前言

目的:

通过注解完成权限控制。

源码下载:Spring-Boot-Shiro-master.zip

效果:

image.png

操作

代码一览

image.png

maven引用

  1. <dependency>
  2.     <groupId>org.apache.shiro</groupId>
  3.     <artifactId>shiro-spring</artifactId>
  4.     <version>1.3.2</version>
  5. </dependency>
  6. <dependency>
  7.     <groupId>com.auth0</groupId>
  8.     <artifactId>java-jwt</artifactId>
  9.     <version>3.2.0</version>
  10. </dependency>
  11. <dependency>
  12.     <groupId>org.springframework.boot</groupId>
  13.     <artifactId>spring-boot-starter-web</artifactId>
  14.     <version>1.5.8.RELEASE</version>
  15. </dependency>
  16. <!--lombok-->
  17. <dependency>
  18.     <groupId>org.projectlombok</groupId>
  19.     <artifactId>lombok</artifactId>
  20.     <version>1.18.4</version>
  21. </dependency>

基础代码

ShiroUserBean

  1. @Data
  2. @Builder
  3. @NoArgsConstructor
  4. @AllArgsConstructor
  5. @FieldNameConstants
  6. public class ShiroUserBean {
  7.     private String username;
  9.     private String password;
  11.     private String role;
  13.     private String permission;
  14. }

JWTUtil

  1. import com.auth0.jwt.JWT;
  2. import com.auth0.jwt.JWTVerifier;
  3. import com.auth0.jwt.algorithms.Algorithm;
  4. import com.auth0.jwt.exceptions.JWTDecodeException;
  5. import com.auth0.jwt.interfaces.DecodedJWT;
  6. import org.inlighting.database.ShiroUserBean;
  8. import java.io.UnsupportedEncodingException;
  9. import java.util.Date;
  11. public class JWTUtil {
  13.     private static String SECRET = "123SDFEEdfdeFDRE";
  15.     /**
  16.      * 过期时间1000 60 秒 60 分钟 24 小时 5 天
  17.      */
  18.     private static final long EXPIRE_TIME = 1000*60*60*24*5;
  20.     /**
  21.      * 校验token是否正确,是否过期
  22.      * @param token 密钥
  23.      * @return 是否正确
  24.      */
  25.     public static boolean verify(String token) {
  26.         try {
  27.             Algorithm algorithm = Algorithm.HMAC256(SECRET);
  28.             JWTVerifier verifier = JWT.require(algorithm).build();
  29.             DecodedJWT jwt = verifier.verify(token);
  30.             return true;
  31.         } catch (Exception exception) {
  32.             return false;
  33.         }
  34.     }
  36.     /**
  37.      * 获得token中的信息
  38.      * @return ShiroUserBean
  39.      */
  40.     public static ShiroUserBean getUserBean(String token) {
  41.         try {
  42.             DecodedJWT jwt = JWT.decode(token);
  43.             ShiroUserBean shiroUserBean = new ShiroUserBean();
  44.             shiroUserBean.setUsername(jwt.getClaim(ShiroUserBean.Fields.username).asString());
  45.             shiroUserBean.setRole(jwt.getClaim(ShiroUserBean.Fields.role).asString());
  46.             shiroUserBean.setPermission(jwt.getClaim(ShiroUserBean.Fields.permission).asString());
  47.             return shiroUserBean;
  48.         } catch (JWTDecodeException e) {
  49.             return null;
  50.         }
  51.     }
  53.     /**
  54.      * 生成签名,5min后过期
  55.      * @param shiroUserBean 用户名
  56.      * @return 加密的token
  57.      */
  58.     public static String sign(ShiroUserBean shiroUserBean) {
  59.         try {
  60.             Date date = new Date(System.currentTimeMillis()+EXPIRE_TIME);
  61.             Algorithm algorithm = Algorithm.HMAC256(SECRET);
  62.             // 附带username信息
  63.             return JWT.create()
  64.                     .withClaim(ShiroUserBean.Fields.username, shiroUserBean.getUsername())
  65.                     .withClaim(ShiroUserBean.Fields.role, shiroUserBean.getRole())
  66.                     .withClaim(ShiroUserBean.Fields.permission, shiroUserBean.getPermission())
  67.                     .withExpiresAt(date)
  68.                     .sign(algorithm);
  69.         } catch (UnsupportedEncodingException e) {
  70.             return null;
  71.         }
  72.     }
  73. }

