Shiro (Shiro + JWT + SpringBoot application)


Contents
Shiro (Shiro + JWT + SpringBoot application)
1. Introduction to Shiro
2. Shiro + JWT + SpringBoot
1. Import dependencies
2. Configure JWT
3. Configure Shiro
4. Implement JWTToken
5. Implement Realm
6. Override the Filter
7. ShiroConfig
8. Login
9. @RequiresPermissions
1. Introduction to Shiro
Apache Shiro is a powerful and easy-to-use Java security framework. It performs authentication, authorization, cryptography and session management, and can be used to secure any kind of application, from command-line and mobile applications to web and enterprise applications.

Authentication: identity verification / login, checking that a user really has the identity they claim;
Authorization: permission checking, verifying whether an already authenticated user holds a given permission, i.e. whether the user is allowed to do something; commonly, checking whether a user has a given role, or, at finer granularity, whether the user has a given permission on a given resource;
Cryptography: protecting sensitive data, for example storing passwords in the database in encrypted (hashed) form rather than as plain text;
Session Management: once a user has logged in, that is one session; until the user logs out, all of the user's information lives in that session;
Web Integration: integration with web systems
Integrations: integration with other applications, such as Spring and caching frameworks
Looking at it from the application's point of view, this is how Shiro gets its work done:

Subject: the principal, representing the current "user". This user is not necessarily a person; anything that interacts with the application is a Subject, such as a web crawler or a robot, so it is an abstract concept. Every Subject is bound to a SecurityManager, and all interaction with a Subject is delegated to the SecurityManager. The Subject can be thought of as a facade; the SecurityManager is the one that actually does the work.

SecurityManager: the security manager. Every security-related operation goes through the SecurityManager, and it manages all Subjects. It is the core of Shiro and is responsible for interacting with the other components introduced below; if you have learned SpringMVC, you can think of it as the DispatcherServlet front controller.

Realm: Shiro obtains its security data (users, roles, permissions) from a Realm. That is, when the SecurityManager needs to authenticate a user, it has to fetch the corresponding user from the Realm and compare in order to decide whether the identity is valid; it also needs the user's roles/permissions from the Realm to decide whether the user may perform an operation. The Realm can be thought of as a DataSource, i.e. the security data source.

In other words, for us the simplest Shiro application is:

1. Application code authenticates and authorizes through the Subject, and the Subject delegates to the SecurityManager;

2. We inject a Realm into Shiro's SecurityManager so that the SecurityManager can obtain the valid users and their permissions on which it bases its decisions.

2. Shiro + JWT + SpringBoot
1. Import dependencies

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.1</version>
</dependency>

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.8.2</version>
</dependency>

2. Configure JWT
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;

import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

@Slf4j
public class JWTUtil {

    /**
     * Check whether the token is valid
     *
     * @param token    the token
     * @param username the username the token must carry
     * @param secret   the user's password, used as the HMAC key
     * @return whether the token is valid
     */
    public static boolean verify(String token, String username, String secret) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(secret);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withClaim("username", username)
                    .build();
            verifier.verify(token);
            return true;
        } catch (Exception e) {
            log.info("token is invalid: {}", e.getMessage());
            return false;
        }
    }

    public static String getUsername(HttpServletRequest request) {
        // read the token from the request header
        String token = request.getHeader("Authorization");
        // UofferUtil is the project's own helper that encrypts/decrypts the token string
        return getUsername(UofferUtil.decryptToken(token));
    }

    /**
     * Get the username from the token
     * (JWT.decode only parses the token; it does not check the signature)
     *
     * @return the username contained in the token
     */
    public static String getUsername(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("username").asString();
        } catch (JWTDecodeException e) {
            log.error("error: {}", e.getMessage());
            return null;
        }
    }

    public static Integer getUserId(HttpServletRequest request) {
        // read the token from the request header
        String token = request.getHeader("Authorization");
        return getUserId(UofferUtil.decryptToken(token));
    }

    /**
     * Get the user ID from the token
     *
     * @return the ID contained in the token
     */
    public static Integer getUserId(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return Integer.valueOf(jwt.getSubject());
        } catch (JWTDecodeException | NumberFormatException e) {
            // a non-numeric subject would otherwise escape as an unchecked exception
            log.error("error: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Generate a token
     *
     * @param username the username
     * @param secret   the user's password, used as the HMAC key
     * @param userId   the user ID, stored as the JWT subject
     * @return the signed token
     */
    public static String sign(String username, String secret, Integer userId) {
        try {
            Map<String, Object> map = new HashMap<>();
            map.put("alg", "HS256");
            map.put("typ", "JWT");
            username = StringUtils.lowerCase(username);
            Algorithm algorithm = Algorithm.HMAC256(secret);
            return JWT.create()
                    .withHeader(map)
                    .withClaim("username", username)
                    .withSubject(String.valueOf(userId))
                    .withIssuedAt(new Date())
                    // .withExpiresAt(date)
                    .sign(algorithm);
        } catch (Exception e) {
            log.error("error:", e);
            return null;
        }
    }
}
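As an added example (not code from the original post), this shows the sign/verify round trip with the same java-jwt calls JWTUtil uses, adds the withExpiresAt claim the post leaves commented out, and shows which conditions make verification fail: a different username claim, a different secret, a modified payload, and expiry. The secret and user values are constructed placeholders.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Date;

public class JwtRoundTrip {

    // Issue a token the way JWTUtil.sign does, plus the expiration claim the post comments out.
    static String issue(String username, Integer userId, String secret, long ttlMillis) {
        Date now = new Date();
        return JWT.create()
                .withClaim("username", username)
                .withSubject(String.valueOf(userId))
                .withIssuedAt(now)
                .withExpiresAt(new Date(now.getTime() + ttlMillis))
                .sign(Algorithm.HMAC256(secret));
    }

    // Signature, username claim and expiry are all checked by verify(); every failure is one exception type.
    static boolean verify(String token, String username, String secret) {
        try {
            JWT.require(Algorithm.HMAC256(secret)).withClaim("username", username).build().verify(token);
            return true;
        } catch (JWTVerificationException e) { // covers decode, signature, claim and expiry failures
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        String secret = "constructed-demo-secret"; // placeholder; in the post this is the user's password hash
        String token = issue("alice", 42, secret, 2000); // two-second lifetime

        // JWT.decode, as used by JWTUtil.getUsername/getUserId, only parses: it does not check the signature.
        DecodedJWT decoded = JWT.decode(token);
        System.out.println("parsed subject=" + decoded.getSubject() + " username=" + decoded.getClaim("username").asString());

        System.out.println("correct user and secret: " + verify(token, "alice", secret));
        System.out.println("username claim mismatch: " + verify(token, "bob", secret));
        System.out.println("different secret:        " + verify(token, "alice", "another-secret"));

        // Change one character of the payload segment: the signature no longer matches the content.
        String[] parts = token.split("\\.");
        parts[1] = (parts[1].charAt(0) == 'A' ? 'B' : 'A') + parts[1].substring(1);
        System.out.println("modified payload:        " + verify(String.join(".", parts), "alice", secret));

        Thread.sleep(2500);
        System.out.println("after expiry:            " + verify(token, "alice", secret));
    }
}
```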
3. Configure Shiro
4. Implement JWTToken
The token itself already carries the username and the other user information.

import lombok.Data;
import org.apache.shiro.authc.AuthenticationToken;

@Data
public class JWTToken implements AuthenticationToken {

    private static final long serialVersionUID = 1282057025599826155L;
    private String token;
    private String expireAt;

    public JWTToken(String token) {
        this.token = token;
    }

    public JWTToken(String token, String expireAt) {
        this.token = token;
        this.expireAt = expireAt;
    }

    // the token string serves as both the principal and the credentials
    @Override
    public Object getPrincipal() {
        return token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }
}
5. Implement Realm
A custom ShiroRealm implementation, containing the two main modules: authentication and authorization.

import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import java.util.Set;

public class ShiroRealm extends AuthorizingRealm {

    @Resource
    private RedisUtil redisUtil;
    @Autowired
    private ISysUserService userService;
    @Autowired
    private ISysRoleService roleService;
    @Autowired
    private ISysMenuService menuService;

    // This method must be overridden, otherwise Shiro reports an error
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JWTToken;
    }

    /**
     * Called only when the user's permissions need to be checked.
     * Authorization module: fetch the user's roles and permissions.
     *
     * @param principals the principals; the primary one is the token string
     * @return AuthorizationInfo the permission information
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Integer userId = JWTUtil.getUserId(principals.getPrimaryPrincipal().toString());
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        // fetch the user's roles
        Set<String> roleSet = roleService.selectRolePermissionByUserId(userId);
        simpleAuthorizationInfo.setRoles(roleSet);
        // fetch the user's permissions
        Set<String> permissionSet = menuService.findUserPermissionsByUserId(userId);
        simpleAuthorizationInfo.setStringPermissions(permissionSet);
        return simpleAuthorizationInfo;
    }

    /**
     * User authentication: the Shiro decision logic that authenticates the user
     *
     * @param authenticationToken the authentication token
     * @return AuthenticationInfo the authentication information
     * @throws AuthenticationException on any authentication failure
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // The token here is passed in from JWTFilter.executeLogin and has already been decrypted
        String token = (String) authenticationToken.getCredentials();
        String encryptToken = UofferUtil.encryptToken(token); // re-encrypt the token to build the Redis key
        String username = JWTUtil.getUsername(token);       // username from the token
        Integer userId = JWTUtil.getUserId(token);          // userId from the token
        // Check through Redis whether the token has expired
        HttpServletRequest request = HttpContextUtil.getHttpServletRequest();
        String ip = IPUtil.getIpAddr(request);
        String encryptTokenInRedis = redisUtil.get(Constant.RM_TOKEN_CACHE + encryptToken + StringPool.UNDERSCORE + ip);
        // Not found in Redis means the token is no longer valid; check this before trying to decrypt it
        if (StringUtils.isBlank(encryptTokenInRedis)) {
            throw new AuthenticationException("token已经过期");
        }
        if (!token.equalsIgnoreCase(UofferUtil.decryptToken(encryptTokenInRedis))) {
            throw new AuthenticationException("token已经过期");
        }
        if (StringUtils.isBlank(username)) {
            throw new AuthenticationException("token校验不通过");
        }
        // Look up the user by id
        SysUser user = userService.getById(userId);
        if (user == null) {
            throw new AuthenticationException("用户名或密码错误");
        }
        // Verify the signature, using the user's stored password as the HMAC key
        if (!JWTUtil.verify(token, username, user.getPassword())) {
            throw new AuthenticationException("token校验不通过");
        }
        return new SimpleAuthenticationInfo(token, token, "febs_shiro_realm");
    }
}
6. Override the Filter
Every request passes through the Filter first, so we extend the official BasicHttpAuthenticationFilter and override its authentication methods.

The code executes in the order preHandle -> isAccessAllowed -> isLoginAttempt -> executeLogin.

import com.alibaba.fastjson.JSONObject; // assumed: the post does not say which JSONObject it uses
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

@Slf4j
public class JWTFilter extends BasicHttpAuthenticationFilter {

    private static final String TOKEN = "Authorization";
    private AntPathMatcher pathMatcher = new AntPathMatcher();

    /**
     * CORS support
     */
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // echoes the request's Origin header back, so every origin is allowed
        httpServletResponse.setHeader("Access-Control-Allow-Origin", httpServletRequest.getHeader("Origin"));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
        // A cross-origin call first sends an OPTIONS preflight; answer it directly with a normal status
        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            httpServletResponse.setStatus(HttpStatus.OK.value());
            return false;
        }
        return super.preHandle(request, response);
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        UofferProperties uofferProperties = SpringContextUtil.getBean(UofferProperties.class);
        // Fetch the URLs that need no authentication,
        // configured in application.yml as /adminApi/auth/doLogin/**,/adminApi/auth/register/**, ...
        String[] anonUrl = StringUtils.splitByWholeSeparatorPreserveAllTokens(uofferProperties.getShiro().getAnonUrl(), ",");
        boolean match = false;
        for (String u : anonUrl) {
            if (pathMatcher.match(u, httpServletRequest.getRequestURI())) {
                match = true;
            }
        }
        if (match) {
            return true;
        }
        if (isLoginAttempt(request, response)) {
            return executeLogin(request, response);
        }
        return false;
    }

    /**
     * Decide whether the user is trying to log in:
     * it is enough to check whether the header carries an Authorization field
     */
    @Override
    protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
        HttpServletRequest req = (HttpServletRequest) request;
        String token = req.getHeader(TOKEN);
        return token != null;
    }

    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        String token = httpServletRequest.getHeader(TOKEN);              // read the token
        JWTToken jwtToken = new JWTToken(UofferUtil.decryptToken(token)); // decrypt the token
        try {
            // Hand it to the realm for login; on failure it throws an exception, which is caught here
            getSubject(request, response).login(jwtToken);
            // No exception means the login succeeded, return true
            return true;
        } catch (Exception e) {
            log.error(e.getMessage());
            return false;
        }
    }

    @Override
    protected boolean sendChallenge(ServletRequest request, ServletResponse response) {
        log.debug("Authentication required: sending 401 Authentication challenge response.");
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        // httpResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpResponse.setCharacterEncoding("utf-8");
        httpResponse.setContentType("application/json; charset=utf-8");
        final String message = "未认证,请在前端系统进行认证";
        final Integer status = 401;
        try (PrintWriter out = httpResponse.getWriter()) {
            // String responseJson = "{\"message\":\"" + message + "\"}";
            JSONObject responseJson = new JSONObject();
            responseJson.put("msg", message);
            responseJson.put("status", status);
            out.print(responseJson);
        } catch (IOException e) {
            log.error("sendChallenge error:", e);
        }
        return false;
    }
}

7. ShiroConfig

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

import javax.servlet.Filter;
import java.util.LinkedHashMap;

@Configuration
public class ShiroConfig {

    @Bean
    public ShiroRealm shiroRealm() {
        // configure the Realm
        return new ShiroRealm();
    }

    // Create the DefaultWebSecurityManager
    @Bean("securityManager")
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // configure the SecurityManager and inject shiroRealm
        securityManager.setRealm(shiroRealm());
        return securityManager;
    }

    // Create the ShiroFilterFactoryBean
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // set the securityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // add Shiro filters
        /**
         * Shiro's built-in filters implement permission-related interception.
         * Commonly used filters:
         *    anon:  accessible without authentication (login)
         *    authc: accessible only after authentication
         *    user:  accessible directly when the rememberMe feature is used
         *    perms: the resource requires the given resource permission
         *    role:  the resource requires the given role
         */
        // Add the custom JWTFilter to Shiro's filter chain under the name jwt
        LinkedHashMap<String, Filter> filters = new LinkedHashMap<>();
        filters.put("jwt", new JWTFilter());
        shiroFilterFactoryBean.setFilters(filters);
        // custom URL rules
        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        // every request goes through the jwt filter
        filterChainDefinitionMap.put("/**", "jwt");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * The code below enables annotation support
     */
    @Bean
    @DependsOn({"lifecycleBeanPostProcessor"})
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        // set up the proxy creator
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator;
    }

    /**
     * Enable AOP annotation support
     *
     * @param securityManager the security manager
     * @return the advisor that enforces Shiro's annotations
     */
    @Bean("authorizationAttributeSourceAdvisor")
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

    // Shiro lifecycle processor
    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}

8. Login

/**
 * Login method
 *
 * @param username the username
 * @param password the password
 * @param code     the captcha value entered by the user
 * @param uuid     the unique id identifying the captcha
 * @return the result
 */
@PostMapping("/doLogin")
public ResultVo login(String username, String password, String code, String uuid, HttpServletRequest request) throws UofferException {
    String verifyKey = Constant.RM_CAPTCHA_CODE_KEY + uuid;
    String captcha = redisUtil.getCacheObject(verifyKey);
    redisUtil.del(verifyKey); // the captcha is single-use: delete it before checking it
    if (captcha == null) {
        return ResultVo.failed(201, "验证码失效");
    }
    if (!code.equalsIgnoreCase(captcha)) {
        return ResultVo.failed(201, "验证码错误");
    }
    username = StringUtils.lowerCase(username);
    password = MD5Util.encrypt(username, password); // hash the submitted password with the project's MD5Util
    final String errorMessage = "用户名或密码错误";
    SysUser user = userManager.getUser(username);
    if (user == null) {
        return ResultVo.failed(201, errorMessage);
    }
    if (!StringUtils.equalsIgnoreCase(user.getPassword(), password)) {
        return ResultVo.failed(201, errorMessage);
    }
    if (Constant.STATUS_LOCK.equals(user.getStatus())) {
        return ResultVo.failed(201, "账号已被锁定,请联系管理员!");
    }
    Integer userId = user.getUserId();
    String ip = IPUtil.getIpAddr(request);
    String address = AddressUtil.getCityInfo(ip);
    // update the user's last login time
    SysUser sysUser = new SysUser();
    sysUser.setUserId(userId);
    sysUser.setLastLoginTime(new Date());
    sysUser.setLastLoginIp(ip);
    userService.updateById(sysUser);
    // sign the token (the stored password hash is the HMAC key), then encrypt it
    String sign = JWTUtil.sign(username, password, userId);
    String token = UofferUtil.encryptToken(sign);
    LocalDateTime expireTime = LocalDateTime.now().plusSeconds(properties.getShiro().getJwtTimeOut());
    String expireTimeStr = DateUtil.formatFullTime(expireTime);
    JWTToken jwtToken = new JWTToken(token, expireTimeStr);
    // store the login record in the login log table
    SysLoginLog loginLog = new SysLoginLog();
    loginLog.setIp(ip);
    loginLog.setAddress(address);
    loginLog.setLoginTime(new Date());
    loginLog.setUsername(username);
    loginLog.setUserId(userId);
    loginLogService.save(loginLog);
    saveTokenToRedis(username, jwtToken, ip, address);
    JSONObject data = new JSONObject();
    data.put("Authorization", token);
    // store the user's settings and permissions in Redis
    userManager.loadOneUserRedisCache(userId);
    return ResultVo.oK(data);
}

9. @RequiresPermissions
Requires that the Subject holds the permission bus:careerTalk:query before someMethod() may run; otherwise an AuthorizationException is thrown.

@RequiresPermissions("bus:careerTalk:query")
public void someMethod() {
}
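An added end-to-end example (not from the original post) that replays, without the servlet layer or Spring, the path JWTFilter.executeLogin takes: the Subject logs in with a JWT-carrying token, the SecurityManager delegates to a Realm that verifies the signature, and the permission check that @RequiresPermissions("bus:careerTalk:query") performs is run directly. It needs only shiro-core and java-jwt; JwtToken, JwtRealm, the secret and the permission map are constructed stand-ins for the post's JWTToken, ShiroRealm and database tables.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.*;

public class ShiroJwtDemo {
    // Constructed stand-in for the user and permission tables: username -> signing secret / permissions.
    static final Map<String, String> SECRETS = Map.of("alice", "constructed-password-hash");
    static final Map<String, Set<String>> PERMS = Map.of("alice", Set.of("bus:careerTalk:query"));
    // Same shape as the post's JWTToken: the token string is both principal and credentials.
    static class JwtToken implements AuthenticationToken {
        final String token;
        JwtToken(String token) { this.token = token; }
        public Object getPrincipal() { return token; }
        public Object getCredentials() { return token; }
    }
    // Stand-in for the post's ShiroRealm: authenticate by verifying the JWT, authorize from PERMS.
    static class JwtRealm extends AuthorizingRealm {
        @Override public boolean supports(AuthenticationToken t) { return t instanceof JwtToken; }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String token = (String) t.getCredentials();
            try { // decode() only parses; require(...).verify() checks the signature and the username claim
                String username = JWT.decode(token).getClaim("username").asString();
                String secret = SECRETS.get(username);
                if (secret == null) throw new UnknownAccountException("unknown user: " + username);
                JWT.require(Algorithm.HMAC256(secret)).withClaim("username", username).build().verify(token);
            } catch (JWTVerificationException e) { // JWTDecodeException is a subclass
                throw new IncorrectCredentialsException("token rejected: " + e.getMessage());
            }
            return new SimpleAuthenticationInfo(token, token, getName());
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String user = JWT.decode((String) principals.getPrimaryPrincipal()).getClaim("username").asString();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setStringPermissions(PERMS.getOrDefault(user, Set.of()));
            return info;
        }
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new JwtRealm()));
        Subject subject = SecurityUtils.getSubject();
        String token = JWT.create().withClaim("username", "alice").withSubject("42").sign(Algorithm.HMAC256(SECRETS.get("alice")));
        subject.login(new JwtToken(token)); // Subject -> SecurityManager -> JwtRealm.doGetAuthenticationInfo
        subject.checkPermission("bus:careerTalk:query"); // what @RequiresPermissions("bus:careerTalk:query") checks via AOP
        System.out.println("delete permitted? " + subject.isPermitted("bus:careerTalk:delete"));
    }
}
```

A token signed with any other secret, or one whose username claim names a user absent from SECRETS, makes subject.login throw an AuthenticationException, which is the failure JWTFilter.executeLogin catches and turns into a denied request.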
References:
https://www.iteye.com/blog/jinnianshilongnian-2018398
https://www.jianshu.com/p/f37f8c295057

Original post: https://www.cnblogs.com/kuotian/p/13040682.html