后端服务Springboot+Shiro +Jwt中捕捉shiro返回自定义异常
坑:直接抛出无法捕捉,除非修改部分源码,但是修改源码会导致其他未知问题,非常不友好(大神另当别类),查看了无数网络资料发现在多ream的情况下跟ream的策略【AtLeastOneSuccessfulStrategy】有关
思路:直接捕捉Shiro【多realms情况】验证、授权过程中出现的异常难以实现,只能走曲线救国的路线
第一次登录时:单独处理,
使用token登录时直接响应再response里
页面登录
继承AtLeastOneSuccessfulStrategy重写afterAttempt方法
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.realm.Realm;
/**
* 多个realm时 登录就会 org.apache.shiro.authc.pam.ModularRealmAuthenticator#doMultiRealmAuthentication 通过这个方法进行执行,如果所有的对应的realm都返回认证异常或者null的话,就会出现以下错误
* 解决 Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms. Please ensure that at least one realm can authenticate these tokens.
*/
public class MyAtLeastOneSuccessfulStrategy extends AtLeastOneSuccessfulStrategy {
@Override
public AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token, AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t) throws AuthenticationException {
if (t != null && t instanceof AuthenticationException) {
throw (AuthenticationException) t;
}
return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t);
}
}
securityManager 设置策略
@Bean
public ModularRealmAuthenticator authenticator(SysUserService sysUserService,
SysRoleService sysRoleService,
SysMenuService sysMenuService, JwtVerifyTokenAuxiliary jwtVerifyTokenAuxiliary) {
ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
authenticator.setRealms(Arrays.asList(new ShiroRealm(sysUserService, sysRoleService, sysMenuService), new JwtShiroRealm(sysUserService, sysRoleService, sysMenuService, jwtVerifyTokenAuxiliary)));
// authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
//最新的realm执行成功才算成功
// authenticator.setAuthenticationStrategy(new AllSuccessfulStrategy());
authenticator.setAuthenticationStrategy(new MyAtLeastOneSuccessfulStrategy());
return authenticator;
}
/**
* 注入 securityManager
*/
@Bean
public DefaultWebSecurityManager securityManager(SysUserService sysUserService, SysRoleService sysRoleService, SysMenuService sysMenuService, JwtVerifyTokenAuxiliary jwtVerifyTokenAuxiliary) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealms(Arrays.asList(new ShiroRealm(sysUserService, sysRoleService, sysMenuService), new JwtShiroRealm(sysUserService, sysRoleService, sysMenuService, jwtVerifyTokenAuxiliary)));
securityManager.setCacheManager(cacheManager);
securityManager.setAuthenticator(authenticator(sysUserService,sysRoleService,sysMenuService,jwtVerifyTokenAuxiliary));
/*
* 关闭shiro自带的session,详情见文档
* http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29
*/
DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
securityManager.setSubjectDAO(subjectDAO);
return securityManager;
}
登录
@PostMapping(value = "/login")
public Result login(@Valid @RequestBody LoginReqParam reqParam, HttpServletRequest request, HttpServletResponse response) {
Subject subject = SecurityUtils.getSubject();
shiroRealm.clearCachedAuthorizationInfo(reqParam.getUsername());
/**
* 密码为明码密码
*/
UsernamePasswordToken token = new UsernamePasswordToken(reqParam.getUsername(), reqParam.getPassword());
//先验证用户名密码
subject.login(token);
//用户名密码验证通过则调用数据有效性校验
// 根据需求进行数据有效性校验
//数据有效性校验通过后生成token
// 生成token
Cache cache = cacheManager.getCache(JwtConstant.CAPTCHA_CACHE_KEY);
//生成token版本号
String versionKey = JwtUtil.loginVersionKey(reqParam.getUsername());
Integer loginTokenVersion = jwtVerifyTokenAuxiliary.loginVersion(reqParam.getUsername());
String jwtToken = JwtUtil.sign(reqParam.getUsername(), loginTokenVersion);
// 版本号放入缓存
cache.put(versionKey, loginTokenVersion);
response.setHeader(JwtConstant.TOKEN_HEADER_NAME, jwtToken);
return Result.success("登录成功!");
}
shiroRealm
/**
* 身份认证方法
* 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
*
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken userpasswordToken = (UsernamePasswordToken) authenticationToken;
String loginName = userpasswordToken.getUsername();
SysUser sysUser = sysUserService.getByLoginName(loginName);
if (sysUser == null) {
throw new UnknownAccountException("用户不存在!");
}
/**
* 各种自定义验证
*/
AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(loginName, MD5Util.md5(sysUser.getPassword()), getName());
//如果验证通过,那么清除上次授权的缓存
if (StringUtils.equals(loginName, sysUser.getLoginName())) {
