel.add(resources.getLabel());
}
return resourcesLabel;
}
@Override
public UserVo findUserByLoginName(String loginName) {
String key = CacheConstant.FIND_USER_BY_LOGINNAME+loginName;
RBucket<UserVo> rBucket = redissonClient.getBucket(key);
UserVo user = rBucket.get();
if (!EmptyUtil.isNullOrEmpty(user)) {
return user;
}else {
user = userAdapterFace.findUserByLoginName(loginName);
if (!EmptyUtil.isNullOrEmpty(user)) {
rBucket.set(user, 300, TimeUnit.SECONDS);
return user;
}
}
rBucket.set(new UserVo(), 3, TimeUnit.SECONDS);
return null;
}
@Override
public List<String> findResourcesIdsList(String cacheKeyResources,String userId) {
List<ResourceVo> resourcesList = new ArrayList<ResourceVo>();
if (simpleCacheManager.getCache(cacheKeyResources) != null) {
resourcesList = (List<ResourceVo>) simpleCacheManager.getCache(cacheKeyResources).get(cacheKeyResources);
} else {
resourcesList = userAdapterFace.findResourceByUserId(userId);
if (resourcesList.size() > 0) {
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
List<String> resourcesLabel = new ArrayList<String>();
for (ResourceVo resources : resourcesList) {
resourcesLabel.add(resources.getId());
}
return resourcesLabel;
}
@Override
public void loadUserAuthorityToCache(ShiroUser user) {
String sessionId = user.getSessionId();
List<RoleVo> roles = userAdapterFace.findRoleByUserId(user.getId());
//创建角色cachaeKey
String cacheKeyRole = CacheConstant.ROLE_KEY + sessionId;
//用户角色存放到map
Map<Object, Object> mapRole = new HashMap<Object, Object>();
mapRole.put(cacheKeyRole, roles);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheRole = new SimpleMapCache(cacheKeyRole, mapRole);
simpleCacheManager.createCache(cacheKeyRole, cacheRole);
List<ResourceVo> resourcesList = userAdapterFace.findResourceByUserId(user.getId());
if (resourcesList.size() > 0) {
//创建资源cachaeKey
String cacheKeyResources = CacheConstant.RESOURCES_KEY + sessionId;
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
}用户在认证与鉴权时走的都是dubbo的服务,而在实际业务项目中不会再去操作鉴权相关的内容
4.3 动态过滤器链
实现动态过滤器链,需要保证以下几个特性:
1、持久化:原有的properties内容放入数据库, 2、有序性:因过滤器链有序加载的特性,读取过滤器链的时保证其有序性 3、服务化:过滤器链的服务做成dubbo服务,做到集中式管理 4、同步性:不同业务系统对于过滤器链的加载需要同步 5、热加载:过滤器链修改之后,各个业务系统不需要重启服务,以达到热加载的目的
服务化
服务化过滤器链加载
properties
FilterChainFace:过滤器链桥接器dubbo接口层
FilterChainFaceImpl:过滤器链桥接器dubbo接口层实现FilterChainFace接口
java
package com.itheima.shiro.face;
import com.itheima.shiro.vo.FilterChainVo;
import java.util.List;
/**
* @Description:过滤器查询接口
*/
public interface FilterChainFace {
public List<FilterChainVo> findFilterChainList();
}FilterChainFaceImpl
java
package com.itheima.shiro.faceImpl;
import com.itheima.shiro.face.FilterChainFace;
import com.itheima.shiro.pojo.FilterChain;
import com.itheima.shiro.service.FilterChainService;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.vo.FilterChainVo;
import org.apache.dubbo.config.annotation.Service;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.List;
/**
* @Description:
*/
@Service(version = "1.0.0", retries = 3,timeout = 5000)
public class FilterChainFaceImpl implements FilterChainFace {
@Autowired
FilterChainService filterChainService;
@Override
public List<FilterChainVo> findFilterChainList() {
List<FilterChain> filterChainList = filterChainService.findFilterChainList();
if (!EmptyUtil.isNullOrEmpty(filterChainList)){
return BeanConv.toBeanList(filterChainList, FilterChainVo.class);
}
return null;
}
}同步性
定义启动加载过滤器链服务同步:
properties
FilterChainBridgeService:过滤器链桥接器service接口层
FilterChainBridgeServiceImpl:过滤器链桥接器service接口层实现
ShiroFilerChainService:shiro过滤器链服务加载接口
ShiroFilerChainService:shiro过滤器链服务加载接口实现FilterChainBridgeService
java
package com.itheima.shiro.core.bridge;
import com.itheima.shiro.vo.FilterChainVo;
import java.lang.reflect.InvocationTargetException;
import java.util.List;
/**
* @Description 过滤器链service接口层
*/
public interface FilterChainBridgeService {
/**
* @Description 查询所有有效的过滤器链
* @return
*/
List<FilterChainVo> findFilterChainList();
}FilterChainBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.core.bridge.FilterChainBridgeService;
import com.itheima.shiro.face.FilterChainFace;
import com.itheima.shiro.vo.FilterChainVo;
import org.apache.dubbo.config.annotation.Reference;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @Description:
*/
@Component("filterChainBridgeService")
public class FilterChainBridgeServiceImpl implements FilterChainBridgeService {
@Reference(version = "1.0.0")
private FilterChainFace filterChainFace;
@Override
public List<FilterChainVo> findFilterChainList() {
return filterChainFace.findFilterChainList();
}
}ShiroFilerChainService过滤器链同步接口
java
package com.itheima.shiro.service;
import com.itheima.shiro.vo.FilterChainVo;
import javax.annotation.PostConstruct;
import java.util.List;
/**
* @Description:过滤器链同步接口
*/
public interface ShiroFilerChainService {
/**
* @Description 启动时加载数据库中的过滤器链
*/
void init();
/**
* @Description 初始化过滤器链
* @param
* @return
*/
void initFilterChains(List<FilterChainVo> FilterChainVos);
}ShiroFilerChainServiceImpl过滤器链同步接口实现
java
package com.itheima.shiro.service.impl;
import com.itheima.shiro.core.impl.CustomDefaultFilterChainManager;
import com.itheima.shiro.service.ShiroFilerChainService;
import com.itheima.shiro.core.bridge.FilterChainBridgeService;
import com.itheima.shiro.vo.FilterChainVo;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.NamedFilterList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import javax.annotation.PostConstruct;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
/**
* @Description:过滤器链同步接口实现
*/
@Service("shiroFilerChainManager")
@Log4j2
public class ShiroFilerChainServiceImpl implements ShiroFilerChainService {
//此时注入的为CustomDefaultFilterChainManager
@Autowired
private CustomDefaultFilterChainManager filterChainManager;
@Autowired
FilterChainBridgeService filterChainBridgeService;
private Map<String, NamedFilterList> defaultFilterChains;
private ScheduledExecutorService executor = Executors.newScheduledThreadPool(1);
/**
