springboot+shiro+jwt实现多端用户登录

shiro中是通过realm进行权限认证的,本身shiro是支持多realm进行权限认证的。

现有场景如下。

平台分管理角色和互联网角色,分别存储在sys_user和student表中。sys_user当然是通过管理后台来进行创建。student表中的用户是允许前端注册的,不走后台权限角色体系。

但是提供的接口均需要实现token的安全验证,毕竟不能裸奔不是。所以需要在基础框架基础上,实现多realm认证,并且使用相同token。主要是不想拆分两个后台api项目。

首先项目pom中需要导入相应的包。

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
<dependency>
	<groupId>org.apache.shiro</groupId>
	<artifactId>shiro-spring</artifactId>
	<version>1.4.0</version>
</dependency>
<dependency>
	<groupId>com.auth0</groupId>
	<artifactId>java-jwt</artifactId>
	<version>3.2.0</version>
</dependency>

这里根据需要自己导。

因为需要token区分认证用户,所以JWTToken需要增加个标志

    private String loginType;

    public JWTToken(String token,String loginType) {
    
        this.token = token;
        this.loginType=loginType;
    }

    public String getLoginType() {
    
        return loginType;
    }

    public void setLoginType(String loginType) {
    
        this.loginType = loginType;
    }

createToken的时候需要根据loginType进行下处理

public static String createAccessToken(String username, String password,String loginType) {
        Date date = new Date(System.currentTimeMillis() + JeePlusProperites.newInstance().getEXPIRE_TIME());
        Algorithm algorithm = Algorithm.HMAC256(password);
        // 附带username信息
        return JWT.create()
                .withClaim("username", username+"_"+loginType)
                .withExpiresAt(date)
                .sign(algorithm);
    }

public static String createRefreshToken(String username, String password,String loginType) {
        Date date = new Date(System.currentTimeMillis() + 3*JeePlusProperites.newInstance().getEXPIRE_TIME());
        Algorithm algorithm = Algorithm.HMAC256(password);
        // 附带username信息
        return JWT.create()
                .withClaim("username", username+"_"+loginType)
                .withExpiresAt(date)
                .sign(algorithm);
    }

public static String getLoginName(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            String userName = jwt.getClaim("username").asString();
            if(userName.contains("_")){
                userName = userName.substring(0,userName.lastIndexOf("_"));
            }

            return userName;
        } catch (JWTDecodeException e) {
            return null;
        }
    }

public static int verify(String token,String loginType) {
        try {
            String loginName = JWTUtil.getLoginName(token);
            String userName = JWTUtil.getUserName(token);
            String password = "";
            if(loginType.equals(UserConstant.SYS)){
                // UserUtils里面使用loginName进行的redis缓存,这里不能加logintype后缀
                password = UserUtils.getByLoginName(loginName).getPassword();
            }
            else if(loginType.equals(UserConstant.STUDENT)){
                password = UserUtils.getStudentByPhone(loginName).getPassword();
            }

            Algorithm algorithm = Algorithm.HMAC256(password);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withClaim("username", userName)
                    .build();
            DecodedJWT jwt = verifier.verify(token);
            return 0;
        } catch (TokenExpiredException e){
            return 1;
        }
        catch (Exception exception) {
            return 2;
        }
    }

主要是缓存的username中进行了扩展,这里通过"_"+loginType进行了扩展。

相应的如果做了redis缓存要注意key值用的那个。

同时处理了刷新token和验证token的方法。具体参考上述代码

shiro是支持多realm的,但是大多数框架中,都是只用的default的默认的realm进行认证。想要启用多realm支持,需要自己重写ModularRealmAuthenticator实现。

public class ModularRealm extends ModularRealmAuthenticator {

    @Override
    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        // 判断getRealms()是否返回为空
        assertRealmsConfigured();
        // 所有Realm
        Collection<Realm> realms = getRealms();
        // 登录类型对应的所有Realm
        HashMap<String, Realm> realmHashMap = new HashMap<>(realms.size());
        for (Realm realm : realms) {
            // 这里使用的realm中定义的Name属性来进行区分,注意realm中要加上
            realmHashMap.put(realm.getName(), realm);
        }
        JWTToken token = (JWTToken) authenticationToken;
        // 登录类型
        String type = token.getLoginType();
        if (realmHashMap.get(type) != null) {
            return doSingleRealmAuthentication(realmHashMap.get(type), token);
        } else {
            return doMultiRealmAuthentication(realms, token);
        }
    }
}

