【shiro】初识与集成

个人学习笔记分享,当前能力有限,请勿贬低,菜鸟互学,大佬绕道

如有勘误,欢迎指出和讨论,本文后期也会进行修正和补充

前言

权限管理对于一个成熟的项目是极为基础且必要的部分,我们必须知道来者何人,才能判断这个人能做什么不能做什么

而shiro正是解决方案中最常见的一种
请留意,本文主要整理shiro相关思路,为方便理解,示例代码并不完整,更谈不上严谨
若需要实际使用的demo,请直接查看整理后的代码,完整demo会传到github或码云


1.介绍

  • shiro是Apache下的一个开源项目,提供认证、授权、加密和会话管理等功能
  • shiro属于轻量级框架,相当于SpringSecurity的精简版,更加轻便,当然内容也更少,不过足以应付大量场景

2.结构

shiro的三大核心组件为Subject、SecurityManager 和 Realm

2.1.Subject:认证主体

包括两个信息,便可辨认出需要认证的身份

  • Principals:身份。用于标识登录主体,通常为用户名、手机号等等

  • Credentials:凭证。用于验证主体身份,通常为密码、数字证书等等

2.2.SecurityManager:安全管理器

为shiro的核心,负责管理所有的subject和与之先关的交互操作

2.3.Realm:数据域

即数据来源,shiro会从这里回去安全数据,用于验证身份和分配权限,通常使用缓存或者数据库来实现(数据库和redis都是常见的实现方案)

可以看出,shiro并不提供和维护安全数据,仅仅是进行验证身份和分配权限,需要开发者去维护安全数据


3.细节功能

  • Authentication:身份认证/登录(账号密码验证)。

  • Session Manager:会话管理,用户登录后的session相关管理。

  • Cryptography:加密,密码加密等。

  • Web Support:Web支持,集成Web环境。

  • Caching:缓存,用户信息、角色、权限等缓存到如redis等缓存中。

  • Concurrency:多线程并发验证,在一个线程中开启另一个线程,可以把权限自动传播过去。

  • Testing:测试支持;

  • Run As:允许一个用户假装为另一个用户(如果他们允许)的身份进行访问。

  • Remember Me:记住我,登录后,下次再来的话不用登录了。


4.主要业务

4.1.拦截

拦截器会拦截请求,并根据配置,决定下一步业务是拒绝访问重定向进入控制层/业务层

4.2.登录

流程如下:

  • 控制层/业务层根据用户传递的数据创建token,即认证主体Subject
  • 控制层/业务层发起登录行为
  • shiro根据token中的数据,查询数据库账号相关数据,生成认证信息。没有数据则认证失败
  • shiro将认证信息认证主体进行匹配,不匹配则认证失败
  • shiro通过认证主体中的信息,查询数据库里权限数据,并将其写入数据域保存

换言之,通过用户传递的数据生成认证主体,再通过查询数据库生成认证信息,对两者进行匹配,成功就再查询权限信息保存,不匹配就再见

4.3.身份验证

流程如下:

  • 根据请求头中的token在数据域查询认证信息,未查询到则认证失败
  • 对认证信息中的角色、权限或其他自定义信息进行匹配,任意一个不符合则认证失败
  • 认证成功则进入控制层/业务层,且仍可通过代码控制进行身份验证和认证数据读取

也就是,通过token查询认证相关数据,没查到就是没认证


5.集成

5.1.添加依赖

 
    org.apache.shiro
    shiro-spring
    1.5.3
 

5.2.建立相关数据库表

此处建立三张表:用户表user_info、角色表role_info、权限表permission_info,并生成对应实体类

(为方便调试,仅生成实体类,并模拟查询过程)

  • UserInfo

    @Data
    @AllArgsConstructor
    public class UserInfo {
        /**
         * 主键id
         */
        private Integer id;
    
        /**
         * 用户名
         */
        private String username;
    
        /**
         * 密码
         */
        private String password;
    
        /**
         * 外键关联role表
         */
        private Integer roleId;
    }
    
  • RoleInfo

    @Data
    @AllArgsConstructor
    public class RoleInfo {
        /**
         * 主键id
         */
        private Integer id;
    
        /**
         * 角色名称
         */
        private String roleName;
    }
    
  • PermissionInfo

    @Data
    @AllArgsConstructor
    public class PermissionInfo {
        /**
         * 主键id
         */
        private Integer id;
    
        /**
         * 权限名
         */
        private String permissionName;
    
        /**
         * 外键关联role
         */
        private Integer roleId;
    }
    
  • 查询方法(模拟查询,方便调试)

        public UserInfo getUserInfo(String userName) {
            UserInfo userInfo;
            switch (userName) {
                case "user1":
                    userInfo = new UserInfo(1, "user1", "pwd1", 1);
                    break;
                case "user2":
                    userInfo = new UserInfo(2, "user2", "pwd2", 2);
                    break;
                case "user3":
                    userInfo = new UserInfo(3, "user3", "pwd3", 3);
                    break;
                default:
                    userInfo = null;
                    break;
            }
            return userInfo;
        }
    
        public List getPermissionList(String userName) {
            List list = new ArrayList<>();
            list.add(new PermissionInfo(1, "student", 1));
            list.add(new PermissionInfo(2, "teacher", 2));
            list.add(new PermissionInfo(3, "teacher", 3));
            list.add(new PermissionInfo(4, "student", 3));
    
            UserInfo userInfo = getUserInfo(userName);
            List result = new ArrayList<>();
            for (PermissionInfo permissionInfo : list) {
                if (permissionInfo.getRoleId() == userInfo.getRoleId()) {
                    result.add(permissionInfo);
                }
            }
            return result;
        }
    

