1、功能实现
1.会话管理、会话持久化(redis缓存)
2.会话监听,超时清除孤立会话
2、shiro05子工程
本篇以 缓存篇 为基础
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.yzm</groupId>
<artifactId>shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath> <!-- lookup parent from repository -->
</parent>
<artifactId>shiro05</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>shiro05</name>
<description>Demo project for Spring Boot</description>
<dependencies>
<dependency>
<groupId>com.yzm</groupId>
<artifactId>common</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
<!-- redis -->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>3.2.3</version>
<exclusions>
<exclusion>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- 可以解决会话调度验证会话失效无法循环执行的问题 -->
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>2.9.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
application.yml
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://192.168.192.128:3306/testdb2?useUnicode=true&characterEncoding=utf8&useSSL=false&allowMultiQueries=true&zeroDateTimeBehavior=convertToNull&serverTimezone=Asia/Shanghai
username: root
password: 1234
mybatis-plus:
mapper-locations: classpath:/mapper/*Mapper.xml
type-aliases-package: com.yzm.shiro05.entity
configuration:
map-underscore-to-camel-case: true
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
3、认证和授权
package com.yzm.shiro02.config;
import com.yzm.shiro02.entity.Permissions;
import com.yzm.shiro02.entity.Role;
import com.yzm.shiro02.entity.User;
import com.yzm.shiro02.service.PermissionsService;
import com.yzm.shiro02.service.RoleService;
import com.yzm.shiro02.service.UserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
/**
* 自定义Realm,实现认证和授权
* AuthorizingRealm 继承 AuthorizingRealm
* AuthorizingRealm 提供 授权方法 doGetAuthorizationInfo
* AuthorizingRealm 提供 认证方法 doGetAuthenticationInfo
*/
public class MyShiroRealm extends AuthorizingRealm {
private final UserService userService;
private final RoleService roleService;
private final PermissionsService permissionsService;
public MyShiroRealm(UserService userService, RoleService roleService, PermissionsService permissionsService) {
this.userService = userService;
this.roleService = roleService;
this.permissionsService = permissionsService;
}
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof UsernamePasswordToken;
}
/**
* 授权
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = (String) principalCollection.getPrimaryPrincipal();
// 查询用户,获取角色ids
User user = userService.lambdaQuery().eq(User::getUsername, username).one();
List<Integer> roleIds = Arrays.stream(user.getRIds().split(","))
.map(Integer::parseInt)
.collect(Collectors.toList());
// 查询角色,获取角色名、权限ids
List<Role> roles = roleService.listByIds(roleIds);
Set<String> roleNames = new HashSet<>(roles.size());
Set<Integer> permIds = new HashSet<>();
roles.forEach(role -> {
roleNames.add(role.getRName());
Set<Integer> collect = Arrays.stream(
role.getPIds().split(",")).map(Integer::parseInt).collect(Collectors.toSet());
permIds.addAll(collect);
});
// 获取权限名称
List<Permissions> permissions = permissionsService.listByIds(permIds);
List<String> permNames = permissions.stream().map(Permissions::getPName).collect(Collectors.toList());
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roleNames);
authorizationInfo.addStringPermissions(permNames);
return authorizationInfo;
}
/**
* 认证
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// 获取用户名跟密码
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
String username = usernamePasswordToken.getUsername();
// 查询用户是否存在
User user = userService.lambdaQuery().eq(User::getUsername, username).one();
if (user == null) {
throw new UnknownAccountException();
}
return new SimpleAuthenticationInfo(
user.getUsername(),
user.getPassword(),
// 用户名 + 盐
ByteSource.Util.bytes(user.getUsername() + user.getSalt()),
getName()
);
}
}
4、ShiroConfig 配置类
