springboot整合shiro、JWT实现无状态认证

引入jwt和shiro依赖包

<!-- shiro依赖 -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-web-starter</artifactId>
    <version>1.4.0</version>
</dependency>

<!-- JWT依赖 -->
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.9.0</version>
</dependency>

二、JWT工具类

package com.xzht.uitls;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Date;

/**
 * JWT工具类
 */
public class JWTUtil {

    // 过期时间
    private static final long EXPIRE_TIME = 60 * 5 * 1000;

    // 私钥
    private static final String SECRET = "secret";

    /**
     * 生成token
     * @param time 用户自定义过期时间
     * @param username 用户姓名
     * @return
     */
    public static String createToken (String username) {
        time = (time == 0) ? EXPIRE_TIME : time;

        try {
            // 过期时间
            Date date = new Date(System.currentTimeMillis() + time);
            // 加密
            Algorithm algorithm = Algorithm.HMAC256(SECRET);
            return JWT.create()
                    .withClaim("username", username)
                    // 到期时间
                    .withExpiresAt(date)
                    //创建一个新的JWT,并使用给定的算法进行标记
                    .sign(algorithm);
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * 校验token是否正确
     * @param token
     * @param
     * @return
     */
    public static boolean verify(String token) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(SECRET);
            // 在token中附带了username信息
            JWTVerifier verifier = JWT.require(algorithm).build();
            // 验证token
            verifier.verify(token);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * 获得token中的信息,无需secret解密也能获得
     */
    public static String getUsername(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("username").asString();
        } catch (JWTDecodeException e) {
            return null;
        }
    }


}

三、自定义token包装类

package com.xzht.bean;

import org.apache.shiro.authc.AuthenticationToken;

/**
 * token
 */
public class JWTToken implements AuthenticationToken {

    private String token;

    public JWTToken(String token) {
        this.token = token;
    }

    @Override
    public Object getPrincipal() {
        return token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }
}

四、禁用shiro默认session类

package com.xzht.handler;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.DefaultWebSubjectFactory;

/**
 * 禁用shiro的默认session
 */
public class StatelessDefaultSubjectFactory extends DefaultWebSubjectFactory {
    @Override
    public Subject createSubject(SubjectContext context) {
        context.setSessionCreationEnabled(false);
        return super.createSubject(context);
    }
}

五、shiro配置文件


package com.xzht.configs;

import com.xzht.filter.JWTFilter;
import com.xzht.shiro.MyUserRealm;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.xzht.handler.StatelessDefaultSubjectFactory;

import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig {

    @Bean(name = "userRealm")
    public MyUserRealm userRealm(@Qualifier("hashedCredentialsMatcher")
                                         CredentialsMatcher matcher) {

        MyUserRealm userRealm = new MyUserRealm();
        //userRealm.setCredentialsMatcher(matcher);
        return userRealm;
    }

	/**
	 * 密码校验
	 */
    @Bean(name = "hashedCredentialsMatcher")
    public CredentialsMatcher hashedCredentialsMatcher() {
        CredentialsMatcher credentialsMatcher =
                new CredentialsMatcher();

        return credentialsMatcher;
    }

    /**
     * 先经过token过滤器,如果检测到请求头存在 token,则用 token 去 login,接着走 Realm 去验证
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        // 添加自己的过滤器并且取名为jwt
        Map<String, Filter> jwtFilterMap = new LinkedHashMap<>();
        //设置我们自定义的JWT过滤器
        jwtFilterMap.put("jwt", new JWTFilter());
        bean.setFilters(jwtFilterMap);

        // 设置 SecurityManager
        bean.setSecurityManager(securityManager);

        // 设置登录成功跳转Url
        //bean.setSuccessUrl("/main");
        // 设置登录跳转Url
        //bean.setLoginUrl("/toLogin");
        // 设置未授权提示Url
        //bean.setUnauthorizedUrl("/error/unAuth");

        /**
         * anon:匿名用户可访问
         * authc:认证用户可访问
         * user:使用rememberMe可访问
         * perms:对应权限可访问
         * role:对应角色权限可访问
         **/

        Map<String, String> filterMap = new LinkedHashMap<>();
        filterMap.put("/*.html","anon");
        filterMap.put("/login","anon"); // 放行登录接口    

        // 所有请求通过我们自己的JWT Filter
        filterMap.put("/**", "jwt");

        bean.setFilterChainDefinitionMap(filterMap);
        return bean;
    }

    /**
     * 注入 securityManager
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") MyUserRealm userRealm) {

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 关联realm.
        securityManager.setRealm(userRealm);

