spring boot Shiro JWT整合
一个api要支持H5, PC和APP三个前端,如果使用session的话对app不是很友好,而且session有跨域攻击的问题,所以选择了JWT
1.导入依赖包
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-spring</artifactId>
- <version>1.3.2</version>
- </dependency>
- <dependency>
- <groupId>com.auth0</groupId>
- <artifactId>java-jwt</artifactId>
- <version>3.2.0</version>
- </dependency>
2.自定义JWTToken
- import org.apache.shiro.authc.AuthenticationToken;
- public class JwtToken implements AuthenticationToken {
- private String token;
- public JwtToken(String token) {
- this.token = token;
- }
- @Override
- public Object getPrincipal() {
- return token;
- }
- @Override
- public Object getCredentials() {
- return token;
- }
- }
工具类
- import com.auth0.jwt.JWT;
- import com.auth0.jwt.JWTVerifier;
- import com.auth0.jwt.algorithms.Algorithm;
- import com.auth0.jwt.exceptions.JWTDecodeException;
- import com.auth0.jwt.interfaces.DecodedJWT;
- import java.io.UnsupportedEncodingException;
- import java.util.Date;
- public class JwtUtils {
- // 过期时间30天
- private static final long EXPIRE_TIME = 24 * 60 * 30 * 1000;
- /**
- * 校验token是否正确
- *
- * @param token 密钥
- * @param username 登录名
- * @param password 密码
- * @return
- */
- public static boolean verify(String token, String username, String password) {
- try {
- Algorithm algorithm = Algorithm.HMAC256(password);
- JWTVerifier verifier = JWT.require(algorithm).withClaim("userName", username).build();
- DecodedJWT jwt = verifier.verify(token);
- return true;
- } catch (Exception e) {
- return false;
- }
- }
- /**
- * 获取登录名
- *
- * @param token
- * @return
- */
- public static String getUsername(String token) {
- try {
- DecodedJWT jwt = JWT.decode(token);
- return jwt.getClaim("userName").asString();
- } catch (JWTDecodeException e) {
- return null;
- }
- }
- /**
- * 生成签名
- *
- * @param username
- * @param password
- * @return
- */
- public static String sign(String username, String password) {
- try {
- // 指定过期时间
- Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
- Algorithm algorithm = Algorithm.HMAC256(password);
- return JWT.create()
- .withClaim("userName", username)
- .withExpiresAt(date)
- .sign(algorithm);
- } catch (UnsupportedEncodingException e) {
- return null;
- }
- }
- }
3.自定义realm
- import com.system.authorization.model.JwtToken;
- import com.system.authorization.model.MzUser;
- import com.system.authorization.service.MzUserService;
- import com.system.authorization.utils.JwtUtils;
- import org.apache.shiro.authc.*;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.subject.PrincipalCollection;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.beans.factory.annotation.Autowired;
- import java.util.Set;
- public class JwtShiroRealm extends AuthorizingRealm {
- private Logger logger = LoggerFactory.getLogger(this.getClass());
- @Autowired
- private MzUserService mzUserService;
- /**
- * 使用JWT代替原生Token
- * @param token
- * @return
- */
- @Override
- public boolean supports(AuthenticationToken token) {
- return token instanceof JwtToken;
- }
- //权限验证
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
- logger.info("doGetAuthorizationInfo:" + principalCollection.toString());
- String userName = JwtUtils.getUsername(principalCollection.toString());
- //获取权限数据
- Set<String> permissions = mzUserService.getPermissionByUserName(userName);
- SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
- simpleAuthorizationInfo.setStringPermissions(permissions);
- return simpleAuthorizationInfo;
- }
- /**
- * 身份认证:Authentication 用来验证用户身份
- * 默认使用此方法进行用户名正确与否验证,错误抛出异常
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
- String token = authenticationToken.getPrincipal().toString();
- System.out.println("Realm 验证:"+token);
- String userName = JwtUtils.getUsername(token);
- System.out.println("Realm 验证用户名:"+userName);
- MzUser mzUser = mzUserService.queryByUserName(userName);
- if (mzUser == null) {
- throw new AuthenticationException("token验证失败,权限不足");
- }
- if (!JwtUtils.verify(token, userName, mzUser.getPassword())) {
- throw new UnknownAccountException("token验证失败,权限不足");
- }
- return new SimpleAuthenticationInfo(token, token, "realm");
- }
- }
4.自定义filter
- import com.system.authorization.model.JwtToken;
- import org.apache.commons.lang3.StringUtils;
- import org.apache.http.HttpStatus;
- import org.apache.shiro.authc.UnknownAccountException;
- import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