package com.yzm.shiro05.config;
import com.yzm.shiro05.service.PermissionsService;
import com.yzm.shiro05.service.RoleService;
import com.yzm.shiro05.service.UserService;
import com.yzm.shiro05.utils.EncryptUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
import java.util.Collections;
import java.util.Properties;
@Configuration
public class ShiroConfig {
private final UserService userService;
private final RoleService roleService;
private final PermissionsService permissionsService;
public ShiroConfig(UserService userService, RoleService roleService, PermissionsService permissionsService) {
this.userService = userService;
this.roleService = roleService;
this.permissionsService = permissionsService;
}
/**
* 凭证匹配器
*/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashAlgorithmName(EncryptUtils.ALGORITHM_NAME);
hashedCredentialsMatcher.setHashIterations(EncryptUtils.HASH_ITERATIONS);
return hashedCredentialsMatcher;
}
/**
* 自定义Realm
*/
@Bean
public MyShiroRealm simpleShiroRealm() {
MyShiroRealm myShiroRealm = new MyShiroRealm(userService, roleService, permissionsService);
myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
// 开启缓存
myShiroRealm.setCachingEnabled(true);
//启用身份验证缓存,即缓存AuthenticationInfo信息,默认false
myShiroRealm.setAuthenticationCachingEnabled(true);
//缓存AuthenticationInfo信息的缓存名称 在ehcache-shiro.xml中有对应缓存的配置
myShiroRealm.setAuthenticationCacheName("authenticationCache");
//启用授权缓存,即缓存AuthorizationInfo信息,默认false
myShiroRealm.setAuthorizationCachingEnabled(true);
//缓存AuthorizationInfo信息的缓存名称 在ehcache-shiro.xml中有对应缓存的配置
myShiroRealm.setAuthorizationCacheName("authorizationCache");
return myShiroRealm;
}
/**
* redis缓存
*/
@Bean
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost("127.0.0.1:6379");
redisManager.setPassword("1234");
redisManager.setDatabase(0);
return redisManager;
}
@Bean
public RedisCacheManager redisCacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
// redis中针对不同用户缓存
redisCacheManager.setPrincipalIdFieldName("username");
// 用户认证权限信息缓存时间
redisCacheManager.setExpire(200);
return redisCacheManager;
}
/**
* SessionDAO的作用是为Session提供CRUD并进行持久化的一个shiro组件
* MemorySessionDAO 直接在内存中进行会话维护
* EnterpriseCacheSessionDAO 提供了缓存功能的会话维护,默认情况下使用MapCache实现,内部使用ConcurrentHashMap保存缓存的会话。
*/
@Bean
public SessionDAO sessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
// SessionId生成器
redisSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
//session在redis中的保存时间,最好大于session会话超时时间
redisSessionDAO.setExpire(300);
// ehcache
// EnterpriseCacheSessionDAO enterpriseCacheSessionDAO = new EnterpriseCacheSessionDAO();
// enterpriseCacheSessionDAO.setCacheManager(cacheManager());
// // 设置session缓存的名字 默认为 shiro-activeSessionCache
// enterpriseCacheSessionDAO.setActiveSessionsCacheName("shiro-activeSessionCache");
// enterpriseCacheSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
return redisSessionDAO;
}
/**
* 配置保存sessionId的cookie
* 注意:这里的cookie 不是上面的记住我 cookie 记住我需要一个cookie session管理 也需要自己的cookie
*/
@Bean
public SimpleCookie sessionIdCookie() {
SimpleCookie simpleCookie = new SimpleCookie("sid");
simpleCookie.setHttpOnly(true);
simpleCookie.setPath("/");
//maxAge=-1表示浏览器关闭时失效此Cookie
simpleCookie.setMaxAge(-1);
return simpleCookie;
}
/**
* 配置会话管理器,设定会话超时及保存
*/
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
// 自定义监听器
sessionManager.setSessionListeners(Collections.singletonList(new MySessionListener()));
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(sessionIdCookie());
// 设不设置setCacheManager都可以,暂时不知道该属性的具体作用
//sessionManager.setCacheManager(redisCacheManager());
sessionManager.setSessionDAO(sessionDAO());
//如果用户如果不点注销,直接关闭浏览器,不能够进行session的清空处理,所以为了防止这样的问题,还需要增加有一个会话的验证调度。
//全局会话超时时间(单位毫秒),默认30分钟
sessionManager.setGlobalSessionTimeout(120 * 1000L);
//定时调度器进行检测过期session 默认为true
sessionManager.setSessionValidationSchedulerEnabled(true);