UnauthorizedException

  1. public class UnauthorizedException extends RuntimeException {
  2.     public UnauthorizedException(String msg) {
  3.         super(msg);
  4.     }
  6.     public UnauthorizedException() {
  7.         super();
  8.     }
  9. }

shiro配置

直接复制接口,基本上不变

JWTToken

  1. import org.apache.shiro.authc.AuthenticationToken;
  3. public class JWTToken implements AuthenticationToken {
  5.     // 密钥
  6.     private String token;
  8.     public JWTToken(String token) {
  9.         this.token = token;
  10.     }
  12.     @Override
  13.     public Object getPrincipal() {
  14.         return token;
  15.     }
  17.     @Override
  18.     public Object getCredentials() {
  19.         return token;
  20.     }
  21. }

JWTFilter

  1. import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
  2. import org.slf4j.Logger;
  3. import org.slf4j.LoggerFactory;
  4. import org.springframework.http.HttpStatus;
  5. import org.springframework.web.bind.annotation.RequestMethod;
  7. import javax.servlet.ServletRequest;
  8. import javax.servlet.ServletResponse;
  9. import javax.servlet.http.HttpServletRequest;
  10. import javax.servlet.http.HttpServletResponse;
  11. import java.io.IOException;
  13. public class JWTFilter extends BasicHttpAuthenticationFilter {
  15.     private Logger LOGGER = LoggerFactory.getLogger(this.getClass());
  17.     /**
  18.      * 判断用户是否想要登入。
  19.      * 检测header里面是否包含Authorization字段即可
  20.      */
  21.     @Override
  22.     protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
  23.         HttpServletRequest req = (HttpServletRequest) request;
  24.         String authorization = req.getHeader("Authorization");
  25.         return authorization != null;
  26.     }
  28.     /**
  29.      *
  30.      */
  31.     @Override
  32.     protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
  33.         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
  34.         String authorization = httpServletRequest.getHeader("Authorization");
  36.         JWTToken token = new JWTToken(authorization);
  37.         // 提交给realm进行登入,如果错误他会抛出异常并被捕获
  38.         getSubject(request, response).login(token);
  39.         // 如果没有抛出异常则代表登入成功,返回true
  40.         return true;
  41.     }
  43.     /**
  44.      * 这里我们详细说明下为什么最终返回的都是true,即允许访问
  45.      * 例如我们提供一个地址 GET /article
  46.      * 登入用户和游客看到的内容是不同的
  47.      * 如果在这里返回了false,请求会被直接拦截,用户看不到任何东西
  48.      * 所以我们在这里返回true,Controller中可以通过 subject.isAuthenticated() 来判断用户是否登入
  49.      * 如果有些资源只有登入用户才能访问,我们只需要在方法上面加上 @RequiresAuthentication 注解即可
  50.      * 但是这样做有一个缺点,就是不能够对GET,POST等请求进行分别过滤鉴权(因为我们重写了官方的方法),但实际上对应用影响不大
  51.      */
  52.     @Override
  53.     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
  54.         if (isLoginAttempt(request, response)) {
  55.             try {
  56.                 executeLogin(request, response);
  57.             } catch (Exception e) {
  58.                 response401(request, response);
  59.             }
  60.         }
  61.         return true;
  62.     }
  64.     /**
  65.      * 对跨域提供支持
  66.      */
  67.     @Override
  68.     protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
  69.         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
  70.         HttpServletResponse httpServletResponse = (HttpServletResponse) response;
  71.         httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
  72.         httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
  73.         httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
  74.         // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
  75.         if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
  76.             httpServletResponse.setStatus(HttpStatus.OK.value());
  77.             return false;
  78.         }
  79.         return super.preHandle(request, response);
  80.     }
  82.     /**
  83.      * 将非法请求跳转到 /401
  84.      */
  85.     private void response401(ServletRequest req, ServletResponse resp) {
  86.         try {
  87.             HttpServletResponse httpServletResponse = (HttpServletResponse) resp;
  88.             httpServletResponse.sendRedirect("/401");
  89.         } catch (IOException e) {
  90.             LOGGER.error(e.getMessage());
  91.         }
  92.     }
  93. }

