自定义Realm
doGetAuthenticationInfo
身份验证,主要是在登录时的逻辑处理。doGetAuthorizationInfo
登录认证成功后,赋予用户角色与权限。
用户进行权限验证时,shiro会去缓存中找,如果查不到数据,会执行 doGetAuthorizationInfo 这个方法去查权限,并放入缓存中。
Shiro配置类
基础配置
自定义过滤器,并存入 filterMap
// 自定义过滤器Map<String, Filter> filtersMap = new LinkedHashMap<>();// 定义过滤器名称 【注:map里面key值对于的value要为authc才能使用自定义的过滤器】filtersMap.put( "zqPerms", new MyPermissionsAuthorizationFilter() );filtersMap.put( "zqRoles", new MyRolesAuthorizationFilter() );filtersMap.put( "token", new TokenCheckFilter() );shiroFilterFactoryBean.setFilters(filtersMap);
身份验证器
新建自定义Realm对象,并通过 @Bean 注入Spring容器,交由Spring容器管理。
/*** 身份验证器*/@Beanpublic ShiroRealm shiroRealm() {ShiroRealm shiroRealm = new ShiroRealm();shiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());return shiroRealm;}
安全管理器
自定义session管理、自定义Cache管理、自定义Realm验证
/*** 安全管理器*/@Beanpublic SecurityManager securityManager() {DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();// 自定义session管理securityManager.setSessionManager(sessionManager());// 自定义Cache实现缓存管理securityManager.setCacheManager(cacheManager());// 自定义Realm验证securityManager.setRealm(shiroRealm());return securityManager;}
自定义Realm加密规则
/*** 自定义Realm的加密规则 ->* 凭证匹配器:将密码校验交给Shiro的SimpleAuthenticationInfo进行处理,在这里做匹配配置*/@Beanpublic HashedCredentialsMatcher hashedCredentialsMatcher() {HashedCredentialsMatcher shaCredentialsMatcher = new HashedCredentialsMatcher();// 散列算法:这里使用SHA256算法;shaCredentialsMatcher.setHashAlgorithmName(SHA256Util.HASH_ALGORITHM_NAME);// 散列的次数,比如散列两次,相当于 md5(md5(""));shaCredentialsMatcher.setHashIterations(SHA256Util.HASH_ITERATIONS);return shaCredentialsMatcher;}
完整代码
@Configurationpublic class ShiroConfig {private final String CACHE_KEY = "shiro:cache:";private final String SESSION_KEY = "shiro:session:";/*** 默认过期时间30分钟,即在30分钟内不进行操作则清空缓存信息,页面即会提醒重新登录*/private final int EXPIRE = 1800;/*** Redis配置*/@Value("${redis.host}")private String host;@Value("${redis.port}")private int port;@Value("${redis.password}")private String password;/*** 开启Shiro-aop注解支持:使用代理方式所以需要开启代码支持*/@Beanpublic AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);return authorizationAttributeSourceAdvisor;}/*** Shiro生命周期处理器* 此方法需要用static作为修饰词,否则无法通过@Value()注解的方式获取配置文件的值**/@Beanpublic static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {return new LifecycleBeanPostProcessor();}/*** Shiro基础配置*/@Beanpublic ShiroFilterFactoryBean shiroFilterFactory(SecurityManager securityManager, ShiroServiceImpl shiroService){ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();shiroFilterFactoryBean.setSecurityManager(securityManager);// 自定义过滤器Map<String, Filter> filtersMap = new LinkedHashMap<>();// 定义过滤器名称 【注:map里面key值对应的value要有authc才能使用自定义的过滤器】filtersMap.put( "zqPerms", new CustomizePermissionsAuthFilter() );filtersMap.put( "zqRoles", new CustomizeRolesAuthFilter() );// filtersMap.put( "token", new TokenCheckFilter() );shiroFilterFactoryBean.setFilters(filtersMap);// 登录成功后跳转的主页面 (这里没用,前端vue控制了跳转)// shiroFilterFactoryBean.setSuccessUrl("/index");// 登录的路径: 如果你没有登录则会跳到这个页面中// 如果没有设置值则会默认跳转到工程根目录下的"/login.jsp"页面 