Apache Shiro是一個功能強大且靈活的開源安全框架雳刺,可以清晰地處理身份驗證营密,授權(quán),企業(yè)會話管理和加密蛀骇。
驗證用戶以驗證其身份
-
為用戶執(zhí)行訪問控制,例如:
- 確定是否為用戶分配了某個安全角色
- 確定是否允許用戶執(zhí)行某些操作
在任何環(huán)境中使用Session API读拆,即使沒有Web容器或EJB容器也是如此擅憔。
在身份驗證,訪問控制或會話生命周期內(nèi)對事件做出反應(yīng)檐晕。
聚合用戶安全數(shù)據(jù)的1個或多個數(shù)據(jù)源暑诸,并將其全部顯示為單個復(fù)合用戶“視圖”蚌讼。
啟用單點登錄(SSO)功能
無需登錄即可為用戶關(guān)聯(lián)啟用“記住我”服務(wù)
Shiro針對Shiro開發(fā)團隊所稱的“應(yīng)用程序安全的四大基石” - 身份驗證,授權(quán)个榕,會話管理和加密:身份驗證:有時稱為“登錄”篡石,這是證明用戶是他們所說的人的行為。
授權(quán):訪問控制的過程西采,即確定“誰”可以訪問“什么”凰萨。
會話管理:即使在非Web或EJB應(yīng)用程序中,也可以管理特定于用戶的會話械馆。
密碼學(xué):使用加密算法保持數(shù)據(jù)安全胖眷,同時仍然易于使用。
具體參考: http://shiro.apache.org/reference.html
技術(shù)背景
- 開發(fā)工具:STS(eclipse)
- 技術(shù)選擇: SpringBoot, SpringDataJpa, shiro
- 數(shù)據(jù)庫選擇: MySQL, Redis
創(chuàng)建項目
創(chuàng)建maven子項目 study-springboot-backstage 引入一下依賴pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>study-springboot</groupId>
<artifactId>study-springboot</artifactId>
<version>0.0.1-SNAPSHOT</version>
</parent>
<artifactId>study-springboot-backstage</artifactId>
<description>后臺管理</description>
<dependencies>
<!-- 實體項目 -->
<dependency>
<groupId>study-springboot</groupId>
<artifactId>study-springboot-domain</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.4.0</version>
</dependency>
<!-- shiro+redis緩存插件 -->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>2.4.2.1-RELEASE</version>
</dependency>
<!-- 開啟注解 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
</dependencies>
<!-- 打包 -->
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
配置AuthorizingRealm,創(chuàng)建SysUserRealm.java
/**
* @describe shiro認證
* @author Bertram.Wang
*/
@Component
public class SysUserRealm extends AuthorizingRealm {
@Autowired
private SysUserRepository sysUserRepository;
@Autowired
private SysUserService sysUserService;
/**
* 授權(quán)(驗證權(quán)限時調(diào)用)
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SysUser user = (SysUser) principals.getPrimaryPrincipal();
Integer userId = user.getId();
// 用戶權(quán)限列表
Set<String> permsSet = sysUserService.getAuthorityByUserId(userId);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setStringPermissions(permsSet);
return info;
}
/**
* 認證(登錄時調(diào)用)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
String password = new String((char[]) token.getCredentials());
// 查詢用戶信息
SysUser user = sysUserRepository.findOneByNameAndPassword(username, password);
// 賬號不存在
if (user == null) {
throw new UnknownAccountException("賬號或密碼不正確");
}
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(userInfo, password, getName());
return info;
}
}
shiro配置類霹崎,主要是設(shè)置shiroFilter珊搀,securityManager, sessionManage等信息
自定義SessionManager
/**
* @Date 2019年4月10日
* @Sgin MySessionManager
* @Author Bertram.Wang
*/
public class MySessionManager extends DefaultWebSessionManager {
private static final String AUTHORIZATION = "Authorization";
private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
public MySessionManager() {
super();
}
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
//如果請求頭中有 Authorization 則其值為sessionId
if (!StringUtils.isEmpty(id)) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
return id;
} else {
//否則按默認規(guī)則從cookie取sessionId
return super.getSessionId(request, response);
}
}
}
shiroConfig.java
/**
* @Date 2019年4月10日
* @Sgin ShiroConfig
* @Author Bertram.Wang
*/
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 沒有登陸的用戶只能訪問登陸頁面
shiroFilterFactoryBean.setLoginUrl("/initlogin");
// 登錄成功后要跳轉(zhuǎn)的鏈接
//shiroFilterFactoryBean.setSuccessUrl("/auth/index");
// 未授權(quán)界面; ----這個配置了沒卵用仿畸,具體原因想深入了解的可以自行百度
shiroFilterFactoryBean.setUnauthorizedUrl("/initlogin");
//自定義攔截器
Map<String, Filter> filtersMap = new LinkedHashMap<String, Filter>();
//限制同一帳號同時在線的個數(shù)食棕。
filtersMap.put("kickout", kickoutSessionControlFilter());
shiroFilterFactoryBean.setFilters(filtersMap);
// 權(quán)限控制map.