然后就是是先具体的realm了

package com.jeeplus.modules.sys.security;

import com.jeeplus.common.utils.CacheUtils;
import com.jeeplus.modules.sys.entity.StudentUser;
import com.jeeplus.modules.sys.entity.User;
import com.jeeplus.modules.sys.security.shiro.JWTToken;
import com.jeeplus.modules.sys.security.util.JWTUtil;
import com.jeeplus.modules.sys.service.StudentUserService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

public class StudentRealm  extends AuthorizingRealm {
    @Autowired
    private StudentUserService stuService;
//    @Autowired
//    private RedisUtil redisUtil;

    /**
     * 使用JWT替代原生Token
     *
     * @param token
     * @return
     */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JWTToken;
    }

    private static final String ADMIN_LOGIN_TYPE = UserConstant.STUDENT;
    {
        super.setName("student");    //设置realm的名字,和上面管理器对应起来
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
        String token = (String) authcToken.getCredentials();
        // 解密获得username,用于和数据库进行对比
        String loginName = JWTUtil.getLoginName(token);
        if (loginName == null) {
            throw new AuthenticationException("无效的token");
        }
        StudentUser cachedUser = (StudentUser) CacheUtils.get("LoginStudent", loginName);
        if(cachedUser == null){
            throw new AuthenticationException("用户信息已过期,请重新登陆.");
        }
        // 使用手机号进行用户判定
        StudentUser user = stuService.getStudentByPhone(loginName);
        if(user == null){
            throw new AuthenticationException("用户不存在.");
        }

        int rtn = JWTUtil.verify(token, UserConstant.STUDENT);
        if (rtn == 1) {
            throw new AuthenticationException("token已经过期");
        }else if (rtn == 2) {
            throw new AuthenticationException("用户名或者密码错误");
        }

        return new SimpleAuthenticationInfo(token, token, getName());
    }
}
/**
 * Copyright &copy; 2015-2020 <a href="http://www.jeeplus.org/">JeePlus</a> All rights reserved.
 */
package com.jeeplus.modules.sys.security;

import com.jeeplus.common.utils.CacheUtils;
import com.jeeplus.common.utils.SpringContextHolder;
import com.jeeplus.config.properties.JeePlusProperites;
import com.jeeplus.config.web.Servlets;
import com.jeeplus.modules.sys.entity.LogType;
import com.jeeplus.modules.sys.entity.Menu;
import com.jeeplus.modules.sys.entity.Role;
import com.jeeplus.modules.sys.entity.User;
import com.jeeplus.modules.sys.security.shiro.JWTToken;
import com.jeeplus.modules.sys.security.util.JWTUtil;
import com.jeeplus.modules.sys.service.UserService;
import com.jeeplus.modules.sys.utils.LogUtils;
import com.jeeplus.modules.sys.utils.UserUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import java.util.Collection;
import java.util.List;

/**
 * 系统安全认证实现类
 * @author jeeplus
 * @version 2017-7-5
 */
@Service
public class SystemAuthorizingRealm extends AuthorizingRealm {

	private Logger logger = LoggerFactory.getLogger(getClass());

	private UserService userService;

	@Autowired
	private JeePlusProperites jeePlusProperites;

	/**
	 * 大坑!,必须重写此方法,不然Shiro会报错
	 */
	@Override
	public boolean supports(AuthenticationToken token) {
		return token instanceof JWTToken;
	}

