shiro用来认证用户及权限控制,jwt用来生成一个token,暂存用户信息。为什么不使用session而使用jwt?传统情况下是只有一个服务器,用户登陆后将一些信息以session的形式存储服务器上,然后将sessionid存储在本地cookie中,当用户下次请求时将会将sessionid传递给服务器,用于确认身份。但如果是分布式的情况下会出现问题,在服务器集群中,需要一个session数据库来存储每一个session,提供给集群中所有服务使用,且无法跨域(多个Ip)使用。而jwt是生成一个token存储在客户端,每次请求将其存储在header中,解决了跨域,且可以通过自定义的方法进行验证,解决了分布式验证的问题。缺点:无法在服务器注销、比sessionid大占带宽、一次性(想修改里面的内容,就必须签发一个新的jwt)
大体流程:
1.用户使用username和secret登陆,将sercret通过MD5加密,通过username查询库中是否有该条记录,并比较加密后的密码是否相同,登陆成功后利用JWTutil生成带过期时间的token,以后发送请求时都需要在header中添加Authorization字段附加该token信息;
2.结合程序实现一个JWTutil,在其中实现利用登陆信息生成token,根据token获取username,token验证等方法;
3.实现一个JWTFilter继承BasicHttpAuthenticationFilter类,该拦截器需要拦截所有请求除(除登陆、注册等请求),用于判断请求是否带有token,并获取token的值传递给shiro的登陆认证方法作为参数,用于获取token;
4.定义ShiroRealm继承AuthorizingRealm类,在其中实现登陆验证及权限获取的方法;
5. 定义ShiroConfig配置类,用于生成ShiroManage及将shiroRealm付给ShiroManage,并将jwtFilter添加进shiro的拦截器链中
6.controller中可以使用@RequiresPermissions来对用户权限进行拦截;
7.数据库表设计(user、role、menu表)项目中页面、按钮需要在菜单控制中进行添加,包括对应的请求链接、权限控制代码,前端也需要对按钮进行权限限制,使用v-hasPermission,控制代码与配置需一致。
数据库示例:
CREATE TABLE `sys_user` (
`user_id` bigint(20) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL DEFAULT '' COMMENT '用户名',
`password` varchar(100) NOT NULL DEFAULT '' COMMENT '密码',
`salt` varchar(20) NOT NULL DEFAULT '' COMMENT '盐',
`email` varchar(100) NOT NULL DEFAULT '' COMMENT '邮箱',
`mobile` varchar(100) NOT NULL DEFAULT '' COMMENT '手机号',
`status` tinyint(4) NOT NULL DEFAULT '0' COMMENT '状态 0:禁用 1:正常',
`dept_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '部门ID',
`create_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
PRIMARY KEY (`user_id`),
UNIQUE KEY `username` (`username`) USING BTREE
) ENGINE=InnoDB AUTO_INCREMENT=1099883721936343043 DEFAULT CHARSET=utf8 COMMENT='系统用户';
CREATE TABLE `sys_role` (
`role_id` bigint(20) NOT NULL AUTO_INCREMENT,
`role_name` varchar(100) NOT NULL COMMENT '角色名称',
`remark` varchar(100) NOT NULL DEFAULT '' COMMENT '备注',
`dept_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '部门ID',
`create_time` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
PRIMARY KEY (`role_id`)
) ENGINE=InnoDB AUTO_INCREMENT=1108201334940721154 DEFAULT CHARSET=utf8 COMMENT='角色';
CREATE TABLE `sys_user_role` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`user_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '用户ID',
`role_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '角色ID',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1108202134471532547 DEFAULT CHARSET=utf8 COMMENT='用户与角色对应关系';
CREATE TABLE `sys_menu` (
`menu_id` bigint(20) NOT NULL AUTO_INCREMENT,
`parent_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '父菜单ID,一级菜单为0',
`name` varchar(50) NOT NULL DEFAULT '' COMMENT '菜单名称',
`url` varchar(200) NOT NULL DEFAULT '' COMMENT '菜单URL',
`perms` varchar(500) NOT NULL DEFAULT '' COMMENT '授权(多个用逗号分隔,如:user:list,user:create)',
`type` int(11) NOT NULL DEFAULT '0' COMMENT '类型 0:目录 1:菜单 2:按钮',
`icon` varchar(50) NOT NULL DEFAULT '' COMMENT '菜单图标',
`order_num` int(11) NOT NULL DEFAULT '0' COMMENT '排序',
PRIMARY KEY (`menu_id`)
) ENGINE=InnoDB AUTO_INCREMENT=1134014411321700355 DEFAULT CHARSET=utf8 COMMENT='菜单管理';
CREATE TABLE `sys_role_menu` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`role_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '角色ID',
`menu_id` bigint(20) NOT NULL DEFAULT '0' COMMENT '菜单ID',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1121623728103362562 DEFAULT CHARSET=utf8 COMMENT='角色与菜单对应关系';
代码示例
public class JWTUtil {
private static final long EXPIRE_TIME = BraveConstant.JWT_TIME_OUT * 1000;
/**
* 校验 token是否正确
*
* @param token 密钥
* @param secret 用户的密码
* @return 是否正确
*/
public static boolean verify(String token, TokenDto tokenDto, String secret) {
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
JWTVerifier verifier = JWT.require(algorithm)
.withClaim("tokenDto", JsonUtils.writeToJson(tokenDto))
.build();
verifier.verify(token);
log.info("token is valid");
return true;
} catch (Exception e) {
log.info("token is invalid{}", e.getMessage());
return false;
}
}
/**
* 从 获取用户信息
*
* @return token中包含的用户名
*/
public static TokenDto getUserTokenDto(String token ) {
try {
DecodedJWT jwt = JWT.decode(token);
return JsonUtils.readFromJson(jwt.getClaim("tokenDto").asString(),TokenDto.class);