ShiroConfig

  1. import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
  2. import org.apache.shiro.mgt.DefaultSubjectDAO;
  3. import org.apache.shiro.spring.LifecycleBeanPostProcessor;
  4. import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
  5. import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
  6. import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
  7. import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
  8. import org.springframework.context.annotation.Bean;
  9. import org.springframework.context.annotation.Configuration;
  10. import org.springframework.context.annotation.DependsOn;
  12. import javax.servlet.Filter;
  13. import java.util.HashMap;
  14. import java.util.Map;
  16. @Configuration
  17. public class ShiroConfig {
  19.     @Bean("securityManager")
  20.     public DefaultWebSecurityManager getManager(MyRealm realm) {
  21.         DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
  22.         // 使用自己的realm
  23.         manager.setRealm(realm);
  25.         /*
  26.          * 关闭shiro自带的session,详情见文档
  27.          * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29
  28.          */
  29.         DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
  30.         DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
  31.         defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
  32.         subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
  33.         manager.setSubjectDAO(subjectDAO);
  35.         return manager;
  36.     }
  38.     @Bean("shiroFilter")
  39.     public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) {
  40.         ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
  42.         // 添加自己的过滤器并且取名为jwt
  43.         Map<String, Filter> filterMap = new HashMap<>();
  44.         filterMap.put("jwt", new JWTFilter());
  45.         factoryBean.setFilters(filterMap);
  47.         factoryBean.setSecurityManager(securityManager);
  48.         factoryBean.setUnauthorizedUrl("/401");
  50.         /*
  51.          * 自定义url规则
  52.          * http://shiro.apache.org/web.html#urls-
  53.          */
  54.         Map<String, String> filterRuleMap = new HashMap<>();
  55.         // 所有请求通过我们自己的JWT Filter
  56.         filterRuleMap.put("/**", "jwt");
  57.         // 访问401和404页面不通过我们的Filter
  58.         filterRuleMap.put("/401", "anon");
  59.         factoryBean.setFilterChainDefinitionMap(filterRuleMap);
  60.         return factoryBean;
  61.     }
  63.     /**
  64.      * 下面的代码是添加注解支持
  65.      */
  66.     @Bean
  67.     @DependsOn("lifecycleBeanPostProcessor")
  68.     public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
  69.         DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
  70.         // 强制使用cglib,防止重复代理和可能引起代理出错的问题
  71.         // https://zhuanlan.zhihu.com/p/29161098
  72.         defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
  73.         return defaultAdvisorAutoProxyCreator;
  74.     }
  76.     @Bean
  77.     public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
  78.         return new LifecycleBeanPostProcessor();
  79.     }
  81.     @Bean
  82.     public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
  83.         AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
  84.         advisor.setSecurityManager(securityManager);
  85.         return advisor;
  86.     }
  87. }