或 "/login" 映射shiroFilterFactoryBean.setLoginUrl(Constants.LOGIN_URL);// 设置没有权限时跳转的urlshiroFilterFactoryBean.setUnauthorizedUrl(Constants.UN_AUTH_URL);shiroFilterFactoryBean.setFilterChainDefinitionMap( shiroService.loadFilterChainDefinitionMap() );return shiroFilterFactoryBean;}/*** 配置Redis管理器:使用的是shiro-redis开源插件*/@Beanpublic RedisManager redisManager() {RedisManager redisManager = new RedisManager();redisManager.setHost(host + ":" + port);redisManager.setTimeout(6000);redisManager.setPassword(password);return redisManager;}/*** 配置Cache管理器:用于往Redis存储权限和角色标识 (使用的是shiro-redis开源插件)*/@Beanpublic RedisCacheManager cacheManager() {RedisCacheManager redisCacheManager = new RedisCacheManager();redisCacheManager.setRedisManager(redisManager());redisCacheManager.setKeyPrefix(CACHE_KEY);// 配置缓存的话要求放在session里面的实体类必须有个id标识 注:这里id为用户表中的主键,否-> 报:User must has getter for field: xxredisCacheManager.setPrincipalIdFieldName("userId");return redisCacheManager;}/*** SessionID生成器*/@Beanpublic ShiroSessionIdGenerator sessionIdGenerator(){return new ShiroSessionIdGenerator();}/*** 配置RedisSessionDAO (使用的是shiro-redis开源插件)*/@Beanpublic RedisSessionDAO redisSessionDAO() {RedisSessionDAO redisSessionDAO = new RedisSessionDAO();redisSessionDAO.setRedisManager(redisManager());redisSessionDAO.setSessionIdGenerator(sessionIdGenerator());redisSessionDAO.setKeyPrefix(SESSION_KEY);redisSessionDAO.setExpire(EXPIRE);return redisSessionDAO;}/*** 配置Session管理器*/@Beanpublic SessionManager sessionManager() {SimpleCookie simpleCookie = new SimpleCookie(Constants.SHIRO_TOKEN);simpleCookie.setPath("/");simpleCookie.setHttpOnly(false);ShiroSessionManager shiroSessionManager = new ShiroSessionManager();shiroSessionManager.setSessionDAO(redisSessionDAO());return shiroSessionManager;}}
shiro动态权限处理方法
1、初始化权限信息loadFilterChainDefinitionMap
在shiro基础配置里 shiroFilterFactory 方法里,需要调用此方法从数据库中配置所有uri权限全部加载进去,以及放行的接口和配置权限过滤器等。
2、动态刷新加载数据库中的uri权限updatePermission
页面在新增uri路径到数据库中,也就是在配置新的权限时就可以调用此方法实现动态加载uri权限。
3、shiro动态权限加载 updatePermissionByRoleId
在分配给指定用户权限时,可以调用此方法删除shiro缓存,重新执行 doAuthizationInfo 方法授权角色和权限。
@Slf4j@Servicepublic class ShiroServiceImpl implements ShiroService {@Autowiredprivate PermMenuService permMenuService;@Autowiredprivate RoleService roleService;@Autowiredprivate UserService userService;private static final String ANONYMOUS = "anon";@Overridepublic Map<String, String> loadFilterChainDefinitionMap() {// 权限控制mapMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();// 配置过滤: 不会被拦截的链接// --------------- 放行 start ---------------// 放行Swagger2页面filterChainDefinitionMap.put("/doc.html", ANONYMOUS);filterChainDefinitionMap.put("/api-docs-ext", ANONYMOUS);filterChainDefinitionMap.put("/api-docs", ANONYMOUS);filterChainDefinitionMap.put("/swagger-ui.html", ANONYMOUS);filterChainDefinitionMap.put("/swagger/**", ANONYMOUS);filterChainDefinitionMap.put("/webjars/**", ANONYMOUS);filterChainDefinitionMap.put("/swagger-resources/**", ANONYMOUS);filterChainDefinitionMap.put("/v2/**", ANONYMOUS);filterChainDefinitionMap.put("/static/**", ANONYMOUS);// 