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/img/**", "anon");
filterChainDefinitionMap.put("/login", "anon");
filterChainDefinitionMap.put("/logout", "logout");
filterChainDefinitionMap.put("/**/kickout", "anon");
filterChainDefinitionMap.put("/**", "authc,kickout");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public SecurityManager securityManager(SysUserRealm sysUserRealm) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(sysUserRealm);
// 自定義緩存實現(xiàn) 使用redis
securityManager.setCacheManager(cacheManager());
// 自定義session管理 使用redis
securityManager.setSessionManager(sessionManager());
return securityManager;
}
/**
* cacheManager 緩存 redis實現(xiàn) 使用的是shiro-redis開源插件
* @return
*/
public RedisCacheManager cacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
return redisCacheManager;
}
/**
* shiro redisManager 使用的是shiro-redis開源插件
* @return
*/
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost("localhost");
redisManager.setPort(6379);
redisManager.setExpire(1800);// 配置緩存過期時間
redisManager.setTimeout(0);
redisManager.setPassword("Redis1234!");
return redisManager;
}
/**
* Session Manager
*/
@Bean
public DefaultWebSessionManager sessionManager() {
MySessionManager mySessionManager = new MySessionManager();
mySessionManager.setSessionDAO(redisSessionDAO());
return mySessionManager;
}
/**
* RedisSessionDAO shiro
*/
@Bean
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
return redisSessionDAO;
}
/**
* *限制同一賬號登錄同時登錄人數(shù)控制
* @return
*/
@Bean
public KickoutSessionControlFilter kickoutSessionControlFilter() {
KickoutSessionControlFilter kickoutSessionControlFilter = new KickoutSessionControlFilter();
kickoutSessionControlFilter.setCacheManager(cacheManager());
kickoutSessionControlFilter.setSessionManager(sessionManager());
kickoutSessionControlFilter.setKickoutAfter(false);
kickoutSessionControlFilter.setMaxSession(1);
kickoutSessionControlFilter.setKickoutUrl("/auth/kickout");
return kickoutSessionControlFilter;
}
/***
* *授權(quán)所用配置
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
/***
* *使授權(quán)注解起作用不如不想配置可以在pom文件中加入
* <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
* @param securityManager
* @return
*/
// @Bean
// public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
// AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
// authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
// return authorizationAttributeSourceAdvisor;
// }
/**
* Shiro生命周期處理器
*/
@Bean
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
}
限制規(guī)則:
引用圖
- anon:準(zhǔn)許直接訪問
- authc:要求對請求用戶進行身份驗證,以便請求繼續(xù)错沽,如果沒有驗證簿晓,則強制用戶通過將其定向到您配置的LoginUurl來登錄。
- logout:接收到請求后千埃,將立即注銷當(dāng)前正在執(zhí)行的子節(jié)點憔儿,然后將它們重定向到已配置的redirecturl。
- perms: 如果當(dāng)前用戶具有映射值指定的權(quán)限放可,則允許訪問;如果用戶沒有指定的所有權(quán)限谒臼,則拒絕訪問
具體參考:http://shiro.apache.org/static/1.4.0/apidocs/org/apache/shiro/web/filter/
測試控制器
@RestController
public class TestController {
@Autowired
private SysUserService sysUserService;
@GetMapping("/hello")
public Response<?> hello() {
SysUser sysUser = sysUserRepository.findOneById(2);
return success(authorityByUserId);
}
}
測試類
/**
* <p> 測試<p>