- import org.apache.shiro.web.util.WebUtils;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
- public class JwtAuthFilter extends BasicHttpAuthenticationFilter {
- private Logger logger = LoggerFactory.getLogger(this.getClass());
- // 登录标识
- private static String LOGIN_SIGN = "x-auth-token";
- /**
- * 检测用户是否登录
- * 检测header里面是否包含Authorization字段即可
- *
- * @param request
- * @param response
- * @return
- */
- @Override
- protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
- HttpServletRequest httpRequest = WebUtils.toHttp(request);
- String authorization = httpRequest.getHeader(LOGIN_SIGN);
- return StringUtils.isNoneBlank(authorization);
- }
- @Override
- protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
- HttpServletRequest httpRequest = WebUtils.toHttp(request);
- String token = httpRequest.getHeader(LOGIN_SIGN);
- JwtToken jwtToken = new JwtToken(token);
- //提交给realm进行登录,如果错误会怕熬出异常并被捕获,如果没有抛出异常则返回true
- getSubject(request, response).login(jwtToken);
- return true;
- }
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
- System.out.println("开始jwt 校验");
- //如果不是登录请求
- if (isLoginAttempt(request, response)) {
- try {
- executeLogin(request, response);
- } catch (Exception e) {
- // throw new TSharkException("登录权限不足!", e);
- throw new UnknownAccountException("token验证失败,权限不足");
- }
- }
- System.out.println("jwt 校验通过");
- return true;
- }
- @Override
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
- HttpServletResponse httpResponse = WebUtils.toHttp(response);
- httpResponse.setCharacterEncoding("UTF-8");
- httpResponse.setContentType("application/json;charset=utf-8");
- httpResponse.setStatus(org.apache.http.HttpStatus.SC_UNAUTHORIZED);
- System.out.println("token验证失败,没权限访问");
- return false;
- }
- /**
- * 对跨域提供支持
- *
- * @param request
- * @param response
- * @return
- * @throws Exception
- */
- @Override
- protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
- HttpServletRequest httpServletRequest = (HttpServletRequest) request;
- HttpServletResponse httpServletResponse = (HttpServletResponse) response;
- httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
- httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");
- httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
- // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态
- if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {
- httpServletResponse.setStatus(HttpStatus.OK.value());
- return false;
- }
- return super.preHandle(request, response);
- }
- }
授权过滤器
- import org.apache.http.HttpStatus;
- import org.apache.shiro.subject.Subject;
- import org.apache.shiro.web.filter.authz.AuthorizationFilter;
- import org.apache.shiro.web.util.WebUtils;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletResponse;
- import java.io.IOException;
- public class RolesAndPermissionFilter extends AuthorizationFilter {
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
- System.out.println("开始Roles permission校验");
- //获取接口请求地址
- String path = WebUtils.toHttp(request).getRequestURI();
- Subject subject = getSubject(request, response);
- //数据库中存储的是接口的请求地址,此处验证当前请求的接口地址,当前登录的用户是否存在,如果存在则通过验证
- if (subject.isPermitted(path))
- return true;
- System.out.println("roles permission校验未通过");
- return false;
- }
- @Override
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
- HttpServletResponse httpResponse = WebUtils.toHttp(response);
- httpResponse.setCharacterEncoding("UTF-8");
- httpResponse.setContentType("application/json;charset=utf-8");
- httpResponse.setStatus(HttpStatus.SC_UNAUTHORIZED);
- return false;
- }
- }
5.配置信息,注入spring容器
- import com.system.authorization.filter.JwtAuthFilter;
- import com.system.authorization.filter.RolesAndPermissionFilter;
- import com.system.authorization.realm.JwtShiroRealm;
- import org.apache.shiro.mgt.DefaultSecurityManager;
- import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
- import org.apache.shiro.mgt.DefaultSubjectDAO;
- import org.apache.shiro.mgt.SecurityManager;
- import org.apache.shiro.realm.Realm;
- import org.apache.shiro.spring.LifecycleBeanPostProcessor;
- import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
- import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
- import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
- import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
