Shiro (Shiro + JWT + SpringBoot應用)

Shiro (Shiro + JWT + SpringBoot應用)

1.Shiro的簡介

Apache Shiro是一種功能強大且易於使用的Java安全框架,它執行身份驗證,受權,加密和會話管理,可用於保護 從命令行應用程序,移動應用程序到Web和企業應用程序等應用的安全。前端

  1. Authentication 身份認證/登陸,驗證用戶是否是擁有相應的身份;
  2. Authorization 受權,即權限驗證,驗證某個已認證的用戶是否擁有某個權限;即判斷用戶是否能作事情,常見的如:驗證某個用戶是否擁有某個角色。或者細粒度的驗證某個用戶對某個資源是否具備某個權限;
  3. Cryptography 安全數據加密,保護數據的安全性,如密碼加密存儲到數據庫,而不是明文存儲;
  4. Session Management 會話管理,即用戶登陸後就是一次會話,在沒有退出以前,它的全部信息都在會話中;
  5. Web Integration web系統集成
  6. Interations 集成其它應用,spring、緩存框架

從應用程序角度的來觀察如何使用Shiro完成工做:java

Subject:主體,表明了當前「用戶」,這個用戶不必定是一個具體的人,與當前應用交互的任何東西都是Subject,如網絡爬蟲,機器人等;即一個抽象概念;全部Subject都綁定到SecurityManager,與Subject的全部交互都會委託給SecurityManager;能夠把Subject認爲是一個門面;SecurityManager纔是實際的執行者;web

SecurityManager:安全管理器;即全部與安全有關的操做都會與SecurityManager交互;且它管理着全部Subject;能夠看出它是Shiro的核心,它負責與後邊介紹的其餘組件進行交互,若是學習過SpringMVC,你能夠把它當作DispatcherServlet前端控制器;redis

Realm:域,Shiro從從Realm獲取安全數據(如用戶、角色、權限),就是說SecurityManager要驗證用戶身份,那麼它須要從Realm獲取相應的用戶進行比較以肯定用戶身份是否合法;也須要從Realm獲得用戶相應的角色/權限進行驗證用戶是否能進行操做;能夠把Realm當作DataSource,即安全數據源。spring

也就是說對於咱們而言,最簡單的一個Shiro應用:數據庫

一、應用代碼經過Subject來進行認證和受權,而Subject又委託給SecurityManager;apache

二、咱們須要給Shiro的SecurityManager注入Realm,從而讓SecurityManager能獲得合法的用戶及其權限進行判斷。json

2.Shiro + JWT + SpringBoot

1.導入依賴
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.1</version>
</dependency>
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.8.2</version>
</dependency>
2.配置JWT
public class JWTUtil {
    /**
     * 校驗 token是否正確
     *
     * @param token  密鑰
     * @param secret 用戶的密碼
     * @return 是否正確
     */
    public static boolean verify(String token, String username, String secret) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(secret);
            JWTVerifier verifier = JWT.require(algorithm)
                    .withClaim("username", username)
                    .build();
            verifier.verify(token);
            return true;
        } catch (Exception e) {
            log.info("token is invalid{}", e.getMessage());
            return false;
        }
    }

    public static String getUsername(HttpServletRequest request) {
        // 取token
        String token = request.getHeader("Authorization");
        return getUsername(UofferUtil.decryptToken(token));
    }
    /**
     * 從 token中獲取用戶名
     * @return token中包含的用戶名
     */
    public static String getUsername(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("username").asString();
        } catch (JWTDecodeException e) {
            log.error("error:{}", e.getMessage());
            return null;
        }
    }
    
    public static Integer getUserId(HttpServletRequest request) {
        // 取token
        String token = request.getHeader("Authorization");
        return getUserId(UofferUtil.decryptToken(token));
    }
    /**
     * 從 token中獲取用戶ID
     * @return token中包含的ID
     */
    public static Integer getUserId(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return Integer.valueOf(jwt.getSubject());
        } catch (JWTDecodeException e) {
            log.error("error:{}", e.getMessage());
            return null;
        }
    }