//设置session失效的扫描时间, 清理用户直接关闭浏览器造成的孤立会话 默认为 1个小时,会在控制台打印日志
sessionManager.setSessionValidationInterval(60 * 1000L);
//删除无效的session对象 默认为true
sessionManager.setDeleteInvalidSessions(true);
// 取消 JSESSIONID cookie
sessionManager.setSessionIdUrlRewritingEnabled(false);
return sessionManager;
}
/**
* 安全管理
*/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 配置单个realm
securityManager.setRealm(simpleShiroRealm());
// 缓存
securityManager.setCacheManager(redisCacheManager());
// session
securityManager.setSessionManager(sessionManager());
SecurityUtils.setSecurityManager(securityManager);
return securityManager;
}
/**
* 开启注解
*/
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAAP = new DefaultAdvisorAutoProxyCreator();
defaultAAP.setProxyTargetClass(true);
return defaultAAP;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager());
return authorizationAttributeSourceAdvisor;
}
@Bean
public ShiroFilterFactoryBean shiroFilter() {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager());
return shiroFilterFactoryBean;
}
/**
* 问题:未登录不会自动跳转到登录页、无权访问页面不跳转
* 原因:Shiro注解模式下,登录失败与没有权限都是通过抛出异常,并且默认并没有去处理或者捕获这些异常。
* 解决:通过在SpringMVC下配置捕获相应异常来通知用户信息
*/
@Bean
public SimpleMappingExceptionResolver simpleMappingExceptionResolver() {
SimpleMappingExceptionResolver simpleMappingExceptionResolver = new SimpleMappingExceptionResolver();
Properties properties = new Properties();
// 未登录访问接口跳转到/login、登录后没有权限跳转到/401
properties.setProperty("org.apache.shiro.authz.UnauthenticatedException", "redirect:/login");
properties.setProperty("org.apache.shiro.authz.UnauthorizedException", "redirect:/401");
simpleMappingExceptionResolver.setExceptionMappings(properties);
return simpleMappingExceptionResolver;
}
}
5、会话管理
/**
* SessionDAO的作用是为Session提供CRUD并进行持久化的一个shiro组件
* MemorySessionDAO 直接在内存中进行会话维护
* EnterpriseCacheSessionDAO 提供了缓存功能的会话维护,默认情况下使用MapCache实现,内部使用ConcurrentHashMap保存缓存的会话。
*/
@Bean
public SessionDAO sessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
// SessionId生成器
redisSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
//session在redis中的保存时间,最好大于session会话超时时间
redisSessionDAO.setExpire(300);
// ehcache
// EnterpriseCacheSessionDAO enterpriseCacheSessionDAO = new EnterpriseCacheSessionDAO();
// enterpriseCacheSessionDAO.setCacheManager(cacheManager());
// // 设置session缓存的名字 默认为 shiro-activeSessionCache
// enterpriseCacheSessionDAO.setActiveSessionsCacheName("shiro-activeSessionCache");
// enterpriseCacheSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
return redisSessionDAO;
}
/**
* 配置保存sessionId的cookie
* 注意:这里的cookie 不是上面的记住我 cookie 记住我需要一个cookie session管理 也需要自己的cookie
*/
@Bean
public SimpleCookie sessionIdCookie() {
SimpleCookie simpleCookie = new SimpleCookie("sid");
simpleCookie.setHttpOnly(true);
simpleCookie.setPath("/");
//maxAge=-1表示浏览器关闭时失效此Cookie
simpleCookie.setMaxAge(-1);
return simpleCookie;
}
/**
* 配置会话管理器,设定会话超时及保存
*/
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
// 自定义监听器
//sessionManager.setSessionListeners(Collections.singletonList(new MySessionListener()));
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionIdCookie(sessionIdCookie());
// 设不设置setCacheManager都可以,暂时不知道该属性的具体作用
//sessionManager.setCacheManager(redisCacheManager());
sessionManager.setSessionDAO(sessionDAO());
//如果用户如果不点注销,直接关闭浏览器,不能够进行session的清空处理,所以为了防止这样的问题,还需要增加有一个会话的验证调度。
//全局会话超时时间(单位毫秒),默认30分钟
sessionManager.setGlobalSessionTimeout(120 * 1000L);
//定时调度器进行检测过期session 默认为true
sessionManager.setSessionValidationSchedulerEnabled(true);
//设置session失效的扫描时间, 清理用户直接关闭浏览器造成的孤立会话 默认为 1个小时,会在控制台打印日志
sessionManager.setSessionValidationInterval(60 * 1000L);
//删除无效的session对象 默认为true
sessionManager.setDeleteInvalidSessions(true);
// 取消 JSESSIONID cookie
sessionManager.setSessionIdUrlRewritingEnabled(false);
return sessionManager;
}
/**
* 安全管理
*/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
...