* @Description 启动定时器,间隔2分钟同步数据库的过滤器链
*/
@Override
@PostConstruct
public void init() {
defaultFilterChains = new LinkedHashMap<>();
executor.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
try {
initFilterChains(filterChainBridgeService.findFilterChainList());
} catch (Exception e) {
log.error(e.getMessage(), e);
}
}
}, 0, 120, TimeUnit.SECONDS);
}
@Override
public void initFilterChains(List<FilterChainVo> FilterChainVos) {
//1、首先删除以前老的filter chain并注册默认的
filterChainManager.getFilterChains().clear();
//2、循环URL Filter 注册filter chain
for (FilterChainVo urlFilterVo : FilterChainVos) {
String url = urlFilterVo.getUrl();
String filterName = urlFilterVo.getFilterName();
String[] filterNames = filterName.split(",");
for (String name : filterNames) {
//注册所有filter,包含自定义的过滤器
switch(name){
case "anon":
filterChainManager.addToChain(url, name);
break;
case "authc":
filterChainManager.addToChain(url, name);
break;
case "roles":
filterChainManager.addToChain(url, name, urlFilterVo.getRoles());
break;
case "perms":
filterChainManager.addToChain(url, name,urlFilterVo.getPermissions());
break;
case "role-or":
filterChainManager.addToChain(url, name,urlFilterVo.getRoles());
break;
case "kicked-out":
filterChainManager.addToChain(url, name);
break;
case "jwt-authc":
filterChainManager.addToChain(url, name);
break;
case "jwt-roles":
filterChainManager.addToChain(url, name, urlFilterVo.getRoles());
break;
case "jwt-perms":
filterChainManager.addToChain(url, name,urlFilterVo.getPermissions());
break;
default:
break;
}
}
}
}
}热加载
为了实现热加载需要定义以下3个类
properties
CustomDefaultFilterChainManager:自定义的默认过滤器链管理者
CustomPathMatchingFilterChainResolver:自定义的路径匹配过滤器链解析器
CustomShiroFilterFactoryBean:自定义shiro过滤器工厂beanCustomDefaultFilterChainManager
java
package com.itheima.shiro.core.impl;
import org.apache.shiro.config.Ini;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.Nameable;
import org.apache.shiro.util.StringUtils;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.NamedFilterList;
import org.apache.shiro.web.filter.mgt.SimpleNamedFilterList;
import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
/**
* @Description:自定义默认过滤器管理者
*/
public class CustomDefaultFilterChainManager extends DefaultFilterChainManager {
//登录地址
private String loginUrl;
//登录成功后默认跳转地址
private String successUrl;
//未授权跳转地址
private String unauthorizedUrl;
public CustomDefaultFilterChainManager() {
//构建过滤器
setFilters(new LinkedHashMap<String, Filter>());
//构建过滤器链
setFilterChains(new LinkedHashMap<String, NamedFilterList>());
//构建默认过滤器
addDefaultFilters(true);
}
/**
* @Description 注册我们自定义的过滤器,相当于ShiroFilterFactoryBean的filters属性
* @param customFilters 过滤器
* @return
*/
public void setCustomFilters(Map<String, Filter> customFilters) {
for(Map.Entry<String, Filter> entry : customFilters.entrySet()) {
addFilter(entry.getKey(), entry.getValue(), false);
}
}
/**
* @Description Spring容器启动时调用
*/
@PostConstruct
public void init() {
//配置默认过滤器
Map<String, Filter> filters = getFilters();
//为过滤器链配置全局URL处理属性
for (Filter filter : filters.values()) {
applyGlobalPropertiesIfNecessary(filter);
}
}
/**
* @Description 此时交于spring容器出事化,这里忽略
*/
@Override
protected void initFilter(Filter filter) {
}
private void applyGlobalPropertiesIfNecessary(Filter filter) {
applyLoginUrlIfNecessary(filter);
applySuccessUrlIfNecessary(filter);
applyUnauthorizedUrlIfNecessary(filter);
}
private void applyLoginUrlIfNecessary(Filter filter) {
String loginUrl = getLoginUrl();
if (StringUtils.hasText(loginUrl) && (filter instanceof AccessControlFilter)) {
AccessControlFilter acFilter = (AccessControlFilter) filter;
//only apply the login url if they haven't explicitly configured one already:
String existingLoginUrl = acFilter.getLoginUrl();
if (AccessControlFilter.DEFAULT_LOGIN_URL.equals(existingLoginUrl)) {
acFilter.setLoginUrl(loginUrl);
}
}
}
private void applySuccessUrlIfNecessary(Filter filter) {
String successUrl = getSuccessUrl();
if (StringUtils.hasText(successUrl) && (filter instanceof AuthenticationFilter)) {
AuthenticationFilter authcFilter = (AuthenticationFilter) filter;
//only apply the successUrl if they haven't explicitly configured one already:
String existingSuccessUrl = authcFilter.getSuccessUrl();
if (AuthenticationFilter.DEFAULT_SUCCESS_URL.equals(existingSuccessUrl)) {
authcFilter.setSuccessUrl(successUrl);
}
}
}
private void applyUnauthorizedUrlIfNecessary(Filter filter) {
String unauthorizedUrl = getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) {
AuthorizationFilter authzFilter = (AuthorizationFilter) filter;
//only apply the unauthorizedUrl if they haven't explicitly configured one already:
String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl();
if (existingUnauthorizedUrl == null) {
authzFilter.setUnauthorizedUrl(unauthorizedUrl);
}
}
}
public String getLoginUrl() {
return loginUrl;
}
public void setLoginUrl(String loginUrl) {
this.loginUrl = loginUrl;
}
public String getSuccessUrl() {
return successUrl;
}
public void setSuccessUrl(String successUrl) {
this.successUrl = successUrl;
}
public String getUnauthorizedUrl() {
return unauthorizedUrl;
}
public void setUnauthorizedUrl(String unauthorizedUrl) {
this.unauthorizedUrl = unauthorizedUrl;
}
}CustomDefaultFilterChainManager:主要是把原来对象的创建交于spring容器,同时指定过滤器,然后构建过滤器链
java
package com.itheima.shiro.core.impl;
import org.apache.shiro.config.Ini;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.Nameable;
import org.apache.shiro.util.StringUtils;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.NamedFilterList;
import org.apache.shiro.web.filter.mgt.SimpleNamedFilterList;
import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
/**
* @Description:自定义默认过滤器管理者
*/
public class CustomDefaultFilterChainManager extends DefaultFilterChainManager {
//登录地址
private String loginUrl;
//登录成功后默认跳转地址
private String successUrl;
//未授权跳转地址
private String unauthorizedUrl;
public CustomDefaultFilterChainManager() {
//构建过滤器
setFilters(new LinkedHashMap<String, Filter>());