clearCache(authenticationInfo.getPrincipals());
clearCachedAuthorizationInfo(authenticationInfo.getPrincipals());
}
return authenticationInfo;
}
全局异常处理
import com.gxy.learn.common.Result;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.NoHandlerFoundException;
import javax.servlet.http.HttpServletRequest;
@Slf4j
@RestControllerAdvice
public class GlobalExceptionHandler {
private static final String url = "url";
private static final String errorMsg = "errorMsg";
/**
* 捕捉404异常
*
* @return
*/
@ResponseStatus(HttpStatus.NOT_FOUND)
@ExceptionHandler(NoHandlerFoundException.class)
public Result handle(HttpServletRequest req, NoHandlerFoundException ex) {
log.error("{}:{},{}:{}", url,req.getRequestURI(), errorMsg,ex.getMessage(), ex);
return Result.error("未知的请求!");
}
/**
* 捕捉其他所有异常
*
* @param req
* @param ex
* @return
*/
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ExceptionHandler(Exception.class)
public Result globalException(HttpServletRequest req, Throwable ex) {
log.error("{}:{},{}:{}", url,req.getRequestURI(), errorMsg,ex.getMessage(), ex);
return Result.error("请求出现异常!");
}
/**
* login登录时 捕捉异常
* 捕捉500异常
*
* @return
*/
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ExceptionHandler(IncorrectCredentialsException.class)
public Result handle(HttpServletRequest req, IncorrectCredentialsException ex) {
log.error("{}:{},{}:{}", url,req.getRequestURI(), errorMsg,ex.getMessage(), ex);
return Result.error("登录失败!用户名密码错误!");
}
/**
* login登录时 捕捉异常
* 捕捉500异常
*
* @return
*/
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
@ExceptionHandler(UnknownAccountException.class)
public Result handle(HttpServletRequest req, UnknownAccountException ex) {
log.error("{}:{},{}:{}", url,req.getRequestURI(), errorMsg,ex.getMessage(), ex);
return Result.error("登录失败!未知的用户!");
}
}
具体效果
接口请求Token验证
JwtAuthFilter
在这里进行异常异步返回
/**
* 无需转发,直接返回Response信息
*/
private void response401(ServletRequest request, ServletResponse response, String msg) {
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json; charset=utf-8");
HttpServletRequest req = (HttpServletRequest) request;
log.error("url:{},errorMsg:{}", req.getRequestURI(), msg);
try (PrintWriter out = httpServletResponse.getWriter()) {
out.append(JSONObject.toJSONString(Result.error("无权访问(Unauthorized):" + msg)));
} catch (IOException e) {
log.error("直接返回Response信息出现IOException异常:{}", e.getMessage());
throw new BusinessException("直接返回Response信息出现IOException异常:" + e.getMessage());
}
}
完整代码
import com.alibaba.fastjson.JSONObject;
import com.gxy.learn.common.CommonConsts;
import com.gxy.learn.common.Result;
import com.gxy.learn.common.exception.BusinessException;
import com.gxy.learn.entity.SysMenu;
import com.gxy.learn.service.SysMenuService;
import com.gxy.learn.service.SysUserService;
import com.gxy.learn.shiro.config.JwtToken;
import com.gxy.learn.shiro.config.JwtVerifyTokenAuxiliary;
import com.gxy.learn.shiro.utils.JwtUtil;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
/**
* jwt 过滤器 用以验证用户登录
*/
@Slf4j
public class JwtAuthFilter extends BasicHttpAuthenticationFilter {
private JwtVerifyTokenAuxiliary jwtVerifyTokenAuxiliary;
private SysUserService sysUserService;
private SysMenuService sysMenuService;
public JwtAuthFilter(JwtVerifyTokenAuxiliary jwtVerifyTokenAuxiliary, SysUserService sysUserService, SysMenuService sysMenuService) {
this.jwtVerifyTokenAuxiliary = jwtVerifyTokenAuxiliary;
this.sysUserService = sysUserService;
this.sysMenuService = sysMenuService;
}
/**
* 判断是否需要登录 需要则进入登录方法 不需要则返回true
*
* @param request ServletRequest
* @param response ServletResponse
* @param mappedValue mappedValue
* @return 是否成功
*/
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
if (!isLoginAttempt(request, response)) {
response401(request, response, "请先登录!");
return false;
}
//如果存在,则进入 executeLogin 方法执行登入,检查 token 是否正确(这里指用户名和密码)
try {
return executeLogin(request, response);
} catch (Exception e) {
this.sendChallenge(request, response);
response401(request, response, e.getMessage());
return false;
}
}
/**
*
* 重新 onAccessDenied 去除executeLogin 放置循环调用doGetAuthenticationInfo方法
*/
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