} catch (JWTDecodeException e) {
log.error("error:{}", e.getMessage());
return null;
}
}
/**
* 生成 token
*
* @param secret 用户的密码
* @return token
*/
public static String sign(TokenDto tokenDto, String secret) {
try {
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(secret);
return JWT.create()
.withClaim("tokenDto", JsonUtils.writeToJson(tokenDto))
.withExpiresAt(date)
.sign(algorithm);
} catch (Exception e) {
log.error("error:{}", e);
return null;
}
}
}
public class JWTFilter extends BasicHttpAuthenticationFilter {
private static final String TOKEN = "Authentication";
private AntPathMatcher pathMatcher = new AntPathMatcher();
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String[] anonUrl = StringUtils.splitByWholeSeparatorPreserveAllTokens(BraveConstant.ANON_URL, StringPool.COMMA);
boolean match = false;
for (String u : anonUrl) {
if (pathMatcher.match(u, httpServletRequest.getRequestURI()))
match = true;
}
if (match) return true;
if (isLoginAttempt(request, response)) {
return executeLogin(request, response);
}
return false;
}
@Override
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
HttpServletRequest req = (HttpServletRequest) request;
String token = req.getHeader(TOKEN);
return token != null;
}
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String token = httpServletRequest.getHeader(TOKEN);
JWTToken jwtToken = new JWTToken(BraveUtil.decryptToken(token));
try {
//将token传递给shiroRealm
getSubject(request, response).login(jwtToken);
return true;
} catch (Exception e) {
log.error(e.getMessage());
return false;
}
}
/**
* 对跨域提供支持
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
// 跨域时会首先发送一个 option请求,这里我们给 option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
}
public class ShiroRealm extends AuthorizingRealm {
@Autowired
private RedisService redisService;
@Autowired
private BrUserManager brUserManager;
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof JWTToken;
}
/**`
* 授权模块,获取用户角色和权限
*
* @param token token
* @return AuthorizationInfo 权限信息
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection token) {
long userId = JWTUtil.getUserTokenDto(token.toString()).getUserId();
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
// 获取用户权限集
Set<String> permissionSet = brUserManager.getUserPermissions(userId);
simpleAuthorizationInfo.setStringPermissions(permissionSet);
return simpleAuthorizationInfo;
}
/**
* 用户认证
*
* @param authenticationToken 身份认证 token
* @return AuthenticationInfo 身份认证信息
* @throws AuthenticationException 认证相关异常
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// 这里的 token是从 JWTFilter 的 executeLogin 方法传递过来的
String token = (String) authenticationToken.getCredentials();
TokenDto tokenDto = JWTUtil.getUserTokenDto(token);
if (tokenDto == null)
throw new AuthenticationException("token校验不通过");
// 通过用户名查询用户信息
BrUser user = brUserManager.getUser(tokenDto.getUserId());
if (user == null)
throw new AuthenticationException("用户名或密码错误");
TokenDto tokenDtoNew = new TokenDto();
tokenDtoNew.setUserName(user.getUsername());
if (!JWTUtil.verify(token, tokenDtoNew,user.getPassword()))
throw new AuthenticationException("token校验不通过");
return new SimpleAuthenticationInfo(token, token, "shiro_realm");
}
}
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 设置 securityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 在 Shiro过滤器链上加入 JWTFilter
LinkedHashMap<String, Filter> filters = new LinkedHashMap<>();
filters.put("jwt", new JWTFilter());
shiroFilterFactoryBean.setFilters(filters);
LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
// 所有请求都要经过 jwt过滤器
filterChainDefinitionMap.put("/**", "jwt");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 配置 SecurityManager,并注入 shiroRealm
securityManager.setRealm(shiroRealm());
return securityManager;
}
@Bean
public ShiroRealm shiroRealm() {
// 配置 Realm
return new ShiroRealm();
}
//开启注解
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}
public class JWTToken implements AuthenticationToken {
private static final long serialVersionUID = 1282057025599826155L;
private String token;
private String exipreAt;
public JWTToken(String token) {
this.token = token;
}
public JWTToken(String token, String exipreAt) {
this.token = token;
this.exipreAt = exipreAt;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}