//构建过滤器链
setFilterChains(new LinkedHashMap<String, NamedFilterList>());
//构建默认过滤器
addDefaultFilters(true);
}
/**
* @Description 注册我们自定义的过滤器,相当于ShiroFilterFactoryBean的filters属性
* @param customFilters 过滤器
* @return
*/
public void setCustomFilters(Map<String, Filter> customFilters) {
for(Map.Entry<String, Filter> entry : customFilters.entrySet()) {
addFilter(entry.getKey(), entry.getValue(), false);
}
}
/**
* @Description Spring容器启动时调用
*/
@PostConstruct
public void init() {
//配置默认过滤器
Map<String, Filter> filters = getFilters();
if (!CollectionUtils.isEmpty(filters)) {
//注册过滤器
for (Map.Entry<String, Filter> entry : filters.entrySet()) {
//过滤器名称
String name = entry.getKey();
//过滤器
Filter filter = entry.getValue();
if (filter instanceof Nameable) {
((Nameable) filter).setName(name);
}
//配置3个URL
applyGlobalPropertiesIfNecessary(filter);
}
}
}
/**
* @Description 此时交于spring容器出事化,这里忽略
*/
@Override
protected void initFilter(Filter filter) {
}
private void applyGlobalPropertiesIfNecessary(Filter filter) {
applyLoginUrlIfNecessary(filter);
applySuccessUrlIfNecessary(filter);
applyUnauthorizedUrlIfNecessary(filter);
}
private void applyLoginUrlIfNecessary(Filter filter) {
String loginUrl = getLoginUrl();
if (StringUtils.hasText(loginUrl) && (filter instanceof AccessControlFilter)) {
AccessControlFilter acFilter = (AccessControlFilter) filter;
//only apply the login url if they haven't explicitly configured one already:
String existingLoginUrl = acFilter.getLoginUrl();
if (AccessControlFilter.DEFAULT_LOGIN_URL.equals(existingLoginUrl)) {
acFilter.setLoginUrl(loginUrl);
}
}
}
private void applySuccessUrlIfNecessary(Filter filter) {
String successUrl = getSuccessUrl();
if (StringUtils.hasText(successUrl) && (filter instanceof AuthenticationFilter)) {
AuthenticationFilter authcFilter = (AuthenticationFilter) filter;
//only apply the successUrl if they haven't explicitly configured one already:
String existingSuccessUrl = authcFilter.getSuccessUrl();
if (AuthenticationFilter.DEFAULT_SUCCESS_URL.equals(existingSuccessUrl)) {
authcFilter.setSuccessUrl(successUrl);
}
}
}
private void applyUnauthorizedUrlIfNecessary(Filter filter) {
String unauthorizedUrl = getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl) && (filter instanceof AuthorizationFilter)) {
AuthorizationFilter authzFilter = (AuthorizationFilter) filter;
//only apply the unauthorizedUrl if they haven't explicitly configured one already:
String existingUnauthorizedUrl = authzFilter.getUnauthorizedUrl();
if (existingUnauthorizedUrl == null) {
authzFilter.setUnauthorizedUrl(unauthorizedUrl);
}
}
}
public String getLoginUrl() {
return loginUrl;
}
public void setLoginUrl(String loginUrl) {
this.loginUrl = loginUrl;
}
public String getSuccessUrl() {
return successUrl;
}
public void setSuccessUrl(String successUrl) {
this.successUrl = successUrl;
}
public String getUnauthorizedUrl() {
return unauthorizedUrl;
}
public void setUnauthorizedUrl(String unauthorizedUrl) {
this.unauthorizedUrl = unauthorizedUrl;
}
}CustomPathMatchingFilterChainResolver
java
package org.apache.shiro.web.filter.mgt;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
public interface FilterChainResolver {
//根据请求获得对应的过滤器链
FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain);
}CustomPathMatchingFilterChainResolver 这里主要核心内容是:指定使用过滤器链管理器为自己定的过滤器管理器
java
package com.itheima.shiro.core.impl;
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.util.ArrayList;
import java.util.List;
public class CustomPathMatchingFilterChainResolver extends PathMatchingFilterChainResolver {
private CustomDefaultFilterChainManager customDefaultFilterChainManager;
public void setCustomDefaultFilterChainManager(CustomDefaultFilterChainManager customDefaultFilterChainManager) {
this.customDefaultFilterChainManager = customDefaultFilterChainManager;
}
public CustomDefaultFilterChainManager getCustomDefaultFilterChainManager() {
return customDefaultFilterChainManager;
}
@Override
public FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {
//指定使用过滤器链管理器为自己定的过滤器管理器
FilterChainManager filterChainManager = getCustomDefaultFilterChainManager();
if (!filterChainManager.hasChains()) {
return null;
}
String requestURI = getPathWithinApplication(request);
List<String> chainNames = new ArrayList<String>();
//the 'chain names' in this implementation are actually path patterns defined by the user. We just use them
//as the chain name for the FilterChainManager's requirements
for (String pathPattern : filterChainManager.getChainNames()) {
// If the path does match, then pass on to the subclass implementation for specific checks:
if (pathMatches(pathPattern, requestURI)) {
return filterChainManager.proxy(originalChain, pathPattern);
}
}
return null;
}
}CustomShiroFilterFactoryBean
java
protected AbstractShiroFilter createInstance() throws Exception {
log.debug("Creating Shiro Filter instance.");
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
String msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
}
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
FilterChainManager manager = createFilterChainManager();
//Expose the constructed FilterChainManager by first wrapping it in a
// FilterChainResolver implementation. The AbstractShiroFilter implementations
// do not know about FilterChainManagers - only resolvers:
PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
//Now create a concrete ShiroFilter instance and apply the acquired SecurityManager and built
//FilterChainResolver. It doesn't matter that the instance is an anonymous inner class
//here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts
//injection of the SecurityManager and FilterChainResolver:
return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}ShiroFilterFactoryBean源码发现PathMatchingFilterChainResolver未暴露set方法
java
package com.itheima.shiro.core.impl;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.mgt.FilterChainManager;
