shiro(6)分布式应用鉴权方式之Shiro整合SpringBoot下自定义SessionId

  • Shiro 默认的sessionid生成 类名 SessionIdGenerator

  • 创建一个类,实现 SessionIdGenerator 接口的方法

public class RandomSessionIdGenerator implements SessionIdGenerator {

    private static final Logger log = LoggerFactory.getLogger(RandomSessionIdGenerator.class);

    private static final String RANDOM_NUM_GENERATOR_ALGORITHM_NAME = "SHA1PRNG";
    private Random random;

    public RandomSessionIdGenerator() {
        try {
            this.random = java.security.SecureRandom.getInstance(RANDOM_NUM_GENERATOR_ALGORITHM_NAME);
        } catch (java.security.NoSuchAlgorithmException e) {
            log.debug("The SecureRandom SHA1PRNG algorithm is not available on the current platform.  Using the " +
                    "platform's default SecureRandom algorithm.", e);
            this.random = new java.security.SecureRandom();
        }
    }

    public Random getRandom() {
        return this.random;
    }

    public void setRandom(Random random) {
        this.random = random;
    }

    /**
     * Returns the String value of the configured {@link Random}'s {@link Random#nextLong() nextLong()} invocation.
     *
     * @param session the {@link Session} instance to which the ID will be applied.
     * @return the String value of the configured {@link Random}'s {@link Random#nextLong()} invocation.
     */
    public Serializable generateId(Session session) {
        //ignore the argument - just call the Random:
        return Long.toString(getRandom().nextLong());
    }
}
public class JavaUuidSessionIdGenerator implements SessionIdGenerator {

    /**
     * Ignores the method argument and simply returns
     * {@code UUID}.{@link java.util.UUID#randomUUID() randomUUID()}.{@code toString()}.
     *
     * @param session the {@link Session} instance to which the ID will be applied.
     * @return the String value of the JDK's next {@link UUID#randomUUID() randomUUID()}.
     */
    public Serializable generateId(Session session) {
        return UUID.randomUUID().toString();
    }
}
    /**
     * 自定义session持久化
     * @return
     */
    public RedisSessionDAO redisSessionDAO(){
        RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
        redisSessionDAO.setRedisManager(getRedisManager());

        //设置sessionid生成器
        redisSessionDAO.setSessionIdGenerator(new CustomSessionIdGenerator());

        return redisSessionDAO;
    }

 

 

  • 没有100%可靠的算法,暴力破解,穷举

    • 限制时间内ip登录错误次数
    • 增加图形验证码,不能过于简单,常用的OCR可以识别验证码
  • 建议:微服务里面,特别是对C端用户的应用,不要做过于复杂的权限校验,特别是影响性能这块

你可能感兴趣的:(shiro)