springboot整合shiro、JWT实现无状态认证
引入jwt和shiro依赖包
<!-- shiro依赖 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.4.0</version>
</dependency>
<!-- JWT依赖 -->
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.9.0</version>
</dependency>
二、JWT工具类
package com.xzht.uitls;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Date;
/**
* JWT工具类
*/
public class JWTUtil {
// 过期时间
private static final long EXPIRE_TIME = 60 * 5 * 1000;
// 私钥
private static final String SECRET = "secret";
/**
* 生成token
* @param time 用户自定义过期时间
* @param username 用户姓名
* @return
*/
public static String createToken (String username) {
time = (time == 0) ? EXPIRE_TIME : time;
try {
// 过期时间
Date date = new Date(System.currentTimeMillis() + time);
// 加密
Algorithm algorithm = Algorithm.HMAC256(SECRET);
return JWT.create()
.withClaim("username", username)
// 到期时间
.withExpiresAt(date)
//创建一个新的JWT,并使用给定的算法进行标记
.sign(algorithm);
} catch (Exception e) {
return null;
}
}
/**
* 校验token是否正确
* @param token
* @param
* @return
*/
public static boolean verify(String token) {
try {
Algorithm algorithm = Algorithm.HMAC256(SECRET);
// 在token中附带了username信息
JWTVerifier verifier = JWT.require(algorithm).build();
// 验证token
verifier.verify(token);
return true;
} catch (Exception e) {
return false;
}
}
/**
* 获得token中的信息,无需secret解密也能获得
*/
public static String getUsername(String token) {
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getClaim("username").asString();
} catch (JWTDecodeException e) {
return null;
}
}
}
三、自定义token包装类
package com.xzht.bean;
import org.apache.shiro.authc.AuthenticationToken;
/**
* token
*/
public class JWTToken implements AuthenticationToken {
private String token;
public JWTToken(String token) {
this.token = token;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
四、禁用shiro默认session类
package com.xzht.handler;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.DefaultWebSubjectFactory;
/**
* 禁用shiro的默认session
*/
public class StatelessDefaultSubjectFactory extends DefaultWebSubjectFactory {
@Override
public Subject createSubject(SubjectContext context) {
context.setSessionCreationEnabled(false);
return super.createSubject(context);
}
}
五、shiro配置文件
package com.xzht.configs;
import com.xzht.filter.JWTFilter;
import com.xzht.shiro.MyUserRealm;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.xzht.handler.StatelessDefaultSubjectFactory;
import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
@Bean(name = "userRealm")
public MyUserRealm userRealm(@Qualifier("hashedCredentialsMatcher")
CredentialsMatcher matcher) {
MyUserRealm userRealm = new MyUserRealm();
//userRealm.setCredentialsMatcher(matcher);
return userRealm;
}
/**
* 密码校验
*/
@Bean(name = "hashedCredentialsMatcher")
public CredentialsMatcher hashedCredentialsMatcher() {
CredentialsMatcher credentialsMatcher =
new CredentialsMatcher();
return credentialsMatcher;
}
/**
* 先经过token过滤器,如果检测到请求头存在 token,则用 token 去 login,接着走 Realm 去验证
*/
@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
// 添加自己的过滤器并且取名为jwt
Map<String, Filter> jwtFilterMap = new LinkedHashMap<>();
//设置我们自定义的JWT过滤器
jwtFilterMap.put("jwt", new JWTFilter());
bean.setFilters(jwtFilterMap);
// 设置 SecurityManager
bean.setSecurityManager(securityManager);
// 设置登录成功跳转Url
//bean.setSuccessUrl("/main");
// 设置登录跳转Url
//bean.setLoginUrl("/toLogin");
// 设置未授权提示Url
//bean.setUnauthorizedUrl("/error/unAuth");
/**
* anon:匿名用户可访问
* authc:认证用户可访问
* user:使用rememberMe可访问
* perms:对应权限可访问
* role:对应角色权限可访问
**/
Map<String, String> filterMap = new LinkedHashMap<>();
filterMap.put("/*.html","anon");
filterMap.put("/login","anon"); // 放行登录接口
// 所有请求通过我们自己的JWT Filter
filterMap.put("/**", "jwt");
bean.setFilterChainDefinitionMap(filterMap);
return bean;
}
/**
* 注入 securityManager
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") MyUserRealm userRealm) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 关联realm.