import org.apache.shiro.web.filter.mgt.FilterChainResolver;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.WebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.BeanInitializationException;
/**
* @Description:
*/
public class CustomShiroFilterFactoryBean extends ShiroFilterFactoryBean {
PathMatchingFilterChainResolver chainResolver ;
public void setChainResolver(PathMatchingFilterChainResolver chainResolver) {
this.chainResolver = chainResolver;
}
@Override
protected AbstractShiroFilter createInstance() throws Exception {
SecurityManager securityManager = getSecurityManager();
if (securityManager == null) {
String msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
}
if (!(securityManager instanceof WebSecurityManager)) {
String msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
}
FilterChainManager manager = createFilterChainManager();
chainResolver.setFilterChainManager(manager);
//Now create a concrete ShiroFilter instance and apply the acquired SecurityManager and built
//FilterChainResolver. It doesn't matter that the instance is an anonymous inner class
//here - we're just using it because it is a concrete AbstractShiroFilter instance that accepts
//injection of the SecurityManager and FilterChainResolver:
return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
}
private static final class SpringShiroFilter extends AbstractShiroFilter {
protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
super();
if (webSecurityManager == null) {
throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
}
setSecurityManager(webSecurityManager);
if (resolver != null) {
setFilterChainResolver(resolver);
}
}
}
}ShiroConfig改造
java
package com.itheima.shiro.config;
import com.itheima.shiro.constant.SuperConstant;
import com.itheima.shiro.core.ShiroDbRealm;
import com.itheima.shiro.core.filter.*;
import com.itheima.shiro.core.impl.*;
import lombok.extern.log4j.Log4j2;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.config.Config;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.Map;
/**
* @Description 权限配置类
*/
@Configuration
@ComponentScan(basePackages = {"com.itheima.shiro.core"})
@EnableConfigurationProperties({ShiroRedisProperties.class})
@Log4j2
public class ShiroConfig {
@Autowired
private ShiroRedisProperties shiroRedisProperties;
@Autowired
JwtTokenManager jwtTokenManager;
/**
* @Description redission客户端
*/
@Bean("redissonClientForShiro")
public RedissonClient redissonClient() {
log.info("=====初始化redissonClientForShiro开始======");
String[] nodeList = shiroRedisProperties.getNodes().split(",");
Config config = new Config();
if (nodeList.length == 1) {
config.useSingleServer().setAddress(nodeList[0])
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
} else {
config.useClusterServers().addNodeAddress(nodeList)
.setConnectTimeout(shiroRedisProperties.getConnectTimeout())
.setMasterConnectionMinimumIdleSize(shiroRedisProperties.getConnectionMinimumidleSize())
.setMasterConnectionPoolSize(shiroRedisProperties.getConnectPoolSize()).setTimeout(shiroRedisProperties.getTimeout());
}
RedissonClient redissonClient = Redisson.create(config);
log.info("=====初始化redissonClientForShiro完成======");
return redissonClient;
}
/**
* @Description 创建cookie对象
*/
@Bean(name="sessionIdCookie")
public SimpleCookie simpleCookie(){
SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setName("ShiroSession");
return simpleCookie;
}
/**
* @Description 缓存管理器
* @param
* @return
*/
@Bean(name="shiroCacheManager")
public ShiroCacheManager shiroCacheManager(){
return new ShiroCacheManager(shiroRedisProperties.getGlobalSessionTimeout());
}
/**
* @Description 权限管理器
* @param
* @return
*/
@Bean(name="securityManager")
public DefaultWebSecurityManager defaultWebSecurityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroDbRealm());
securityManager.setSessionManager(shiroSessionManager());
securityManager.setCacheManager(shiroCacheManager());
return securityManager;
}
/**
* @Description 密码比较器
*/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher (){
RetryLimitCredentialsMatcher matcher = new RetryLimitCredentialsMatcher(SuperConstant.HASH_ALGORITHM);
matcher.setHashIterations(SuperConstant.HASH_INTERATIONS);
return matcher;
}
/**
* @Description 自定义RealmImpl
*/
@Bean(name="shiroDbRealm")
public ShiroDbRealm shiroDbRealm(){
ShiroDbRealm shiroDbRealm =new ShiroDbRealmImpl();
shiroDbRealm.setCredentialsMatcher(hashedCredentialsMatcher());
return shiroDbRealm;
}
/**
* @Description 自定义session会话存储的实现类 ,使用Redis来存储共享session,达到分布式部署目的
*/
@Bean("redisSessionDao")
public SessionDAO redisSessionDao(){
RedisSessionDao sessionDAO = new RedisSessionDao();
sessionDAO.setGlobalSessionTimeout(shiroRedisProperties.getGlobalSessionTimeout());
return sessionDAO;
}
/**
* @Description 会话管理器
*/
@Bean(name="sessionManager")
public ShiroSessionManager shiroSessionManager(){
ShiroSessionManager sessionManager = new ShiroSessionManager();
sessionManager.setSessionDAO(redisSessionDao());
sessionManager.setSessionValidationSchedulerEnabled(false);
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(simpleCookie());
sessionManager.setGlobalSessionTimeout(shiroRedisProperties.getGlobalSessionTimeout());
return sessionManager;
}
/**
* @Description 保证实现了Shiro内部lifecycle函数的bean执行
*/
@Bean(name = "lifecycleBeanPostProcessor")
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* @Description AOP式方法级权限检查
*/
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
/**
* @Description 配合DefaultAdvisorAutoProxyCreator事项注解权限校验
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(defaultWebSecurityManager());
return new AuthorizationAttributeSourceAdvisor();
}
/**
* @Description 自定义拦截器定义
*/
private Map<String, Filter> filters() {
Map<String, Filter> map = new HashMap<String, Filter>();
map.put("role-or", new RolesOrAuthorizationFilter());
map.put("kicked-out", new KickedOutAuthorizationFilter(redissonClient(), redisSessionDao(), shiroSessionManager()));
map.put("jwt-authc", new JwtAuthcFilter(jwtTokenManager));
