这里主要是为了说明使用session和不用session的情况,如何取舍就看用户自身需求
- 如果使用了session,用户登陆一次,则session有效期内的请求则不会再验证token。
- 如果不适用session,用户每次请求都会验证 token。
Maven
引入springboot-start
<!-- springboot-web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.3.5.RELEASE</version>
</dependency>
<!-- shiro-web -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<shiro.version>1.9.0</shiro.version>
</dependency>
OAuth2Token
/**
* TOKEN
*/
public class OAuth2Token implements AuthenticationToken {
private String token;
public OAuth2Token(String token) {
this.token = token;
}
@Override
public Object getPrincipal() {
return token;
}
@Override
public Object getCredentials() {
return token;
}
}
Realm
supports 方法是为了确保 OAuth2Realm 只对 OAuth2Token生效。
public class OAuth2Realm extends AuthorizingRealm {
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof OAuth2Token;
}
/**
* 授权
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// 授权逻辑
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
return simpleAuthorizationInfo;
}
/**
* 认证
*
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
String token = (String) authenticationToken.getCredentials();
if (token == null) {
log.info("————————身份认证失败————————,IP地址记录:" + IPUtils.getIpAddrByRequest(SpringContextUtils.getHttpServletRequest()));
throw new AuthenticationException("身份验证失败");
}
// token验证逻辑
return new SimpleAuthenticationInfo(userId, token, getName());
}
}
Filter
/**
* oauth2过滤器
*
*/
public class OAuth2Filter extends BasicHttpAuthenticationFilter {
@Override
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
//获取请求token
String token = getRequestToken((HttpServletRequest) request);
if (StringUtils.isBlank(token)) {
return null;
}
return new OAuth2Token(token);
}
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
httpServletResponse.setStatus(HttpStatus.OK.value());
return false;
}
return super.preHandle(request, response);
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//获取请求token,如果token不存在,直接返回401
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
String token = getRequestToken(httpServletRequest);
if (StringUtils.isBlank(token)) {
JwtUtils.responseError(response, ResultCode.NO_AUTH, CommonConstant.S_INVALID_TOKEN);
return false;
}
return executeLogin(request, response);
}
@Override
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
//处理登录失败的异常
Throwable throwable = e.getCause() == null ? e : e.getCause();
JwtUtils.responseError(response, ResultCode.NO_AUTH, throwable.getMessage() );
return false;
}
/**
* 获取请求的token
*/
private String getRequestToken(HttpServletRequest httpRequest) {
//从header中获取token
String token = httpRequest.getHeader(CommonConstant.S_ACCESS_TOKEN);
//如果header中不存在token,则从参数中获取token
if (StringUtils.isBlank(token)) {
token = httpRequest.getParameter(CommonConstant.S_ACCESS_TOKEN);
}
return token;
}
}
-
preHandle 方法中,获取Request请求的Method是否为Options是为了解决跨域问题,现在前端浏览器会在发起真正的请求前,发起一次Options请求,用来作为跨域预检。这里捕捉到了以后直接拦截并更改状态为成功后,直接返回。
-
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception { AuthenticationToken token = createToken(request, response); if (token == null) { String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " + "must be created in order to execute a login attempt."; throw new IllegalStateException(msg); } try { Subject subject = getSubject(request, response); subject.login(token); return onLoginSuccess(token, subject, request, response); } catch (AuthenticationException e) { return onLoginFailure(token, e, request, response); } }- 重写 createToken 方法是在因为在 exceuteLogin 方法的默认实现中,是通过 createToken 方法获取token信息,因为我们是基于http请求,在header中获取自定义属性的,这里就进行了重写。
- 重写 onLoginFailure方法是因为执行login方法后,会进入 Realm 类中的 doGetAuthenticationInfo 方法进行认证,当认证失败会抛出 AuthenticationException 异常,此时try-catch捕捉到异常后会调用 onLoginFailure 方法,这时就能根据需要放回异常信息给用户。
Shiro配置
@Slf4j
@Configuration
public class ShiroConfig {
@Resource
private LettuceConnectionFactory lettuceConnectionFactory;
/**
* 注入realm
*
* @return
*/
@Bean("oAuth2Realm")
public OAuth2Realm oAuth2Realm() {
OAuth2Realm realm = new OAuth2Realm();
return realm;
}
@Bean(name = "shiroFilterFactoryBean")
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager, ShiroFilterChainDefinition shiroFilterChainDefinition) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
Map<String, Filter> filters = new HashMap<>();
filters.put("oauth2", new OAuth2Filter());
shiroFilterFactoryBean.setFilters(filters);
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());
return shiroFilterFactoryBean;
}
/**
* 配置拦截
*
* @return
*/
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
chainDefinition.addPathDefinition("/sys/login", "anon");
chainDefinition.addPathDefinition("/**", "oauth2");
return chainDefinition;
}
@Bean("securityManager")
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 注入realm 到securityManager
List<Realm> realms = new ArrayList<>();
realms.add(oAuth2Realm());
securityManager.setRealms(realms);
securityManager.setCacheManager(cacheManager());
securityManager.setSessionManager(defaultSessionManager());
securityManager.setRememberMeManager(null);
return securityManager;
}
@Bean
public DefaultSessionManager defaultSessionManager() {
DefaultWebSessionManager defaultWebSessionManager = new DefaultWebSessionManager();
//有效期30分钟
defaultWebSessionManager.setGlobalSessionTimeout(30 * 60 * 1000);
defaultWebSessionManager.setCacheManager(cacheManager());
defaultWebSessionManager.setDeleteInvalidSessions(true);
return defaultWebSessionManager;
}
/***
* 单机使用
* @return
*/
protected CacheManager cacheManager() {
return new MemoryConstrainedCacheManager();
}
@Bean
public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
/**
* setUsePrefix(false)用于解决一个奇怪的bug。在引入spring aop的情况下。
* 在@Controller注解的类的方法中加入@RequiresRole等shiro注解,会导致该方法无法映射请求,导致返回404。
* 加入这项配置能解决这个bug
*/
defaultAdvisorAutoProxyCreator.setUsePrefix(true);
return defaultAdvisorAutoProxyCreator;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}
这里需要注意的是 defaultSessionManager ,因为shiro默认会使用自带的session管理,那这时session是永不过期的,那用户只需要通过一次token认证,就可以不用再认证了,那我们有什么办法呢?
- 设置defaultSessionManager的过期时间,定时清除session。
- 禁用默认session,使用JWT进行过期管理。
如何禁用session可以参考以下代码:我们只需要更改前面代码中的 securityManager方法,增加DefaultSubjectDAO来禁用默认session。
@Bean("securityManager")
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// 注入realm 到securityManager
List<Realm> realms = new ArrayList<>();
realms.add(oAuth2Realm());
/**
* 禁用session管理
* 根据需要判断,开启后,所有提交都需要验证Token,
* 否则Login成功后,根据cookie获取session。
*/
DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
securityManager.setSubjectDAO(subjectDAO);
securityManager.setRealms(realms);
securityManager.setCacheManager(cacheManager());
//设置session管理
// securityManager.setSessionManager(defaultSessionManager());
securityManager.setRememberMeManager(null);
return securityManager;
}
\
