springboot shiro cas整合
springboot shiro cas整合
- pom.xml中引入如下jar
- 在application.yml中增加cas配置
- 增加ShiroCasConfig.java配置类
- 自定义MyShiroCasRealm.java继承CasRealm
- cas退出过滤器LogoutFilter.java
pom.xml中引入如下jar
org.apache.shiro
shiro-cas
1.3.2
javax.servlet
javax.servlet-api
javax.servlet
servlet-api
在application.yml中增加cas配置
#cas配置
cas:
serverUrl: http://educas1.dongao.com/cas #cas server地址,外网访问需用外网IP,可以写域名
service-project: http://springboss.dongao.com
loginSuccessUrl: /index #登录成功地址
unauthorizedUrl: /unauth #权限认证失败跳转地址
casLogoutUrl: /logout #退出登录地址
casFilterUrlPattern: / #当前项目地址,外网访问需用外网IP
session-expireTime: 30 # Session超时时间(默认30分钟)
ehCacheSwitch: true #shiro ehCache是否开启
增加ShiroCasConfig.java配置类
package com.dongao.framework.config;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import com.dongao.common.utils.spring.SpringUtils;
import com.dongao.framework.config.properties.CasProperties;
import com.dongao.framework.shiro.realm.MyShiroCasRealm;
import com.dongao.framework.shiro.session.OnlineSessionDAO;
import com.dongao.framework.shiro.session.OnlineSessionFactory;
import com.dongao.framework.shiro.web.filter.LogoutFilter;
import com.dongao.framework.shiro.web.session.OnlineWebSessionManager;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.cas.CasSubjectFactory;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.session.SingleSignOutHttpSessionListener;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* shiro+cas配置
* @ClassName ShiroCasConfig
* @Version 1.0
* @Date 2019/6/20 0020 下午 2:04
**/
@Configuration
public class ShiroCasConfig {
/**
* 配置的ehcache进行数据的缓存
*
* @return
*/
@Bean
public EhCacheManager getEhCacheManager() {
EhCacheManager ehCacheManager = new EhCacheManager();
ehCacheManager.setCacheManagerConfigFile("classpath:ehcache/ehcache-shiro.xml");
return ehCacheManager;
}
@Bean(name = "myShiroCasRealm")
public MyShiroCasRealm myShiroCasRealm() {
MyShiroCasRealm realm = new MyShiroCasRealm();
return realm;
}
/**
* 设置单点退出的监听器,作用是将所有的过期的session将其从对应的映射关系中移除
* 注册单点登出listener
* SingleSignOutHttpSessionListener用于在Cas Client应用中的Session过期时将其从对应的映射关系中移除。
*
* @return
*/
@Bean
public ServletListenerRegistrationBean singleSignOutHttpSessionListener() {
ServletListenerRegistrationBean bean = new ServletListenerRegistrationBean();
bean.setListener(new SingleSignOutHttpSessionListener());
//bean.setName(""); //默认为bean name
bean.setEnabled(true);
//设置优先级
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
/**
* 注册单点登出filter
* 设置单点退出的拦截器,在登录的时候,客户端会去服务端进行认证,此时认证成功之后,
* 服务端会将地址和ST返回给客户端,而在此时该拦截器会将session跟ST绑定在一起,
* 如果访问退出的时候,此时服务端也会将服务地址和ST返回,此时的监听器会将所有的session全部变为失效。
*
* SingleSignOutFilter需要配置在所有Filter之前,当Cas Client通过Cas Server登录成功,
* Cas Server会携带生成的Service Ticket回调Cas Client,
* 此时SingleSignOutFilter会将Service Ticket与当前的Session绑定在一起。
* 当Cas Server在进行logout后回调Cas Client应用时也会携带该Service Ticket,
* 此时Cas Client配置的SingleSignOutFilter将会使对应的Session失效,进而达到登出的目的。
*
* @return
*/
@Bean
public FilterRegistrationBean singleSignOutFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setName("singleSignOutFilter");
bean.setFilter(new SingleSignOutFilter());
//拦截所有的请求
bean.addUrlPatterns("/*");
bean.setEnabled(true);
//设置优先级
bean.setOrder(10);
return bean;
}
/**
* 退出过滤器
*/
public LogoutFilter logoutFilter()
{
LogoutFilter logoutFilter = new LogoutFilter();
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String logoutUrl = casProperties.getCasServerUrl() + casProperties.getCasLogoutUrl()
+ "?service="+casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
logoutFilter.setRedirectUrl(logoutUrl);
return logoutFilter;
}
/**
* 设置shiro的拦截器工厂类
* 在设置拦截器的时候,需要先执行cas的拦截器,再执行shiro的拦截器
*
* @param securityManager
* @param casFilter
* @return
*/
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager,
CasFilter casFilter) {
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String loginUrl = casProperties.getCasServerUrl() + "/login?service="
+ casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 必须设置 SecurityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
shiroFilterFactoryBean.setLoginUrl(loginUrl);
// 登录成功后要跳转的连接
