SpringBoot_安全框架_Shiro
Shiro
Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。使用Shiro的易于理解的API,您可以快速、轻松地获得任何应用程序,从最小的移动应用程序到最大的网络和企业应用程序。
三个核心组件:
(1)Subject
当前操作人
(2)SecurityManager
Shiro框架的核心 ,并通过它来提供安全管理的各种服务
(3)Realm
当对用户执行认证和授权验证时,Shiro会从应用配置的Realm配置中查找用户及其权限信息
引入依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
Shiro配置文件
/**
* Shiro配置
*
*
* @author vander
* @date 2018年11月28日
*/
@Configuration
public class ShiroConfig {
@Bean("sessionManager")
public SessionManager sessionManager(SessionDAO sessionDAO){
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionValidationSchedulerEnabled(true);
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setGlobalSessionTimeout(60000);//session过期时间
// sessionManager.setSessionDAO(sessionDAO);//自定义session存储--分布式环境
return sessionManager;
}
@Bean("securityManager")
public SecurityManager securityManager(OAuth2Realm oAuth2Realm, SessionManager sessionManager) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(oAuth2Realm);
securityManager.setSessionManager(sessionManager);
return securityManager;
}
@Bean("shiroFilter")
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
shiroFilter.setSecurityManager(securityManager);
//oauth2过滤
Map<String, Filter> filters = new HashMap<>();
filters.put("oauth2", new OAuth2Filter());
shiroFilter.setFilters(filters);
Map<String, String> filterMap = new LinkedHashMap<>();
filterMap.put("/druid/**", "anon");
filterMap.put("/base/login", "anon");
filterMap.put("/**/*.css", "anon");
filterMap.put("/**/*.js", "anon");
filterMap.put("/**/*.html", "anon");
filterMap.put("/swagger/**", "anon");
filterMap.put("/v2/api-docs", "anon");
filterMap.put("/swagger-ui.html", "anon");
filterMap.put("/swagger-resources/**", "anon");
filterMap.put("/favicon.ico", "anon");
filterMap.put("/captcha.jpg", "anon");
filterMap.put("/", "anon");
filterMap.put("/**", "oauth2");
shiroFilter.setFilterChainDefinitionMap(filterMap);
return shiroFilter;
}
@Bean("lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
注册shiro过滤器
/**
* Filter配置
*
*/
@Configuration
public class FilterConfig {
@Bean
public FilterRegistrationBean shiroFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new DelegatingFilterProxy("shiroFilter"));
//该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
registration.addInitParameter("targetFilterLifecycle", "true");
registration.setEnabled(true);
registration.setOrder(Integer.MAX_VALUE - 1);
registration.addUrlPatterns("/*");
return registration;
}
@Bean
public FilterRegistrationBean xssFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(new XssFilter());
registration.addUrlPatterns("/*");
registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE);
return registration;
}
}
自定义认证令牌
/**
* 认证令牌
*
*
* @author vander
* @date 2018年12月15日
*/
public class MyToken implements AuthenticationToken {
private static final long serialVersionUID = 1L;
private String token;
public MyToken (String token){
this.token = token;
}
@Override
public String getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
自定义Realm
/**
* 认证、授权
*
*
* @author vander
* @date 2018年11月28日
*/
@Component
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof MyToken;
}
/**
* 授权(验证权限时调用)
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SysUser user = (SysUser)principals.getPrimaryPrincipal();
Long userId = user.getUserId();
//用户的权限列表
Set<String> permsSet = userService.getPermissions(userId);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setStringPermissions(permsSet);
return info;
}
/**
* 认证(登录时调用)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String token = (String) token.getPrincipal();
SysToken sysEntity = userService.queryByToken(token);
//token失效
if(sysEntity == null || sysEntity.getExpireTime().getTime() < System.currentTimeMillis()){
throw new IncorrectCredentialsException("Token已失效,请重新登录!");
}
//查询用户信息
SysUser user = userService.queryUser(sysEntity.getUserId());
if(user.getStatus() == 0){
throw new LockedAccountException("用户账号已被锁定,请联系管理员!");
}
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, accessToken, getName());
return info;
}
}
访问过滤器
/**
* oauth2过滤器
*
*
* @author vander
* @date 2018年11月28日
*/
