因为项目要改为单点登录,shiro是通过session进行信息验证的,而且还要保留shiro的权限验证,所以只需要把验证这一部分改为token。
Shiro和token的实现和概念网上有很多,这里就不做讲解了。
本文主要参考了这篇文章https://blog.csdn.net/sqlgao22/article/details/99186391/
先讲一下大体思路:
1、登录后生成token存入数据库并将token放入cookie,这样好处是浏览器发送请求的时候cookie会被自动带上,前端不用做任何变动。
2、前端每次请求后端,进行验证的时候取出token进行验证。
重点就在于后端的拦截,所以主要讲拦截怎么做的。
登录
@PostMapping("login")
@ApiOperation(value = "登录")
public Result login(HttpServletRequest request, HttpServletResponse response,@RequestBody LoginDTO login) {
//用户登录校验代码
...
//shiro验证和授权
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(login.getUsername(), login.getPassword());
subject.login(token);
//createToken方法:生成token,存入cookie并保存到数据库。
String token1 = sysUserTokenService.createToken(user.getId());
Cookie cookie = new Cookie("token", token1);
cookie.setPath("/");
response.addCookie(cookie);
//登录成功
return result;
}
自定义的过滤拦截
package io.renren.modules.security.token;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.codehaus.groovy.syntax.TokenUtil;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ClientShiroThree extends BasicHttpAuthenticationFilter {
@Override
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse response1) throws Exception {
HttpServletResponse response = (HttpServletResponse) response1;
//验证失败直接返回登录页面
response.sendRedirect("/tlyd/login.html");
return false;
}
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse response, Object mappedValue) {
HttpServletRequest request = (HttpServletRequest) servletRequest;
String token = "";
Cookie[] cookies = request.getCookies();
for (Cookie cookie1 : cookies) {
if ("token".equals(cookie1.getName())) {
token=cookie1.getValue();
}
}
if (null == token||"".equals(token)) {
System.out.println("-------token为空");
return false;
}
//验证token的真实性
try {
//校验token并返回用户信息user对象
User user=TokenUtil.getTokenBody(token);
System.out.println("-------token正确");
//验证通过重新进行授权
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword());
subject.login(login);
} catch (Exception e) {
e.printStackTrace();
System.out.println("-------token有问题");
return false;
}
return true;
}
}
进行shiro配置
package io.renren.modules.security.config;
import io.renren.modules.security.realm.UserRealm;
import io.renren.modules.security.token.ClientShiroThree;
import io.renren.modules.security.token.ShiroSessionManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* Shiro的配置文件
*
* @author Mark [email protected]
*/
@Configuration
public class ShiroConfig {
/**
* 单机环境,session交给shiro管理
*/
@Bean
@ConditionalOnProperty(prefix = "renren", name = "cluster", havingValue = "false")
public DefaultWebSessionManager sessionManager(@Value("${renren.globalSessionTimeout:3600}") long globalSessionTimeout){
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionValidationSchedulerEnabled(true);
sessionManager.setSessionIdUrlRewritingEnabled(false);
sessionManager.setSessionValidationInterval(globalSessionTimeout * 1000);
sessionManager.setGlobalSessionTimeout(globalSessionTimeout * 1000);
return sessionManager;
}
/**
* 集群环境,session交给spring-session管理
*/
@Bean
@ConditionalOnProperty(prefix = "renren", name = "cluster", havingValue = "true")
public ServletContainerSessionManager servletContainerSessionManager() {
return new ServletContainerSessionManager();
}
@Bean("securityManager")
public SecurityManager securityManager(UserRealm userRealmr) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(userRealm);
return securityManager;
}
@Bean("shiroFilter")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
shiroFilter.setSecurityManager(securityManager);
shiroFilter.setLoginUrl("/login.html");
shiroFilter.setUnauthorizedUrl("/");
//加入刚刚写的自定义的过滤器ClientShiroThree并给了key:client
Map<String, Filter> filters = shiroFilter.getFilters();
filters.put("client", new ClientShiroThree());
shiroFilter.setFilters(filters);
Map<String, String> filterMap = new LinkedHashMap<>();
filterMap.put("/swagger/**", "anon");
filterMap.put("/v2/api-docs", "anon");
filterMap.put("/swagger-ui.html", "anon");
filterMap.put("/webjars/**", "anon");
filterMap.put("/swagger-resources/**", "anon");
filterMap.put("/statics/**", "anon");
filterMap.put("/login.html", "anon");
filterMap.put("/login", "anon");
filterMap.put("/favicon.ico", "anon");
filterMap.put("/captcha", "anon");
filterMap.put("/downLoadBrower", "anon");
filterMap.put("/getBaseOrgSource", "anon");
filterMap.put("/common/**", "anon");
filterMap.put("/cadastre/**", "anon");
//注意这里把上面的client进行配置
filterMap.put("/**", "client");
shiroFilter.setFilterChainDefinitionMap(filterMap);
return shiroFilter;
}
@Bean("lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
这样就可以进行拦截了 ,可以看到下图,获取了前端传来的token
如果要在自定义的拦截器里面注入你的server,直接用@Autowired是无法注入的,可以看一下我这个文章https://blog.csdn.net/qq_36802726/article/details/82841735