	/**
	 * 认证回调函数, 登录时调用
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {

		String token = (String) authcToken.getCredentials();
		// 解密获得username,用于和数据库进行对比
		String loginName = JWTUtil.getLoginName(token);
		if (loginName == null) {
			throw new AuthenticationException("无效的token");
		}
		User cachedUser = (User) CacheUtils.get("LoginUser", loginName);
		if(cachedUser == null){
			throw new AuthenticationException("用户信息已过期,请重新登陆.");
		}
		// 校验用户
		User user = getUserService().getUserByLoginName(loginName);
		if(user == null){
			throw new AuthenticationException("用户不存在.");
		}

		int rtn = JWTUtil.verify(token, UserConstant.SYS);
		if (rtn == 1) {
			throw new AuthenticationException("token已经过期");
		}else if (rtn == 2) {
			throw new AuthenticationException("用户名或者密码错误");
		}

		// 校验用户名密码
			if (JeePlusProperites.NO.equals(user.getLoginFlag())){
				throw new AuthenticationException("该已帐号禁止登录.");
			}
			return new SimpleAuthenticationInfo(token, token, getName());
	}

	/**
	 * 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

		String username = JWTUtil.getLoginName(principals.toString());
		// 获取当前已登录的用户
		User user = getUserService().getUserByLoginName(username);
		if (user != null) {
			SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
			List<Menu> list = UserUtils.getMenuList();
			for (Menu menu : list){
				if (StringUtils.isNotBlank(menu.getPermission())){
					// 添加基于Permission的权限信息
					for (String permission : StringUtils.split(menu.getPermission(),",")){
						info.addStringPermission(permission);
					}
				}
			}
			// 添加用户权限
			info.addStringPermission("user");
			// 添加用户角色信息
			for (Role role : user.getRoleList()){
				info.addRole(role.getEnname());
			}
			// 更新登录IP和时间
			getUserService().updateUserLoginInfo(user);
			// 记录登录日志
			LogUtils.saveLog(Servlets.getRequest(), "系统登录", LogType.LOGIN.getType());
			return info;
		} else {
			return null;
		}
	}



}

代码不全,仅供参考

接下来配置过滤器

package com.jeeplus.modules.sys.security.shiro;

import com.jeeplus.common.utils.CookieUtils;
import com.jeeplus.common.utils.StringUtils;
import com.jeeplus.config.properties.JeePlusProperites;
import com.jeeplus.core.web.GlobalErrorController;
import com.jeeplus.modules.sys.security.util.JWTUtil;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class JWTFilter extends BasicHttpAuthenticationFilter {

    private Logger LOGGER = LoggerFactory.getLogger(this.getClass());

    @Autowired
    private JeePlusProperites jeePlusProperites;

    /**
     * 判断用户是否想要登入。
     * 检测header里面是否包含Token字段即可
     */
    @Override
    protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
        HttpServletRequest req = (HttpServletRequest) request;
        String authorization = getToken(req);
        return authorization != null && !"null".equals(authorization)&& !"".equals(authorization);
    }

    /**
     *
     */
    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        String authorization = getToken(httpServletRequest);
        String loginType=httpServletRequest.getHeader("loginType");
        JWTToken token = new JWTToken(authorization,loginType);
        // 提交给realm进行登入,如果错误他会抛出异常并被捕获
        getSubject(request, response).login(token);
        // 如果没有抛出异常则代表登入成功,返回true
        return true;
    }

    /**
     * 获取token,支持三种方式, 请求参数、header、cookie, 优先级依次降低,以请求参数中的优先级最高。
     * @param httpServletRequest
     * @return
     */
    private String getToken(HttpServletRequest httpServletRequest){
        String token0 = httpServletRequest.getParameter(JWTUtil.TOKEN);
        String token1 = httpServletRequest.getHeader(JWTUtil.TOKEN);
        String token2 = CookieUtils.getCookie(httpServletRequest, JWTUtil.TOKEN);
        if(StringUtils.isNotBlank(token0)){
            return token0;
        }
        if(StringUtils.isNotBlank(token1)){
            return token1;
        }
        if(StringUtils.isNotBlank(token2)){
            return token2;
        }
       return null;
    }