    /**
     * 生成 token
     * @param username 用戶名
     * @param secret   用戶的密碼
     * @return token 加密的token
     */
    public static String sign(String username, String secret, Integer userId) {
        try {
            Map<String, Object> map = new HashMap<>();
            map.put("alg", "HS256");
            map.put("typ", "JWT");
            username = StringUtils.lowerCase(username);
            Algorithm algorithm = Algorithm.HMAC256(secret);
            return JWT.create()
                    .withHeader(map)
                    .withClaim("username", username)
                    .withSubject(String.valueOf(userId))
                    .withIssuedAt(new Date())
//                    .withExpiresAt(date)
                    .sign(algorithm);
        } catch (Exception e) {
            log.error("error:{}", e);
            return null;
        }
    }
}
3.配置Shiro
4.實現JWTToken

token本身已經包含了用戶名等信息。跨域

@Data
public class JWTToken implements AuthenticationToken {

    private static final long serialVersionUID = 1282057025599826155L;

    private String token;

    private String exipreAt;

    public JWTToken(String token) {
        this.token = token;
    }

    public JWTToken(String token, String exipreAt) {
        this.token = token;
        this.exipreAt = exipreAt;
    }

    @Override
    public Object getPrincipal() {
        return token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }

}
5.實現Realm

自定義實現 ShiroRealm,包含認證和受權兩大模塊。緩存

public class ShiroRealm extends AuthorizingRealm {

    @Resource
    private RedisUtil redisUtil;

    @Autowired
    private ISysUserService userService;

    @Autowired
    private ISysRoleService roleService;

    @Autowired
    private ISysMenuService menuService;

    // 必須重寫此方法,否則Shiro會報錯
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JWTToken;
    }

    /**
     * 只有當須要檢測用戶權限的時候纔會調用此方法
     * 受權模塊,獲取用戶角色和權限。
     * @param token token
     * @return AuthorizationInfo 權限信息
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection token) {
        Integer userId = JWTUtil.getUserId(token.toString());

        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();

        // 獲取用戶角色集
        Set<String> roleSet = roleService.selectRolePermissionByUserId(userId);
        simpleAuthorizationInfo.setRoles(roleSet);

        // 獲取用戶權限集
        Set<String> permissionSet = menuService.findUserPermissionsByUserId(userId);
        simpleAuthorizationInfo.setStringPermissions(permissionSet);
        return simpleAuthorizationInfo;
    }

    /**
     * 用戶認證:編寫shiro判斷邏輯,進行用戶認證
     * @param authenticationToken 身份認證 token
     * @return AuthenticationInfo 身份認證信息
     * @throws AuthenticationException 認證相關異常
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // 這裏的 token是從 JWTFilter 的 executeLogin 方法傳遞過來的,已經通過了解密
        String token = (String) authenticationToken.getCredentials();
        String encryptToken = UofferUtil.encryptToken(token); //加密token
        String username = JWTUtil.getUsername(token); //從token中獲取username
        Integer userId = JWTUtil.getUserId(token);    //從token中獲取userId

        // 經過redis查看token是否過時
        HttpServletRequest request = HttpContextUtil.getHttpServletRequest();
        String ip = IPUtil.getIpAddr(request);
        String encryptTokenInRedis = redisUtil.get(Constant.RM_TOKEN_CACHE + encryptToken + StringPool.UNDERSCORE + ip);
        if (!token.equalsIgnoreCase(UofferUtil.decryptToken(encryptTokenInRedis))) {
            throw new AuthenticationException("token已通過期");
        }

        // 若是找不到,說明已經失效
        if (StringUtils.isBlank(encryptTokenInRedis)) {
            throw new AuthenticationException("token已通過期");
        }

        if (StringUtils.isBlank(username)) {
            throw new AuthenticationException("token校驗不經過");
        }

        // 經過用戶id查詢用戶信息
        SysUser user = userService.getById(userId);

        if (user == null) {
            throw new AuthenticationException("用戶名或密碼錯誤");
        }
        if (!JWTUtil.verify(token, username, user.getPassword())) {
            throw new AuthenticationException("token校驗不經過");
        }
        return new SimpleAuthenticationInfo(token, token, "febs_shiro_realm");
    }
}
6.重寫Filter