* @Author Bertram.Wang
*/
@RunWith(SpringRunner.class)
@SpringBootTest(classes=Application.class, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class ApplicationTest {
private static final Logger log = LoggerFactory.getLogger(ApplicationTest.class);
@LocalServerPort
private int port;
private String base;
@Autowired
private TestRestTemplate restTemplate;
@Before
public void setUp() throws Exception {
this.base = String.format("http://localhost:%d/%s", port, "/backstage");
}
/**
* *設(shè)置請求消息頭
*/
private static HttpHeaders setHttpHeaders() {
HttpHeaders headers = new HttpHeaders();
headers.add("Content-type", "application/json;charset=utf-8;Accept:application/json;");// 設(shè)置編碼 這個一定不能去
headers.add("Authorization", AUTHORIZATION);
return headers;
}
// sessionID
private static final String AUTHORIZATION = "sessionId";
private String requestGET(String url){
HttpEntity<Object> requestEntity = new HttpEntity<>(setHttpHeaders());
ResponseEntity<String> rest = restTemplate.exchange(this.base + url, HttpMethod.GET, requestEntity, String.class);
return rest.getBody();
}
private String requestPOST(String url, Object data){
HttpEntity<Object> requestEntity = new HttpEntity<>(data, setHttpHeaders());
ResponseEntity<String> rest = restTemplate.postForEntity(this.base + url, requestEntity, String.class);
return rest.getBody();
}
// ---------------------LoginController--------------------------
@Test
public void logoutTest() throws Exception {
String requestGET = requestGET("/logout");
log.info("===================rest:{}", requestGET);
}
@Test
public void loginTest() throws Exception {
SysUserAO sysUserAO = new SysUserAO();
sysUserAO.setUsername("admin");
sysUserAO.setPassword("admin");
String requestPOST = requestPOST("/login", sysUserAO);
log.info("===================rest:{}", requestPOST);
}
@Test
public void helloTest() throws Exception {
String requestGET = requestGET("/hello");
log.info("===================rest:{}", requestGET);
}
}
執(zhí)行helloTest方法,
rest:{"code":20303,"message":"請先登錄","time":1555320155}耀里;
先執(zhí)行l(wèi)oginTest方法:
rest:{"code":0,"message":"成功","time":1555320426,"data":{"id":"a521dbf5-6a63-45d2-85de-95c121aeb0e9","host":"127.0.0.1","lastAccessTime":"2019-04-15T09:27:05.985+0000","timeout":1800000,"attributeKeys":["org.apache.shiro.subject.support.DefaultSubjectContext_AUTHENTICATED_SESSION_KEY","org.apache.shiro.subject.support.DefaultSubjectContext_PRINCIPALS_SESSION_KEY"],"startTimestamp":"2019-04-15T09:27:05.985+0000"}}
把rest.data.id替換sessionId蜈缤,再執(zhí)行helloTest方法:
rest:{"code":0,"message":"成功","time":1555328243,"data":{"id":2,"createDate":"2019-04-10T09:31:51.000+0000","modifyDate":"2019-04-10T09:31:53.000+0000","name":"admin","password":"8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918","roles":[{"id":1,"createDate":"2019-04-03T06:53:22.000+0000","modifyDate":"2019-04-03T06:53:25.000+0000","name":"ADMIN","parentId":0,"menus":[{"id":1,"createDate":"2018-08-30T09:27:32.000+0000","modifyDate":"2018-10-10T08:44:03.000+0000","name":"系統(tǒng)管理","parentId":0,"permission":null,"type":0,"url":null,"icon":"fa fa-cog","orderNum":1}]}]}}
