前后端分离项目中SpringBoot整合Shiro

在前后端分离项目中，前端使用Angular，后端使用SpringBoot整合Shiro。

1.SpringBoot的设置

SpringBoot添加跨域设置

@SpringBootApplication
public class PostfinanceApplication {

	@Configuration
	@EnableWebMvc
	public class WebMvcConfg implements WebMvcConfigurer {

		@Override
		public void addCorsMappings(CorsRegistry registry) {
			WebMvcConfigurer.super.addCorsMappings(registry);
			registry.addMapping("/**")//需要跨域访问的Map路径
			.allowedOrigins("http://localhost:4200")//允许跨域访问的ip及端口
			.allowedHeaders("*")//允许跨域访问的Headers内容
			.allowedMethods("POST", "GET", "PUT", "OPTIONS", "DELETE")//允许跨域访问的方法，OPTIONS必须设置Shiro中用到
			.allowCredentials(true);
		}
	}

	public static void main(String[] args) {
		SpringApplication.run(PostfinanceApplication.class, args);
	}
}

2.Shiro的设置

现代浏览器在进行跨域请求时会先发送一条OPTIONS方法的请求，验证服务器是否支持跨域，随后发放正式请求获取相应数据。
Shiro默认会对所有请求进行验证，因此第一条OPTIONS请求会返回失败，浏览器据此认定服务器不支持跨域，不再进行第二次的正式请求。因此需要配置Shiro的拦截器fiter中对第一条OPTIONS方法的请求进行放行
。具体功能在MyPassThruAuthenticationFilter的onPreHandle方法中。第一条OPTIONS请求执行成功，浏览器接着发送正式请求获取数据。
如果正式请求为非法访问（未登录）时，Shiro会对请求进行重定向到设置的loginUrl，若不设置默认loginUrl则重定向到login.jsp。
在重定向过程中Shiro会清空请求头内的所有信息，再次引起跨域问题，此时需要在拦截器内重新设置请求头：MyPassThruAuthenticationFilter的onAccessDenied方法。

1.整体ShiroConfig的配置

package xyz.linkq.postfinance.sec.shiro;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


@Configuration
public class ShiroConfig {

	/**
	 * 请求拦截
	 * @param securityManager
	 * @return
	 */
	@Bean
	public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
		ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
		shiroFilterFactoryBean.setSecurityManager(securityManager);
		Map<String, Filter> filtersMap = new HashMap<>();
		MyPassThruAuthenticationFilter authFilter = new MyPassThruAuthenticationFilter();
		filtersMap.put("authc", authFilter);
		shiroFilterFactoryBean.setFilters(filtersMap);
		// 拦截器.
		Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
		filterChainDefinitionMap.put("/login", "anon");
		filterChainDefinitionMap.put("/**", "authc");
		shiroFilterFactoryBean.setLoginUrl("/unauth");
		/*
		 * 注意过滤器配置顺序 不能颠倒 
		 * anon. 配置不会被拦截的请求 顺序判断
		 * authc. 配置拦截的请求
		 * 配置shiro默认登录界面地址，前后端分离中登录界面跳转应由前端路由控制，后台仅返回json数据
         * 所有非法请求被重定向到/unauth，该请求返回一个json数据
		 * shiroFilterFactoryBean.setLoginUrl("/unauth");
		 */
		shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
		return shiroFilterFactoryBean;
	}

	/**
	 * @Title: securityManager
	 * @Description: SecurityManager，权限管理，这个类组合了登陆，登出，权限，session的处理
	 * @return SecurityManager
	 */
	@Bean
	public SecurityManager securityManager() {
		DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
		securityManager.setRealm(myShiroRealm());
		securityManager.setSessionManager(sessionManager());
		return securityManager;
	}

	/**
	 * 自定义认证
	 * @Title: myShiroRealm
	 * @Description: ShiroRealm，这是个自定义的认证类，继承自AuthorizingRealm，负责用户的认证和权限的处理
	 * @return MyShiroRealm
	 */
	@Bean
	public MyShiroRealm myShiroRealm() {
		MyShiroRealm myShiroRealm = new MyShiroRealm();
		myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
		return myShiroRealm;
	}

	/**
	 * 密码凭证匹配器，作为自定义认证的基础 （由于我们的密码校验交给Shiro的SimpleAuthenticationInfo进行处理了 ）
	 * 
	 * @return
	 */
	@Bean
	public HashedCredentialsMatcher hashedCredentialsMatcher() {
		HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
		hashedCredentialsMatcher.setHashAlgorithmName("MD5");// 散列算法:这里使用MD5算法;
		hashedCredentialsMatcher.setHashIterations(1024);// 散列的次数，比如散列两次，相当于 md5(md5(""));
		hashedCredentialsMatcher.setStoredCredentialsHexEncoded(true);
		return hashedCredentialsMatcher;
	}