shiroFilterFactoryBean.setSuccessUrl(casProperties.getLoginSuccessUrl());
shiroFilterFactoryBean.setUnauthorizedUrl(casProperties.getUnauthorizedUrl());
// 添加casFilter到shiroFilter中,注意,casFilter需要放到shiroFilter的前面
Map filters = new HashMap();
filters.put("casFilter", casFilter);
filters.put("logout",logoutFilter());
shiroFilterFactoryBean.setFilters(filters);
loadShiroFilterChain(shiroFilterFactoryBean);
return shiroFilterFactoryBean;
}
/**
* 设置配置的触发的地方:用于设置shiro的拦截器,和将每一个拦截器的生命周期交给spring去管理
* 注册DelegatingFilterProxy(Shiro)注册DelegatingFilterProxy(shiro) 是一个代理类,用于管理拦截器的生命周期,
* 所有的请求都会拦截 ,在创建的时候,filter的执行会优先于bean的执行,所以需要使用该类先来管理bean
*
* 该步只是将当前的的生命周期交给了spring管理,具体的管理还是需要下面的LifecycleBeanPostProcessor的对象去进行操作
*
* @return
*/
@Bean
public FilterRegistrationBean delegatingFilterProxy() {
FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
// 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
//targetFilterLifecycle 指明作用于filter的所有生命周期
filterRegistration.addInitParameter("targetFilterLifecycle", "true");
filterRegistration.setEnabled(true);
//拦截所有的请求
filterRegistration.addUrlPatterns("/*");
return filterRegistration;
}
/**
* 上面设置了声明周期,下面进行设置生命周期的自动化
* 设置方法的自动初始化和销毁,init和destory方法被自动调用。
* 注意,如果使用了该类,则不需要手动初始化方法和销毁方法,否则出错
*
* @return
*/
@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* 开启注解声明:
* 开启shiro aop 的注解支持,使用代理的方式,所以需要开启代码的支持
*
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
//设置代理方式,true是cglib的代理方式,false是普通的jdk代理方式
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
/**
* 开启注解声明:
*
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
/**
* 自定义sessionDAO会话
*/
@Bean
public OnlineSessionDAO sessionDAO()
{
OnlineSessionDAO sessionDAO = new OnlineSessionDAO();
return sessionDAO;
}
/**
* 自定义sessionFactory会话
*/
@Bean
public OnlineSessionFactory sessionFactory()
{
OnlineSessionFactory sessionFactory = new OnlineSessionFactory();
return sessionFactory;
}
/**
* 会话管理器
*/
@Bean
public OnlineWebSessionManager sessionManager()
{
OnlineWebSessionManager manager = new OnlineWebSessionManager();
// 加入缓存管理器
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
if (casProperties.isEhCacheSwitch()){
manager.setCacheManager(getEhCacheManager());
}
// 删除过期的session
manager.setDeleteInvalidSessions(true);
// 设置全局session超时时间
manager.setGlobalSessionTimeout(casProperties.getSessionExpireTime() * 60 * 1000);
// 去掉 JSESSIONID
manager.setSessionIdUrlRewritingEnabled(false);
// 定义要使用的无效的Session定时调度器
// manager.setSessionValidationScheduler(SpringUtils.getBean(SpringSessionValidationScheduler.class));
// 是否定时检查session
manager.setSessionValidationSchedulerEnabled(true);
// 自定义SessionDao
manager.setSessionDAO(sessionDAO());
// 自定义sessionFactory
manager.setSessionFactory(sessionFactory());
return manager;
}
/**
* @param myShiroCasRealm
* @return
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(MyShiroCasRealm myShiroCasRealm) {
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
dwsm.setRealm(myShiroCasRealm);
//用户授权/认证信息Cache, 采用EhCache 缓存
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
if (casProperties.isEhCacheSwitch()){
dwsm.setCacheManager(getEhCacheManager());
}
// 指定 SubjectFactory
dwsm.setSubjectFactory(new CasSubjectFactory());
// dwsm.setSessionManager(sessionManager());
return dwsm;
}
/**
* thymeleaf模板引擎和shiro框架的整合
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
/**
* CAS过滤器
*
* @return
*/
@Bean(name = "casFilter")
public CasFilter getCasFilter() {
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String loginUrl = casProperties.getCasServerUrl() + "/login?service=" +
casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
CasFilter casFilter = new CasFilter();
//自动注入拦截器的名称
casFilter.setName("casFilter");
//是否自动的将当前的拦截器进行注入
casFilter.setEnabled(true);
// 登录失败后跳转的URL,也就是 Shiro 执行 CasRealm 的 doGetAuthenticationInfo 方法向CasServer验证tiket
// 我们选择认证失败后重新登录
casFilter.setFailureUrl(loginUrl);
return casFilter;
}
/**
* 加载shiroFilter权限控制规则(从数据库读取然后配置),角色/权限信息由MyShiroCasRealm对象提供doGetAuthorizationInfo实现获取来的
*
* @param shiroFilterFactoryBean
*/
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
Map filterChainDefinitionMap = new LinkedHashMap();
