1.什么是免登錄功能
當(dāng)我們的應(yīng)用需要集成到第三方平臺(tái)時(shí)(比如微信),第三方平臺(tái)的賬戶和我們應(yīng)用必然不是同一個(gè)励七,為了方便用戶使用崇裁,我們不可能每次在微信打開(kāi)我們的H5頁(yè)面時(shí),都需要進(jìn)行登錄蜻底。我們需要做的是骄崩,把微信賬號(hào)和我們應(yīng)用內(nèi)的賬號(hào)進(jìn)行綁定,綁定過(guò)后薄辅,進(jìn)入應(yīng)用就不需要在登錄了要拂。并且修改密碼不影響這個(gè)免登功能。
2.怎么實(shí)現(xiàn)免登功能
在講什么實(shí)現(xiàn)之前长搀,先思考一下宇弛,為什么需要登錄這個(gè)操作,如何保持登錄狀態(tài)
登錄操作源请,通過(guò)驗(yàn)證用戶名和密碼枪芒,讓系統(tǒng)承認(rèn)你是對(duì)應(yīng)用戶信息的擁有人,并授權(quán)做一些操作谁尸,簡(jiǎn)單來(lái)講舅踪,登錄就是拿到你自己的id,用這個(gè)id你可以做一些和自己有關(guān)的事情
如何保持登錄狀態(tài)則利用到了Cookie(Cookie不是必須的,也可以用其他方式實(shí)現(xiàn)良蛮,如Header)和Session
Cookie存在于客戶端抽碌,用來(lái)找到對(duì)應(yīng)的Session
Session存在于服務(wù)端,用來(lái)維持用戶登錄狀態(tài),內(nèi)部具體保存內(nèi)容货徙,見(jiàn)下一節(jié)
用戶在訪問(wèn)頁(yè)面后就會(huì)生成session以及cookie左权,但是這個(gè)session可以和用戶無(wú)關(guān),用戶執(zhí)行登錄操作后痴颊,會(huì)綁定用戶信息到session中去
session和cookie缺少一者赏迟,都需要重新登錄
接上文,在與第三方綁定過(guò)后蠢棱,一般會(huì)直接進(jìn)入應(yīng)用锌杀,對(duì)應(yīng)服務(wù)器會(huì)生成Session,客戶端會(huì)生成cookie泻仙,但是隨著時(shí)間流逝史翘,要么session會(huì)失效(服務(wù)器重啟什么的),要么cookie會(huì)失效(本地清除緩存)箩退,但是我們的需求是梨熙,只要綁定過(guò)后沃琅,從第三方進(jìn)入應(yīng)用,就是不需要登錄的究抓。
最關(guān)鍵的一點(diǎn)浮出水面了蒿柳,你知道我們應(yīng)該做什么事情嗎?漩蟆?
那就是重建Session(跳過(guò)登錄操作,綁定用戶信息到Session)
解釋下上面的流程圖
- 請(qǐng)求應(yīng)用頁(yè)的時(shí)候妓蛮,會(huì)帶上本地的cookie發(fā)送到服務(wù)器來(lái)校驗(yàn)對(duì)應(yīng)session是否存在以及有效怠李,如果有效,正常訪問(wèn)應(yīng)用頁(yè)蛤克,不需要進(jìn)行登錄或綁定
- 在第1步失敗的情況下捺癞,會(huì)跳轉(zhuǎn)到綁定頁(yè)面,首先從上下文中拿到第三方userid构挤,請(qǐng)求服務(wù)器接口判斷是否存在對(duì)應(yīng)用戶信息髓介,如果存在,把用戶信息綁定到當(dāng)前session,跳轉(zhuǎn)到目標(biāo)頁(yè)筋现。(session在訪問(wèn)綁定頁(yè)的時(shí)候會(huì)生成一個(gè))
- 如果第2步找不到用戶信息唐础,那么不進(jìn)行任何跳轉(zhuǎn),讓用戶進(jìn)行綁定操作
綁定操作矾飞,主要是把第三方用戶id和我們應(yīng)用內(nèi)用戶id以及其他信息綁定
下面開(kāi)始源碼分析一膨,我們應(yīng)該如何重建Session,看源碼還是有好處的洒沦,Shiro沒(méi)有特別來(lái)講這個(gè)東西豹绪。
3. Shiro源碼分析
3.1 Shiro對(duì)session的抽象
看下Session接口能讓我們對(duì)Session的理解更加深刻點(diǎn),主要講下其中幾個(gè)屬性
id:用來(lái)和cookie保存的用戶憑證匹配
touch:用來(lái)刷新session
stop:用來(lái)停止session
attribute: 我們的用戶詳細(xì)信息就保存在這里
3.2 Session的獲取與創(chuàng)建
3.2.1 Session的創(chuàng)建
Session的創(chuàng)建由DefaultSessionManager的doCreateSession方法實(shí)現(xiàn)
protected Session doCreateSession(SessionContext context) {
Session s = newSessionInstance(context);
if (log.isTraceEnabled()) {
log.trace("Creating session for host {}", s.getHost());
}
create(s);
return s;
}
newSessionInstance方法中使用SessionFactory的createSession創(chuàng)建初始Session
public Session createSession(SessionContext initData) {
if (initData != null) {
String host = initData.getHost();
if (host != null) {
return new SimpleSession(host);
}
}
return new SimpleSession();
}
注意到其實(shí)只放了host申眼,sessionID在doCreateSession里的create方法里賦值
protected void create(Session session) {