map.put("jwt-perms", new JwtPermsFilter());
map.put("jwt-roles", new JwtRolesFilter());
return map;
}
/**
* @Description Shiro过滤器
*/
@Bean("shiroFilter")
public CustomShiroFilterFactoryBean shiroFilterFactoryBean(){
CustomShiroFilterFactoryBean shiroFilter = new CustomShiroFilterFactoryBean();
shiroFilter.setSecurityManager(defaultWebSecurityManager());
shiroFilter.setChainResolver(filterChainResolver());
return shiroFilter;
}
@Bean
public CustomDefaultFilterChainManager defaultFilterChainManager(){
CustomDefaultFilterChainManager filterChainManager = new CustomDefaultFilterChainManager();
filterChainManager.setLoginUrl("/login");
filterChainManager.setUnauthorizedUrl("/login");
filterChainManager.setCustomFilters(filters());
return filterChainManager;
}
@Bean
CustomPathMatchingFilterChainResolver filterChainResolver(){
CustomPathMatchingFilterChainResolver pathMatchingFilterChainResolver = new CustomPathMatchingFilterChainResolver();
pathMatchingFilterChainResolver.setCustomDefaultFilterChainManager(defaultFilterChainManager());
return pathMatchingFilterChainResolver;
}
}4.4 shiro-client客户端
shiro-client作为jar的依赖,满足以下需求:
1、非侵入式:使用者只需要对jar依赖和做少量的配置,就可以达到统一鉴权的目标 2、可扩展性:用户除使用提供的过滤器外,可以轻松安自己的业务区定义过滤器 3、集中式管理:依赖jar之后,shiro-mgt后台可以同时管控多个平台的权限的认证、鉴权、及动态配置过滤器链
springboot-shiro-framework-client项目向上继承了springboot-shiro-framework-core项目,springboot-shiro-framework-core是主要实现认证、鉴权、过滤器定义、会话统一、realm缓存的核心项目。 springboot-shiro-framework-client项目以jar的方式被需要做权限控制的gateway项目所依赖,再由gateway通过对springboot-shiro-producer的dubbo消费,以达到统一认证、鉴权
springboot-shiro-framework-client模块实现了springboot-shiro-framework-core接口的3个类:
properties
UserBridgeServiceImpl:提供用户基本资源操作的业务实现
FilterChainBridgeServiceImpl:提供过滤器链接口的查询
ResourceBridgeServiceImpl:提供资源查询UserBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.constant.CacheConstant;
import com.itheima.shiro.core.SimpleCacheManager;
import com.itheima.shiro.core.base.ShiroUser;
import com.itheima.shiro.core.base.SimpleMapCache;
import com.itheima.shiro.core.base.SimpleToken;
import com.itheima.shiro.core.bridge.UserBridgeService;
import com.itheima.shiro.face.UserAdapterFace;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.utils.ShiroUserUtil;
import com.itheima.shiro.vo.ResourceVo;
import com.itheima.shiro.vo.RoleVo;
import com.itheima.shiro.vo.UserVo;
import lombok.extern.slf4j.Slf4j;
import org.apache.dubbo.config.annotation.Reference;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.util.ByteSource;
import org.redisson.api.RBucket;
import org.redisson.api.RedissonClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
/**
* @Description 权限桥接器
*/
@Slf4j
@Component("userBridgeService")
public class UserBridgeServiceImpl implements UserBridgeService {
@Reference(version = "1.0.0")
private UserAdapterFace userAdapterFace;
@Autowired
private SimpleCacheManager simpleCacheManager;
@javax.annotation.Resource(name = "redissonClientForShiro")
private RedissonClient redissonClient;
public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken,String realmName) {
SimpleToken token = (SimpleToken)authcToken;
UserVo user = this.findUserByLoginName(token.getUsername());
if(EmptyUtil.isNullOrEmpty(user)){
throw new UnknownAccountException("账号不存在");
}
ShiroUser shiroUser = BeanConv.toBean(user, ShiroUser.class);
String sessionId = ShiroUserUtil.getShiroSessionId();
String cacheKeyResourcesIds = CacheConstant.RESOURCES_KEY_IDS+sessionId;
shiroUser.setResourceIds(this.findResourcesIdsList(cacheKeyResourcesIds,user.getId()));
String salt = user.getSalt();
String password = user.getPassWord();
return new SimpleAuthenticationInfo(shiroUser, password, ByteSource.Util.bytes(salt), realmName);
}
@Override
public SimpleAuthorizationInfo getAuthorizationInfo(ShiroUser shiroUser) {
UserVo user = BeanConv.toBean(shiroUser, UserVo.class);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
String sessionId = ShiroUserUtil.getShiroSessionId();
//查询用户拥有的角色
String cacheKeyRole = CacheConstant.ROLE_KEY + sessionId;
info.addRoles(this.findRoleList(cacheKeyRole, user.getId()));
//查询用户拥有的资源
String cacheKeyResources = CacheConstant.RESOURCES_KEY + sessionId;
info.addStringPermissions(this.findResourcesList(cacheKeyResources, user.getId()));
return info;
}
@Override
public List<String> findRoleList(String cacheKeyRole, String userId) {
List<RoleVo> roles = new ArrayList<RoleVo>();
if (simpleCacheManager.getCache(cacheKeyRole) != null) {
roles = (List<RoleVo>) simpleCacheManager.getCache(cacheKeyRole).get(cacheKeyRole);
} else {
roles = userAdapterFace.findRoleByUserId(userId);
if (roles.size() > 0) {
//用户角色存放到map
Map<Object, Object> mapRole = new HashMap<Object, Object>();
mapRole.put(cacheKeyRole, roles);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheRole = new SimpleMapCache(cacheKeyRole, mapRole);
simpleCacheManager.createCache(cacheKeyRole, cacheRole);
}
}
List<String> rolesLabel = new ArrayList<String>();
for (RoleVo role : roles) {
rolesLabel.add(role.getLabel());
}
return rolesLabel;
}
@Override
public List<String> findResourcesList(String cacheKeyResources,String userId) {
List<ResourceVo> resourcesList = new ArrayList<ResourceVo>();
if (simpleCacheManager.getCache(cacheKeyResources) != null) {
resourcesList = (List<ResourceVo>) simpleCacheManager.getCache(cacheKeyResources).get(cacheKeyResources);
} else {
resourcesList = userAdapterFace.findResourceByUserId(userId);
if (resourcesList.size() > 0) {
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
List<String> resourcesLabel = new ArrayList<String>();
for (ResourceVo resources : resourcesList) {
resourcesLabel.add(resources.getLabel());
}
return resourcesLabel;
}
@Override
public UserVo findUserByLoginName(String loginName) {
String key = CacheConstant.FIND_USER_BY_LOGINNAME+loginName;
RBucket<UserVo> rBucket = redissonClient.getBucket(key);
UserVo user = rBucket.get();
if (!EmptyUtil.isNullOrEmpty(user)) {
return user;
}else {
user = userAdapterFace.findUserByLoginName(loginName);