public class AccessFilter extends AuthenticatingFilter {
@Override
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {
String token = getRequestToken((HttpServletRequest) request);
if(StringUtils.isBlank(token)){
return null;
}
return new MyToken(token);
}
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//获取请求token,如果token不存在,直接返回401
String token = getRequestToken((HttpServletRequest) request);
if(StringUtils.isBlank(token)){
HttpServletResponse httpResponse = (HttpServletResponse) response;
RestResult r = new RestResult();
r.codeMessage(HttpStatus.SC_UNAUTHORIZED, "invalid token");
String json = new Gson().toJson(r);
httpResponse.getWriter().print(json);
return false;
}
return executeLogin(request, response);
}
@Override
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setContentType("application/json;charset=utf-8");
try {
//处理登录失败的异常
Throwable throwable = e.getCause() == null ? e : e.getCause();
RestResult r = new RestResult();
r.codeMessage(HttpStatus.SC_UNAUTHORIZED, throwable.getMessage());
String json = new Gson().toJson(r);
httpResponse.getWriter().print(json);
} catch (IOException e) {
}
return false;
}
/**
* 获取请求的token
*/
private String getRequestToken(HttpServletRequest httpRequest){
//从header中获取token
String token = httpRequest.getHeader("token");
//从参数中获取token
if(StringUtils.isBlank(token)){
token = httpRequest.getParameter("token");
}
return token;
}
}
Shiro工具类
在项目中获取当前用户信息
/**
* Shiro工具类
*
*
* @author vander
* @date 2018年11月28日
*/
public class ShiroUtils {
public static Session getSession() {
return SecurityUtils.getSubject().getSession();
}
public static Subject getSubject() {
return SecurityUtils.getSubject();
}
public static SysUser getUserEntity() {
return (SysUser)SecurityUtils.getSubject().getPrincipal();
}
public static void setSessionAttribute(Object key, Object value) {
getSession().setAttribute(key, value);
}
public static Object getSessionAttribute(Object key) {
return getSession().getAttribute(key);
}
public static boolean isLogin() {
return SecurityUtils.getSubject().getPrincipal() != null;
}
//使用kaptcha验证码
public static String getKaptcha(String code) {
Object kaptcha = getSessionAttribute(code);
if(kaptcha == null){
throw new BException("验证码失效!");
}
getSession().removeAttribute(key);
return kaptcha.toString();
}
}
分布式Session共享(可选)
/**
*
* 基于reidsSession共享
*
* @author vander
* @date 2018年11月29日
*/
@Component
public class RedisSessionDao extends AbstractSessionDAO {
@Autowired
private ValueOperations<String, String> redisTemplate;
private static final Logger log = LoggerFactory.getLogger(RedisSessionDao.class);
@Override
public void update(Session session) throws UnknownSessionException {
log.info("更新seesion,id=[{}]", session.getId().toString());
try {
redisTemplate.set(session.getId().toString(), ObjectUtil.serialize(session));
} catch (Exception e) {
e.printStackTrace();
}
}
@Override
public void delete(Session session) {
log.info("删除seesion,id=[{}]", session.getId().toString());
try {
redisTemplate.set(session.getId().toString(), "", 0);
} catch (Exception e) {
e.printStackTrace();
}
}
@Override
public Collection<Session> getActiveSessions() {
log.info("获取存活的session");
return Collections.emptySet();
}
@Override
protected Serializable doCreate(Session session) {
Serializable sessionId = generateSessionId(session);
assignSessionId(session, sessionId);
log.info("创建seesion,id=[{}]", session.getId().toString());
try {
redisTemplate.set(sessionId.toString(), ObjectUtil.serialize(session));
} catch (Exception e) {
log.error(e.getMessage());
}
return sessionId;
}
@Override
protected Session doReadSession(Serializable sessionId) {
log.info("获取seesion,id=[{}]", sessionId.toString());
Session session = null;
try {
session = (Session) ObjectUtil.deserialize(redisTemplate.get(sessionId.toString()));
} catch (Exception e) {
log.error(e.getMessage());
}
return session;
}
}
注册用户
核心代码
//sha256加密
String salt = RandomStringUtils.randomAlphanumeric(20);
user.setPassword(new Sha256Hash(user.getPassword(), salt).toHex());
user.setSalt(salt);
登录用户
核心代码
if(user == null || !user.getPassword().equals(new Sha256Hash(password, user.getSalt()).toHex())) {
return errorMsg("账号或密码不正确!");
}