springboot+shiro+jwt实现token认证登录

准备:
springboot 2.5.5
jdk 1.8
没有操作刷新token功能,也没有放redis做缓存

1.先贴代码

2.后讲一下验证逻辑

1.导入依赖

        
        
            org.apache.shiro
            shiro-spring
            1.7.1
        
        
        
            com.auth0
            java-jwt
            3.2.0
        

2.创建JWTUtil工具类

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.ronsafe.wlw.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;

import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class JWTUtil {
    // 过期时间 2 小时
    private static final long EXPIRE_TIME = 2 * 60 * 60 * 1000;
    // 密钥
    private static final String SECRET = "jwt+shiro";

    @Autowired
    private UserMapper userMapper;

    /**
     * 生成 token
     */
    public static String createToken(String username) {
        try {
            Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
            Algorithm algorithm = Algorithm.HMAC256(SECRET);
            //jwt的header部分
            Map map=new HashMap<>();
            map.put("alg","HS256");
            map.put("typ","JWT");
            // 附带username信息
            return JWT.create()
                    .withHeader(map)//jwt的header部分
                    .withClaim("username", username)//私有声明
                    .withExpiresAt(date)//过期时间
                    .withIssuedAt(new Date())//签发时间
                    .sign(algorithm);//签名
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * 校验 token 是否正确
     */
    //校验token的有效性,1、token的header和payload是否没改过;2、没有过期
    public static boolean verify(String token) {
        try {
            //解密
            JWTVerifier verifier=JWT.require(Algorithm.HMAC256(SECRET)).build();
//            System.out.println("5555555->error1111111111");
            verifier.verify(token);
            return true;
        }catch (Exception e){
            return false;
        }
    }

    /**
     * 获得token中的信息,无需secret解密也能获得
     */
    public static String getUsername(String token) {
        try {
            DecodedJWT jwt = JWT.decode(token);
            return jwt.getClaim("username").asString();
        } catch (JWTDecodeException e) {
            return null;
        }
    }

    public static String getCurrentUsername(HttpServletRequest request){
        String accessToken = request.getHeader("Jmt-token");
        return getUsername(accessToken);
    }
}

3.创建类JwtToken

import org.apache.shiro.authc.AuthenticationToken;

public class JwtToken implements AuthenticationToken {

    private String token;

    public JwtToken(String token) {
        this.token = token;
    }

    @Override
    public Object getPrincipal() {
        return token;
    }

    @Override
    public Object getCredentials() {
        return token;
    }

}

4.创建ShiroRealm类

import com.ronsafe.wlw.util.JWTUtil;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;

@Component
@Slf4j
public class ShiroRealm extends AuthorizingRealm {
    /**
     * 根据token判断此Authenticator是否使用该realm
     * 必须重写此方法,不然会报错
     */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JwtToken;
    }

    /**
     * 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//        System.out.println("7777777777777777");
        String token = (String) authenticationToken.getCredentials();
        // 解密获得username,用于和数据库进行对比
        String username = null;
        try {
            username= JWTUtil.getUsername(token);
        }catch (Exception e){
            throw new AuthenticationException("token非法,不是规范的token,可能被篡改了,或者过期了");
        }
        if (username == null || !JWTUtil.verify(token)) {
//            System.out.println("5555555->error2222222222");
            throw new AuthenticationException("token认证失效,token错误或者过期,重新登陆");
        }
//        System.out.println("8888888888888888888888");
        return new SimpleAuthenticationInfo(token,token,"ShiroRealm");
    }

    /**
     * 只有当需要检测用户权限的时候才会调用此方法,例如checkRole,checkPermission之类的
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return  null;
    }
}

5.创建类JwtFilter

import com.alibaba.fastjson.JSON;
import com.ronsafe.wlw.util.Result;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;

import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Slf4j
public class JwtFilter extends BasicHttpAuthenticationFilter {
    private boolean allowOrigin = true;

    public JwtFilter(){}
    public JwtFilter(boolean allowOrigin){
        this.allowOrigin = allowOrigin;
    }
    /**
     * 如果带有 token,则对 token 进行检查,否则直接通过
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
//        System.out.println("555555555555555555");
        try {
            executeLogin(request, response);
        } catch (Exception e) {
//            System.out.println("5555555->error333333333333");
            //token 错误
            responseError(response);
        }
//        System.out.println("1010101010");
        return true;
    }

