springboot+shiro+jwt实现token认证登录
准备:
springboot 2.5.5
jdk 1.8
没有操作刷新token功能,也没有放redis做缓存
1.先贴代码
2.后讲一下验证逻辑
1.导入依赖
org.apache.shiro
shiro-spring
1.7.1
com.auth0
java-jwt
3.2.0
2.创建JWTUtil工具类
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.ronsafe.wlw.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
public class JWTUtil {
// 过期时间 2 小时
private static final long EXPIRE_TIME = 2 * 60 * 60 * 1000;
// 密钥
private static final String SECRET = "jwt+shiro";
@Autowired
private UserMapper userMapper;
/**
* 生成 token
*/
public static String createToken(String username) {
try {
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
Algorithm algorithm = Algorithm.HMAC256(SECRET);
//jwt的header部分
Map map=new HashMap<>();
map.put("alg","HS256");
map.put("typ","JWT");
// 附带username信息
return JWT.create()
.withHeader(map)//jwt的header部分
.withClaim("username", username)//私有声明
.withExpiresAt(date)//过期时间
.withIssuedAt(new Date())//签发时间
.sign(algorithm);//签名
} catch (Exception e) {
return null;
}
}
/**
* 校验 token 是否正确
*/
//校验token的有效性,1、token的header和payload是否没改过;2、没有过期
public static boolean verify(String token) {
try {
//解密
JWTVerifier verifier=JWT.require(Algorithm.HMAC256(SECRET)).build();
// System.out.println("5555555->error1111111111");
verifier.verify(token);
return true;
}catch (Exception e){
return false;
}
}
/**
* 获得token中的信息,无需secret解密也能获得
*/
public static String getUsername(String token) {
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getClaim("username").asString();
} catch (JWTDecodeException e) {
return null;
}
}
public static String getCurrentUsername(HttpServletRequest request){
String accessToken = request.getHeader("Jmt-token");
return getUsername(accessToken);
}
}
3.创建类JwtToken
import org.apache.shiro.authc.AuthenticationToken;
public class JwtToken implements AuthenticationToken {
private String token;
public JwtToken(String token) {
this.token = token;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
4.创建ShiroRealm类
import com.ronsafe.wlw.util.JWTUtil;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;
@Component
@Slf4j
public class ShiroRealm extends AuthorizingRealm {
/**
* 根据token判断此Authenticator是否使用该realm
* 必须重写此方法,不然会报错
*/
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof JwtToken;
}
/**
* 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// System.out.println("7777777777777777");
String token = (String) authenticationToken.getCredentials();
// 解密获得username,用于和数据库进行对比
String username = null;
try {
username= JWTUtil.getUsername(token);
}catch (Exception e){
throw new AuthenticationException("token非法,不是规范的token,可能被篡改了,或者过期了");
}
if (username == null || !JWTUtil.verify(token)) {
// System.out.println("5555555->error2222222222");
throw new AuthenticationException("token认证失效,token错误或者过期,重新登陆");
}
// System.out.println("8888888888888888888888");
return new SimpleAuthenticationInfo(token,token,"ShiroRealm");
}
/**
* 只有当需要检测用户权限的时候才会调用此方法,例如checkRole,checkPermission之类的
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
}
5.创建类JwtFilter
import com.alibaba.fastjson.JSON;
import com.ronsafe.wlw.util.Result;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Slf4j
public class JwtFilter extends BasicHttpAuthenticationFilter {
private boolean allowOrigin = true;
public JwtFilter(){}
public JwtFilter(boolean allowOrigin){
this.allowOrigin = allowOrigin;
}
/**
* 如果带有 token,则对 token 进行检查,否则直接通过
*/
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
// System.out.println("555555555555555555");
try {
executeLogin(request, response);
} catch (Exception e) {
// System.out.println("5555555->error333333333333");
//token 错误
responseError(response);
}
// System.out.println("1010101010");
return true;
}
/**
* 判断用户是否想要登入。
* 检测 header 里面是否包含 token 字段
*/
@Override
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
HttpServletRequest req = (HttpServletRequest) request;
String token = req.getHeader("Jmt-token");
return token != null;
}
/**
* 执行登陆操作
*/
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
// System.out.println("6666666666666");
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String token = httpServletRequest.getHeader("Jmt-token");
JwtToken jwtToken = new JwtToken(token);
// 提交给realm进行登入,如果错误它会抛出异常并被捕获
getSubject(request, response).login(jwtToken);
// 如果没有抛出异常则代表登入成功,返回true
// System.out.println("9999999999999999999");
return true;
}
/**
* 对跨域提供支持
*/
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
//前后端分离,shiro过滤器配置引起的跨域问题
// 是否允许发送Cookie,默认Cookie不包括在CORS请求之中。设为true时,表示服务器允许Cookie包含在请求中。
httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
//前后端分离,shiro过滤器配置引起的跨域问题
// 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
/**
* 非法请求返回401,前端拦截到登录页
*/
private void responseError(ServletResponse response) {
HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
httpServletResponse.setCharacterEncoding("UTF-8");
httpServletResponse.setContentType("application/json; charset=utf-8");
try (ServletOutputStream out = httpServletResponse.getOutputStream()) {
// System.out.println("5555555->error444444444444444");
out.write(JSON.toJSONString(Result.fail(401,"身份验证失败,请重新登陆!")).getBytes("utf-8"));
} catch (IOException e) {
throw new AuthenticationException("直接返回Response信息出现IOException异常:" + e.getMessage());
}
}
}
6.创建类ShiroConfig
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
@Slf4j
@Configuration
public class ShiroConfig {
/**
* 先经过token过滤器,如果检测到请求头存在 token,则用 token 去 login,接着走 Realm 去验证
*/
@Bean
public ShiroFilterFactoryBean factory(@Qualifier("securityManager")DefaultWebSecurityManager securityManager) {
// System.out.println("1111111111111");
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
factoryBean.setSecurityManager(securityManager);
Map filterMap = new LinkedHashMap<>();
// 添加自己的过滤器并且取名为jwt
filterMap.put("jwt", new JwtFilter());
factoryBean.setFilters(filterMap);
// 设置无权限时跳转的 url;
factoryBean.setUnauthorizedUrl("/unauthorized/relogin");
Map filterRuleMap = new HashMap<>();
//添加不需要拦截的url
filterRuleMap.put("/unauthorized/**","anon");
// //登录不需要拦截
filterRuleMap.put("/login","anon");
// //处理swagger不能访问问题
filterRuleMap.put("/swagger-ui.html", "anon");
filterRuleMap.put("/swagger**/**", "anon");
filterRuleMap.put("/webjars/**", "anon");
filterRuleMap.put("/v2/**", "anon");
//这个需要放到最下面
// 所有请求通过我们自己的JWT Filter
filterRuleMap.put("/**", "jwt");
factoryBean.setFilterChainDefinitionMap(filterRuleMap);
// System.out.println("2222222222222222222222");
return factoryBean;
}
/**
* 注入 securityManager
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager securityManager(ShiroRealm customRealm) {
// System.out.println("333333333333333");
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
//设置自定义realm.
