是跟着git上的项目自己写了一遍
网址:https://github.com/Smith-Cruise/Spring-Boot-Shiro
首先先引入pom
org.slf4j
slf4j-api
1.7.16
org.apache.shiro
shiro-spring
1.3.2
com.auth0
java-jwt
3.2.0
先创建数据,可以从db中直接获取,也可以伪造后台数据
DataSource.java
package com.example.shiro.database;
import java.util.HashMap;
import java.util.Map;
public class DataSource {
private static Map> data = new HashMap<>();
static {
HashMap data1 = new HashMap<>();
data1.put("password", "smith123");
data1.put("role", "user");
data1.put("permission", "view");
Map data2 = new HashMap<>();
data2.put("password", "danny123");
data2.put("role", "admin");
data2.put("permission", "view,edit");
data.put("smith", data1);
data.put("danny", data2);
}
public static Map> getData() {
return data;
}
}
使用UserService.java,可以获取userBean中的数据
package com.example.shiro.database;
import org.springframework.stereotype.Component;
import java.util.Map;
@Component
public class UserService {
public UserBean getUser(String name){
if (! DataSource.getData().containsKey(name)){
return null;
}
UserBean userBean = new UserBean();
Map detail = DataSource.getData().get(name);
userBean.setUsername(name);
userBean.setPassword(detail.get("password"));
userBean.setRole(detail.get("role"));
userBean.setPermission(detail.get("permission"));
return userBean;
}
}
创建user实体类
UserBean
package com.example.shiro.database;
public class UserBean {
private String username;
private String password;
private String role;
private String permission;
public String getPermission() {
return permission;
}
public void setPermission(String permission) {
this.permission = permission;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getRole() {
return role;
}
public void setRole(String role) {
this.role = role;
}
}
创建JWTUtil,
1.使用JWT生成token
2.通过token,获取username
3.通过username和password验证token
package com.example.shiro.util;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.UnsupportedEncodingException;
import java.util.Date;
public class JWTUtil {
private static final long EXPIRE_TIME = 5*60*1000;
//验证token是否正确
public static boolean verify(String token, String username, String secret){
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
JWTVerifier verifier = JWT.require(algorithm).withClaim("username", username).build();
DecodedJWT jwt = verifier.verify(token);
return true;
}catch (Exception e){
return false;
}
}
//通过token获取用户
public static String getUsername(String token){
try {
DecodedJWT jwt = JWT.decode(token);
return jwt.getClaim("username").asString();
}catch (JWTDecodeException e){
return null;
}
}
//生成签名
public static String sign(String username, String secret){
Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
return JWT.create().withClaim("username",username).withExpiresAt(date)
.sign(algorithm);
} catch (UnsupportedEncodingException e) {
return null;
}
}
}
自定义异常
package com.example.shiro.exception;
public class UnauthorizedException extends RuntimeException{
public UnauthorizedException(String msg){
super(msg);
}
public UnauthorizedException(){
super();
}
}
控制端,编写测试url,分别测试
1.login
2.是否授权
3.是否有权限访问url
4.是否有操作权限访问url
5.loginout
package com.example.shiro.controller;
import com.example.shiro.bean.ResponseBean;
import com.example.shiro.database.UserBean;
import com.example.shiro.database.UserService;
import com.example.shiro.exception.UnauthorizedException;
import com.example.shiro.shiro.JWTToken;
import com.example.shiro.util.JWTUtil;
import jdk.nashorn.internal.runtime.logging.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
@RestController
@Logger
public class WebController {
@Autowired
private UserService userService;
@GetMapping("/login")
public ResponseBean login(@RequestParam("username") String username,@RequestParam("password") String password){
UserBean userBean = userService.getUser(username);
if (password.equals(userBean.getPassword())){
try {
String JWTSign = JWTUtil.sign(username, password);
Subject subject = SecurityUtils.getSubject();
subject.login(new JWTToken(JWTSign));
}catch (Exception e){
e.printStackTrace();
}
return new ResponseBean(200, "Login success", JWTUtil.sign(username, password));
}else{
throw new UnauthorizedException();
}
}
@GetMapping("/article")
public ResponseBean article(){
try {
Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated()){
return new ResponseBean(200, "you are already logged in", null);
}
}catch (Exception e){
e.printStackTrace();
}
return new ResponseBean(200, "you are guest",null);
}
@GetMapping("/require_auth")
@RequiresAuthentication
public ResponseBean requireAuth(){
return new ResponseBean(200,"you are authenticated", null);
}
@GetMapping("require_role")
@RequiresRoles("admin")
public ResponseBean requireRole(){
return new ResponseBean(200, "You are visiting require_role", null);
}
@GetMapping("/require_permission")
@RequiresPermissions(logical = Logical.AND, value = {"view", "edit"})
public ResponseBean requirePermission(){
return new ResponseBean(200, "You are visiting permission require edit,view", null);
}
@RequestMapping(path = "401")
@ResponseStatus(HttpStatus.UNAUTHORIZED)
public ResponseBean unauthorized(){
return new ResponseBean(401, "Unauthorized", null);
}
@GetMapping("/loginout")
public ResponseBean loginout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return new ResponseBean(200, "you have login out", null);
}
}
package com.example.shiro.controller;
import com.example.shiro.bean.ResponseBean;
import com.example.shiro.exception.UnauthorizedException;
import org.apache.shiro.ShiroException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import javax.servlet.http.HttpServletRequest;