        // 关闭shiro自带的session
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
        defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
        securityManager.setSubjectDAO(subjectDAO);
        securityManager.setSubjectFactory(subjectFactory());

        return securityManager;
    }

    /**
     * <因为只有开启了AOP才执行doGetAuthorizationInfo(),也就权限拦截>
     * @param securityManager
     * @return
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
        aasa.setSecurityManager(securityManager);
        return aasa;
    }

    /**
     * 添加注解支持
     * @return
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
        // 强制使用cglib,防止重复代理和可能引起代理出错的问题
        daap.setProxyTargetClass(true);
        return daap;
    }

    @Bean(name = "lifecycleBeanPostProcessor")
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    @Bean
    public StatelessDefaultSubjectFactory subjectFactory() {
        StatelessDefaultSubjectFactory statelessDefaultSubjectFactory = new StatelessDefaultSubjectFactory();
        return statelessDefaultSubjectFactory;
    }

}


六、自定义JWTtoken过滤器

package com.xzht.filter;

import com.xzht.bean.JWTToken;
import com.xzht.uitls.JWTUtil;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URLEncoder;

/**
 * 自定义过滤器,处理token BasicHttpAuthenticationFilter
 */
public class JWTFilter extends FormAuthenticationFilter {

    private Logger logger = LoggerFactory.getLogger(JWTFilter.class);

    /**
     * 如果带有token,则对token进行检查,否则直接通过
     * @param request
     * @param response
     * @param mappedValue
     * @return
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        // 从请求头中获取token
        String token = httpServletRequest.getHeader("token");

        // 判断请求头是否带有token
        if (token != null) {
            try {
                executeLogin(request, response);
            } catch (Exception e) {
                // 如果token错误,返回false,进入onAccessDenied方法
                return false;
            }
        } else {
            return false;
        }
        // 如果请求头不存在token,则可能是执行登录操作或游客访问状态,无需检查token,直接返回true
        return true;
    }

    /**
     * 执行登录操作
     * @param request
     * @param response
     * @return
     * @throws Exception
     */
   @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
        
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        // 从请求头获取token
        String token = httpServletRequest.getHeader("token");
        JWTToken jwtToken = new JWTToken(token);
        // 提交给realm进行认证登录,如果错误会抛出异常并被捕获
        getSubject(request, response).login(jwtToken);
        // 如果没有异常则代表登录成功,返回true
        return true;
    }

    /**
     * 对跨域提供支持
     * @param request
     * @param response
     * @return
     * @throws Exception
     */
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
        // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            httpServletResponse.setStatus(HttpStatus.OK.value());
            return false;
        }
        return super.preHandle(httpServletRequest, httpServletResponse);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        System.out.println("isAccessAllowed为false进入此方法");
        HttpServletResponse httpServletResponse = (HttpServletResponse)response;
        httpServletResponse.getWriter().write("{\"code:401\"}");
        return false;
    }

}

七、realm

package com.xzht.shiro;

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.xzht.bean.JWTToken;
import com.xzht.entity.User;
import com.xzht.service.UserService;
import com.xzht.uitls.JWTUtil;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class MyUserRealm extends AuthorizingRealm {
    private Logger logger = LoggerFactory.getLogger(MyUserRealm.class);

    @Autowired
    private UserService userService;

    /**
     * 必须重写此方法,否则会报错
     * @param token
     * @return
     */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JWTToken;
    }

    /**
     * 授权
     * @param principals
     * @return
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        logger.info("授权方法未实现");
        String username = JWTUtil.getUsername(principals.toString());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        return null;
    }

    /**
     * 认证
     * @param authenticationToken
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
     
        String token = (String)authenticationToken.getCredentials();
        // 从token中解密获得username,用于和数据库对比
        String username = JWTUtil.getUsername(token);
        if (username == null || !JWTUtil.verify(token)) {
            throw new AuthenticationException("token认证失败");
        }
		
        User user = userService.getOne(new QueryWrapper<User>().eq("username", username));

        if (!user.getUsername().equals(username)) {
            System.out.println("账号不存在");
            return null;
        }

        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(token, token, getName());

        return authenticationInfo;
    }
}

八、登录

	@Autowired
    private UserService userService;

    /**
     * 登录
     * @param username
     * @param password
     * @return
     */
    @RequestMapping("/login")
    public ResultUtil login (String username, String password) {

        User user = userService.getOne(new QueryWrapper<User>().eq("username", username));

        if (user.getPassword() == null) {
            return ResultUtil.error(1,"用户名错误");
        } else if (!BCrypt.checkpw(password, user.getPassword())) {
            return ResultUtil.error(1,"密码错误");
        } else {
            String token = JWTUtil.createToken(username);
            logger.info("生成token:" + token);
            // 将token返回客户端
            return ResultUtil.success(token);
        }

    }

如果对小伙伴们有帮助,欢迎留言告诉我哦

你可能感兴趣的:(Shiro)