    如上述数据中

    • user1拥有student权限
    • user2拥有teacher权限
    • user3拥有两种权限student&teacher

5.3.自定义Realm

集成AuthorizingRealm类,重写两个方法

  • doGetAuthenticationInfo() 方法:用来验证当前登录的用户,获取认证信息。
  • doGetAuthorizationInfo() 方法:为当前登录成功的用户授予权限和分配角色。
package com.yezi_tool.basic_project.shiro;

import com.yezi_tool.basic_project.commons.model.UserRealmInfo;
import com.yezi_tool.basic_project.entity.PermissionInfo;
import com.yezi_tool.basic_project.entity.RoleInfo;
import com.yezi_tool.basic_project.entity.UserInfo;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * @author Echo_Ye
 * @title 自定义realm
 * @description 自定义数据域
 * @date 2020/8/17 9:25
 * @email [email protected]
 */
@Slf4j
public class MyRealm extends AuthorizingRealm {
    /**
     * 分配权限
     *
     * @param principalCollection 数据源
     * @return 权限和角色信息
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        log.info("-----------------访问授权---------------------");
        //认证信息未登录,可能是用户非正常退出
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            doClearCache(principalCollection);
            SecurityUtils.getSubject().logout();
            return null;
        }
        //获取认证主体
        String username = (String) principalCollection.getPrimaryPrincipal();
        if (username == null) {
            //认证错误
            return null;
        }
        //添加角色和权限
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        List permissionInfoList = getPermissionList(username);
        Set permissionSet = permissionInfoList.stream().map(m -> m.getPermissionName()).collect(Collectors.toSet());
        simpleAuthorizationInfo.setStringPermissions(permissionSet);
        return simpleAuthorizationInfo;
    }

    /**
     * 进行认证
     *
     * @param authenticationToken 数据源
     * @return 认证结果
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
        // 根据 Token 获取数据
        String username = (String) authenticationToken.getPrincipal();
        // 根据用户名从数据库中查询该用户
        UserInfo user = getUserInfo(username);
        if (user != null) {
            // 把当前用户存到 Session 中
            SecurityUtils.getSubject().getSession().setAttribute("user", user);
            // 传入用户名和密码进行身份认证,并返回认证信息
            AuthenticationInfo authInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), this.getName());
            return authInfo;
        } else {
            //未查找到用户信息,认证失败
            return null;
        }
    }
}

5.4.配置shiro

package com.yezi_tool.basic_project.config;

import com.yezi_tool.basic_project.shiro.MyRealm;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * @author Echo_Ye
 * @title shiro配置
 * @description shiro相关配置
 * @date 2020/8/17 11:28
 * @email [email protected]
 */
@Slf4j
@Configuration
public class ShiroConfig {
    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        // 定义bean
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // 必须设置 SecurityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // 登录url,默认会自动寻找Web工程根目录下的"/login.jsp"页面 或 "/login" 映射
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        // 认证失败url
        shiroFilterFactoryBean.setUnauthorizedUrl("/notRole");

        // 设置拦截器
        Map filterChainDefinitionMap = new LinkedHashMap<>();
        // 开放静态资源权限
        filterChainDefinitionMap.put("/webjars/**", "anon");
        filterChainDefinitionMap.put("/assets/**", "anon");
        filterChainDefinitionMap.put("/img/**", "anon");
        filterChainDefinitionMap.put("/js/**", "anon");
        filterChainDefinitionMap.put("/css/**", "anon");
        // 开放swagger页面权限
        filterChainDefinitionMap.put("/swagger-ui.html/**", "anon");
        filterChainDefinitionMap.put("/swagger-ui.html", "anon");
        // 开放登陆接口
        filterChainDefinitionMap.put("/index", "anon");
        filterChainDefinitionMap.put("/login", "anon");
        filterChainDefinitionMap.put("/logout", "logout");
        // 开放公共接口
        filterChainDefinitionMap.put("/mongodbFile/getImage", "anon");
        filterChainDefinitionMap.put("/sms/**", "anon");

        // 其他页面权限限制
        // 其余全部接口必须进行身份验证,此处方便测试限制到shiroTest开头
        filterChainDefinitionMap.put("/shiroTest/**", "authc");
        // "/teacher/"相关接口必须有teacher权限
        filterChainDefinitionMap.put("/shiroTest/teacher/**", "perms[teacher]");
        // "/student/"相关接口必须有student权限
        filterChainDefinitionMap.put("/shiroTest/student/**", "perms[student]");

        //设置拦截器
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        log.info("-----------------shiro配置注入完成---------------------");
        return shiroFilterFactoryBean;
    }

    /**
     * 注入 securityManager
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 设置realm
        securityManager.setRealm(customRealm());
        return securityManager;
    }

    /**
     * 自定义身份认证 realm
     */
    @Bean
    public MyRealm customRealm() {
        return new MyRealm();
    }

    /**
     * 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions)
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        advisorAutoProxyCreator.setProxyTargetClass(true);
        return advisorAutoProxyCreator;
    }

    /**
     * 开启aop注解支持
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

}

拦截器常用权限参数列表

  • anon:开放权限,可直接访问
  • authc:需要认证
  • logout:注销,执行后跳转至登录页面,即shiroFilterFactoryBean.setLoginUrl()所设置的页面
  • roles[role1, role2...]:所需角色。若有多个角色,则需满足所有角色才可放行。
  • perms[permission1, permission2...]:所需权限。若有多个权限,则需满足所有权限才可放行。