    /**
     * 判断用户是否想要登入。
     * 检测 header 里面是否包含 token 字段
     */
    @Override
    protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
        HttpServletRequest req = (HttpServletRequest) request;
        String token = req.getHeader("Jmt-token");
        return token != null;
    }

    /**
     * 执行登陆操作
     */
    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
//        System.out.println("6666666666666");
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        String token = httpServletRequest.getHeader("Jmt-token");
        JwtToken jwtToken = new JwtToken(token);
        // 提交给realm进行登入,如果错误它会抛出异常并被捕获
        getSubject(request, response).login(jwtToken);
        // 如果没有抛出异常则代表登入成功,返回true
//        System.out.println("9999999999999999999");
        return true;
    }

    /**
     * 对跨域提供支持
     */
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
        //前后端分离,shiro过滤器配置引起的跨域问题
        // 是否允许发送Cookie,默认Cookie不包括在CORS请求之中。设为true时,表示服务器允许Cookie包含在请求中。
        httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
        //前后端分离,shiro过滤器配置引起的跨域问题
        // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
            httpServletResponse.setStatus(HttpStatus.OK.value());
            return false;
        }
        return super.preHandle(request, response);
    }

    /**
     * 非法请求返回401,前端拦截到登录页
     */
    private void responseError(ServletResponse response) {
        HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("application/json; charset=utf-8");
        try (ServletOutputStream out = httpServletResponse.getOutputStream()) {
//            System.out.println("5555555->error444444444444444");
            out.write(JSON.toJSONString(Result.fail(401,"身份验证失败,请重新登陆!")).getBytes("utf-8"));
        } catch (IOException e) {
            throw new AuthenticationException("直接返回Response信息出现IOException异常:" + e.getMessage());
        }
    }
}

6.创建类ShiroConfig

import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

@Slf4j
@Configuration
public class ShiroConfig {
    /**
     * 先经过token过滤器,如果检测到请求头存在 token,则用 token 去 login,接着走 Realm 去验证
     */
    @Bean
    public ShiroFilterFactoryBean factory(@Qualifier("securityManager")DefaultWebSecurityManager securityManager) {
//        System.out.println("1111111111111");
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);

        Map filterMap = new LinkedHashMap<>();
        // 添加自己的过滤器并且取名为jwt
        filterMap.put("jwt", new JwtFilter());
        factoryBean.setFilters(filterMap);

        // 设置无权限时跳转的 url;
        factoryBean.setUnauthorizedUrl("/unauthorized/relogin");

        Map filterRuleMap = new HashMap<>();
        //添加不需要拦截的url
        filterRuleMap.put("/unauthorized/**","anon");
//        //登录不需要拦截
        filterRuleMap.put("/login","anon");
//        //处理swagger不能访问问题
        filterRuleMap.put("/swagger-ui.html", "anon");
        filterRuleMap.put("/swagger**/**", "anon");
        filterRuleMap.put("/webjars/**", "anon");
        filterRuleMap.put("/v2/**", "anon");
        //这个需要放到最下面
        // 所有请求通过我们自己的JWT Filter
        filterRuleMap.put("/**", "jwt");

        factoryBean.setFilterChainDefinitionMap(filterRuleMap);
//        System.out.println("2222222222222222222222");
        return factoryBean;

    }

    /**
     * 注入 securityManager
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager securityManager(ShiroRealm customRealm) {
//        System.out.println("333333333333333");
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        //设置自定义realm.
        securityManager.setRealm(customRealm);
        //关闭shiro自带的session
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
        defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
        subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
        securityManager.setSubjectDAO(subjectDAO);
//        System.out.println("444444444444444");
        return securityManager;
    }

    /**
     * 添加注解支持
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        // 强制使用cglib,防止重复代理和可能引起代理出错的问题
        defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
        return defaultAdvisorAutoProxyCreator;
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
}