@RestControllerAdvice
public class ExceptionController {
@ResponseStatus(HttpStatus.UNAUTHORIZED)
@ExceptionHandler(ShiroException.class)
public ResponseBean handle401(ShiroException e) {
return new ResponseBean(401, e.getMessage(), null);
}
@ResponseStatus(HttpStatus.UNAUTHORIZED)
@ExceptionHandler(UnauthorizedException.class)
public ResponseBean handle401() {
return new ResponseBean(401, "Unauthorized", null);
}
// 捕捉其他所有异常
@ExceptionHandler(Exception.class)
@ResponseStatus(HttpStatus.BAD_REQUEST)
public ResponseBean globalException(HttpServletRequest request, Throwable ex) {
return new ResponseBean(getStatus(request).value(), ex.getMessage(), null);
}
private HttpStatus getStatus(HttpServletRequest request) {
Integer statusCode = (Integer) request.getAttribute("javax.servlet.error.status_code");
if (statusCode == null) {
return HttpStatus.INTERNAL_SERVER_ERROR;
}
return HttpStatus.valueOf(statusCode);
}
}
重点部分,,,,,shiro
JWTFilter
配置允许跨域,通过request中是否有Authorization,去判断是否想去登陆。
如果header中有token,就去登陆
package com.example.shiro.shiro;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class JWTFilter extends BasicHttpAuthenticationFilter {
private Logger LOGGER = LoggerFactory.getLogger(this.getClass());
@Override
protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
HttpServletRequest req = (HttpServletRequest) request;
String authorization = req.getHeader("Authorization");
System.out.println("isLoginAttempt is : " + authorization);
return authorization != null;
}
@Override
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String authorization = httpServletRequest.getHeader("Authorization");
System.out.println("executeLogin is : " + authorization);
JWTToken jwtToken = new JWTToken(authorization);
getSubject(request,response).login(jwtToken);
return true;
}
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
if (isLoginAttempt(request, response)){
try {
executeLogin(request, response);
} catch (Exception e) {
response401(request,response);
}
}
return true;
}
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers")+"T");
// 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
public void response401(ServletRequest req, ServletResponse resp){
HttpServletResponse resp1 = (HttpServletResponse) resp;
try {
resp1.sendRedirect("401");
} catch (IOException e) {
LOGGER.error(e.getMessage());
}
}
}
JWTToken
用户密码的载体
package com.example.shiro.shiro;
import org.apache.shiro.authc.AuthenticationToken;
public class JWTToken implements AuthenticationToken {
private String token;
public JWTToken(String token) {
this.token = token;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
自定义的MyRealm
认证,授权的过程都在这个类中实现
package com.example.shiro.shiro;
import com.example.shiro.database.UserBean;
import com.example.shiro.database.UserService;
import com.example.shiro.util.JWTUtil;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
@Component("myShiroRealm")
public class MyRealm extends AuthorizingRealm {
private static final Logger LOGGER = LogManager.getLogger(MyRealm.class);
@Autowired
UserService userService;
/**
* 大坑!,必须重写此方法,不然Shiro会报错
*/
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof JWTToken;
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = JWTUtil.getUsername(principalCollection.toString());
UserBean user = userService.getUser(username);
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addRole(user.getRole());
Set permission = new HashSet<>(Arrays.asList(user.getPermission().split(",")));
simpleAuthorizationInfo.addStringPermissions(permission);
return simpleAuthorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
String token = (String) auth.getCredentials();
String username = JWTUtil.getUsername(token);
if (username == null){
throw new AuthenticationException("token invalid");
}
UserBean userBean = userService.getUser(username);
if (userBean == null){
throw new AuthenticationException("user didn't existed");
}
if (!JWTUtil.verify(token,username, userBean.getPassword())){
throw new AuthenticationException("Username or password error");
}
return new SimpleAuthenticationInfo(token, token, "my_realm");
}
}
shiroConfig
realm->SecurityManager->ShiroFilterFactoryBean
realm放入SecurityManager中,然后将SecurityManager放入ShiroFilterFactoryBean,在filter中设置权限
package com.example.shiro.shiro;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.Lifecycle;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
@Bean("securityManager")
public DefaultWebSecurityManager getManager(MyRealm realm){
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(realm);
// DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
// DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
// defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
// subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
// manager.setSubjectDAO(subjectDAO);
return manager;
}
@Bean("shiroFilter")
public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
Map filterMap = new HashMap<>();
filterMap.put("jwt", new JWTFilter());
factoryBean.setFilters(filterMap);
factoryBean.setSecurityManager(securityManager);
factoryBean.setUnauthorizedUrl("/401");
Map filterRuleMap = new HashMap<>();
filterRuleMap.put("/**", "jwt");
filterRuleMap.put("/401", "anon");
factoryBean.setFilterChainDefinitionMap(filterRuleMap);
return factoryBean;
}
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor(){
return new LifecycleBeanPostProcessor();
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager){
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}