securityManager.setRealm(customRealm);
//关闭shiro自带的session
DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
securityManager.setSubjectDAO(subjectDAO);
// System.out.println("444444444444444");
return securityManager;
}
/**
* 添加注解支持
*/
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
// 强制使用cglib,防止重复代理和可能引起代理出错的问题
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
}
7.创建类LoginController
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.ronsafe.wlw.entity.SysUser;
import com.ronsafe.wlw.service.UserService;
import com.ronsafe.wlw.util.JWTUtil;
import com.ronsafe.wlw.util.PasswordUtil;
import com.ronsafe.wlw.util.Result;
import com.ronsafe.wlw.util.StatusCode;
import com.ronsafe.wlw.vo.UserVO;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import java.util.HashMap;
/**
* @Author R0137 csy
* @Date 2021/11/9 14:46
*/
@RestController
@Api(tags = "系统管理")
public class LoginController {
@Autowired
private UserService userService;
@CrossOrigin
@PostMapping("/login")
@ApiOperation("登录")
public Result login(String username,String password){
QueryWrapper wrapper=new QueryWrapper<>();
wrapper.eq("username",username);
SysUser user = userService.getOne(wrapper);
if (user==null) return Result.fail(StatusCode.LOGINERROR,"用户不存在!");
password = PasswordUtil.encrypt(username,password,user.getSalt());
if(!user.getPassword().equals(password)) return Result.fail(StatusCode.LOGINERROR,"密码错误!");
String token = JWTUtil.createToken(username);
HashMap result = new HashMap<>();
UserVO userVO = new UserVO();
BeanUtils.copyProperties(user,userVO);
result.put("token",token);
result.put("user",userVO);
return Result.success(result);
}
}
至此所有集成代码都粘贴完毕,下面粘一下工具类
public class Result {
//是否成功
private boolean flag;
//返回的状态码
private Integer code;
//返回信息
private String message;
//返回数据
private Object data;
//全参构造方法
public Result(boolean flag, Integer code, String message, Object data) {
//super();
this.flag = flag;
this.code = code;
this.message = message;
this.data = data;
}
//无参构造方法
public Result() {
}
//没有返回数据的方法
public Result(boolean flag, Integer code, String message) {
super();
this.flag = flag;
this.code = code;
this.message = message;
}
// 通用的成功 无返回结果
public static Result success() {
return new Result(true, StatusCode.OK, "OK", null);
}
// 通用的成功 有返回结果
public static Result success(Object data) {
return new Result(true, StatusCode.OK, "OK", data);
}
// 通用的失败创建接口 没有返回结果
public static Result fail(int statusCode, String message) {
return new Result(false, statusCode, message, null);
}
// 通用的失败创建接口 有返回结果
public static Result fail(int statusCode, String message, Object data) {
return new Result(false, statusCode, message, data);
}
public boolean isFlag() {
return flag;
}
public void setFlag(boolean flag) {
this.flag = flag;
}
public Integer getCode() {
return code;
}
public void setCode(Integer code) {
this.code = code;
}
public String getMessage() {
return message;
}
public void setMessage(String message) {
this.message = message;
}
public Object getData() {
return data;
}
public void setData(Object data) {
this.data = data;
}
}
package com.ronsafe.wlw.util;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Random;
public class PasswordUtil {
/**
* 随机数
* @param place 定义随机数的位数
*/
public static String randomGen(int place) {
String base = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKLOP0123456789";
StringBuffer sb = new StringBuffer();
Random rd = new Random();
for(int i=0;i代码粘完了,讲一下流程
一些问题
1.没有登出?
目前没有结合redis存token,也不存在token在线操作刷新的问题,所以后端不需要做什么,如果用户主动登出,前端删除用户信息,回到登录界面即可,如果是token过期的话,用户带着过期的token过来会给前端返回401,前端拦截,再执行退出操作即可
2.获取当前登录用户
通过jwtUtil工具类中的getCurrentUsername方法拿到用户名,即可以拿到用户