6.使用样例

仅供参考思路,正常使用请参考贴在后面的整理后的核心代码

6.1.登录接口(正常使用请勿返回账号数据)

package com.yezi_tool.basic_project.controller;

import com.yezi_tool.basic_project.commons.model.ReturnMsg;
import com.yezi_tool.basic_project.entity.UserInfo;
import lombok.Data;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

/**
 * @author Echo_Ye
 * @title 登录接口
 * @description 用于登录相关接口
 * @date 2020/8/17 9:39
 * @email [email protected]
 */
@Controller
@RequestMapping("/login")
public class LoginController {

    @Data
    public static class LoginRequest {
        private String username;
        private String password;
    }


    @PostMapping("/login")
    @ResponseBody
    public ReturnMsg login(@RequestBody LoginRequest loginRequest) {
        ReturnMsg returnMsg = new ReturnMsg();
        //组装token
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(loginRequest.username, loginRequest.password);
        try {
            //执行登录
            subject.login(token);
            //获取验证后的对象
            UserInfo userInfo = (UserInfo) subject.getPrincipal();
            //检查权限,无权限将会抛出异常
//            subject.checkPermission("teacher");
            returnMsg.setData(userInfo);
        } catch (UnknownAccountException e) {
            returnMsg = ReturnMsg.error("账号不存在");
        } catch (IncorrectCredentialsException e) {
            returnMsg = ReturnMsg.error("密码错误");
        } catch (LockedAccountException e) {
            returnMsg = ReturnMsg.error("账号被锁定");
        } catch (AuthenticationException e) {
            returnMsg = ReturnMsg.error("认证错误");
        } catch (UnauthorizedException e) {
            returnMsg = ReturnMsg.error("权限错误");
        }

        return returnMsg;
    }
}

6.2.测试权限接口

package com.yezi_tool.basic_project.controller;

import com.yezi_tool.basic_project.commons.model.ReturnMsg;
import org.apache.shiro.SecurityUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.HttpServletRequest;

/**
 * @author Echo_Ye
 * @title shiro测试接口
 * @description 用于shiro相关测试
 * @date 2020/8/17 11:54
 * @email [email protected]
 */
@Controller
@RequestMapping("/shiroTest")
public class ShiroTestController {

    @GetMapping("teacher/testShiro")
    @ResponseBody
    public ReturnMsg teacherTest(HttpServletRequest request) {
        return ReturnMsg.success();
    }

    @GetMapping("student/testShiro")
    @ResponseBody
    public ReturnMsg studentTest(HttpServletRequest request) {
        return ReturnMsg.success();
    }

    @GetMapping("checkPermission")
    @ResponseBody
    public ReturnMsg checkPermission(HttpServletRequest request, String permission) {
        SecurityUtils.getSubject().checkPermission(permission);
        return ReturnMsg.success();
    }
    
    @GetMapping("checkSuperAdmin")
    @ResponseBody
    @RequiresPermissions({"teacher","student"})
    public ReturnMsg checkSuperAdmin(HttpServletRequest request) {
        return ReturnMsg.success();
    }
}

6.3.进行测试

使用postman,每次使用同一个token进行测试,操作和结果如下

  • 发起请求/shiroTest/student/testShiro,结果为404的ModelAndView对象,提示/login.html不存在

    未进行登录,故跳转至登录页面,而测试项目并没有这个页面

    [图片上传失败...(image-668f54-1599041285905)]

  • 发起请求LoginController/login,结果为用户信息,即登录成功

    [图片上传失败...(image-d3481b-1599041285906)]

  • 再次发起请求/shiroTest/student/testShiro,结果为请求成功,则证明权限验证有效

    [图片上传失败...(image-70fa4-1599041285906)]

  • 发起请求/shiroTest/checkSuperAdmin,结果为操作失败,后端报错Subject does not have permission [teacher]

    该接口使用了注解,需要studentteacher两个权限,缺少任意一个则会抛出异常

    [图片上传失败...(image-4172e2-1599041285906)]

[图片上传失败...(image-3199e3-1599041285906)]

7.补充

7.1.SimpleAuthorizationInfo权限信息常用操作

  • addRole(String role)addRoles(Collection roles)setRoles(Set roles):添加/批量添加/批量设置角色
  • addStringPermission(String permission)addStringPermissions(Collection permissions)setStringPermissions(Set roles):添加/批量添加/批量设置权限

7.2.认证主体Subject常用操作

  • login(AuthenticationToken var1):登录,失败会抛出异常
  • logout():登出,注销认证信息
  • getPrincipal():获取认证身份信息,通常读取账号或者全部账号数据
  • getSession().setAttribute(Object var1, Object var2)getSession().getAttribute(Object var1):设置/获取session缓存数据
  • getSession().setTimeout(long var1)getSession().getTimeout():设置/获取session有限时限
  • isPermitted(String var1):是否满足权限,参数也可为Permission var1String... var1List var1
  • isPermittedAll(String... var1):是否满足全部权限,参数也可为Collection var1
  • checkPermission(String var1):检查权限,权限不足时抛出异常,参数也可为Permission var1String... var1Collection var1
  • hasRole(String var1):是否满足角色,参数也可为List var1
  • hasAllRoles(Collection var1):是否满足全部角色
  • checkRole(String var1):检查角色,角色不足时抛出异常
  • checkRoles(String... var1):检查角色,角色不足时抛出异常,参数也可为Collection var1
  • isRemembered():是否记住登录状态
  • isAuthenticated():是否已认证,没错,认证主体并不一定已被认证

