1 什么是shiro?
《官方解释》:“Apache Shiro™ is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.”
shiro是一个强大的java安全框架,支持认证、授权、加密、会话管理等。
2 为什么使用shiro?
使用shiro能够简化开发,使开发人员不必在鉴权上付出大量的精力,而去更多的进行核心业务的开发。学习shiro很有必要,可以为之后学习spirng security打下基础。并且shiro提供了很多强大的功能且开箱即用,开发人员只需要必要的一些配置便能够享受shiro带来的便利。
3 shiro整合springboot
3.1 shiro获取用户-角色-权限数据
一般来说,后台数据库层面会使用RBAC的思想(用户+角色+权限的表设计),而为了能够让shiro进行鉴权,需要为其提供认证和授权的数据接入。我们需要自定义Realm,来获取用户角色权限信息。
自定义Realm:
import com.jgerp.pojo.User;
import com.jgerp.service.IUserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.Date;
/**
* @author: theTian
*/
public class UserRealm extends AuthorizingRealm {
private static Logger logger = LoggerFactory.getLogger(UserRealm.class);
@Autowired
private IUserService userService;
/**
* 授权操作
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
Subject subject = SecurityUtils.getSubject();
User curUser = (User) subject.getPrincipal();
info.setRoles(userService.getRolesById(curUser.getUserId()));
info.setStringPermissions(userService.getPermsById(curUser.getUserId()));
return info;
}
/**
* 认证操作
*
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
User user = userService.selectByUsername(userToken.getUsername());
if (user == null) return null;
// 更新用户登陆时间
user.setLastLoginTime(new Date());
User updUser = new User();
updUser.setUserId(user.getUserId());
updUser.setLastLoginTime(user.getLastLoginTime());
userService.updateUserLoginTime(updUser);
return new SimpleAuthenticationInfo(user, user.getPassword(), "");
}
}
3.2 shiro会话管理
shiro的会话管理是从cookies中获取jsessionid找到对应的session,一般来说在前后端分离的项目中,由于跨域请求默认不会携带cookies,此时后端可以将登陆成功后的jsessionid打包成参数返回给前端,前端将其放到header中,后端每次先从header中获取jsessionid,如果获取不到再从cookies中寻找。
自定义会话管理:
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.util.StringUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;
/**
* 自定义sessionId获取
*/
public class MySessionManager extends DefaultWebSessionManager {
private static final String AUTHORIZATION = "Authorization";
private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
public MySessionManager () {
super();
}
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
//如果请求头中有 Authorization 则其值为sessionId
if (!StringUtils.isEmpty(id)) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
return id;
} else {
//否则按默认规则从cookie取sessionId
return super.getSessionId(request, response);
}
}
}
3.3 将自定义配置加载到shiro
完成了自定义的realm和session manager后通过配置类的方式将其加载进shiro中使其生效。
ShiroConfig:
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @author: theTian
*/
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(){
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(getDefaultWebSecurityManager());
bean.getFilters().put("authc", new AuthcFilter());
bean.getFilters().put("roles", new RoleFilter());
// 添加shiro的内置过滤器
Map<String, String> map = new LinkedHashMap<>();
// 自定义拦截uri
// map.put("/**", "anon");
/**
* 跳转登录(未认证时跳转)
*/
bean.setLoginUrl("/toLogin");
/**
* 未授权时跳转
*/
bean.setUnauthorizedUrl("/unAuth");
bean.setFilterChainDefinitionMap(map);
return bean;
}
@Bean
public DefaultWebSecurityManager getDefaultWebSecurityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(userRealm());
securityManager.setSessionManager(sessionManager());
return securityManager;
}
@Bean
public UserRealm userRealm(){
return new UserRealm();
}
@Bean
public SessionManager sessionManager() {
MySessionManager mySessionManager = new MySessionManager();
return mySessionManager;
}
}
3.4 shiro配置过滤器解决跨域问题
在前后端分离的项目中,前端的非简单请求(preflight)不会携带jsessionid,从而被302。需要配置对应类型接口的过滤器来处理这个options请求。
AuthcFilter:
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* 解决认证接口跨域
* @author: theTian
*/
public class AuthcFilter extends FormAuthenticationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
boolean allowed = super.isAccessAllowed(request, response, mappedValue);
if (!allowed) {
String method = WebUtils.toHttp(request).getMethod();
if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {
return true;
}
}
return allowed;
}
}
RoleFilter:
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
/**
* 解决权限接口跨域
* @author: theTian
*/
public class RoleFilter extends RolesAuthorizationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
boolean allowed = super.isAccessAllowed(request, response, mappedValue);
if (!allowed) {
String method = WebUtils.toHttp(request).getMethod();
if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {
return true;
}
}
return allowed;
}
}
3.5 配置跨域
解决前后端分离跨域问题
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author: theTian
* @date: 2020/5/28 0:08
*/
@Configuration
public class CorsConfig implements WebMvcConfigurer,Filter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")
.allowCredentials(true)
.maxAge(3600)
.allowedHeaders("*");
}
private CorsConfiguration buildConfig() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.addAllowedOrigin("*"); //允许任何域名
corsConfiguration.addAllowedHeader("*"); //允许任何头
corsConfiguration.addAllowedMethod("*"); //允许任何方法
return corsConfiguration;
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", buildConfig()); //注册
return new CorsFilter(source);
}
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) arg1;
response.setHeader("Access-Control-Allow-Origin","*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "*");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "*");
response.setHeader("Access-Control-Request-Headers", "*");
response.setHeader("Access-Control-Expose-Headers", "*");
arg2.doFilter(arg0,arg1);
}
}