if (log.isDebugEnabled()) {
log.debug("Creating new EIS record for new session instance [" + session + "]");
}
sessionDAO.create(session);
}
可以看到create方法里使用sessionDAO.create(session)對(duì)session進(jìn)行里處理瞒津,我們看下框架提供的AbstractSessionDAO
public Serializable create(Session session) {
Serializable sessionId = doCreate(session);
verifySessionId(sessionId);
return sessionId;
}
這邊有個(gè)doCreate會(huì)返回sessionID蝉衣,也就是說(shuō)里面會(huì)對(duì)session構(gòu)建sessionid,與此同時(shí)巷蚪,sessionDAO本身的功能病毡,保存session到第三方存儲(chǔ)也在這里面實(shí)現(xiàn),我們看下MemorySessionDAO的實(shí)現(xiàn)
protected Serializable doCreate(Session session) {
Serializable sessionId = generateSessionId(session);
assignSessionId(session, sessionId);
storeSession(sessionId, session);
return sessionId;
}
3.2.2 Session的獲取
Shiro獲取Session的邏輯在DefaultSessionManager的resolveSession方法中钓辆,過(guò)程分為兩步
protected Session retrieveSession(SessionKey sessionKey) throws UnknownSessionException {
Serializable sessionId = getSessionId(sessionKey);//1
if (sessionId == null) {
log.debug("Unable to resolve session ID from SessionKey [{}]. Returning null to indicate a " +
"session could not be found.", sessionKey);
return null;
}
Session s = retrieveSessionFromDataSource(sessionId);//2
if (s == null) {
//session ID was provided, meaning one is expected to be found, but we couldn't find one:
String msg = "Could not find session with ID [" + sessionId + "]";
throw new UnknownSessionException(msg);
}
return s;
}
- 獲取sessionID
獲取SessionID由DefaultWebSessionManager的getSessionId方法實(shí)現(xiàn)
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
return getReferencedSessionId(request, response);
}
再來(lái)看下getReferencedSessionId的具體邏輯
private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
String id = getSessionIdCookieValue(request, response);//1
if (id != null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
} else {
//not in a cookie, or cookie is disabled - try the request URI as a fallback (i.e. due to URL rewriting):
//try the URI path segment parameters first:
id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME);//2
if (id == null) {
//not a URI path segment parameter, try the query parameters:
String name = getSessionIdName();
id = request.getParameter(name);//3
if (id == null) {
//try lowercase:
id = request.getParameter(name.toLowerCase());//4
}
}
if (id != null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
}
}
if (id != null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
//automatically mark it valid here. If it is invalid, the
//onUnknownSession method below will be invoked and we'll remove the attribute at that time.