7.3.拦截器常用权限参数列表(再重提一遍,很重要)

Filter 解释
anon 无参,开放权限,可以理解为匿名用户或游客
authc 无参,需要认证
logout 无参,注销,执行后会直接跳转到shiroFilterFactoryBean.setLoginUrl();设置的 url
authcBasic 无参,表示 httpBasic 认证
user 无参,表示必须存在用户,当登入操作时不做检查
ssl 无参,表示安全的URL请求,协议为 https
perms[user] 参数可写多个,表示需要某个或某些权限才能通过,多个参数时写 perms["user, admin"],当有多个参数时必须每个参数都通过才算通过
roles[admin] 参数可写多个,表示是某个或某些角色才能通过,多个参数时写 roles["admin,user"],当有多个参数时必须每个参数都通过才算通过
rest[user] 根据请求的方法,相当于 perms[user:method],其中 method 为 post,get,delete 等
port[8081] 当请求的URL端口不是8081时,跳转到schemal://serverName:8081?queryString 其中 schmal 是协议 http 或 https 等等,serverName 是你访问的 Host,8081 是 Port 端口,queryString 是你访问的 URL 里的 ? 后面的参数

此外,权限参数可以自定义,详情请自行查阅资料,或者等我啥时候有空了整理。。。

7.4.控制层注解

  • @RequiresAuthentication

    验证用户是否登录,等同于方法subject.isAuthenticated() 结果为true时。

  • @RequiresUser

    验证用户是否被记忆,user有两种含义:

    一种是成功登录的(subject.isAuthenticated() 结果为true);

    另外一种是被记忆的(subject.isRemembered()结果为true)。

  • @RequiresGuest

    验证是否是一个guest的请求,与@RequiresUser完全相反。

    换言之,RequiresUser == !RequiresGuest。

    此时subject.getPrincipal() 结果为null.

  • @RequiresRoles

    例如:

    • @RequiresRoles("roleA")
    • @RequiresRoles({"roleA", “roleB"})

    验证角色,任意一个不符合则抛出异常

  • @RequiresPermissions

    例如:

    • @RequiresPermissions("file")

    • @RequiresPermissions({"file:read", "file:write"} )

    验证权限,任意一个不符合则抛出异常

8.整理后代码

8.1.整理内容

  • 优化代码结构
  • 查询账号方法修正为从数据库查询(使用mybatisPlus)
  • 密码改为密文(MD5加密+盐)
  • 登录结果仅提示成功或失败
  • shiro相关异常使用全局异常捕获
  • 自定义token对象,并添加其余参数(如验证码,登录端),并进行验证
  • 通用方法写到BaseController
  • 增加多地登录踢下线机制
  • 缓存改用redis
  • 增加RememberMe机制

相关内容会另起他文整理,此处不做赘述,有兴趣的不妨瞅一下我更新没。。。

8.2.核心源码:

ShiroConfig.java

package com.yezi_tool.basic_project.config;

import com.yezi_tool.basic_project.commons.constants.ConfigConstants;
import com.yezi_tool.basic_project.shiro.KickoutSessionControlFilter;
import com.yezi_tool.basic_project.shiro.MyRealm;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.DependsOn;

import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;

/**
 * @author Echo_Ye
 * @title shiro配置
 * @description shiro相关配置
 * @date 2020/8/17 11:28
 * @email [email protected]
 */
@Slf4j
@Configuration
public class ShiroConfig {    //获取application.properties参数,此处不能加static关键字
    @Value("${spring.redis.port}")
    private String port;

    @Value("${spring.redis.host}")
    private String host;

    @Value("${spring.redis.password}")
    private String redisPassword;

    /**
     * Shiro生命周期处理器
     */
    @Bean(name = "lifecycleBeanPostProcessor")
    public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
        log.info("-----------------Shiro生命周期周期处理器设置---------------------");
        return new LifecycleBeanPostProcessor();
    }

    /**
     * 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions)
     */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        advisorAutoProxyCreator.setProxyTargetClass(true);
        return advisorAutoProxyCreator;
    }

    /**
     * 开启aop注解支持
     */
    @Bean
    @ConditionalOnMissingBean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        // 定义bean
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // 必须设置 SecurityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // 登录url,默认会自动寻找Web工程根目录下的"/login.jsp"页面 或 "/login" 映射
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        // 认证失败url
        shiroFilterFactoryBean.setUnauthorizedUrl("/notRole");
        // 登录成功url
//        shiroFilterFactoryBean.setSuccessUrl("/index");
        //当访问受限url
//        shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");

        //自定义拦截器
        Map filtersMap = new LinkedHashMap();
        //限制同一帐号同时在线的个数。
        filtersMap.put("kickout", kickoutSessionControlFilter());
        shiroFilterFactoryBean.setFilters(filtersMap);

        // 设置拦截器
        Map filterChainDefinitionMap = new LinkedHashMap<>();
        // 开放静态资源权限
        filterChainDefinitionMap.put("/webjars/**", "anon");
        filterChainDefinitionMap.put("/assets/**", "anon");
        filterChainDefinitionMap.put("/img/**", "anon");
        filterChainDefinitionMap.put("/js/**", "anon");
        filterChainDefinitionMap.put("/css/**", "anon");
        // 开放swagger页面权限
        filterChainDefinitionMap.put("/swagger-ui.html/**", "anon");
        filterChainDefinitionMap.put("/swagger-ui.html", "anon");
        // 开放登陆接口
        filterChainDefinitionMap.put("/index", "anon");
        filterChainDefinitionMap.put("/login/**", "anon");
        filterChainDefinitionMap.put("/logout", "logout");
        // 开放公共接口
        filterChainDefinitionMap.put("/mongodbFile/getImage", "anon");
        filterChainDefinitionMap.put("/sms/**", "anon");