    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        if (isLoginAttempt(request, response)) {
            try {
               return executeLogin(request, response);
            } catch (AuthenticationException e) {
                GlobalErrorController.response401(request, response);//登录超时,需要刷新token
            }catch (Exception e){
               GlobalErrorController.response4021(request, response);//没有登录,需要登录
            }
        }else {
            GlobalErrorController.response4021(request, response);//没有登录,需要登录
        }

        return false;

    }

    /**
     * 对跨域提供支持
     */
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
        // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            httpServletResponse.setStatus(HttpStatus.OK.value());
            return false;
        }
        return super.preHandle(request, response);
    }


}

然后是shiroconfig


    @Bean
    public SystemAuthorizingRealm SystemAuthorizingRealm() {
        SystemAuthorizingRealm backRealm = new SystemAuthorizingRealm();
        backRealm.setName(UserConstant.SYS);
        return backRealm;
    }

    @Bean
    public StudentRealm StudentRealm() {
        StudentRealm backRealm = new StudentRealm();
        backRealm.setName(UserConstant.STUDENT);
        return backRealm;
    }

    @Bean
    public Authenticator authenticator() {
        ModularRealm modularRealm = new ModularRealm();
        modularRealm.setRealms(Arrays.asList(SystemAuthorizingRealm(), StudentRealm()));
        modularRealm.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
        return modularRealm;
    }

    @Bean(name = "securityManager")
    public DefaultWebSecurityManager defaultWebSecurityManager(
            SystemAuthorizingRealm systemAuthorizingRealm,
            WxUserRealm wxUserRealm,
            SessionManager sessionManager,
            CacheManager cacheManager) {
        DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();

        defaultWebSecurityManager.setSessionManager(sessionManager);
        defaultWebSecurityManager.setCacheManager(cacheManager);

        //多realm
        Set<Realm> realms = new HashSet<Realm>();
        realms.add(SystemAuthorizingRealm());
        realms.add(StudentRealm());
        defaultWebSecurityManager.setRealms(realms);

        defaultWebSecurityManager.setAuthenticator(authenticator());//注意这里要配置上
        return defaultWebSecurityManager;
    }

然后后台Login方法

/**
     * PC登录
     * @param userName
     * @param password
     * @return
     * @throws Exception
     */
    @PostMapping("/sys/login")
    @ApiOperation("登录接口")
    public AjaxJson login(@RequestParam("userName") String userName,
                          @RequestParam("password") String password
    ) throws Exception {
        AjaxJson j = new AjaxJson();
        User user = UserUtils.getByLoginName(userName);
//        if (user != null && UserService.validatePassword(password, user.getPassword())) {
        if (user != null && MD5.md5validate(password, user.getPassword())) {

            if (JeePlusProperites.NO.equals(user.getLoginFlag())){
                j.setSuccess(false);
                j.setMsg("该用户已经被禁止登陆!");
            }else {
                CacheUtils.put("LoginUser", userName, user);
                j.setSuccess(true);
                j.put(JWTUtil.TOKEN, JWTUtil.createAccessToken(userName, user.getPassword(), UserConstant.SYS));
                j.put(JWTUtil.REFRESH_TOKEN, JWTUtil.createRefreshToken(userName, user.getPassword(), UserConstant.SYS));
            }

        } else {
            j.setSuccess(false);
            j.setMsg("用户名或者密码错误!");
        }
        j.put("pwdIsOk", PasswordUtils.pwdIsOk(password));
        return j;
    }

/**
     * 学生登陆
     * @param phone
     * @param password
     * @return
     * @throws Exception
     */
    @PostMapping("/student/login")
    @ApiOperation("登录接口")
    public AjaxJson studentLogin(@RequestParam("phone") String phone,
                          @RequestParam("password") String password
    ) throws Exception {
        AjaxJson j = new AjaxJson();
        StudentUser user = UserUtils.getStudentByPhone(phone);
//        if (user != null && UserService.validatePassword(password, user.getPassword())) {
        if (user != null && passwordEncoder.matches(password, user.getPassword())) {