全部的請求都會先通過 Filter,因此咱們繼承官方的 BasicHttpAuthenticationFilter ,而且重寫鑑權的方法。

代碼的執行流程 preHandle -> isAccessAllowed -> isLoginAttempt -> executeLogin

@Slf4j
public class JWTFilter extends BasicHttpAuthenticationFilter {

    private static final String TOKEN = "Authorization";

    private AntPathMatcher pathMatcher = new AntPathMatcher();

    /**
     * 對跨域提供支持
     */
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
        // 跨域時會首先發送一個 option請求,這裏咱們給 option請求直接返回正常狀態
        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            httpServletResponse.setStatus(HttpStatus.OK.value());
            return false;
        }
        return super.preHandle(request, response);
    }
    
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        UofferProperties UofferProperties = SpringContextUtil.getBean(UofferProperties.class);
        // 獲取免認證接口 url 
        // 在application.yml中配置/adminApi/auth/doLogin/**,/adminApi/auth/register/**, ...
        String[] anonUrl = StringUtils.splitByWholeSeparatorPreserveAllTokens(UofferProperties.getShiro().getAnonUrl(), ",");

        boolean match = false;
        for (String u : anonUrl) {
            if (pathMatcher.match(u, httpServletRequest.getRequestURI())) {
                match = true;
            }
        }
        if (match) {
            return true;
        }
        if (isLoginAttempt(request, response)) {
            return executeLogin(request, response);
        }
        return false;
    }

    /**
     * 判斷用戶是否想要登入。
     * 檢測header裏面是否包含Authorization字段便可
     */
    @Override
    protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
        HttpServletRequest req = (HttpServletRequest) request;
        String token = req.getHeader(TOKEN);
        return token != null;
    }

    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        String token = httpServletRequest.getHeader(TOKEN); //獲得token
        JWTToken jwtToken = new JWTToken(UofferUtil.decryptToken(token)); // 解密token
        try {
            // 提交給realm進行登入,若是錯誤他會拋出異常並被捕獲
            getSubject(request, response).login(jwtToken);
            // 若是沒有拋出異常則表明登入成功,返回true
            return true;
        } catch (Exception e) {
            log.error(e.getMessage());
            return false;
        }
    }

    @Override
    protected boolean sendChallenge(ServletRequest request, ServletResponse response) {
        log.debug("Authentication required: sending 401 Authentication challenge response.");
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
//        httpResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpResponse.setCharacterEncoding("utf-8");
        httpResponse.setContentType("application/json; charset=utf-8");
        final String message = "未認證,請在前端系統進行認證";
        final Integer status = 401;
        try (PrintWriter out = httpResponse.getWriter()) {
//            String responseJson = "{\"message\":\"" + message + "\"}";
            JSONObject responseJson = new JSONObject();
            responseJson.put("msg", message);
            responseJson.put("status", status);
            out.print(responseJson);
        } catch (IOException e) {
            log.error("sendChallenge error:", e);
        }
        return false;
    }



}
7. ShiroConfig
@Configuration
public class ShiroConfig {

    @Bean
    public ShiroRealm shiroRealm() {
        // 配置 Realm
        return new ShiroRealm();
    }
    
    // 建立DefaultWebSecurityManager
    @Bean("securityManager")
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 配置 SecurityManager,並注入 shiroRealm
        securityManager.setRealm(shiroRealm());
        return securityManager;
    }
    
    // 建立ShiroFilterFactoryBean
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // 設置 securityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);

       	//添加Shiro過濾器
		/**
		 * Shiro內置過濾器,能夠實現權限相關的攔截器
		 *    經常使用的過濾器:
		 *       anon: 無需認證(登陸)能夠訪問
		 *       authc: 必須認證才能夠訪問
		 *       user: 若是使用rememberMe的功能能夠直接訪問
		 *       perms: 該資源必須獲得資源權限才能夠訪問
		 *       role: 該資源必須獲得角色權限才能夠訪問
		 */
        