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
}
return id;
}
邏輯如下
- 通過(guò)getSessionIdCookieValue從cookie去獲取剪验,獲取不到,進(jìn)入下一步
- 調(diào)用getUriPathSegmentParamValue從url的Segement片段獲取前联,獲取不到功戚,進(jìn)入下一步
- 調(diào)用request.getParameter從url帶的參數(shù)中獲取,獲取不到似嗤,進(jìn)入下一步
- 調(diào)用request.getParameter從url帶的參數(shù)中獲取啸臀,但是對(duì)傳入的參數(shù)轉(zhuǎn)換為小寫
Segement片段,這部分不看源碼還真不知道有這東西,在URL中的位置如下烁落,
protocol://host:port/path;segement?param=value
2.獲取Session
在拿到SessionId之后就要通過(guò)SessionDao獲取Session了,先看下retrieveSessionFromDataSource方法
protected Session retrieveSessionFromDataSource(Serializable sessionId) throws UnknownSessionException {
return sessionDAO.readSession(sessionId);
}
委托給了sessionDAO做處理乘粒,SessionDAO的主要作用是做Session的持久化存儲(chǔ)
SessionDAO默認(rèn)實(shí)現(xiàn)為MemorySessionDAO,但是我們?yōu)榱酥С旨翰渴穑枰远x實(shí)現(xiàn)伤塌,一般使用Redis來(lái)擴(kuò)展
3.3session中用戶信息的設(shè)置和獲取
上面講了session的創(chuàng)建和獲取灯萍,其實(shí)都不是本文關(guān)鍵點(diǎn),我最關(guān)注的是Session里的用戶信息是怎么設(shè)置進(jìn)去的每聪,需要設(shè)置哪些內(nèi)容
用戶信息的設(shè)置旦棉,很明顯是登陸過(guò)后,我們看下登陸的方法做了什么
入口在DelegatingSubject的login方法
public void login(AuthenticationToken token) throws AuthenticationException {
clearRunAsIdentitiesInternal();
Subject subject = securityManager.login(this, token);
PrincipalCollection principals;
String host = null;
if (subject instanceof DelegatingSubject) {
DelegatingSubject delegating = (DelegatingSubject) subject;
//we have to do this in case there are assumed identities - we don't want to lose the 'real' principals:
principals = delegating.principals;
host = delegating.host;
} else {
principals = subject.getPrincipals();
}
if (principals == null || principals.isEmpty()) {
String msg = "Principals returned from securityManager.login( token ) returned a null or " +
"empty value. This value must be non null and populated with one or more elements.";
throw new IllegalStateException(msg);
}
this.principals = principals;
this.authenticated = true;
if (token instanceof HostAuthenticationToken) {
host = ((HostAuthenticationToken) token).getHost();
}
if (host != null) {
this.host = host;
}
Session session = subject.getSession(false);
if (session != null) {
this.session = decorate(session);
} else {
this.session = null;
}
}
這邊并沒(méi)有明顯的對(duì)session的操作药薯,但是我們可以發(fā)現(xiàn)
Subject subject = securityManager.login(this, token);
這句代碼生成了一個(gè)subject绑洛,并且后面的代碼,會(huì)把這個(gè)subject的內(nèi)容替換給當(dāng)前的subject童本,比如
Session session = subject.getSession(false);
那么對(duì)session設(shè)置用戶信息的代碼肯定在securityManager.login里面
public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
info = authenticate(token);
} catch (AuthenticationException ae) {
try {
onFailedLogin(token, ae, subject);
} catch (Exception e) {
if (log.isInfoEnabled()) {
log.info("onFailedLogin method threw an " +
"exception. Logging and propagating original AuthenticationException.", e);
}
}
throw ae; //propagate
}
Subject loggedIn = createSubject(token, info, subject);
onSuccessfulLogin(token, info, loggedIn);
return loggedIn;
}
在這個(gè)方法里面真屯,通過(guò)createSubject生成了subject,再次進(jìn)入
protected Subject createSubject(AuthenticationToken token, AuthenticationInfo info, Subject existing) {
SubjectContext context = createSubjectContext();
context.setAuthenticated(true);
context.setAuthenticationToken(token);
context.setAuthenticationInfo(info);
if (existing != null) {
context.setSubject(existing);
}
return createSubject(context);
}
使用入?yún)?chuàng)建了上下文,然后調(diào)用上下文為參數(shù)的重載方法createSubject(context)