// session
securityManager.setSessionManager(sessionManager());
SecurityUtils.setSecurityManager(securityManager);
return securityManager;
}
6、测试会话
启动项目,yzm登录后,打开F12
可以看到我们创建的 sid 的cookie,打开redis客户端
我们使用的是RedisSessionDAO,所以key前缀是shiro:session:
后面的 9eccf7ee-d17d-4e2f-9aab-1c94f6a5dd9d 是SessionId ,通过创建
redisSessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
缓存时间:redisSessionDAO.setExpire(300);
同样的可以看到之前的认证和授权缓存时间
@Bean
public RedisCacheManager redisCacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
...
// 用户认证权限信息缓存时间
redisCacheManager.setExpire(200);
return redisCacheManager;
}
设置全局会话超时,即120秒内没有任何请求,过了120秒就会退出登录状态
//全局会话超时时间(单位毫秒),默认30分钟
sessionManager.setGlobalSessionTimeout(120 * 1000L);
设置每分钟检查session是否超时,控制台会打印信息
//定时调度器进行检测过期session 默认为true
sessionManager.setSessionValidationSchedulerEnabled(true);
//设置session失效的扫描时间, 清理用户直接关闭浏览器造成的孤立会话 默认为 1个小时,会在控制台打印日志
sessionManager.setSessionValidationInterval(60 * 1000L);
如果没有引入下面的依赖
<!-- 可以解决会话调度验证会话失效无法循环执行的问题 -->
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>2.9.0</version>
</dependency>
那么这个设置,打印日志只能执行一次,无法循环执行
sessionManager.setSessionValidationInterval(60 * 1000L);
7、添加session监听,统计在线人数
package com.yzm.shiro05.config;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import java.util.concurrent.atomic.AtomicInteger;
/**
* 会话监听
*/
public class MySessionListener implements SessionListener {
/**
* 统计在线人数
* 线程安全自增
*/
private final static AtomicInteger sessionCount = new AtomicInteger(0);
/**
* 会话创建时触发
*/
@Override
public void onStart(Session session) {
//会话创建,在线人数加一
sessionCount.incrementAndGet();
}
/**
* 退出会话时触发
*/
@Override
public void onStop(Session session) {
//会话退出,在线人数减一
sessionCount.decrementAndGet();
}
/**
* 会话过期时触发
*/
@Override
public void onExpiration(Session session) {
//会话过期,在线人数减一
sessionCount.decrementAndGet();
}
/**
* 获取在线人数使用
*/
public static AtomicInteger getSessionCount() {
return sessionCount;
}
}
在ShiroConfig#sessionManager中启用监听
/**
* 配置会话管理器,设定会话超时及保存
*/
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
// 自定义监听器
sessionManager.setSessionListeners(Collections.singletonList(new MySessionListener()));
...
}
在HomeController.java 增加获取人数,以及home.html
@GetMapping(value = {"/", "/home"})
public String home(ModelMap map) {
Subject subject = SecurityUtils.getSubject();
map.addAttribute("subject", subject.getPrincipals());
map.addAttribute("count", MySessionListener.getSessionCount().get());
return "home";
}
<h1>当前登录状态:<span th:text="${subject ?: '未登录 '}"></span></h1>
<h2>当前在线人数:<span th:text="${count ?: '0'}"></span></h2>
启动项目,火狐登录yzm
谷歌登录admin,刷新yzm
等待2分钟,sessionManager.setGlobalSessionTimeout(120 * 1000L);
每过一分钟就会打印一次日志 : Finished session validation. No sessions were stopped.
期间不时刷新yzm (防止yzm的会话过期)
当日志打印如下时,刷新yzm;刷新admin
在上面的过程中,admin登录成功,立即关闭admin对应的浏览器,等待2分钟的结果也是一样的
也就说明了孤立的会话在超时之后会被清除