7.创建类LoginController

import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.ronsafe.wlw.entity.SysUser;
import com.ronsafe.wlw.service.UserService;
import com.ronsafe.wlw.util.JWTUtil;
import com.ronsafe.wlw.util.PasswordUtil;
import com.ronsafe.wlw.util.Result;
import com.ronsafe.wlw.util.StatusCode;
import com.ronsafe.wlw.vo.UserVO;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

import java.util.HashMap;

/**
 * @Author R0137 csy
 * @Date 2021/11/9 14:46
 */
@RestController
@Api(tags = "系统管理")
public class LoginController {
    @Autowired
    private UserService userService;

    @CrossOrigin
    @PostMapping("/login")
    @ApiOperation("登录")
    public Result login(String username,String password){
        QueryWrapper wrapper=new QueryWrapper<>();
        wrapper.eq("username",username);
        SysUser user = userService.getOne(wrapper);

        if (user==null) return Result.fail(StatusCode.LOGINERROR,"用户不存在!");

        password = PasswordUtil.encrypt(username,password,user.getSalt());
        if(!user.getPassword().equals(password)) return Result.fail(StatusCode.LOGINERROR,"密码错误!");

        String token = JWTUtil.createToken(username);
        HashMap result = new HashMap<>();
        UserVO userVO = new UserVO();
        BeanUtils.copyProperties(user,userVO);
        result.put("token",token);
        result.put("user",userVO);
        return Result.success(result);
    }
}

至此所有集成代码都粘贴完毕,下面粘一下工具类

public class Result {
    //是否成功
    private boolean flag;
    //返回的状态码
    private Integer code;
    //返回信息
    private String message;
    //返回数据
    private Object data;

    //全参构造方法
    public Result(boolean flag, Integer code, String message, Object data) {
        //super();
        this.flag = flag;
        this.code = code;
        this.message = message;
        this.data = data;
    }

    //无参构造方法
    public Result() {
    }

    //没有返回数据的方法
    public Result(boolean flag, Integer code, String message) {
        super();
        this.flag = flag;
        this.code = code;
        this.message = message;
    }
    // 通用的成功  无返回结果
    public static Result success() {
        return new Result(true, StatusCode.OK, "OK", null);
    }

    // 通用的成功  有返回结果
    public static Result success(Object data) {
        return new Result(true, StatusCode.OK, "OK", data);
    }

    // 通用的失败创建接口  没有返回结果
    public static Result fail(int statusCode, String message) {
        return new Result(false, statusCode, message, null);
    }

    // 通用的失败创建接口  有返回结果
    public static Result fail(int statusCode, String message, Object data) {
        return new Result(false, statusCode, message, data);
    }

    public boolean isFlag() {
        return flag;
    }

    public void setFlag(boolean flag) {
        this.flag = flag;
    }

    public Integer getCode() {
        return code;
    }

    public void setCode(Integer code) {
        this.code = code;
    }

    public String getMessage() {
        return message;
    }

    public void setMessage(String message) {
        this.message = message;
    }

    public Object getData() {
        return data;
    }

    public void setData(Object data) {
        this.data = data;
    }
}
package com.ronsafe.wlw.util;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Random;

public class PasswordUtil {
	/**
	 * 随机数
	 * @param place 定义随机数的位数
	 */
	public static String randomGen(int place) {
		String base = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKLOP0123456789";
		StringBuffer sb = new StringBuffer();
		Random rd = new Random();
		for(int i=0;i

代码粘完了,讲一下流程
springboot+shiro+jwt实现token认证登录_第1张图片
springboot+shiro+jwt实现token认证登录_第2张图片

springboot+shiro+jwt实现token认证登录_第3张图片
springboot+shiro+jwt实现token认证登录_第4张图片

springboot+shiro+jwt实现token认证登录_第5张图片
springboot+shiro+jwt实现token认证登录_第6张图片
springboot+shiro+jwt实现token认证登录_第7张图片

一些问题
1.没有登出?
目前没有结合redis存token,也不存在token在线操作刷新的问题,所以后端不需要做什么,如果用户主动登出,前端删除用户信息,回到登录界面即可,如果是token过期的话,用户带着过期的token过来会给前端返回401,前端拦截,再执行退出操作即可
2.获取当前登录用户
通过jwtUtil工具类中的getCurrentUsername方法拿到用户名,即可以拿到用户

你可能感兴趣的:(springboot,jwt,shiro,spring,boot,java,spring)