// authc:该过滤器下的页面必须登录后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter
// anon: 可以理解为不拦截
// user: 登录了就不拦截
// roles["admin"] 用户拥有admin角色
// perms["permission1"] 用户拥有permission1权限
// filter顺序按照定义顺序匹配,匹配到就验证,验证完毕结束。
// url匹配通配符支持:? * **,分别表示匹配1个,匹配0-n个(不含子路径),匹配下级所有路径
//1.shiro集成cas后,首先添加该规则
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
filterChainDefinitionMap.put(casProperties.getCasFilterUrlPattern(), "casFilter");
//logut请求采用logout filter
//2.不拦截的请求 对静态资源设置匿名访问
filterChainDefinitionMap.put("/favicon.ico**", "anon");
filterChainDefinitionMap.put("/dongao.png**", "anon");
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/docs/**", "anon");
filterChainDefinitionMap.put("/fonts/**", "anon");
filterChainDefinitionMap.put("/img/**", "anon");
filterChainDefinitionMap.put("/ajax/**", "anon");
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/dongao/**", "anon");
filterChainDefinitionMap.put("/druid/**", "anon");
filterChainDefinitionMap.put("/captcha/captchaImage**", "anon");
filterChainDefinitionMap.put("/error", "anon");
// 退出 logout地址,shiro去清除session
// 此处将logout页面设置为anon,而不是logout,因为logout被单点处理,而不需要再被shiro的logoutFilter进行拦截
filterChainDefinitionMap.put("/logout", "logout");
// 不需要拦截的访问
filterChainDefinitionMap.put("/login", "anon");
//不需要登录拦截的接口
filterChainDefinitionMap.put("/system/api/**","anon");
//3.拦截的请求(从本地数据库获取或者从casserver获取(webservice,http等远程方式),看你的角色权限配置在哪里)
filterChainDefinitionMap.put("/user", "authc");
//4.登录过的不拦截
filterChainDefinitionMap.put("/**", "authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}
}
代码中读取的配置文件基础内容如下classpath:ehcache/ehcache-shiro.xml
自定义MyShiroCasRealm.java继承CasRealm
package com.dongao.framework.shiro.realm;
import com.dongao.framework.config.properties.CasProperties;
import com.dongao.framework.util.RedisUtils;
import com.dongao.framework.util.ShiroUtils;
import com.dongao.system.domain.SysUser;
import com.dongao.system.service.ISysMenuService;
import com.dongao.system.service.ISysRoleService;
import com.dongao.system.service.ISysUserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cas.CasRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import javax.annotation.PostConstruct;
import java.util.HashSet;
import java.util.Set;
/**
* 直接继承CasRealm类,然后CasRealm已经完成了数据的认证工作,我们直接调用父类的功能即可
* @ClassName MyShiroCasRealm
* @Version 1.0
* @Date 2019/6/20 0020 下午 1:39
**/
public class MyShiroCasRealm extends CasRealm {
private static final Logger logger = LoggerFactory.getLogger(MyShiroCasRealm.class);
@Autowired
private ISysMenuService menuService;
@Autowired
private ISysRoleService roleService;
@Autowired
private ISysUserService userService;
@Autowired
private CasProperties casProperties;
@PostConstruct
public void initProperty(){
// cas server地址
setCasServerUrlPrefix(casProperties.getCasServerUrl());
// 客户端回调地址,表示当你认证中心认证完成之后需要访问的service地址
setCasService(casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern());
}
/**
* 权限认证,为当前登录的Subject授予角色和权限
* 本例中该方法的调用时机为需授权资源被访问时
* 并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache
* 如果连续访问同一个URL(比如刷新),该方法不会被重复调用,Shiro有一个时间间隔(也就是cache时间,在ehcache-shiro.xml中配置),超过这个时间间隔再刷新页面,该方法会被执行
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
logger.info("##################Shiro权限认证##################");
// 返回null的话,就会导致任何用户访问被拦截的请求时,都会自动跳转到unauthorizedUrl指定的地址
String loginName = (String) SecurityUtils.getSubject().getPrincipal();
logger.info("授权 loginName:"+loginName);
String username = (String) super.getAvailablePrincipal(principalCollection);
logger.info("授权 username:"+username);
SysUser user = ShiroUtils.getSysUser();
if(user==null){
logger.info("ShiroUtil获取用户为空!");
user = userService.selectUserByLoginName(username);
}
// 角色列表
Set roles = new HashSet();
// 功能列表
Set menus = new HashSet();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 管理员拥有所有权限
if (user.isAdmin())
{
info.addRole("admin");
info.addStringPermission("*:*:*");
}
else
{
roles = roleService.selectRoleKeys(user.getUserId());
menus = menuService.selectPermsByUserId(user.getUserId());
// 角色加入 AuthorizationInfo认证对象
info.setRoles(roles);
// 权限加入 AuthorizationInfo认证对象