if (!EmptyUtil.isNullOrEmpty(user)) {
rBucket.set(user, 300, TimeUnit.SECONDS);
return user;
}
}
rBucket.set(new UserVo(), 3, TimeUnit.SECONDS);
return null;
}
@Override
public List<String> findResourcesIdsList(String cacheKeyResources,String userId) {
List<ResourceVo> resourcesList = new ArrayList<ResourceVo>();
if (simpleCacheManager.getCache(cacheKeyResources) != null) {
resourcesList = (List<ResourceVo>) simpleCacheManager.getCache(cacheKeyResources).get(cacheKeyResources);
} else {
resourcesList = userAdapterFace.findResourceByUserId(userId);
if (resourcesList.size() > 0) {
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
List<String> resourcesLabel = new ArrayList<String>();
for (ResourceVo resources : resourcesList) {
resourcesLabel.add(resources.getId());
}
return resourcesLabel;
}
@Override
public void loadUserAuthorityToCache(ShiroUser user) {
String sessionId = user.getSessionId();
List<RoleVo> roles = userAdapterFace.findRoleByUserId(user.getId());
//创建角色cachaeKey
String cacheKeyRole = CacheConstant.ROLE_KEY + sessionId;
//用户角色存放到map
Map<Object, Object> mapRole = new HashMap<Object, Object>();
mapRole.put(cacheKeyRole, roles);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheRole = new SimpleMapCache(cacheKeyRole, mapRole);
simpleCacheManager.createCache(cacheKeyRole, cacheRole);
List<ResourceVo> resourcesList = userAdapterFace.findResourceByUserId(user.getId());
if (resourcesList.size() > 0) {
//创建资源cachaeKey
String cacheKeyResources = CacheConstant.RESOURCES_KEY + sessionId;
//用户资源存放到map
Map<Object, Object> mapResource = new HashMap<Object, Object>();
mapResource.put(cacheKeyResources, resourcesList);
//新建SimpleMapCache实例并放入缓存管理器
SimpleMapCache cacheResource = new SimpleMapCache(cacheKeyResources, mapResource);
simpleCacheManager.createCache(cacheKeyResources, cacheResource);
}
}
}FilterChainBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.core.bridge.FilterChainBridgeService;
import com.itheima.shiro.face.FilterChainFace;
import com.itheima.shiro.vo.FilterChainVo;
import org.apache.dubbo.config.annotation.Reference;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @Description:过滤器链查询
*/
@Component("filterChainBridgeService")
public class FilterChainBridgeServiceImpl implements FilterChainBridgeService {
@Reference(version = "1.0.0")
private FilterChainFace filterChainFace;
@Override
public List<FilterChainVo> findFilterChainList() {
return filterChainFace.findFilterChainList();
}
}ResourceBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.core.bridge.ResourceBridgeService;
import com.itheima.shiro.face.ResourceAdapterFace;
import com.itheima.shiro.vo.ResourceVo;
import org.apache.dubbo.config.annotation.Reference;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @Description:查询资源
*/
@Component("resourceBridgeService")
public class ResourceBridgeServiceImpl implements ResourceBridgeService {
@Value("${itheima.resource.systemcode}")
private String systemCode;
@Reference(version = "1.0.0")
ResourceAdapterFace resourceAdapterFace;
@Override
public List<ResourceVo> findValidResourceVoAll(String systemCode) {
return resourceAdapterFace.findValidResourceVoAll(systemCode);
}
}4.5 shiro-gateway网关
1、依赖springboot-shiro-framework-client实现认证、鉴权、过滤器定义、会话统一、realm缓存等功能 2、springboot-shiro-mgt管理后台持久化网关资源 3、springboot-shiro-handler实现网关资源查询服务化 4、gateway-service依据持久化的网关资源,动态创建消费端服务
网关资源持久化
这里在原有资源的基础上,增加的网关资源的管理: 1、定义网关systemcode,用以区分不同网关系统 2、定义访问的路径 3、定义资源的唯一标识,作为权限控制的标识 4、定义业务端dubbo服务端接口、目标方法、传入阐述、轮训算法、超时时间、重试次数等参数,这些内容会在gateway-service项目中解析
网关资源服务化
这里在原有资源的基础上,增加的网关资源的管理:
1、定义网关systemcode,用以区分不同网关系统 2、定义访问的路径 3、定义资源的唯一标识,作为权限控制的标识 4、定义业务端dubbo服务端接口、目标方法、传入阐述、轮训算法、超时时间、重试次数等参数,这些内容会在gateway-service项目中解析
porperties
ResourceAdapterFace:网关资源服务接口
ResourceAdapterFaceImpl:网关资源服务接口实现
ResourceBridgeService:网关资源桥接器接口
ResourceBridgeServiceImpl:网关资源桥接器接口实现ResourceAdapterFace
java
package com.itheima.shiro.face;
import com.itheima.shiro.vo.ResourceVo;
import java.util.List;
/**
* @Description:网关资源服务接口
*/
public interface ResourceAdapterFace {
/**
* @Description 获得当前系统是由有效的dubbo的资源
*/
List<ResourceVo> findValidResourceVoAll(String systemCode);
}ResourceAdapterFaceImpl
java
package com.itheima.shiro.faceImpl;
import com.itheima.shiro.face.ResourceAdapterFace;
import com.itheima.shiro.pojo.Resource;
import com.itheima.shiro.service.ResourceService;
import com.itheima.shiro.utils.BeanConv;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.vo.ResourceVo;
import org.apache.dubbo.config.annotation.Service;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.List;
/**
* @Description:网关资源服务接口实现
*/
@Service(version = "1.0.0", retries = 3,timeout = 5000)
public class ResourceAdapterFaceImpl implements ResourceAdapterFace {
@Autowired
ResourceService resourceService;
@Override
public List<ResourceVo> findValidResourceVoAll(String systemCode) {
List<Resource> resourceList = resourceService.findValidResourceVoAll(systemCode);
if (!EmptyUtil.isNullOrEmpty(resourceList)){
return BeanConv.toBeanList(resourceList, ResourceVo.class);
}
return null;
}
}ResourceBridgeService
java
package com.itheima.shiro.core.bridge;
import com.itheima.shiro.vo.ResourceVo;
import java.util.List;
/**
* @Description:网关资源桥接器接口
*/
public interface ResourceBridgeService {
/**
* @Description 查询当前系统所有有效的DUBBO类型的服务
* @param systemCode 系统编号:与mgt添加系统编号相同
* @return
*/
public List<ResourceVo> findValidResourceVoAll(String systemCode);
}ResourceBridgeServiceImpl
java
package com.itheima.shiro.client;
import com.itheima.shiro.core.bridge.ResourceBridgeService;
import com.itheima.shiro.face.ResourceAdapterFace;
import com.itheima.shiro.vo.ResourceVo;
import org.apache.dubbo.config.annotation.Reference;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* @Description:网关资源桥接器接口实现
*/
@Component("resourceBridgeService")
public class ResourceBridgeServiceImpl implements ResourceBridgeService {
@Value("${itheima.resource.systemcode}")
private String systemCode;
@Reference(version = "1.0.0")
