一、前情提要
上一次我们做了Redis
的相关配置,这一次我们来做Shiro
的配置,这次的配置基于CSDN博主@Starrk__
的文章
《基于SpringBoot整合redis及shiro》配置的,在此先感谢博主@Starrk__
提供了这么优秀的文章供我们学习。
二、任务详情
- 使用Maven导入Shiro
- 配置Shiro的Configuration类
- 配置Shiro生命周期Bean
- 配置shiro所要使用的所有过滤器以及映射路径
- 配置安全管理模块
- 配置认证授权模块Realm
- 配置Shiro的Redis缓存管理器
- 编写Redis的Dao类
- 配置了记住我(RememberMe)功能
三、相关介绍
1.什么是Shiro
?
Apache Shiro是用阿帕奇(Apache)公司开发的开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。
通常,我们在项目中登录,或者限制权限的时候会使用到Shiro
,它能够帮助我们简单快捷地管理登录状态,还有限制某些权限角色禁止访问敏感接口等。
四、实践操作
1.通过Maven
导入Shiro
在pom.xml
中编写以下代码导入Shiro
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
2.配置Shiro生命周期Bean
在com.repairsystem.config.shiro
中创建Shiro匹配类ShiroConfig
,并且配置Shiro生命周期处理器
private static final Logger LOGGER = LoggerFactory.getLogger(ShiroConfig.class);
/**
* shiro管理生命周期的东西
* @return
*/
@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
3.配置shiro相关的映射路径以及过滤器
首先在数据表role
中添加相应的角色
- 普通管理员
- 超级管理员
在配置类ShiroConfig
中配置相应的映射路径以及过滤器
由于账户登出过滤器MySignOutFilter
还没写,所以在这里出现错误是正常的,等下会补上。
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, RedisTemplate redisTemplate) {
//定义shiroFilterFactoryBean
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置自定义的 securityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 设置默认登录的 URL,身份认证失败会访问该 URL;配置拦截需要user/authc身份的跳转路径。
shiroFilterFactoryBean.setLoginUrl("/login");
// 设置成功之后要跳转的链接
shiroFilterFactoryBean.setSuccessUrl("/main");
// 设置未授权界面,权限认证失败会访问该 URL
shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");
Map<String, Filter> filters = new LinkedHashMap<String, Filter>();
filters.put("logout", new MySignOutFilter(redisTemplate));
shiroFilterFactoryBean.setFilters(filters);
// LinkedHashMap 是有序的,进行顺序拦截器配置
Map<String,String> filterChainMap = new LinkedHashMap<String, String>();
// TODO 配置可以匿名访问的地址,可以根据实际情况自己添加,放行一些静态资源等,anon 表示放行
filterChainMap.put("/css/**", "anon");
filterChainMap.put("/imgs/**", "anon");
filterChainMap.put("/js/**", "anon");
filterChainMap.put("/swagger-ui.html", "anon");
filterChainMap.put("/swagger-*/**", "anon");
filterChainMap.put("/swagger-ui.html/**", "anon");
// 登录 URL 放行
filterChainMap.put("/admin/login", "anon");
filterChainMap.put("/login","anon");
filterChainMap.put("/orders/saveOrders","anon");
filterChainMap.put("/orders/uploadImage","anon");
//需要认证的接口
filterChainMap.put("/building/**","authc");
filterChainMap.put("/class/**","authc");
filterChainMap.put("/completeOrders/**","authc");
filterChainMap.put("/orders/**","authc");
filterChainMap.put("/QRCode/**","authc");
// 配置 logout 过滤器
filterChainMap.put("/admin/logout", "logout");
//管理员接口只有超级管理员才能使用
filterChainMap.put("/admin/**","authc,roles[超级管理员]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainMap);
LOGGER.info("====shiroFilterFactoryBean注册完成====");
return shiroFilterFactoryBean;
}
4.配置安全管理模块
在配置类ShiroConfig
中配置安全管理模块,出现一些类或者方法缺失错误是正常的,之后会补上。
/**
* 注入安全管理器
*
* @return
*/
@Bean(name = "securityManager")
public SecurityManager getSecurityManager(@Qualifier("myShiroRealm") MyShiroRealm adminRealm, RedisTemplate redisTemplate) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(adminRealm);
//自定义session管理 使用redis
securityManager.setSessionManager(sessionManager(redisTemplate));
//注入记住我管理器;
securityManager.setRememberMeManager(rememberMeManager());
LOGGER.info("====securityManager注册完成====");
return securityManager;
}
5.创建权限角色服务RoleService
在配置认证授权模块之前,需要先写好权限角色服务,方便权限角色分辨;此次权限角色分为两个:
- 普通管理员
- 超级管理员
首先在com.repairsystem.service
创建接口RoleService
package com.repairsystem.service;
import com.repairsystem.entity.Role;
import java.util.List;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 14:11
*/
public interface RoleService {
/**