info.setStringPermissions(menus);
}
RedisUtils.set("simpleAuthorizationInfo_userId_"+user.getUserId(),info);
return info;
}
/**
* 1、CAS认证 ,验证用户身份
* 2、将用户基本信息设置到会话中(不用了,随时可以获取的)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
// 调用父类的认证,父类认证已经完成了
AuthenticationInfo authenticationInfo = super.doGetAuthenticationInfo(token);
if (authenticationInfo == null) {
logger.warn("authenticationInfo为空,可能是退出了!");
return null;
}
String account = (String) authenticationInfo.getPrincipals().getPrimaryPrincipal();
logger.info("认证 account:"+account);
SysUser user = userService.selectUserByLoginName(account);
if (user == null){
throw new UnknownAccountException();
}
logger.info("认证 user:"+user);
logger.info("认证 userId:"+user.getUserId());
SecurityUtils.getSubject().getSession().setAttribute("user", user);
SecurityUtils.getSubject().getSession().setAttribute("userId", user.getUserId());
SecurityUtils.getSubject().getSession().setAttribute("username", account);
return authenticationInfo;
}
/**
* 清理缓存权限
*/
public void clearCachedAuthorizationInfo()
{
this.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
}
}
cas退出过滤器LogoutFilter.java
package com.dongao.framework.shiro.web.filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import com.dongao.framework.util.RedisUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.SessionException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.AdviceFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.dongao.common.constant.Constants;
import com.dongao.common.utils.MessageUtils;
import com.dongao.common.utils.StringUtils;
import com.dongao.framework.manager.AsyncManager;
import com.dongao.framework.manager.factory.AsyncFactory;
import com.dongao.framework.util.ShiroUtils;
import com.dongao.system.domain.SysUser;
import java.util.Locale;
/**
* 退出过滤器
*
* @author dongao
*/
public class LogoutFilter extends AdviceFilter
{
private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class);
public static final String DEFAULT_REDIRECT_URL = "/";
private String redirectUrl = "/";
private boolean postOnlyLogout = false;
public LogoutFilter() {
}
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = this.getSubject(request, response);
if(this.isPostOnlyLogout() && !WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ENGLISH).equals("POST")) {
return this.onLogoutRequestNotAPost(request, response);
} else {
String redirectUrl = this.getRedirectUrl(request, response, subject);
try {
SysUser user = ShiroUtils.getSysUser();
if (StringUtils.isNotNull(user))
{
RedisUtils.del("simpleAuthorizationInfo_userId_"+user.getUserId());
RedisUtils.del("menus_userId_"+user.getUserId());
String loginName = user.getLoginName();
// 记录用户退出日志
AsyncManager.me().execute(AsyncFactory.recordLogininfor(loginName, Constants.LOGOUT, MessageUtils.message("user.logout.success")));
}
subject.logout();
} catch (SessionException var6) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", var6);
}
this.issueRedirect(request, response, redirectUrl);
return false;
}
}
protected Subject getSubject(ServletRequest request, ServletResponse response) {
return SecurityUtils.getSubject();
}
protected void issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl) throws Exception {
WebUtils.issueRedirect(request, response, redirectUrl);
}
protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject) {
return this.getRedirectUrl();
}
public String getRedirectUrl() {
return this.redirectUrl;
}
public void setRedirectUrl(String redirectUrl) {
this.redirectUrl = redirectUrl;
}
protected boolean onLogoutRequestNotAPost(ServletRequest request, ServletResponse response) {
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.setStatus(405);
httpServletResponse.setHeader("Allow", "POST");
return false;
}
public boolean isPostOnlyLogout() {
return this.postOnlyLogout;
}
public void setPostOnlyLogout(boolean postOnlyLogout) {
this.postOnlyLogout = postOnlyLogout;
}
/**
* 退出后重定向的地址
*/
private String loginUrl;
public String getLoginUrl()
{
return loginUrl;
}
public void setLoginUrl(String loginUrl)
{
this.loginUrl = loginUrl;
}
}
注:欢迎讨论指正