        // 其他页面权限限制
        // 其余全部接口必须进行身份验证,且强制下线
        filterChainDefinitionMap.put("/**", "user,kickout");
        // "/teacher/"相关接口必须有teacher权限
        filterChainDefinitionMap.put("/shiroTest/teacher/**", "perms[teacher]");
        // "/student/"相关接口必须有student权限
        filterChainDefinitionMap.put("/shiroTest/student/**", "perms[student]");
        //设置拦截器
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        log.info("-----------------shiro配置注入完成---------------------");
        return shiroFilterFactoryBean;
    }


    /**
     * 注入 securityManager
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 设置realm
        securityManager.setRealm(customRealm());
        // 自定义缓存实现 使用redis
        securityManager.setCacheManager(redisCacheManager());
        // 自定义session管理 使用redis
        securityManager.setSessionManager(sessionManager());
        // 自定义rememberMe管理
        securityManager.setRememberMeManager(rememberMeManager());
        return securityManager;
    }

    /**
     * 自定义身份认证 realm
     */
    @Bean
    public MyRealm customRealm() {
        MyRealm myRealm = new MyRealm();
        //设置加密方式
        myRealm.setCredentialsMatcher(hashedCredentialsMatcher());
        return myRealm;
    }

    /**
     * 加密策略
     */
    @Bean
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
        //指定加密方式
        credentialsMatcher.setHashAlgorithmName(ConfigConstants.SHIRO_ENCODE_MODE);
        //加密次数
        credentialsMatcher.setHashIterations(ConfigConstants.SHIRO_ENCODE_TIMES);
        //此处的设置,true加密用的hex编码,false用的base64编码
        credentialsMatcher.setStoredCredentialsHexEncoded(true);
        return credentialsMatcher;
    }

    /**
     * cacheManager 缓存 redis实现
     * 使用的是shiro-redis开源插件
     */
    public RedisCacheManager redisCacheManager() {
        log.info("-----------------创建缓存管理器---------------------");

        RedisCacheManager redisCacheManager = new RedisCacheManager();
        redisCacheManager.setRedisManager(redisManager());
        //redis中针对不同用户缓存(此处的id需要对应user实体中的id字段,用于唯一标识)
        redisCacheManager.setPrincipalIdFieldName("id");
//        用户权限信息缓存时间
//        redisCacheManager.setExpire(200000);
        return redisCacheManager;
    }

    /**
     * Session Manager
     * 使用的是shiro-redis开源插件
     */
    @Bean
    public DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setSessionDAO(redisSessionDAO());
        return sessionManager;
    }

    /**
     * RedisSessionDAO shiro sessionDao层的实现 通过redis
     * 使用的是shiro-redis开源插件
     */
    @Bean
    public RedisSessionDAO redisSessionDAO() {
        RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
        redisSessionDAO.setRedisManager(redisManager());
        return redisSessionDAO;
    }


    /**
     * 配置shiro redisManager
     * 使用的是shiro-redis开源插件
     */
    public RedisManager redisManager() {
        log.info("-----------------创建RedisManager,连接Redis..URL= " + host + ":" + port + "---------------------");
        RedisManager redisManager = new RedisManager();
        redisManager.setHost(host + ":" + port);//老版本是分别setHost和setPort,新版本只需要setHost就可以了
        if (!StringUtils.isEmpty(redisPassword)) {
            redisManager.setPassword(redisPassword);
        }
        return redisManager;
    }

    /**
     * 限制同一账号登录同时登录人数控制
     */
    @Bean
    public KickoutSessionControlFilter kickoutSessionControlFilter() {
        KickoutSessionControlFilter kickoutSessionControlFilter = new KickoutSessionControlFilter();
        kickoutSessionControlFilter.setCacheManager(redisCacheManager());
        kickoutSessionControlFilter.setSessionManager(sessionManager());
        kickoutSessionControlFilter.setKickoutAfter(false);
        kickoutSessionControlFilter.setMaxSession(ConfigConstants.SHIRO_SESSION_KICKOUT_MAX_SESSION);
        kickoutSessionControlFilter.setKickoutUrl("/auth/kickout");
        return kickoutSessionControlFilter;
    }

    /**
     * Cookie
     */
    @Bean
    public SimpleCookie rememberMeCookie() {
        //这个参数是cookie的名称,对应前端的checkbox的name = rememberMe
        SimpleCookie simpleCookie = new SimpleCookie(ConfigConstants.SHIRO_COOKIE_KEY_REMEMBER_ME);
        //如果httpOnly设置为true,则客户端不会暴露给客户端脚本代码,使用HttpOnly cookie有助于减少某些类型的跨站点脚本攻击;
        simpleCookie.setHttpOnly(true);
        //记住我cookie生效时间,单位是秒
        simpleCookie.setMaxAge(600);
        return simpleCookie;
    }

    /**
     * cookie管理器;
     */
    @Bean
    public CookieRememberMeManager rememberMeManager() {
        log.info("-----------------创建RememberMe管理器---------------------");
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        //rememberme cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)
        byte[] cipherKey = Base64.decode(ConfigConstants.SHIRO_COOKIE_CIPHER_KEY);
        cookieRememberMeManager.setCipherKey(cipherKey);
        cookieRememberMeManager.setCookie(rememberMeCookie());
        return cookieRememberMeManager;
    }