* 获得全部角色信息
* @return
*/
List<Role> searchAllRole();
/**
* 通过角色ID获取角色信息
* @param id
* @return
*/
Role searchRoleById(Integer id);
}
实现接口类RoleServiceImpl
在com.repairsystem.service.Impl
创建实现类RoleServiceImpl
package com.repairsystem.service.Impl;
import com.repairsystem.dao.RoleMapper;
import com.repairsystem.entity.Role;
import com.repairsystem.service.RoleService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import java.util.List;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 14:14
*/
@Service
public class RoleServiceImpl implements RoleService {
@Autowired
private RoleMapper roleMapper;
@Transactional(propagation = Propagation.SUPPORTS)
@Override
public List<Role> searchAllRole() {
return roleMapper.selectAll();
}
@Transactional(propagation = Propagation.SUPPORTS)
@Override
public Role searchRoleById(Integer id) {
return roleMapper.selectByPrimaryKey(id);
}
}
6.配置认证授权模块(Realm)
这个认证授权模块是需要自己手动编写,用于判断你所使用的加密方式,权限角色等。你只需要继承类AuthorizingRealm
,然后按照自己的需求直接重写里面的方法即可。
在com.repairsystem.config.shiro
下创建类MyShiroRealm
package com.repairsystem.config.shiro;
import com.repairsystem.entity.Administrator;
import com.repairsystem.entity.Role;
import com.repairsystem.service.AdministratorService;
import com.repairsystem.service.RoleService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.HashSet;
import java.util.Set;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 14:22
*/
public class MyShiroRealm extends AuthorizingRealm {
@Autowired
private AdministratorService adminService;
@Autowired
private RoleService roleService;
public MyShiroRealm() {
}
/**
* 为当前登录成功的用户授予权限和分配角色
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("======授权认证=======");
//获得用户手机
String phoneNum = (String) principalCollection.getPrimaryPrincipal();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
Administrator admin = adminService.searchAdministratorByPhoneNum(phoneNum);
//获得该用户角色
Role role = roleService.searchRoleById(admin.getRoleId());
//需要将 role 封装到 Set 作为 info.setRoles() 的参数
Set<String> set = new HashSet<>();
set.add(role.getRoleName());
//设置该用户拥有的角色
info.addRoles(set);
return info;
}
/**
* 用来验证当前登录的用户,获取认证信息
*
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("————身份认证方法————");
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
//从数据库获得对应的信息
Administrator admin = adminService.searchAdministratorByPhoneNum(token.getUsername());
if(null == admin){
throw new AccountException("管理员手机号不正确");
}else if(admin.getAdminPassword().equals(token.getPassword())){
throw new AccountException("密码不正确");
}
return new SimpleAuthenticationInfo(token.getUsername(),admin.getAdminPassword(),"adminRealm");
}
}
7.将认证授权模块放入config中
在com.repairsystem.config.shiro.ShiroConfig
写入以下代码
@Bean(name = "myShiroRealm")
@DependsOn(value = {"lifecycleBeanPostProcessor", "ShiroRedisCacheManager"})
public MyShiroRealm myShiroRealm(RedisTemplate redisTemplate) {
MyShiroRealm shiroRealm = new MyShiroRealm();
shiroRealm.setCacheManager(redisCacheManager(redisTemplate));
shiroRealm.setCachingEnabled(true);
//设置认证密码算法及迭代复杂度
// shiroRealm.setCredentialsMatcher(credentialsMatcher());
//认证
shiroRealm.setAuthenticationCachingEnabled(false);
//授权
shiroRealm.setAuthorizationCachingEnabled(false);
return shiroRealm;
}
配置认证算法
/**
* realm的认证算法
* @return
*/
@Bean(name = "hashedCredentialsMatcher")
public HashedCredentialsMatcher credentialsMatcher() {
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher("md5");
//迭代次数
credentialsMatcher.setHashIterations(2);
credentialsMatcher.setStoredCredentialsHexEncoded(true);
return credentialsMatcher;
}
8.配置session缓存管理器
将Shiro
的session交由Redis进行管理
由于是使用Redis,所以我们需要手动编写来实现该功能。
首先是个性化缓存,重写Cache
