码迷,mamicode.com
首页 > 编程语言 > 详细

springboot 集成shiro

时间:2017-03-24 23:14:51      阅读:819      评论:0      收藏:0      [点我收藏+]

标签:contains   oda   info   lifecycle   simple   gre   ble   tproxy   index   

首先看下shiro configuration 的配置,重要部分用红色标出了

package cn.xiaojf.today.shiro.configuration;

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import cn.xiaojf.today.sys.security.credentials.RetryLimitHashedCredentialsMatcher;
import cn.xiaojf.today.sys.security.filter.MyLogoutFilter;
import cn.xiaojf.today.sys.security.filter.RoleAuthorizationFilter;
import cn.xiaojf.today.sys.security.realm.UsernameRealm;
import cn.xiaojf.today.sys.service.SysResService;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.DelegatingFilterProxy;

import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * shiro配置
 * @author xiaojf 2017/2/10 11:30.
 */
@Configuration
public class ShiroConfiguration {
    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setFilter(new DelegatingFilterProxy("shiroFilter"));
        filterRegistrationBean.addInitParameter("targetFilterLifecycle", "true");
        filterRegistrationBean.setEnabled(true);
        filterRegistrationBean.addUrlPatterns("/*");
        return filterRegistrationBean;
    }

    @Bean
    public RetryLimitHashedCredentialsMatcher credentialsMatcher() {
        RetryLimitHashedCredentialsMatcher credentialsMatcher = new RetryLimitHashedCredentialsMatcher();
        credentialsMatcher.setHashAlgorithmName("sha");
        credentialsMatcher.setHashIterations(2);
        credentialsMatcher.setStoredCredentialsHexEncoded(true);
        credentialsMatcher.setRetryCount(5);
        credentialsMatcher.setRetryTime(1800000);
        return credentialsMatcher;
    }

    @Bean
    public UsernameRealm usernameRealm(RetryLimitHashedCredentialsMatcher credentialsMatcher) {
        UsernameRealm usernameRealm = new UsernameRealm();
        usernameRealm.setCredentialsMatcher(credentialsMatcher);
        usernameRealm.setCachingEnabled(true);
        return  usernameRealm;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    @Bean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
        daap.setProxyTargetClass(true);
        return daap;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(UsernameRealm usernameRealm) {
        DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
        dwsm.setRealm(usernameRealm);
        return dwsm;
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager defaultWebSecurityManager) {
        AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
        aasa.setSecurityManager(defaultWebSecurityManager);
        return aasa;
    }

    @Bean
    public MyLogoutFilter logoutFilter() {
        MyLogoutFilter myLogoutFilter = new MyLogoutFilter();
        myLogoutFilter.setRedirectUrl("/login/index");
        return myLogoutFilter;
    }

    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager,
                                                         MyLogoutFilter logoutFilter, ApplicationContext context) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        shiroFilterFactoryBean.setLoginUrl("/login/index");
        shiroFilterFactoryBean.setUnauthorizedUrl("/login/index");

        Map<String, Filter> filters = new LinkedHashMap<>();
//        filters.put("logout", logoutFilter);
        filters.put("role", new RoleAuthorizationFilter());

        shiroFilterFactoryBean.getFilters().putAll(filters);//加载自定义拦截器

        SysResService resService = context.getBean(SysResService.class);//只有通过这种方式才能获得resService,因为此处会优先于resService实例化
        loadShiroFilterChain(shiroFilterFactoryBean,resService);//加载拦截规则
        return shiroFilterFactoryBean;
    }

    private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean,SysResService resService) {
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
     //默认拦截规则 filterChainDefinitionMap.put(
"/login/index", "anon"); filterChainDefinitionMap.put("/error/403", "anon"); filterChainDefinitionMap.put("/error/404", "anon"); filterChainDefinitionMap.put("/error/500", "anon"); filterChainDefinitionMap.put("/login/auth", "anon"); filterChainDefinitionMap.put("/logout", "logout"); filterChainDefinitionMap.put("/plugins/**", "anon"); filterChainDefinitionMap.put("/css/**", "anon"); filterChainDefinitionMap.put("/js/**", "anon"); filterChainDefinitionMap.put("/images/**", "anon");      //用户自定义拦截规则 filterChainDefinitionMap = resService.loadFilterChainDefinitions(filterChainDefinitionMap);      //都不满足的时候,需要超级管理员权限才能访问 filterChainDefinitionMap.put("/**", "role[ROLE_SUPER]");      shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); } @Bean public ShiroDialect shiroDialect() {//thymeleaf 集成shiro使用,如果没有可以删除 return new ShiroDialect(); } }