}

MyRealm.java

package com.yezi_tool.basic_project.shiro;

import com.yezi_tool.basic_project.commons.constants.ConfigConstants;
import com.yezi_tool.basic_project.entity.UserInfo;
import com.yezi_tool.basic_project.service.IUserInfoService;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * @author Echo_Ye
 * @title 自定义realm
 * @description 自定义数据域
 * @date 2020/8/17 9:25
 * @email [email protected]
 */
@Slf4j
public class MyRealm extends AuthorizingRealm {

    /**
     * 用户信息业务层
     */
    @Autowired
    @Qualifier("userInfoService")
    private IUserInfoService userInfoService;

    /**
     * 分配权限
     *
     * @param principalCollection 数据源
     * @return 权限和角色信息
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        log.info("-----------------访问授权---------------------");
        //认证信息未登录,可能是用户非正常退出
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            doClearCache(principalCollection);
            SecurityUtils.getSubject().logout();
            return null;
        }
        //获取认证主体
        UserInfo userInfo = (UserInfo) principalCollection.getPrimaryPrincipal();
        if (userInfo == null) {
            //认证错误
            return null;
        }
        String username = userInfo.getUsername();
        //添加角色和权限
        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        List permissionInfoList = userInfoService.queryPermission(username);
        Set permissionSet = permissionInfoList.stream().collect(Collectors.toSet());
        simpleAuthorizationInfo.setStringPermissions(permissionSet);

        // 存储信息到session,根据自身需求添加
        SecurityUtils.getSubject().getSession().setAttribute(ConfigConstants.SHIRO_SESSION_KEY_USER_INFO, userInfo);
        return simpleAuthorizationInfo;
    }

    /**
     * 进行认证
     *
     * @param authenticationToken 数据源
     * @return 认证结果
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
        //获取自定义token
        CustomAuthenticationToken token = (CustomAuthenticationToken) authenticationToken;
        // 根据 Token 获取数据
        String username = (String) token.getPrincipal();
        // 根据用户名从数据库中查询该用户
        UserInfo user = userInfoService.selectByUserName(username);
        if (user != null) {
            // 传入用户名和密码进行身份认证,并返回认证信息
            //自定义盐值
            ByteSource salt = ByteSource.Util.bytes(user.getSalt());
            AuthenticationInfo authInfo = new SimpleAuthenticationInfo(user, user.getPassword(), salt, this.getName());
            return authInfo;
        } else {
            //未查找到用户信息,认证失败
            return null;
        }
    }

}

ConfigConstants.java

package com.yezi_tool.basic_project.commons.constants;

/**
 * @author Echo_Ye
 * @title 配置信息常量
 * @description 用于各种配置
 * @date 2020/8/19 18:13
 * @email [email protected]
 */
public class ConfigConstants {
    /**
     * 序列化相关
     */
    public static final long SERIAL_VERSION_UID     = 1L;    //序列号

    /**
     * shiro相关
     */
    public static final String SHIRO_ENCODE_MODE                    = "MD5";    //加密方式
    public static final int SHIRO_ENCODE_TIMES                      = 1;    //加密次数
    public static final String SHIRO_REDIS_PREFIX_CACHE             = "shiro_redis_cache";    //缓存前缀
    public static final String SHIRO_SESSION_PREFIX_KICKOUT         = "kickout";    //缓存前缀
    public static final int SHIRO_SESSION_KICKOUT_MAX_SESSION       = 1;    //踢下线最多人数
    public static final String SHIRO_SESSION_KEY_USER_INFO          = "user_info";    //缓存-用户信息
    public static final String SHIRO_COOKIE_KEY_REMEMBER_ME         = "rememberMe";    //cookie-记住我
    public static final String SHIRO_COOKIE_CIPHER_KEY              = "qU7b1ChYNwqbrEwTlPbO9Q==";    //cookie-加密秘钥

    /**
     * redis相关
     */
    public static final String REDIS_KEY_CAPTCHA="captcha";
}

BaseExceptionHandler.java

package com.yezi_tool.basic_project.interceptors;

import com.yezi_tool.basic_project.commons.constants.ResponseConstants;
import com.yezi_tool.basic_project.commons.exception.BaseException;
import com.yezi_tool.basic_project.commons.model.ReturnMsg;
import com.yezi_tool.basic_project.commons.utils.ObjectMapperFactory;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.util.NestedServletException;

import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;

/**
 * @title 统一异常处理
 * @description 统一处理项目内的异常
 * @author Echo_Ye
 * @date 2020/8/24 10:42
 * @email [email protected]
 */
@Slf4j
@ControllerAdvice
public class BaseExceptionHandler {
    /**
     * 统一异常处理,仅处理NestedServletException
     */
    @ExceptionHandler({NestedServletException.class})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public ModelAndView servletException(HttpServletRequest request, HttpServletResponse response, Exception exception) {
        ModelAndView mav = new ModelAndView();
        ReturnMsg message = ReturnMsg.FAIL;
        out(response, message);
        return mav;
    }