登录filterChainDefinitionMap.put("/open/auth/api/**", ANONYMOUS);// 退出filterChainDefinitionMap.put(Constants.LOGIN_URL, ANONYMOUS);// 放行未授权接口,重定向使用filterChainDefinitionMap.put(Constants.UN_AUTH_URL, ANONYMOUS);// token过期接口filterChainDefinitionMap.put(Constants.TOKEN_EXPIRED_URL, ANONYMOUS);// 被挤下线filterChainDefinitionMap.put(Constants.DOWN_LINE_URL, ANONYMOUS);// --------------- 放行 end --------------------// 从数据库或缓存中查找出来的url与resources对应则不会被拦截,放行List<PermMenuPo> permList = permMenuService.selectList(null);if (!CollectionUtils.isEmpty(permList)) {permList.forEach(perm -> {if (StringUtils.isNotBlank(perm.getApiPath())) {// 根据url查询相关联的角色名,拼接自定义的角色权限List<RoleVo> roleList = roleService.queryByPermId(perm.getPermId());StringJoiner zqRoles = new StringJoiner(",", "zqRoles[", "]");if (!CollectionUtils.isEmpty(roleList)) {roleList.forEach(role -> {zqRoles.add(role.getRoleId());});}// 注意过滤器配置顺序不能颠倒// (1) 认证登录// (2) 认证自定义的token过滤器 - 判断token是否有效// (3) 角色权限 zqRoles: 自定义的只需要满足其中一个角色即可访问// roles[admin, guest] : 默认需要每个参数满足才算通过,相当于hasAllRoles()方法// (4) 操作权限 zqPerms: 认证自定义的url过滤器拦截权限// filterChainDefinitionMap.put(perm.getApiPath(), "authc,token," + zqRoles.toString() + ",zqPerms[" + perm.getPermId() + "]");filterChainDefinitionMap.put(perm.getApiPath(), "authc," + zqRoles.toString() + ",zqPerms[" + perm.getResource() + "]");// filterChainDefinitionMap.put("/api/system/user/listPage", "authc,token,zqPerms[user1]"); // 写死的一种用法}});}// (5) 认证登录filterChainDefinitionMap.put("/**", "authc");return filterChainDefinitionMap;}@Overridepublic void updatePermission(ShiroFilterFactoryBean shiroFilterFactoryBean, String roleId, Boolean isRemoveSession) {synchronized (this) {AbstractShiroFilter shiroFilter;try {shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean.getObject();} catch (Exception e) {e.printStackTrace();log.error("get ShiroFilter from shiroFilterFactoryBean error!");return;}PathMatchingFilterChainResolver filterChainResolver = (PathMatchingFilterChainResolver) shiroFilter.getFilterChainResolver();DefaultFilterChainManager manager = (DefaultFilterChainManager) filterChainResolver.getFilterChainManager();// 清空拦截管理器中的存储manager.getFilterChains().clear();// 清空拦截工厂中的存储,如果不清空这里,还会把之前的带进去// ps:如果仅仅是更新的话,可以根据这里的 map 遍历数据修改,重新整理好权限再一起添加shiroFilterFactoryBean.getFilterChainDefinitionMap().clear();// 动态查询数据库中所有权限shiroFilterFactoryBean.setFilterChainDefinitionMap(loadFilterChainDefinitionMap());// 重新构建生成拦截Map<String, String> chains = shiroFilterFactoryBean.getFilterChainDefinitionMap();for (Map.Entry<String, String> entry : chains.entrySet()) {manager.createChain(entry.getKey(), entry.getValue());}log.info("--------------- 动态生成url权限成功!