接口
创建类ShiroRedisCache
注意:写入后会显示缺少SerializeUtil,下面会讲到
package com.repairsystem.config.shiro;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import org.springframework.data.redis.core.RedisTemplate;
import java.util.*;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 14:42
*/
public class ShiroRedisCache<K,V> implements Cache<K,V> {
private RedisTemplate redisTemplate;
private String prefix = "shiro_redis:";
public String getPrefix() {
return prefix;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
public ShiroRedisCache(RedisTemplate redisTemplate){
this.redisTemplate = redisTemplate;
}
public ShiroRedisCache(RedisTemplate redisTemplate, String prefix){
this(redisTemplate);
this.prefix = prefix;
}
@Override
public V get(K k) throws CacheException {
if (k == null) {
return null;
}
byte[] bytes = getBytesKey(k);
return (V)redisTemplate.opsForValue().get(bytes);
}
@Override
public V put(K k, V v) throws CacheException {
if (k== null || v == null) {
return null;
}
byte[] bytes = getBytesKey(k);
redisTemplate.opsForValue().set(bytes, v);
return v;
}
@Override
public V remove(K k) throws CacheException {
if(k==null){
return null;
}
byte[] bytes =getBytesKey(k);
V v = (V)redisTemplate.opsForValue().get(bytes);
redisTemplate.delete(bytes);
return v;
}
@Override
public void clear() throws CacheException {
redisTemplate.getConnectionFactory().getConnection().flushDb();
}
@Override
public int size() {
return redisTemplate.getConnectionFactory().getConnection().dbSize().intValue();
}
@Override
public Set<K> keys() {
byte[] bytes = (prefix+"*").getBytes();
Set<byte[]> keys = redisTemplate.keys(bytes);
Set<K> sets = new HashSet<>();
for (byte[] key:keys) {
sets.add((K)key);
}
return sets;
}
@Override
public Collection<V> values() {
Set<K> keys = keys();
List<V> values = new ArrayList<>(keys.size());
for(K k :keys){
values.add(get(k));
}
return values;
}
private byte[] getBytesKey(K key){
if(key instanceof String){
String prekey = this.prefix + key;
return prekey.getBytes();
}else {
return SerializeUtil.serialize(key);
}
}
}
在com.repairsystem.utils
创建序列化工具SerializeUtil
,用于内存中的对象状态保存到Redis数据库中
package com.repairsystem.utils;
import java.io.*;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 14:55
*/
public class SerializeUtil {
public static Object deserialize(byte[] bytes) {
Object result = null;
if (isEmpty(bytes)) {
return null;
}
try {
ByteArrayInputStream byteStream = new ByteArrayInputStream(bytes);
try {
ObjectInputStream objectInputStream = new ObjectInputStream(byteStream);
try {
result = objectInputStream.readObject();
} catch (ClassNotFoundException ex) {
throw new Exception("Failed to deserialize object type", ex);
}
} catch (Throwable ex) {
throw new Exception("Failed to deserialize", ex);
}
} catch (Exception e) {
e.printStackTrace();
}
return result;
}
public static boolean isEmpty(byte[] data) {
return data == null || data.length == 0;
}
/**
* serialize
*
* @param object
* @return
*/
public static byte[] serialize(Object object) {
byte[] result = null;
if (object == null) {
return new byte[0];
}
try {
ByteArrayOutputStream byteStream = new ByteArrayOutputStream(128);
try {
if (!(object instanceof Serializable)) {
throw new IllegalArgumentException(
SerializeUtil.class.getSimpleName() + " requires a Serializable payload "
+ "but received an object of type [" + object.getClass().getName() + "]");
}
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteStream);
objectOutputStream.writeObject(object);
objectOutputStream.flush();
result = byteStream.toByteArray();
} catch (Throwable ex) {
throw new Exception("Failed to serialize", ex);
}