ResourceAdapterFace resourceAdapterFace;
@Override
public List<ResourceVo> findValidResourceVoAll(String systemCode) {
return resourceAdapterFace.findValidResourceVoAll(systemCode);
}
}动态消费端
properties
CacheWare:缓存仓库
CacheWareService:缓存仓库服务接口
CacheWareServiceImpl:缓存仓库服务接口实现
CacheWareSyncService:缓存仓库同步服务接口
CacheWareSyncServiceImpl:缓存仓库同步服务接口实现
LoginAction:登录相应接口
GateWayController:相应层的统一入口CacheWareService
其主要负责: 1、缓存的清除 2、向map容器中创建缓存 3、获得缓存仓库执行对象
java
package com.itheima.shiro.cache;
import com.google.common.collect.Multimap;
import com.itheima.shiro.pojo.CacheWare;
/**
* @Description:缓存仓库服务
*/
public interface CacheWareService {
/**
* @Description 清除缓存
*/
void clearCacheWare();
/**
* @Description 向map容器中创建缓存
* @param CacheWareMap
*/
void createCacheWare(Multimap<String, CacheWare> CacheWareMap);
/**
* @Description 获得缓存仓库执行对象
* @param serviceName 服务名
* @param methodName 方法名
* @return {@link CacheWare}
*
*/
CacheWare queryCacheWare(String serviceName, String methodName);
}CacheWareServiceImpl
java
package com.itheima.shiro.cache.impl;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.Multimap;
import com.itheima.shiro.cache.CacheWareService;
import com.itheima.shiro.pojo.CacheWare;
import com.itheima.shiro.utils.EmptyUtil;
import org.springframework.stereotype.Service;
import java.util.Collection;
import java.util.concurrent.locks.ReentrantLock;
/**
* @Description:
*/
@Service("cacheWareService")
public class CacheWareServiceImpl implements CacheWareService {
private Multimap<String, CacheWare> cacheWareMaps = ArrayListMultimap.create();
/**
* 数据锁
*/
private static ReentrantLock reentrantLock = new ReentrantLock();
@Override
public void clearCacheWare() {
try {
reentrantLock.lock();
cacheWareMaps.clear();
} finally {
reentrantLock.unlock();
}
}
@Override
public void createCacheWare(Multimap<String, CacheWare> CacheWareMap) {
try {
reentrantLock.lock();
this.cacheWareMaps = CacheWareMap;
} finally {
reentrantLock.unlock();
}
}
@Override
public CacheWare queryCacheWare(String serviceName, String methodName) {
if (EmptyUtil.isNullOrEmpty(serviceName) || EmptyUtil.isNullOrEmpty(serviceName)) {
return null;
}
StringBuffer serviceNameStringBuffer = new StringBuffer(serviceName);
StringBuffer methodNameStringBuffer = new StringBuffer(methodName);
String key = serviceNameStringBuffer.append(":").append(methodName).toString();
Collection<CacheWare> cacheWares = cacheWareMaps.get(key);
return EmptyUtil.isNullOrEmpty(cacheWares) ? null : cacheWares.iterator().next();
}
}CacheWareSyncService
其主要职责: 1、启动时、调用CacheWareService的创建缓存方法初始化缓存仓库 2、同步缓存仓库 3、网关资源转化缓存仓库可执行对象 4、从dubbo中,初始化代理对象 注意:为了在多个网关系统下,接口转换的无干扰,读取的只是本网关所对应的资源
java
package com.itheima.shiro.cache;
import com.itheima.shiro.pojo.CacheWare;
import com.itheima.shiro.vo.ResourceVo;
/**
* @Description:缓存仓库同步刷新
*/
public interface CacheWareSyncService {
/**
* @Description 初始化缓存仓库
*/
void initCacheWare();
/**
* @Description 同步缓存仓库
*/
void refreshCacheWare();
/**
* @Description 资源转换缓存仓库对象
*/
CacheWare resourceConvCacheWare(ResourceVo resource);
/**
* @Description 初始化代理对象
* @param interfaceClass 接口
* @param loadbalance 算法
* @param version 版本
* @param timeout 超时时间
* @param retries 重试次数
*/
Object initProxy(Class<?> interfaceClass,
String loadbalance,
String version,
Integer timeout,
Integer retries);
/**
* @Description 回收资源
*/
void destoryCacheWare();
}CacheWareSyncServiceImpl
java
package com.itheima.shiro.cache.impl;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.Multimap;
import com.itheima.shiro.cache.CacheWareService;
import com.itheima.shiro.cache.CacheWareSyncService;
import com.itheima.shiro.core.bridge.ResourceBridgeService;
import com.itheima.shiro.face.ResourceAdapterFace;
import com.itheima.shiro.pojo.CacheWare;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.vo.ResourceVo;
import lombok.extern.log4j.Log4j2;
import org.apache.dubbo.config.ApplicationConfig;
import org.apache.dubbo.config.ReferenceConfig;
import org.apache.dubbo.config.RegistryConfig;
import org.apache.dubbo.config.annotation.Reference;
import org.apache.dubbo.config.utils.ReferenceConfigCache;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.util.CollectionUtils;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import java.lang.reflect.Method;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
/**
* @Description:
*/
@Service("cacheWareSyncService")
@Log4j2
public class CacheWareSyncServiceImpl implements CacheWareSyncService {
@Value("${itheima.resource.systemcode}")
private String systemCode;
@Autowired
ResourceBridgeService resourceBridgeService;
@Autowired
CacheWareService cacheWareService;
@Autowired
private ApplicationConfig applicationConfig;
@Autowired
private RegistryConfig registryConfig;
private ScheduledExecutorService executor = Executors.newScheduledThreadPool(1);
@Override
@PostConstruct
public void initCacheWare() {
executor.scheduleAtFixedRate(new Runnable() {
@Override
public void run() {
try {
refreshCacheWare();
} catch (Exception e) {
log.error(e.getMessage(), e);
}
}
}, 0, 2, TimeUnit.MINUTES);
}
@Override
public void refreshCacheWare() {
List<ResourceVo> resources = resourceBridgeService.findValidResourceVoAll(systemCode);
//如果当前系统没有资源,则清空
if (CollectionUtils.isEmpty(resources)) {
log.warn("No apis can be used.");
cacheWareService.clearCacheWare();
return;
}
//构建执行集合
Multimap<String, CacheWare> cacheWareMaps = ArrayListMultimap.create();
for (ResourceVo resource : resources) {
if (EmptyUtil.isNullOrEmpty(resource.getServiceName())
||EmptyUtil.isNullOrEmpty(resource.getMethodName())){
log.warn("{} not found serviceName or methodName",resources.toString());
continue;
}
CacheWare cacheWare = resourceConvCacheWare(resource);
if (!EmptyUtil.isNullOrEmpty(cacheWare)){
cacheWareMaps.put(cacheWare.getServiceName()+":"+cacheWare.getMethodName(), cacheWare);
}
}
cacheWareService.createCacheWare(cacheWareMaps);
}
@Override
public CacheWare resourceConvCacheWare(ResourceVo resource) {
//获得类型