    /**
     * 统一异常处理,仅处理ShiroException
     */
    @ExceptionHandler({ShiroException.class})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public ReturnMsg shiroException(HttpServletRequest request, HttpServletResponse response, Exception exception) {
        // 打印异常信息至控制台,开始处理异常
        log.error("异常统一处理-ShiroException:" + exception.getLocalizedMessage(), exception);
        //异常默认为是操作失败
        ReturnMsg message = ReturnMsg.FAIL;
        //确认错误类型
        if (exception instanceof UnknownAccountException) {
            //账号错误
            message.setMsg(ResponseConstants.SHIRO_MSG_UNKNOWN_ACCOUNT);
        } else if (exception instanceof IncorrectCredentialsException) {
            //密码错误
            message.setMsg(ResponseConstants.SHIRO_MSG_INCORRECT_CREDENTIALS);
        } else if (exception instanceof LockedAccountException) {
            //账号被锁定
            message.setMsg(ResponseConstants.SHIRO_MSG_LOCKED_ACCOUNT);
        } else if (exception instanceof AuthenticationException) {
            //认证错误
            message.setMsg(ResponseConstants.SHIRO_MSG_AUTHENTICATION_ERROR);
        } else if (exception instanceof UnauthorizedException) {
            //权限不足
            message.setMsg(ResponseConstants.SHIRO_MSG_UNAUTHORIZED);
        }
        //返回消息体
        return message;
    }


    /**
     * 统一异常处理
     */
    @ExceptionHandler({Exception.class})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public ReturnMsg processException(HttpServletRequest request, HttpServletResponse response, Exception exception) {
        // 打印异常信息至控制台,开始处理异常
        log.error("异常统一处理-Exception:" + exception.getLocalizedMessage(), exception);
        //异常默认为是操作失败
        ReturnMsg message = ReturnMsg.FAIL;
        // 检查异常的类型
        if (exception instanceof NestedServletException) {
            // 异步请求错误,已处理
        } else if (exception instanceof BaseException) {
            // 自定义类型的异常,转换为自定义异常
            message = ((BaseException) exception).asReturnMsg();
        } else {
            // 非自定义类型异常,打印错误信息至日志,封装ReturnMsg对象
            log.error(request.getRequestURI(), exception);
            message = ReturnMsg.FAIL;
        }
        //返回消息体
        return message;
    }

    /**
     * response 输出JSON
     */
    public static void out(ServletResponse response, ReturnMsg returnMsg) {
        PrintWriter out = null;
        try {
            response.setContentType("application/json;charset=utf-8");
            out = response.getWriter();
            out.println(ObjectMapperFactory.getInstance().writeValueAsString(returnMsg));
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (null != out) {
                out.flush();
                out.close();
            }
        }
    }
}

CustomAuthenticationToken.java

package com.yezi_tool.basic_project.shiro;

import com.yezi_tool.basic_project.commons.constants.ConfigConstants;
import lombok.Data;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;

/**
 * @author Echo_Ye
 * @title 自定义token
 * @description 自定义token,适用于shiro
 * @date 2020/8/20 11:56
 * @email [email protected]
 */
@Data
public class CustomAuthenticationToken extends UsernamePasswordToken {
    /**
     * 序列号
     */
    private static final long serialVersionUID = ConfigConstants.SERIAL_VERSION_UID;

    /**
     * 验证码字段
     */
    public static final String DEFAULT_CAPTCHA_PARAM = "captcha";

    /**
     * 登录类型
     */
    private int loginType;

    /**
     * 登录方式
     */
    private String loginMode;

    /**
     * 手机验证码
     */
    private String code;

    /**
     * 验证码
     */
    private String captcha;


    /**
     * 从request请求中获取验证码
     */
    public String getCaptcha(ServletRequest request) {
        return WebUtils.getCleanParam(request, DEFAULT_CAPTCHA_PARAM);
    }


    public CustomAuthenticationToken(String username, String password) {
        super(username, password);
    }

    public CustomAuthenticationToken(String username, String password, String captcha) {
        super(username, password);
        this.captcha = captcha;
    }
}

KickoutSessionControlFilter.java

package com.yezi_tool.basic_project.shiro;

import com.alibaba.fastjson.JSON;
import com.yezi_tool.basic_project.commons.constants.ConfigConstants;
import com.yezi_tool.basic_project.entity.UserInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.Serializable;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.Map;

public class KickoutSessionControlFilter extends AccessControlFilter {

    private String kickoutUrl; //踢出后到的地址
    private boolean kickoutAfter = false; //踢出之前登录的/之后登录的用户 默认踢出之前登录的用户
    private int maxSession = 1; //同一个帐号最大会话数 默认1
    private String kickoutKey = ConfigConstants.SHIRO_SESSION_PREFIX_KICKOUT;//提出字段名

    private SessionManager sessionManager;
    private Cache> cache;

    public void setKickoutUrl(String kickoutUrl) {
        this.kickoutUrl = kickoutUrl;
    }

    public void setKickoutAfter(boolean kickoutAfter) {
        this.kickoutAfter = kickoutAfter;
    }

    public void setMaxSession(int maxSession) {
        this.maxSession = maxSession;
    }

    public void setSessionManager(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    //设置Cache的key的前缀
    public void setCacheManager(CacheManager cacheManager) {
        this.cache = cacheManager.getCache(ConfigConstants.SHIRO_REDIS_PREFIX_CACHE);
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        return false;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        Subject subject = getSubject(request, response);
        if (!subject.isAuthenticated() && !subject.isRemembered()) {
            //如果没有登录,直接进行之后的流程
            return true;
        }

        Session session = subject.getSession();
        UserInfo user = (UserInfo) subject.getPrincipal();
        String username = user.getUsername();
        Serializable sessionId = session.getId();

        //读取缓存   没有就存入
        Deque deque = cache.get(username);

        //如果此用户没有session队列,也就是还没有登录过,缓存中没有
        //就new一个空队列,不然deque对象为空,会报空指针
        if (deque == null) {
            deque = new LinkedList();
        }