} catch (Exception ex) {
ex.printStackTrace();
}
return result;
}
}
在com.repairsystem.config.shiro.ShiroConfig
写入以下代码,以配置Shiro的Redis缓存管理器
/**
* 缓存管理器的配置
* @param redisTemplate
* @return
*/
@Bean(name = "ShiroRedisCacheManager")
public ShiroRedisCacheManager redisCacheManager(RedisTemplate redisTemplate) {
ShiroRedisCacheManager redisCacheManager = new ShiroRedisCacheManager(redisTemplate);
//name是key的前缀,可以设置任何值,无影响,可以设置带项目特色的值
redisCacheManager.createCache("shiro_redis");
return redisCacheManager;
}
9.实现Redis的增删改查MyRedisSessionDao
由于我们需要对Redis进行增删改查,所以需要创建一个专属于Redis的Dao类MyRedisSessionDao
在com.repairsystem.config.shiro
下创建类MyRedisSessionDao
package com.repairsystem.config.shiro;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.SimpleSession;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.springframework.data.redis.core.RedisTemplate;
import java.io.*;
/**
* @author CheungChingYin
* @date 2019/1/10
* @time 14:14
*/
public class MyRedisSessionDao extends EnterpriseCacheSessionDAO {
private RedisTemplate<byte[],byte[]> redisTemplate;
public MyRedisSessionDao(RedisTemplate redisTemplate){
this.redisTemplate = redisTemplate;
}
@Override
protected Serializable doCreate(Session session) {
Serializable sessionId = super.doCreate(session);
redisTemplate.opsForValue().set(sessionId.toString().getBytes(),sessionToByte(session));
return sessionId;
}
@Override
protected Session doReadSession(Serializable sessionId) {
Session session = super.doReadSession(sessionId);
if(session == null){
byte[] bytes = redisTemplate.opsForValue().get(sessionId.toString().getBytes());
if(bytes != null && bytes.length > 0){
session = byteToSession(bytes);
}
}
return session;
}
//设置session的最后一次访问时间
@Override
protected void doUpdate(Session session) {
super.doUpdate(session);
redisTemplate.opsForValue().set(session.getId().toString().getBytes(),sessionToByte(session));
}
// 删除session
@Override
protected void doDelete(Session session) {
super.doDelete(session);
redisTemplate.delete(session.getId().toString().getBytes());
}
private byte[] sessionToByte(Session session){
if (null == session){
return null;
}
ByteArrayOutputStream bo = new ByteArrayOutputStream();
byte[] bytes = null;
ObjectOutputStream oo ;
try {
oo = new ObjectOutputStream(bo);
oo.writeObject(session);
bytes = bo.toByteArray();
}catch (Exception e){
e.printStackTrace();
}
return bytes;
}
private Session byteToSession(byte[] bytes){
if(0==bytes.length){
return null;
}
ByteArrayInputStream bi = new ByteArrayInputStream(bytes);
ObjectInputStream in;
SimpleSession session = null;
try {
in = new ObjectInputStream(bi);
session = (SimpleSession) in.readObject();
}catch (Exception e){
e.printStackTrace();
}
return session;
}
}
10.配置Session管理器
在com.repairsystem.config.shiro.ShiroConfig
写入以下代码
/**
* 配置sessionmanager,由redis存储数据
*/
@Bean(name = "sessionManager")
@DependsOn(value = "lifecycleBeanPostProcessor")
public DefaultWebSessionManager sessionManager(RedisTemplate redisTemplate) {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
MyRedisSessionDao redisSessionDao = new MyRedisSessionDao(redisTemplate);
//这个name的作用也不大,只是有特色的cookie的名称。
redisSessionDao.setSessionIdGenerator(sessionIdGenerator("starrkCookie"));
sessionManager.setSessionDAO(redisSessionDao);
sessionManager.setDeleteInvalidSessions(true);
SimpleCookie cookie = new SimpleCookie();
cookie.setName("starrkCookie");
sessionManager.setSessionIdCookie(cookie);
sessionManager.setSessionIdCookieEnabled(true);
return sessionManager;
}
11.配置Session Id生成器
创建Session ID生成器MySessionIdGenerator
在com.repairsystem.config.shiro
创建类MySessionIdGenerator