Class<?> serviceClass = null;
try {
serviceClass = Class.forName(resource.getServiceName());
} catch (ClassNotFoundException e) {
log.error("容器中未发现:{}接口类",resource.getServiceName());
return null;
}
String serviceName = resource.getServiceName().substring(resource.getServiceName().lastIndexOf(".")+1).toLowerCase();
Method[] methods = serviceClass.getDeclaredMethods();
Method methodTarget = null;
//获得方法
for (Method method : methods) {
if (method.getName().equals(resource.getMethodName())) {
methodTarget = method;
break;
}
}
// 未在接口类中找到方法
if (methodTarget == null) {
log.warn("{} not found in {}", resource.getMethodName(), resource.getServiceName());
return null;
}
//获得方法上的参数
Class<?>[] methodParamsClasss = methodTarget.getParameterTypes();
Class<?> methodParamClasssTarget = null;
for (Class<?> methodParamsClass : methodParamsClasss) {
if (methodParamsClass.getName().equals(resource.getMethodParam())) {
methodParamClasssTarget = methodParamsClass;
break;
}
}
//初始化代理类
Object proxy = initProxy(serviceClass, resource.getLoadbalance(), resource.getDubboVersion(), resource.getTimeout(), resource.getRetries());
if (proxy == null) {
log.warn("{} not found in proxy", resource.getServiceName());
return null;
}
//构建CacheWare对象
CacheWare cacheWare = CacheWare.builder()
.serviceName(serviceName)
.methodName(resource.getMethodName())
.method(methodTarget)
.methodParamsClass(methodParamClasssTarget)
.proxy(proxy)
.build();
return cacheWare;
}
@Override
public Object initProxy(Class<?> interfaceClass,
String loadbalance,
String version,
Integer timeout,
Integer retries) {
ReferenceConfig<Object> reference = new ReferenceConfig<Object>();
reference.setApplication(applicationConfig);
reference.setRegistry(registryConfig);
reference.setLoadbalance(EmptyUtil.isNullOrEmpty(loadbalance)?"random":loadbalance);
reference.setInterface(interfaceClass);
reference.setVersion(version);
reference.setTimeout(EmptyUtil.isNullOrEmpty(timeout)?20000:timeout);
reference.setCheck(false);
reference.setRetries(EmptyUtil.isNullOrEmpty(retries)?0:retries);
ReferenceConfigCache cache = ReferenceConfigCache.getCache();
return cache.get(reference);
}
@Override
@PreDestroy
public void destoryCacheWare() {
executor.shutdownNow();
}
}网关资源解析
其主要负责: 1、传入参数处理 2、获得可执行缓存仓库 3、执行远程服务 4、处理返回结果
java
package com.itheima.shiro.web;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.itheima.shiro.base.BaseRequest;
import com.itheima.shiro.cache.CacheWareService;
import com.itheima.shiro.constant.GateWayConstant;
import com.itheima.shiro.pojo.CacheWare;
import com.itheima.shiro.response.MultiResponse;
import com.itheima.shiro.response.PageResponse;
import com.itheima.shiro.response.SingleResponse;
import com.itheima.shiro.utils.EmptyUtil;
import com.itheima.shiro.view.JsonResult;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.websocket.server.PathParam;
import java.lang.reflect.Method;
/**
* @Description:网关统一入口
*/
@Controller
@Log4j2
public class GateWayController {
@Autowired
CacheWareService cacheWareService;
@RequestMapping(value = "{serviceName}/{methodName}", method = RequestMethod.POST)
@ResponseBody
public JsonResult postGateWay(@PathVariable("serviceName") String serviceName,
@PathVariable("methodName") String methodName,
@RequestBody BaseRequest baseRequest) throws Exception {
Object datas = baseRequest.getDatas();
JsonResult jsonResult = null;
if (EmptyUtil.isNullOrEmpty(serviceName)||EmptyUtil.isNullOrEmpty(methodName)){
jsonResult = JsonResult.builder()
.result(GateWayConstant.FAIL)
.msg("参数缺失")
.code(GateWayConstant.PARAMETERS_MISSING)
.build();
return jsonResult;
}
//1、传入参数处理
JSONObject datasJson = null;
if (!EmptyUtil.isNullOrEmpty(datas)){
datasJson = JSONObject.parseObject(JSONObject.toJSONString(datas));
}
//2、获得可执行缓存仓库可执行对象
CacheWare cacheWare = cacheWareService.queryCacheWare(serviceName, methodName);
if (EmptyUtil.isNullOrEmpty(serviceName)||EmptyUtil.isNullOrEmpty(methodName)){
jsonResult = JsonResult.builder()
.result(GateWayConstant.FAIL)
.msg("请求链接异常")
.code(GateWayConstant.URL_MISSING)
.build();
return jsonResult;
}
//3、执行远程服务
Object proxy = cacheWare.getProxy();
Method method = cacheWare.getMethod();
Class<?> methodParamsClass = cacheWare.getMethodParamsClass();
Object result;
if (EmptyUtil.isNullOrEmpty(methodParamsClass)){
result = method.invoke(proxy);
}else {
Object arguments = JSONObject.toJavaObject(datasJson, methodParamsClass);
result = method.invoke(proxy,arguments);
}
//4、处理返回结果
return convResult(result);
}
/**
* @Description 处理请求结果
*/
private JsonResult convResult(Object result) {
JsonResult jsonResult = JsonResult.builder()
.result(GateWayConstant.SUCCEED)
.msg("相应正常")
.code(GateWayConstant.SUCCEED_CODE)
.build();
if (EmptyUtil.isNullOrEmpty(result)) {
jsonResult = JsonResult.builder()
.result(GateWayConstant.FAIL)
.msg("返回结果为空")
.code(GateWayConstant.RESULT_ISNULLOREMPTY)
.build();
return jsonResult;
}
if (result instanceof SingleResponse) {
BeanUtils.copyProperties(result, jsonResult);
@SuppressWarnings("rawtypes")
SingleResponse singleResponse = (SingleResponse) result;
jsonResult.setDatas(singleResponse.getValue());
} else if (result instanceof MultiResponse) {
BeanUtils.copyProperties(result, jsonResult);
@SuppressWarnings("rawtypes")
MultiResponse multiResponse = (MultiResponse) result;
jsonResult.setDatas(multiResponse.getValues());
} else if (result instanceof PageResponse) {
BeanUtils.copyProperties(result, jsonResult);
PageResponse pageResponse = (PageResponse)result;
jsonResult.setDatas( pageResponse.getValues());
} else {
jsonResult = JsonResult.builder()
.result(GateWayConstant.FAIL)
.msg("返回结果格式不正确")
.code(GateWayConstant.RESULT_MISSING)
.build();
return jsonResult;
}
return jsonResult;
}
}4.6 shiro-mgt管理平台
shiro-mgt管理平台也是依赖springboot-shiro-framework-client项目实现权限的校验,而他本身主要是负责对角色、资源、用户、过滤器链的CRUD,来实现各个网关平台的权限控制。
1、定义了网关systemcode,用以区分不同网关、系统 2、定义了访问的路径 3、定义了资源的唯一标识,作为过滤器过滤的标记 4、定义dubbo服务端接口的解析、同时为每个服务定义:轮训算法、超时时间、重试次数等参数,这些参数会在shiro-gateway中解析