            CacheUtils.put("LoginStudent", phone, user);
            j.setSuccess(true);
            j.put(JWTUtil.TOKEN, JWTUtil.createAccessToken(phone, user.getPassword(), UserConstant.STUDENT));
            j.put(JWTUtil.REFRESH_TOKEN, JWTUtil.createRefreshToken(phone, user.getPassword(),UserConstant.STUDENT));

        } else {
            j.setSuccess(false);
            j.setMsg("用户名或者密码错误!");
        }
        j.put("pwdIsOk", PasswordUtils.pwdIsOk(password));
        return j;
    }
/**
     * 学生退出登录
     * @throws IOException
     */
    @ApiOperation("学生用户退出")
    @GetMapping("/student/logout")
    public AjaxJson studentLogout() {
        AjaxJson j = new AjaxJson();
        String token = UserUtils.getToken();
        if (StringUtils.isNotBlank(token)) {
            UserUtils.clearStudentCache();
            UserUtils.getSubject().logout();
        }
        j.setMsg("退出成功");
        return j;
    }

    @GetMapping("/student/refreshToken")
    @ApiOperation("刷新token")
    public AjaxJson studentAccessTokenRefresh(String refreshToken, HttpServletRequest request, HttpServletResponse response){

        int rtn = JWTUtil.verify(refreshToken,UserConstant.STUDENT);
        if (rtn == 1) {
            GlobalErrorController.response4022(request, response);
        }else if (rtn == 2) {
            return AjaxJson.error("用户名密码错误");
        }

//        String loginName = JWTUtil.getLoginName(refreshToken);
        String loginName = JWTUtil.getLoginName(refreshToken);
        String userName = JWTUtil.getUserName(refreshToken);

        String password = UserUtils.getStudentByPhone(loginName).getPassword();
        //创建新的accessToken
        String accessToken = JWTUtil.createAccessToken(userName, password,UserConstant.STUDENT);

        //下面判断是否刷新 REFRESH_TOKEN,如果refreshToken 快过期了 需要重新生成一个替换掉
        long minTimeOfRefreshToken = 2*JeePlusProperites.newInstance().getEXPIRE_TIME();//REFRESH_TOKEN 有效时长是应该为accessToken有效时长的2倍
        Long refreshTokenExpirationTime = JWT.decode(refreshToken).getExpiresAt().getTime();//refreshToken创建的起始时间点
        //(refreshToken过期时间- 当前时间点) 表示refreshToken还剩余的有效时长,如果小于2倍accessToken时长 ,则刷新 REFRESH_TOKEN
        if(refreshTokenExpirationTime - System.currentTimeMillis() <= minTimeOfRefreshToken){
            //刷新refreshToken
            refreshToken = JWTUtil.createRefreshToken(userName, password,UserConstant.STUDENT);
        }

        return AjaxJson.success().put(JWTUtil.TOKEN, accessToken).put(JWTUtil.REFRESH_TOKEN, refreshToken);
    }

前端请求

    // 请求头带上token
    config.headers.token = Vue.cookie.get('token')
    config.headers.loginType = "sys"

请求头需要token和loginType两部分

if (token) {
		header.token = token; // 获取token值
		header.loginType = "student"
	}

一般都会有同一的request.js进行处理,自己对着调整

到这里基本就可以了,想要了解完整流程的,可以自己debug跟一遍。

总的来说,是请求过去,先被拦截器拦截,然后根据请求头的logintype,分别走不通的realm进行认证和验证。不同的realm中,可以走不通的表进行验证。这样就可以一套jwt系统同时支持后台系统用户,移动端用户,web端用户了。

代码不全,领会精神

  • 1
    点赞
  • 13
    收藏
    觉得还不错? 一键收藏
  • 2
    评论
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值