shiro在springboot中一般为统一配置,每个需要的请求都可以用注解拦截和认证。在springcloud中,你可以单拉一个shiro模块,每个模块pom文件引入这个shiro模块,也可以只在网关模块配置shiro。
如果只是实现请求拦截,spring拦截器和注解AOP也方便实现。但本文拉入了shiro,原理是同spirng拦截器实现的,具体如下。
引入shiro/jwt/session实现所需依赖:
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis-spring-boot-starter</artifactId>
<version>3.2.1</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>jwt工具类:
@Slf4j
@Data
@Component
@ConfigurationProperties(prefix = "xzc.jwt")
public class JwtUtils {
private String secret;
private long expire;
private String header;
/**
* 生成jwt token
*/
public String generateToken(long userId) {
Date nowDate = new Date();
//过期时间
Date expireDate = new Date(nowDate.getTime() + expire * 1000);
return Jwts.builder()
.setHeaderParam("typ", "JWT")
.setSubject(userId+"")
.setIssuedAt(nowDate)
.setExpiration(expireDate)
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
public Claims getClaimByToken(String token) {
return Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
}
/**
* token是否过期
* @return true:过期
*/
public boolean isTokenExpired(Date expiration) {
return expiration.before(new Date());
}
}shiroConfig配置:
@Configuration
public class ShiroConfig {
@Autowired
JwtFilter jwtFilter;
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager defaultWebSecurityManager,
ShiroFilterChainDefinition shiroFilterChainDefinition) {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(defaultWebSecurityManager);
Map<String, String> map = shiroFilterChainDefinition.getFilterChainMap();
// map.put("/user/test", "perms[user:add]"); 这里不用,而采用AuthParams列表。
bean.setFilterChainDefinitionMap(map);
Map<String, Filter> filters = new HashMap<>();
filters.put("jwt", jwtFilter);
bean.setFilters(filters);
bean.setLoginUrl("/user/goLogin");
bean.setUnauthorizedUrl("/user/noauth");
return bean;
}
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
Map<String, String> filterMap = new LinkedHashMap<>();
filterMap.put("/user/test", "jwt");
filterMap.put("/user/test2", "jwt");
chainDefinition.addPathDefinitions(filterMap);
return chainDefinition;
}
@Bean
public DefaultWebSecurityManager defaultWebSecurityManager(AccountRealm accountRealm) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(accountRealm);
return securityManager;
}
@Bean
public AccountRealm accountRealm() {
return new AccountRealm();
}
}
AccountRealm配置在本篇中没什么作用,所以public class AccountRealm extends AuthorizingRealm 简单实现一下就行。
实现逻辑在shiroConfig所引入的JwtFilter类,所有要做权限拦截的路由都是在shiroFilterChainDefinition()方法通过filterMap.put("/user/test", "jwt");添加,如果嫌太多也可以用通配符"/**/t"表示所有末尾加"/t"的路径,然后shiroFilterFactoryBean()方法里filters.put("jwt", jwtFilter);实现。
@Component
public class JwtFilter extends AuthenticatingFilter {
@Autowired
JwtUtils jwtUtils;
@Autowired
AuthParams authParams;
@Autowired
RestTemplate restTemplate;
@Autowired
StringRedisTemplate stringRedisTemplate;
@Override
protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
HttpServletRequest request = (HttpServletRequest) servletRequest;
String jwt = request.getHeader("Authorization");
if (StringUtils.isEmpty(jwt)) {
return null;
}
return new JwtToken(jwt);
}
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
HttpServletRequest request = (HttpServletRequest) servletRequest;
String jwt = request.getHeader("Authorization");
if (StringUtils.isEmpty(jwt)) {
servletResponse.setContentType("0"); //通过返回前端type判断jwt错误类型
return false;
} else {
Claims claim = jwtUtils.getClaimByToken(jwt);
if (claim == null || jwtUtils.isTokenExpired(claim.getExpiration())) {
servletResponse.setContentType("1");
throw new ExpiredCredentialsException("token已过期,请重新登录");
}
String requestURI = ((HttpServletRequest) servletRequest).getRequestURI();
String param = authParams.GetPerms().get(requestURI);
String userId = claim.getSubject();
HttpSession httpSession = ((ShiroHttpServletRequest) servletRequest).getSession();
Object userObj = httpSession.getAttribute("user");
Map<String, Object> userMap;
if (userObj == null) {
User user = restTemplate.postForObject("http://user/getbyid", Long.valueOf(userId), User.class);
if (user == null) {
servletResponse.setContentType("2");
return false;
}
String jsonStr = JSONObject.toJSONString(user);
userMap = JSONObject.parseObject(jsonStr, Map.class);
httpSession.setAttribute("user", user);
} else {
userMap = JSONObject.parseObject(userObj.toString(), Map.class);
}
if (param == null) {
return true;
}
if (userMap.get("promission").indexOf(param)==-1) {
servletResponse.setContentType("3");
return false;
}
return true;
}
}
@Override
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
Throwable throwable = e.getCause() == null ? e : e.getCause();
Result result = Result.error(throwable.getMessage());
String json = JSONUtil.toJsonStr(result);
try {
httpServletResponse.getWriter().print(json);
} catch (IOException ioException) {
}
return false;
}
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
// 跨域时会首先发送一个OPTIONS请求,这里我们给OPTIONS请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(org.springframework.http.HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
}
public class JwtToken implements AuthenticationToken {
private String token;
public JwtToken(String token) {
this.token = token;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
@Component
public class AuthParams {
public Map<String,String> GetPerms(){
Map<String,String> map=new HashMap<>();
map.put("/user/test","user:add");
map.put("/order/test2","order:delete");
return map;
}
}
onAccessDenied()判断逻辑:每个登录用户在请求中都会携带一个“Authorization”请求头,如果没有servletResponse.setContentType("0"),作用是约定“0”代表token为空,“1”表示已过期,“2”表示用户不存在,“3”代表没有操作权限。这个ContentType可给前端返回值的头部信息中获得,而实现相关的控制逻辑。
尝试通过httpSession获取当前用户,如果为空则通过token获取用户id,然后通过id重新获取该用户信息,并写入httpSession。
权限列表写在AuthParams里,通过判断当前用户权限列表里是否包含该请求路径权限值,验证是否具有操作权限。
当然也能用角色管理权限,例如map.put("/user/test","admin,student");不过可以用mysql管理,登录时把所有请求路径权限处理成("/user/test","admin,student")map集合,保存在httpSession里。那么判断就要改成:
if(param.indexOf(userMap.get("role"))==-1){
servletResponse.setContentType("3");
return false;
}方便操作的实现还是第一种,因为让mysql维护请求路径不太现实。没添加在AuthParams里的请求路径直接放行,而当程序员把请求权限写入后,也需要在添加请求权限的页面上添加入库。添加页面包括请求名称/权限值,以及父级路由,这样在编辑角色权限时,也能在权限路由子级下显示细粒度的权限请求。那么未指定父级路由的,可在编辑角色权限页面单独显示即可,全选全不选或点选。注册用户应该有个默认角色,通常只有管理员可以分配角色,用户登录时就可以根据角色加载promission的集合了。
扫一扫
6061
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