MyRealm

  1. import org.apache.log4j.LogManager;
  2. import org.apache.log4j.Logger;
  3. import org.apache.shiro.authc.*;
  4. import org.apache.shiro.authz.AuthorizationInfo;
  5. import org.apache.shiro.authz.SimpleAuthorizationInfo;
  6. import org.apache.shiro.realm.AuthorizingRealm;
  7. import org.apache.shiro.subject.PrincipalCollection;
  8. import org.inlighting.database.ShiroUserBean;
  9. import org.inlighting.database.UserService;
  10. import org.inlighting.util.JWTUtil;
  11. import org.springframework.beans.factory.annotation.Autowired;
  12. import org.springframework.stereotype.Service;
  14. import java.util.Arrays;
  15. import java.util.HashSet;
  17. @Service
  18. public class MyRealm extends AuthorizingRealm {
  20.     private static final Logger LOGGER = LogManager.getLogger(MyRealm.class);
  22.     private UserService userService;
  24.     @Autowired
  25.     public void setUserService(UserService userService) {
  26.         this.userService = userService;
  27.     }
  29.     /**
  30.      * 必须重写此方法,不然Shiro会报错
  31.      */
  32.     @Override
  33.     public boolean supports(AuthenticationToken token) {
  34.         return token != null;
  35.     }
  37.     /**
  38.      * 只有当需要检测用户权限的时候才会调用此方法,例如checkRole,checkPermission之类的
  39.      */
  40.     @Override
  41.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  42.         ShiroUserBean shiroUserBean = JWTUtil.getUserBean(principals.toString());
  43.         SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
  44.         simpleAuthorizationInfo.addRoles(new HashSet<>(Arrays.asList(shiroUserBean.getRole().split(","))));
  45.         simpleAuthorizationInfo.addStringPermissions(new HashSet<>(Arrays.asList(shiroUserBean.getPermission().split(","))));
  46.         return simpleAuthorizationInfo;
  47.     }
  49.     /**
  50.      * 校验是否需要登录
  51.      */
  52.     @Override
  53.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
  54.         String token = (String) auth.getCredentials();
  55.         if (! JWTUtil.verify(token)) {
  56.             throw new AuthenticationException("need login");
  57.         }
  58.         return new SimpleAuthenticationInfo(token, token, "my_realm");
  59.     }
  60. }

测试

  1. import org.apache.log4j.LogManager;
  2. import org.apache.log4j.Logger;
  3. import org.apache.shiro.SecurityUtils;
  4. import org.apache.shiro.authz.annotation.*;
  5. import org.apache.shiro.subject.Subject;
  6. import org.inlighting.bean.Result;
  7. import org.inlighting.database.ShiroUserBean;
  8. import org.inlighting.database.UserService;
  9. import org.inlighting.exception.UnauthorizedException;
  10. import org.inlighting.util.JWTUtil;
  11. import org.springframework.beans.factory.annotation.Autowired;
  12. import org.springframework.http.HttpStatus;
  13. import org.springframework.web.bind.annotation.*;
  15. @RestController
  16. public class WebController {
  18.     private static final Logger LOGGER = LogManager.getLogger(WebController.class);
  20.     private UserService userService;
  22.     @Autowired
  23.     public void setService(UserService userService) {
  24.         this.userService = userService;
  25.     }
  27.     @PostMapping("/login")
  28.     public Result login(@RequestParam("username") String username,
  29.                         @RequestParam("password") String password) {
  30.         ShiroUserBean shiroUserBean = userService.getUser(username);
  31.         if (shiroUserBean.getPassword().equals(password)) {
  32.             return Result.success(200, "Login success", JWTUtil.sign(shiroUserBean));
  33.         } else {
  34.             throw new UnauthorizedException();
  35.         }
  36.     }
  38.     @GetMapping("/article")
  39.     public Result article() {
  40.         Subject subject = SecurityUtils.getSubject();
  41.         if (subject.isAuthenticated()) {
  42.             return Result.success(200, "You are already logged in", null);
  43.         } else {
  44.             return Result.success(200, "You are guest", null);
  45.         }
  46.     }
  48.     @GetMapping("/require_auth")
  49.     @RequiresAuthentication
  50.     public Result requireAuth() {
  51.         return Result.success(200, "You are authenticated", null);
  52.     }
  54.     @GetMapping("/require_role")
  55.     @RequiresRoles("admin")
  56.     public Result requireRole() {
  57.         return Result.success(200, "You are visiting require_role", null);
  58.     }
  60.     @GetMapping("/require_permission")
  61.     @RequiresPermissions(logical = Logical.AND, value = {"view", "edit"})
  62.     public Result requirePermission() {
  63.         return Result.success(200, "You are visiting permission require edit,view", null);
  64.     }
  66.     @RequestMapping(path = "/401")
  67.     @ResponseStatus(HttpStatus.UNAUTHORIZED)
  68.     public Result unauthorized() {
  69.         return Result.error(401, "Unauthorized", null);
  70.     }
  71. }

参考文章:

https://juejin.im/post/59f1b2766fb9a0450e755993