this.sendChallenge(request, response);
return false;
}
/**
* 重写executeLogin 进行AccessToken登录认证授权
*/
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
// 拿到当前Header中Authorization的AccessToken(Shiro中getAuthzHeader方法已经实现)
JwtToken token = new JwtToken(this.getAuthzHeader(request));
Subject subject = this.getSubject(request, response);
// 提交给UserRealm进行认证,如果错误他会抛出异常并被捕获
this.getSubject(request, response).login(token);
// 如果没有抛出异常则代表登入成功,返回true
return onLoginSuccess(token, subject, request, response);
}
/**
* 检测header里是否包含token
*
* @param request
* @param response
* @return true 包含 false 不包含
*/
@Override
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
String token = getAuthzHeader(request);
return StringUtils.isNotBlank(token);
}
//
// /**
// * 刷新token
// * @param issueAt
// * @return
// */
// protected boolean shouldTokenRefresh(Date issueAt){
// LocalDateTime issueTime = LocalDateTime.ofInstant(issueAt.toInstant(), ZoneId.systemDefault());
// return LocalDateTime.now().minusSeconds(JwtUtil.EXPIRE_TIME).isAfter(issueTime);
// }
@Override
protected String getAuthzHeader(ServletRequest request) {
HttpServletRequest httpRequest = WebUtils.toHttp(request);
return httpRequest.getHeader("Authorization");
}
/**
* 对跨域提供支持 拦截前进行执行
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
// 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
/**
* 重写生成shiro生成token的方法
*
* @param servletRequest
* @param servletResponse
* @return
*/
@Override
protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
String jwtToken = getAuthzHeader(servletRequest);
if (StringUtils.isBlank(jwtToken) || JwtUtil.isTokenExpired(jwtToken)) {
return null;
}
return new JwtToken(jwtToken);
}
/**
* 登录成功!
*
* @param token
* @param subject
* @param request
* @param response
* @return
* @throws Exception
*/
@Override
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {
// 验证权限
log.info("登录成功! 需要实现验证权限");
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String url = httpServletRequest.getRequestURI();
if (StringUtils.equals(CommonConsts.OUT_URL, url)) {
return Boolean.TRUE;
}
SysMenu sysMenu = sysMenuService.getSysMenuByHref(url);
if (null == sysMenu) {
log.error("未知的请求!");
throw new BusinessException("未知的请求!");
}
boolean permitted = subject.isPermitted(sysMenu.getPermission());
log.info("permitted = {}", permitted);
if (!permitted) {
log.error("暂无权限访问!");
throw new BusinessException("未知的请求!");
}
log.info("权限验证通过!");
return Boolean.TRUE;
}
/**
* 无需转发,直接返回Response信息
*/
private void response401(ServletRequest request, ServletResponse response, String msg) {
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json; charset=utf-8");
HttpServletRequest req = (HttpServletRequest) request;
log.error("url:{},errorMsg:{}", req.getRequestURI(), msg);
try (PrintWriter out = httpServletResponse.getWriter()) {
out.append(JSONObject.toJSONString(Result.error("无权访问(Unauthorized):" + msg)));
} catch (IOException e) {
log.error("直接返回Response信息出现IOException异常:{}", e.getMessage());
throw new BusinessException("直接返回Response信息出现IOException异常:" + e.getMessage());
}
}
}
JwtShiroRealm
/**
* 认证信息.(身份验证) : Authentication 是用来验证用户身份
* 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
JwtToken jwtToken = (JwtToken) authenticationToken;
String token = jwtToken.getToken();
/**
* 校验token
*/
if (StringUtils.isBlank(token) || !JwtUtil.verify(token)) {
throw new IncorrectCredentialsException("token错误");
}
Integer loginVersion = JwtUtil.getLoginVersion(token);
/**
* 判断登录版本号
*/
Integer currentVersion = jwtVerifyTokenAuxiliary.loginVersion(JwtUtil.getUsername(token));
if (null == loginVersion || !loginVersion.equals(currentVersion)) {
throw new AuthenticationException("token过期,请重新登录");
}
String username = JwtUtil.getUsername(token);
SysUser customerUser = sysUserService.getByLoginName(username);
if (null == customerUser) {
throw new UnknownAccountException("token错误,请重新登录");
}
//此处无需对比,对比的逻辑Shiro会做,我们只需返回一个和令牌相关的正确的验证信息
AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(token, token, getName());
return authenticationInfo;
}
具体效果
暂时就这样
https://gitee.com/wahnn/SpringBootAll/tree/master/SpringBoot-ApacheShiro-JWT