------------------");// 动态更新该角色关联的用户shiro权限if (roleId != null) {updatePermissionByRoleId(roleId, isRemoveSession);}}}@Overridepublic void updatePermissionByRoleId(String roleId, Boolean isRemoveSession) {// 查询当前角色的shiro缓存信息 -> 实现动态权限List<UserVo> userList = userService.queryByRoleId(roleId);// 删除当前角色关联的用户缓存信息,用户再次访问接口时会重新授权, isRemoveSession为true时删除Session->即强制用户退出if (!CollectionUtils.isEmpty(userList)) {for (UserVo user : userList) {ShiroUtils.deleteCache(user.getUserAccount(), isRemoveSession);}}log.info("------------------ 动态修改用户权限成功! ------------------");}@Overridepublic void updatePermissionByUserId(String userId, Boolean isRemoveSession) {UserPo userPo = userService.selectById(userId);ShiroUtils.deleteCache(userPo.getUserAccount(), isRemoveSession);log.info("------------------ 动态修改用户权限成功! ------------------");}@Overridepublic void updatePermissionByUserId(List<String> userIdList, Boolean isRemoveSession) {List<UserPo> userPoList = userService.selectBatchIds(userIdList);if (!userPoList.isEmpty()) {for (UserPo userPo : userPoList) {ShiroUtils.deleteCache(userPo.getUserAccount(), isRemoveSession);}}log.info("------------------ 动态修改用户权限成功! ------------------");}}
Shiro工具类
public class ShiroUtils {/** 私有构造器 **/private ShiroUtils(){ }private static RedisSessionDAO redisSessionDAO = SpringUtil.getBean(RedisSessionDAO.class);/*** 获取当前用户Session* @Return SysUserEntity 用户信息*/public static Session getSession() {return SecurityUtils.getSubject().getSession();}/*** 用户登出*/public static void logout() {SecurityUtils.getSubject().logout();}/*** 获取当前用户信息* @Return SysUserEntity 用户信息*/public static User getUserInfo() {return (User) SecurityUtils.getSubject().getPrincipal();}/*** 删除用户缓存信息* @Param username 用户名称* @Param isRemoveSession 是否删除Session,删除后用户需重新登录*/public static void deleteCache(String username, boolean isRemoveSession){//从缓存中获取SessionSession session = null;// 获取当前已登录的用户session列表Collection<Session> sessions = redisSessionDAO.getActiveSessions();User sysUserEntity;Object attribute = null;// 遍历Session,找到该用户名称对应的Sessionfor(Session sessionInfo : sessions){attribute = sessionInfo.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);if (attribute == null) {continue;}sysUserEntity = (User) ((SimplePrincipalCollection) attribute).getPrimaryPrincipal();if (sysUserEntity == null) {continue;}if (Objects.equals(sysUserEntity.getUsername(), username)) {session=sessionInfo;// 清除该用户以前登录时保存的session,强制退出 -> 单用户登录处理if (isRemoveSession) {redisSessionDAO.delete(session);}}}if (session == null||attribute == null) {return;}//删除sessionif (isRemoveSession) {redisSessionDAO.delete(session);}//删除Cache,再访问受限接口时会重新授权DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();Authenticator authc = securityManager.getAuthenticator();((LogoutAware) authc).onLogout((SimplePrincipalCollection) attribute);}/*** 从缓存中获取指定用户名的Session* @param username*/private static Session getSessionByUsername(String username){// 获取当前已登录的用户session列表Collection<Session> sessions = redisSessionDAO.getActiveSessions();User user;Object attribute;// 遍历Session,找到该用户名称对应的Sessionfor(Session session : sessions){attribute = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);if (attribute == null) {continue;}user = (User) ((SimplePrincipalCollection) attribute).getPrimaryPrincipal();if (user == null) {continue;}if (Objects.equals(user.getUsername(), username)) {return session;}}return null;}}
若有收获,就点个赞吧
0 人点赞