查看DefaultSecurityManager的createSubject(context)方法
public Subject createSubject(SubjectContext subjectContext) {
//create a copy so we don't modify the argument's backing map:
SubjectContext context = copy(subjectContext);
//ensure that the context has a SecurityManager instance, and if not, add one:
context = ensureSecurityManager(context);
//Resolve an associated Session (usually based on a referenced session ID), and place it in the context before
//sending to the SubjectFactory. The SubjectFactory should not need to know how to acquire sessions as the
//process is often environment specific - better to shield the SF from these details:
context = resolveSession(context);
//Similarly, the SubjectFactory should not require any concept of RememberMe - translate that here first
//if possible before handing off to the SubjectFactory:
context = resolvePrincipals(context);
Subject subject = doCreateSubject(context);
//save this subject for future reference if necessary:
//(this is needed here in case rememberMe principals were resolved and they need to be stored in the
//session, so we don't constantly rehydrate the rememberMe PrincipalCollection on every operation).
//Added in 1.2:
save(subject);
return subject;
}
前面的代碼都是設(shè)置上下文穷娱,創(chuàng)建subject绑蔫,我們需要的邏輯在save方法里
protected void save(Subject subject) {
this.subjectDAO.save(subject);
}
public Subject save(Subject subject) {
if (isSessionStorageEnabled(subject)) {
saveToSession(subject);
} else {
log.trace("Session storage of subject state for Subject [{}] has been disabled: identity and " +
"authentication state are expected to be initialized on every request or invocation.", subject);
}
return subject;
}
protected void saveToSession(Subject subject) {
//performs merge logic, only updating the Subject's session if it does not match the current state:
mergePrincipals(subject);
mergeAuthenticationState(subject);
}
終于找到這個(gè)看起來(lái)很像的saveToSession方法
很明顯在mergePrincipals方法里,繼續(xù)
protected void mergePrincipals(Subject subject) {
//merge PrincipalCollection state:
PrincipalCollection currentPrincipals = null;
//SHIRO-380: added if/else block - need to retain original (source) principals
//This technique (reflection) is only temporary - a proper long term solution needs to be found,
//but this technique allowed an immediate fix that is API point-version forwards and backwards compatible
//
//A more comprehensive review / cleaning of runAs should be performed for Shiro 1.3 / 2.0 +
if (subject.isRunAs() && subject instanceof DelegatingSubject) {
try {
Field field = DelegatingSubject.class.getDeclaredField("principals");
field.setAccessible(true);
currentPrincipals = (PrincipalCollection)field.get(subject);
} catch (Exception e) {
throw new IllegalStateException("Unable to access DelegatingSubject principals property.", e);
}
}
if (currentPrincipals == null || currentPrincipals.isEmpty()) {
currentPrincipals = subject.getPrincipals();
}
Session session = subject.getSession(false);
if (session == null) {
if (!isEmpty(currentPrincipals)) {
session = subject.getSession();
session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
}
// otherwise no session and no principals - nothing to save
} else {
PrincipalCollection existingPrincipals =
(PrincipalCollection) session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
if (isEmpty(currentPrincipals)) {
if (!isEmpty(existingPrincipals)) {