securityManager.setRealm(userRealm);
// 关闭shiro自带的session
DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
securityManager.setSubjectDAO(subjectDAO);
securityManager.setSubjectFactory(subjectFactory());
return securityManager;
}
/**
* <因为只有开启了AOP才执行doGetAuthorizationInfo(),也就权限拦截>
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(securityManager);
return aasa;
}
/**
* 添加注解支持
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
// 强制使用cglib,防止重复代理和可能引起代理出错的问题
daap.setProxyTargetClass(true);
return daap;
}
@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public StatelessDefaultSubjectFactory subjectFactory() {
StatelessDefaultSubjectFactory statelessDefaultSubjectFactory = new StatelessDefaultSubjectFactory();
return statelessDefaultSubjectFactory;
}
}
六、自定义JWTtoken过滤器
package com.xzht.filter;
import com.xzht.bean.JWTToken;
import com.xzht.uitls.JWTUtil;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URLEncoder;
/**
* 自定义过滤器,处理token BasicHttpAuthenticationFilter
*/
public class JWTFilter extends FormAuthenticationFilter {
private Logger logger = LoggerFactory.getLogger(JWTFilter.class);
/**
* 如果带有token,则对token进行检查,否则直接通过
* @param request
* @param response
* @param mappedValue
* @return
*/
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
// 从请求头中获取token
String token = httpServletRequest.getHeader("token");
// 判断请求头是否带有token
if (token != null) {
try {
executeLogin(request, response);
} catch (Exception e) {
// 如果token错误,返回false,进入onAccessDenied方法
return false;
}
} else {
return false;
}
// 如果请求头不存在token,则可能是执行登录操作或游客访问状态,无需检查token,直接返回true
return true;
}
/**
* 执行登录操作
* @param request
* @param response
* @return
* @throws Exception
*/
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
// 从请求头获取token
String token = httpServletRequest.getHeader("token");
JWTToken jwtToken = new JWTToken(token);
// 提交给realm进行认证登录,如果错误会抛出异常并被捕获
getSubject(request, response).login(jwtToken);
// 如果没有异常则代表登录成功,返回true
return true;
}
/**
* 对跨域提供支持
* @param request
* @param response
* @return
* @throws Exception
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
// 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(httpServletRequest, httpServletResponse);
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
System.out.println("isAccessAllowed为false进入此方法");
HttpServletResponse httpServletResponse = (HttpServletResponse)response;
httpServletResponse.getWriter().write("{\"code:401\"}");
return false;
}
}
七、realm
package com.xzht.shiro;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.xzht.bean.JWTToken;
import com.xzht.entity.User;
import com.xzht.service.UserService;
import com.xzht.uitls.JWTUtil;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class MyUserRealm extends AuthorizingRealm {
private Logger logger = LoggerFactory.getLogger(MyUserRealm.class);
@Autowired
private UserService userService;
/**
* 必须重写此方法,否则会报错
* @param token
* @return
*/
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof JWTToken;
}
/**
* 授权
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
logger.info("授权方法未实现");
String username = JWTUtil.getUsername(principals.toString());
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
return null;
}
/**
* 认证
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
String token = (String)authenticationToken.getCredentials();
// 从token中解密获得username,用于和数据库对比
String username = JWTUtil.getUsername(token);
if (username == null || !JWTUtil.verify(token)) {
throw new AuthenticationException("token认证失败");
}
User user = userService.getOne(new QueryWrapper<User>().eq("username", username));
if (!user.getUsername().equals(username)) {
System.out.println("账号不存在");
return null;
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(token, token, getName());
return authenticationInfo;
}
}
八、登录
@Autowired
private UserService userService;
/**
* 登录
* @param username
* @param password
* @return
*/
@RequestMapping("/login")
public ResultUtil login (String username, String password) {
User user = userService.getOne(new QueryWrapper<User>().eq("username", username));
if (user.getPassword() == null) {
return ResultUtil.error(1,"用户名错误");
} else if (!BCrypt.checkpw(password, user.getPassword())) {
return ResultUtil.error(1,"密码错误");
} else {
String token = JWTUtil.createToken(username);
logger.info("生成token:" + token);
// 将token返回客户端
return ResultUtil.success(token);
}
}
如果对小伙伴们有帮助,欢迎留言告诉我哦