自定义realm,用于认证和授权

package cn.xiaojf.today.sys.security.realm;

import cn.xiaojf.today.base.constant.DataStatus;
import cn.xiaojf.today.base.constant.SystemConstant;
import cn.xiaojf.today.sys.entity.SysUser;
import cn.xiaojf.today.sys.service.SysUserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;

import java.util.Set;

/**
 * 根据用户名和密码校验登陆
 *
 * @author xiaojf 2016-01-07 16:05:55
 */
public class UsernameRealm extends AuthorizingRealm {

    /**
     * 系统用户service
     */
    @Autowired
    @Lazy
    private SysUserService sysUserService;

    /**
     * 加载用户授权信息, 包括权限资源和角色\用户组资源
     *
     * @author xiaojf 2016-01-07 16:05:55
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        // 登陆名
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();

        Set<String> roles = sysUserService.loadEnabledRolesByUsername(username);

        if (roles.contains(SystemConstant.ROLE_SUPER)) {
            authorizationInfo.addStringPermission("*");
        }else {
            // 加载权限资源
            authorizationInfo.setStringPermissions(sysUserService.loadEnabledPermissionsByUsername(username));
        }

        // 加载角色/用户组
        authorizationInfo.setRoles(roles);

        return authorizationInfo;
    }

    /**
     * 加载用户身份认证信息
     *
     * @author xiaojf 2016-01-07 16:05:55
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();

        // 获取账号信息
        SysUser sysUser = sysUserService.getByUsername(username);

        if (sysUser == null) {
            throw new UnknownAccountException();    // 没找到帐号
        }

        if (sysUser.getStatus() == DataStatus.LOGIC_DELETE.getValue()) {
            throw new UnknownAccountException();    // 没找到帐号
        }

        if (sysUser.getStatus() == DataStatus.DISABLE.getValue()) {
            throw new LockedAccountException();    // 帐号锁定
        }

        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(sysUser.getUsername(),
                sysUser.getPwd(), ByteSource.Util.bytes(sysUser.getSalt()),
                getName());

        return authenticationInfo;
    }

}

自定义登出过滤器

package cn.xiaojf.today.sys.security.filter;

import org.apache.shiro.web.filter.authc.LogoutFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.util.Date;

/**
 * 自定义退出过滤器
 * @author xiaojf 294825811@qq.com
 *
 * 2015-3-20
 */
public class MyLogoutFilter extends LogoutFilter {
    
    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
        return true;
    }
}

自定义权限校验过滤器

package cn.xiaojf.today.sys.security.filter;

import com.alibaba.fastjson.JSON;
import cn.xiaojf.today.base.model.CommonResult;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.util.StringUtils;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Set;

/**
 * 自定义认证器,区分ajax请求
 * @author xiaojf 2017/2/10 11:30.
 */
public class RoleAuthorizationFilter extends AuthorizationFilter {

    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws IOException {

        Subject subject = getSubject(request, response);
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {
            // no roles specified, so nothing to check - allow access.
            return true;
        }

        Set<String> roles = CollectionUtils.asSet(rolesArray);
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;

        Subject subject = getSubject(request, response);

        if (subject.getPrincipal() == null) {
            if ("XMLHttpRequest".equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))) {
                httpServletResponse.setCharacterEncoding("UTF-8");
                httpServletResponse.setHeader("Charset","UTF-8");
                PrintWriter out = httpServletResponse.getWriter();

                CommonResult result = new CommonResult(false);
                result.setCode("401");
                result.setMsg("请重新登录");

                out.write(JSON.toJSONString(result));
                out.flush();
                out.close();
            } else {
//                saveRequestAndRedirectToLogin(request, response);
                String unauthorizedUrl = getUnauthorizedUrl();
                WebUtils.issueRedirect(request, response, unauthorizedUrl);
            }
        } else {
            if ("XMLHttpRequest".equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))) {
                httpServletResponse.setCharacterEncoding("UTF-8");
                httpServletResponse.setHeader("Charset","UTF-8");
                PrintWriter out = httpServletResponse.getWriter();

                CommonResult result = new CommonResult(false);
                result.setCode("403");
                result.setMsg("没有足够的权限: "+((HttpServletRequest) request).getServletPath());

                out.println(JSON.toJSONString(result));
                out.flush();
                out.close();
            } else {
                String unauthorizedUrl = getUnauthorizedUrl();
                if (StringUtils.hasText(unauthorizedUrl)) {
                    WebUtils.issueRedirect(request, response, unauthorizedUrl);
                } else {
                    WebUtils.toHttp(response).sendError(403);
                }
            }
        }
        return false;
    }
}

 

springboot 集成shiro

标签:contains   oda   info   lifecycle   simple   gre   ble   tproxy   index   

原文地址:http://www.cnblogs.com/xiaojf/p/6613666.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!