package com.repairsystem.config.shiro;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionIdGenerator;
import java.io.Serializable;
import java.util.UUID;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 15:10
*/
public class MySessionIdGenerator implements SessionIdGenerator {
private String name;
public MySessionIdGenerator(String name){
this.name = name;
}
@Override
public Serializable generateId(Session session) {
System.out.println("generator生成的sessionhost:"+session.getHost());
return name+ UUID.randomUUID().toString()+session.getHost();
}
}
在ShiroConfig
中配置SessionID生成器
/**
* 自定义的SessionId生成器
* @param name
* @return
*/
public MySessionIdGenerator sessionIdGenerator(String name) {
return new MySessionIdGenerator(name);
}
12.实现记住我功能
由于需要设置Cookie的有效市场,所以一般都会写一个常量类来记录这些方法,以便日后修改。
在com.repairsystem.utils
创建工具类ConstantUtils
package com.repairsystem.utils;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 15:23
*/
public interface ConstantUtils {
class Cookie{
//Cookie最长存活时间(单位:秒)
public static final int COOKIE_MAX_TIME = 3*24*3600;
}
}
在com.repairsystem.config.shiro.ShiroConfig
写入以下代码
/**
* 这个参数是RememberMecookie的名称,随便起。
* remenberMeCookie是一个实现了将用户名保存在客户端的一个cookie,与登陆时的cookie是两个simpleCookie。
* 登陆时会根据权限去匹配,如是user权限,则不会先去认证模块认证,而是先去搜索cookie中是否有rememberMeCookie,
* 如果存在该cookie,则可以绕过认证模块,直接寻找授权模块获取角色权限信息。
* 如果权限是authc,则仍会跳转到登陆页面去进行登陆认证.
* @return
*/
public SimpleCookie rememberMeCookie() {
SimpleCookie simpleCookie = new SimpleCookie("remenbermeCookie");
//<!-- 记住我cookie生效时间3天 ,单位秒;-->
simpleCookie.setMaxAge(ConstantUtils.Cookie.COOKIE_MAX_TIME);
return simpleCookie;
}
/**
* cookie管理对象;记住我功能
*/
public CookieRememberMeManager rememberMeManager() {
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCookie(rememberMeCookie());
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)
cookieRememberMeManager.setCipherKey(Base64.decode("3AvVhmFLUs0KTA3Kprsdag=="));
return cookieRememberMeManager;
}
13.实现登出功能拦截器
上面我们曾经添加了一个登出的拦截器,但是我们并没有实现它,现在我们来实现这个拦截器。
在com.repairsystem.config.shiro
添加登出类MySignOutFilter
package com.repairsystem.config.shiro;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.redis.core.RedisTemplate;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.util.Locale;
/**
* @author CheungChingYin
* @date 2019/1/14
* @time 15:29
*/
public class MySignOutFilter extends LogoutFilter {
private static final Logger log = LoggerFactory.getLogger(MySignOutFilter.class);
private RedisTemplate redisTemplate ;
public MySignOutFilter(){
}
public MySignOutFilter(RedisTemplate redisTemplate){
this.redisTemplate = redisTemplate;
}
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = getSubject(request, response);
// Check if POST only logout is enabled
if (isPostOnlyLogout()) {
// check if the current request's method is a POST, if not redirect
if (!WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ENGLISH).equals("POST")) {
return onLogoutRequestNotAPost(request, response);
}
}
String redirectUrl = getRedirectUrl(request, response, subject);
//try/catch added for SHIRO-298:
try {
//登出时从session获取的cookieId
String cookieId = (String) subject.getSession().getId();
System.out.println(cookieId);
Cookie[] cookies = ((HttpServletRequest)request).getCookies();
for (Cookie cookie:cookies) {
//"登出时从cookie获取得到的cookieId
if(cookieId.equals(cookie.getName())){
System.out.println(cookie.getValue());
redisTemplate.delete(cookie);
}
}
subject.logout();
} catch (SessionException ise) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
}
issueRedirect(request, response, redirectUrl);
return false;
}
}
到这里,配置权限管理器——Shiro已经完成了。如果您对次篇文章有疑问,可以在文章下方留言,谢谢您的阅读。如对【机房报修管理系统】系列文章有兴趣,可以关注或收藏我的文章,您的支持是我最大的动力,我会尽快推出下一期内容,敬请期待。