session.removeAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
}
// otherwise both are null or empty - no need to update the session
} else {
if (!currentPrincipals.equals(existingPrincipals)) {
session.setAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY, currentPrincipals);
}
// otherwise they're the same - no need to update the session
}
}
}
可以觀察到用戶信息被設(shè)置到session的attribute里鄙煤,key為DefaultSubjectContext.PRINCIPALS_SESSION_KEY
當(dāng)然mergeAuthenticationState也是必須的
protected void mergeAuthenticationState(Subject subject) {
Session session = subject.getSession(false);
if (session == null) {
if (subject.isAuthenticated()) {
session = subject.getSession();
session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
}
//otherwise no session and not authenticated - nothing to save
} else {
Boolean existingAuthc = (Boolean) session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
if (subject.isAuthenticated()) {
if (existingAuthc == null || !existingAuthc) {
session.setAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY, Boolean.TRUE);
}
//otherwise authc state matches - no need to update the session
} else {
if (existingAuthc != null) {
//existing doesn't match the current state - remove it:
session.removeAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
}
//otherwise not in the session and not authenticated - no need to update the session
}
}
}
他會(huì)在session里面設(shè)置DefaultSubjectContext.AUTHENTICATED_SESSION_KEY晾匠,值為true是表示session內(nèi)的用戶信息是驗(yàn)證過(guò)后的,有效的
那么我們的問(wèn)題也解決了梯刚,我們只需要把第三方id和用戶信息綁定關(guān)系存下來(lái)凉馆,然后在綁定頁(yè)面渲染之前判斷當(dāng)前第三方id是否綁定了用戶信息,如果有,直接在當(dāng)前session對(duì)象塞入這2個(gè)內(nèi)容澜共,并且返回true給前端向叉,讓前端執(zhí)行重定向。重定向到其他子系統(tǒng)的時(shí)候嗦董,shiro框架會(huì)重新根據(jù)sessionid去查詢session是否有效母谎,此時(shí)session已經(jīng)有效了,能正常訪問(wèn)子系統(tǒng)頁(yè)面
目標(biāo)頁(yè)的系統(tǒng)也集成了我單點(diǎn)登陸的shiro配置京革,所以會(huì)在shirofilter里面校驗(yàn)session是否存在并且有效奇唤,然后進(jìn)入系統(tǒng),而不是跳轉(zhuǎn)到單點(diǎn)登陸
在我Demo中也模擬了這個(gè)免登陸功能
查詢用戶是否綁定接口代碼如下
@GetMapping("/isUserBind")
@ResponseBody
public WebResult isUserBind(@RequestParam("thirdUserId")String thirdUserId){
if(!UserBindInfoCache.containsKey(thirdUserId)){
return new WebResult(null,false);
}
Subject subject =SecurityUtils.getSubject();
Session session = subject.getSession(false);
SessionKey sessionKey = new DefaultSessionKey(session.getId());
Principal principal = UserBindInfoCache.get(thirdUserId);
SimplePrincipalCollection simplePrincipalCollection = new SimplePrincipalCollection(principal, AuthenticationRealm.class.getName());
sessionManager.setAttribute(sessionKey, DefaultSubjectContext.PRINCIPALS_SESSION_KEY,simplePrincipalCollection);
sessionManager.setAttribute(sessionKey, DefaultSubjectContext.AUTHENTICATED_SESSION_KEY,true);
return new WebResult(null,true);
}
前端邏輯代碼如下
<script>
//模擬第三方環(huán)境
var thirdUserId ="abcd1234";
$(function () {
$.get("/isUserBind",{
thirdUserId:thirdUserId
},function (result) {
if(result.flag==true){
window.location.href = $('#redirectUrl').val();
}else{
$('#bindPage').removeClass('hidden')
}
},"json")
$('#loginButton').click(function (event) {
event.preventDefault()
var username = $('#username').val();
var password = $('#password').val();
var redirectUrl = $('#redirectUrl').val();
$.post("/bind",{
username:username,
password:password,
thirdUserId:thirdUserId
},function (result) {
console.log(JSON.stringify(result));
if(result.flag==true){
window.location.href=redirectUrl;
}
},"json")
})
})
</script>