        // 在 Shiro過濾器鏈上加入 自定義過濾器JWTFilter 並取名爲jwt
        LinkedHashMap<String, Filter> filters = new LinkedHashMap<>();
        filters.put("jwt", new JWTFilter());
        shiroFilterFactoryBean.setFilters(filters);

        // 自定義url規則
        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        // 全部請求都要通過 jwt過濾器
        filterChainDefinitionMap.put("/**", "jwt");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * 下面的代碼是添加註解支持
     */
    @Bean
    @DependsOn({"lifecycleBeanPostProcessor"})
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        // 設置代理類
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);

        return creator;
    }

    /**
     * 開啓aop註解支持
     *
     * @param securityManager
     * @return
     */
    @Bean("authorizationAttributeSourceAdvisor")
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

    
    // Shiro生命週期處理器
    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

}
8.登錄
/**
     * 登陸方法
     *
     * @param username 用戶名
     * @param password 密碼
     * @param code     驗證碼
     * @param uuid     惟一標識
     * @return 結果
     */
    @PostMapping("/doLogin")
    public ResultVo login(String username, String password, String code, String uuid, HttpServletRequest request) throws UofferException {

        String verifyKey = Constant.RM_CAPTCHA_CODE_KEY + uuid;
        String captcha = redisUtil.getCacheObject(verifyKey);
        redisUtil.del(verifyKey);

        if (captcha == null) {
            return ResultVo.failed(201, "驗證碼失效");
        }
        if (!code.equalsIgnoreCase(captcha)) {
            return ResultVo.failed(201, "驗證碼錯誤");
        }

        username = StringUtils.lowerCase(username);
        password = MD5Util.encrypt(username, password);

        final String errorMessage = "用戶名或密碼錯誤";
        SysUser user = userManager.getUser(username);

        if (user == null) {
            return ResultVo.failed(201, errorMessage);
        }
        if (!StringUtils.equalsIgnoreCase(user.getPassword(), password)) {
            return ResultVo.failed(201, errorMessage);
        }
        if (Constant.STATUS_LOCK.equals(user.getStatus())) {
            return ResultVo.failed(201, "帳號已被鎖定,請聯繫管理員!");
        }


        Integer userId = user.getUserId();
        String ip = IPUtil.getIpAddr(request);
        String address = AddressUtil.getCityInfo(ip);
        // 更新用戶登陸時間
        SysUser sysUser = new SysUser();
        sysUser.setUserId(userId);
        sysUser.setLastLoginTime(new Date());
        sysUser.setLastLoginIp(ip);
        userService.updateById(sysUser);


        // 拿到token以後加密
        String sign = JWTUtil.sign(username, password, userId);
        String token = UofferUtil.encryptToken(sign);
        LocalDateTime expireTime = LocalDateTime.now().plusSeconds(properties.getShiro().getJwtTimeOut());
        String expireTimeStr = DateUtil.formatFullTime(expireTime);
        JWTToken jwtToken = new JWTToken(token, expireTimeStr);

        // 將登陸日誌存入日誌表中
        SysLoginLog loginLog = new SysLoginLog();
        loginLog.setIp(ip);
        loginLog.setAddress(address);
        loginLog.setLoginTime(new Date());
        loginLog.setUsername(username);
        loginLog.setUserId(userId);
        loginLogService.save(loginLog);

        saveTokenToRedis(username, jwtToken, ip, address);
        JSONObject data = new JSONObject();
        data.put("Authorization", token);

        // 將用戶配置及權限存入redis中
        userManager.loadOneUserRedisCache(userId);
        return ResultVo.oK(data);
    }
9.@RequiresPermissions

要求subject中必須含有bus:careerTalk:query的權限才能執行方法someMethod()。不然拋出異常AuthorizationException

@RequiresPermissions("bus:careerTalk:query")
public void someMethod() {
}

引用:
https://www.iteye.com/blog/jinnianshilongnian-2018398
https://www.jianshu.com/p/f37f8c295057

相關文章
相關標籤/搜索