        //如果队列里没有此sessionId,且用户没有被踢出;放入队列
        if (!deque.contains(sessionId) && session.getAttribute(kickoutKey) == null) {
            //将sessionId存入队列
            deque.push(sessionId);
            //将用户的sessionId队列缓存
            cache.put(username, deque);
        }

        //如果队列里的sessionId数超出最大会话数,开始踢人
        while (deque.size() > maxSession) {
            Serializable kickoutSessionId = null;
            if (kickoutAfter) { //如果踢出后者
                kickoutSessionId = deque.removeFirst();
                //踢出后再更新下缓存队列
            } else { //否则踢出前者
                kickoutSessionId = deque.removeLast();
                //踢出后再更新下缓存队列
            }
            cache.put(username, deque);


            try {
                //获取被踢出的sessionId的session对象
                Session kickoutSession = sessionManager.getSession(new DefaultSessionKey(kickoutSessionId));
                if (kickoutSession != null) {
                    //设置会话的kickout属性表示踢出了
                    kickoutSession.setAttribute(kickoutKey, true);
                }
            } catch (Exception e) {//ignore exception
            }
        }

        //如果被踢出了,直接退出,重定向到踢出后的地址
        if (session.getAttribute(kickoutKey) != null) {
            //会话被踢出了
            try {
                //退出登录
                subject.logout();
            } catch (Exception e) { //ignore
            }
            saveRequest(request);

            Map resultMap = new HashMap();
            //判断是不是Ajax请求
            if ("XMLHttpRequest".equalsIgnoreCase(((HttpServletRequest) request).getHeader("X-Requested-With"))) {
                resultMap.put("code ", "300");
                resultMap.put("message", "您已经在其他地方登录,请重新登录!");
                //输出json串
                out(response, resultMap);
            } else {
                //重定向
                WebUtils.issueRedirect(request, response, kickoutUrl);
            }
            return false;
        }
        return true;
    }

    private void out(ServletResponse hresponse, Map resultMap) throws IOException {
        try {
            hresponse.setCharacterEncoding("UTF-8");
            PrintWriter out = hresponse.getWriter();
            out.println(JSON.toJSONString(resultMap));
            out.flush();
            out.close();
        } catch (Exception e) {
            System.err.println("KickoutSessionFilter.class 输出JSON异常,可以忽略。");
        }
    }
}

BaseController.java

package com.yezi_tool.basic_project.controller;

import com.yezi_tool.basic_project.commons.constants.ConfigConstants;
import com.yezi_tool.basic_project.commons.constants.ResponseConstants;
import com.yezi_tool.basic_project.commons.exception.BaseException;
import com.yezi_tool.basic_project.shiro.CustomAuthenticationToken;
import org.apache.shiro.SecurityUtils;
import org.springframework.stereotype.Controller;

@Controller
public class BaseController {

    /**
     * 校验验证码
     *
     * @param token token对象
     * @throws Exception 校验失败则抛出异常
     */
    public void checkCaptcha(CustomAuthenticationToken token) throws Exception {
        String captcha = token.getCaptcha();
        String exitCode = (String) SecurityUtils.getSubject().getSession().getAttribute(ConfigConstants.REDIS_KEY_CAPTCHA);
        if (null == captcha || !captcha.equalsIgnoreCase(exitCode)) {
            throw new BaseException(ResponseConstants.RETURN_MSG_INCORRECT_CAPTCHA);
        }
    }

    /**
     * 获取认证者身份
     *
     * @return 认证者身份信息
     */
    public Object getPrimaryPrincipal() {
        return SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
    }

    /**
     * 获取session字段值
     *
     * @param key session的字段key
     * @return session的字段值
     */
    public Object getSessionAttribute(String key) {
        return SecurityUtils.getSubject().getSession().getAttribute(key);
    }
}

LoginController.java

package com.yezi_tool.basic_project.controller;

import com.yezi_tool.basic_project.commons.model.ReturnMsg;
import com.yezi_tool.basic_project.shiro.CustomAuthenticationToken;
import lombok.Data;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

/**
 * @author Echo_Ye
 * @title 登录接口
 * @description 用于登录相关接口
 * @date 2020/8/17 9:39
 * @email [email protected]
 */
@Controller
@RequestMapping("/login")
public class LoginController extends BaseController {

    @Data
    private static class LoginRequest {
        private String username;
        private String password;
        private Boolean rememberMe;
    }


    @PostMapping("/login")
    @ResponseBody
    public ReturnMsg login(@RequestBody LoginRequest loginRequest) throws Exception {
        //组装token
        Subject subject = SecurityUtils.getSubject();
        CustomAuthenticationToken token = new CustomAuthenticationToken(loginRequest.username, loginRequest.password);
        // 设置rememberMe字段
        if(loginRequest.rememberMe!=null) {
            token.setRememberMe(loginRequest.rememberMe);
        }
        //判断验证码,暂不启用
//        checkCaptcha(token);
        //执行登录
        subject.login(token);

        return ReturnMsg.success();
    }

}

8.3.全部代码:

demo地址:https://gitee.com/echo_ye/shiro-demo

demo已能正常运转预期所有功能,但仅供参考,请视实际业务自行删减和修改,有疑问或者建议可以留言或者联系我~

BB两句

真的是了解越多,越觉得其强大,越觉得自己弱鸡。。。


作者:Echo_Ye

WX:Echo_YeZ

EMAIL :[email protected]

个人站点:在搭了在搭了。。。(右键 - 新建文件夹)

你可能感兴趣的:(【shiro】初识与集成)