	/**
	 * 自定义sessionManager，用户的唯一标识，即Token或Authorization的认证
	 */
	@Bean
	public SessionManager sessionManager() {
		MySessionManager mySessionManager = new MySessionManager();
		return mySessionManager;
	}

}

2. MySessionManager

MySessionManage的作用是从后端服务器收到的请求头中根据Authorization获取SessionID

package xyz.linkq.postfinance.sec.shiro;

import java.io.Serializable;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

public class MySessionManager extends DefaultWebSessionManager {
	private Logger logger = LoggerFactory.getLogger(this.getClass());
    private static final String AUTHORIZATION = "Authorization";
    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
    
    public MySessionManager() {  
        super();  
    }  
  
    @Override  
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {  
    	//前端ajax的headers中必须传入Authorization的值
        String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION); 
        //如果请求头中有 Authorization 则其值为sessionId  
        if (!StringUtils.isEmpty(id)) {  
        	request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);  
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE); 
            logger.info("调用MySessionManager获取sessionId="+id);
            return id;  
        } else {  
            //否则按默认规则从cookie取sessionId  
            logger.info("调用MySessionManager使用默认模式从cookie获取sessionID为"+id);
            return super.getSessionId(request, response);  
        }  
    }  
}

3.过滤器MyPassThruAuthenticationFilter

在ShiroConfig配置类的shiroFilter方法中配置使用MyPassThruAuthenticationFilter过滤器
系统重定向会默认把请求头清空，通过在MyPassThruAuthenticationFilter的onAccessDenied方法中重新设置请求头，解决跨域问题 。当Shiro判定当前请求为非法请求（未登录）时，会调用该onAccessDenied方法，若当前请求地址是设定的loginUrl则放行继续执行之后的方法，在我们的配置中是执行/unauth请求的方法，返回json数据。若当前请求不是loginUrl方法则重定向到loginUrl方法。

package xyz.linkq.postfinance.sec.shiro;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.RequestMethod;

public class MyPassThruAuthenticationFilter extends PassThruAuthenticationFilter {

	private Logger log = LoggerFactory.getLogger(this.getClass());

        //获取请求方法，若为OPTIONS请求直接返回True放行
	@Override
	public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {

		log.info("进入MyPassThruAuthenticationFilter");

		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;
		if (req.getMethod().equals(RequestMethod.OPTIONS.name())) {
			log.info("OPTIONS方法直接返回True");
			return true;
		}
		return super.onPreHandle(request, response, mappedValue);
	}
	
	
	@Override
	protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
		HttpServletResponse httpResp = WebUtils.toHttp(response);
		HttpServletRequest httpReq = WebUtils.toHttp(request);

		/** 系统重定向会默认把请求头清空，这里通过拦截器重新设置请求头，解决跨域问题 */
		httpResp.addHeader("Access-Control-Allow-Origin", httpReq.getHeader("Origin"));
		httpResp.addHeader("Access-Control-Allow-Headers", "*");
		httpResp.addHeader("Access-Control-Allow-Methods", "*");
		httpResp.addHeader("Access-Control-Allow-Credentials", "true");

		if (isLoginRequest(request, response)) {
			return true;
		} else {
			saveRequestAndRedirectToLogin(request, response);
			return false;
		}
	}
}

3.Angular中的配置

前端发送登录请求进行登录后，服务器返回当前登录的sessionId，前端获取到sessionId之后保存到sessionStorage中

{"resultCode":"SUCCESS","data":{"sessionId":"3ab87ebe-df53-4054-b9f6-996ce5c8aa7c"},"message":"登录成功！"}

sessionStorage.setItem("sessionId",data.data.sessionId)

登录后向服务器发送请求时需添加Authorization请求头并设置withCredentials为true

   httpOptions = {
    headers: new HttpHeaders({
      'Authorization': sessionStorage.getItem("sessionId")
    }),
    withCredentials:true
  };

  public getDailyReportDatas(): Observable<any> {

    return this.hc.get(this.apiURL.dailyreportdatas,this.httpOptions);

  }

若请求为未登录状态则返回前端重定向到登录页
Angular中页面跳转

        if(datas.resultCode=="FAIL"){
          alert(datas.message);
          this.router.navigateByUrl("/login")
          return;
        }