- import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
- import org.springframework.context.annotation.DependsOn;
- import javax.servlet.Filter;
- import java.util.HashMap;
- import java.util.LinkedHashMap;
- import java.util.Map;
- @Configuration
- @ConditionalOnWebApplication
- public class ShiroConfig {
- @Bean
- public Realm jwtShiroRealm() {
- return new JwtShiroRealm();
- }
- @Bean
- public SecurityManager securityManager() {
- DefaultSecurityManager defaultSecurityManager = new DefaultWebSecurityManager();
- defaultSecurityManager.setRealm(jwtShiroRealm());
- // 关闭自带session
- DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
- evaluator.setSessionStorageEnabled(false);
- DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
- subjectDAO.setSessionStorageEvaluator(evaluator);
- defaultSecurityManager.setSubjectDAO(subjectDAO);
- return defaultSecurityManager;
- }
- @Bean(name = "shiroFilter")
- public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
- ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
- //将自定义的过滤器注入
- Map<String, Filter> filterMap = new LinkedHashMap<>();
- filterMap.put("jwt", new JwtAuthFilter());
- filterMap.put("permission", new RolesAndPermissionFilter());
- factoryBean.setFilters(filterMap);
- factoryBean.setSecurityManager(securityManager);
- //定义过滤规则
- Map<String, String> filterRuleMap = new HashMap<>();
- //所有的请求都必须经过jwt,permission过滤器
- filterRuleMap.put("/**", "jwt,permission");
- //登录接口可以不做验证
- filterRuleMap.put("/mz/user/login", "anon");
- factoryBean.setFilterChainDefinitionMap(filterRuleMap);
- //设置登录页面,主页面,验证失败页面
- factoryBean.setLoginUrl("https://www.baidu.com");
- factoryBean.setSuccessUrl("https://www.cnblogs.com/gyli20170901/");
- factoryBean.setUnauthorizedUrl("/403");
- return factoryBean;
- }
- @Bean
- @DependsOn("lifecycleBeanPostProcessor")
- public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
- DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
- defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
- return defaultAdvisorAutoProxyCreator;
- }
- @Bean
- public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
- return new LifecycleBeanPostProcessor();
- }
- @Bean
- public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
- AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
- advisor.setSecurityManager(securityManager);
- return advisor;
- }
- }
参考:https://yq.aliyun.com/articles/646440
spring boot Shiro JWT整合的更多相关文章
- spring boot shiro redis整合基于角色和权限的安全管理-Java编程
一.概述 本博客主要讲解spring boot整合Apache的shiro框架,实现基于角色的安全访问控制或者基于权限的访问安全控制,其中还使用到分布式缓存redis进行用户认证信息的缓存,减少数据库 ...
- Spring Boot Security JWT 整合实现前后端分离认证示例
前面两章节我们介绍了 Spring Boot Security 快速入门 和 Spring Boot JWT 快速入门,本章节使用 JWT 和 Spring Boot Security 构件一个前后端 ...
- Spring Boot认证:整合Jwt
背景 Jwt全称是:json web token.它将用户信息加密到token里,服务器不保存任何用户信息.服务器通过使用保存的密钥验证token的正确性,只要正确即通过验证. 优点 简洁: 可以通过 ...
- SpringBoot2.0+Shiro+JWT 整合
SpringBoot2.0+Shiro+JWT 整合 JSON Web Token(JWT)是一个非常轻巧的规范.这个规范允许我们使用 JWT 在用户和服务器之间传递安全可靠的信息. 我们利用一定的编 ...
- Spring Boot Shiro 使用教程
Apache Shiro 已经大名鼎鼎,搞 Java 的没有不知道的,这类似于 .Net 中的身份验证 form 认证.跟 .net core 中的认证授权策略基本是一样的.当然都不知道也没有关系,因 ...
- Spring Boot 2.x整合Redis
最近在学习Spring Boot 2.x整合Redis,在这里和大家分享一下,希望对大家有帮助. Redis是什么 Redis 是开源免费高性能的key-value数据库.有以下的优势(源于Redis ...
- spring boot 2.0 整合 elasticsearch6.5.3,spring boot 2.0 整合 elasticsearch NoNodeAvailableException
原文地址:spring boot 2.0 整合 elasticsearch NoNodeAvailableException 原文说的有点问题,下面贴出我的配置: 原码云项目地址:https://gi ...
- Spring Boot入门 and Spring Boot与ActiveMQ整合
1.Spring Boot入门 1.1什么是Spring Boot Spring 诞生时是 Java 企业版(Java Enterprise Edition,JEE,也称 J2EE)的轻量级代替品.无 ...
- Spring Boot和Dubbo整合
provider端 POM依赖 <dependencies> <dependency> <groupId>org.springframework.boot</ ...
随机推荐
- 查看linux系统安装的服务
如何查看linux系统安装了哪些服务呢,因不同版本的操作系统可能使用的命令不一样或者有些命令在某些操作系统不可用,现列举一些常用查看命令(基于我的linux版本). 我的操作系统版本如下: 1.ser ...
- linux 上安装 keepalive
1.keepalive 单机安装 1.1 安装环境 yum -y install kernel-devel* openssl-* popt-devel lrzsz openssh-clients li ...
- 高性能JAVA开发之内存管理
这几天在找一个程序的bug,主要是java虚拟机内存溢出的问题,调研了一些java内存管理的资料,现整理如下: 一.JVM中的对象生命周期 对象的生命周期一般分为7个阶段:创建阶段,应用阶段,不可视阶 ...
- Excel-DNA项目只用1个文件实现Ribbon CustomUI和CustomTaskpane定制【C#版】
Excel-DNA项目中的自定义功能区和自定义任务窗格需要用到各种命名空间.添加所需文件,才能实现.后来我发现可以把所有代码都写在Class1.cs这个默认文件中. 大家可以在Visual Studi ...
- 3)ARP到底属于网络层还是链路层
说白了 就是有些协议起到了承上启下的作用 比较模糊 很难给出一个精确的定位
- curl操作和file_get_contents() 比较
1 . curl需要php开启php_curl开启扩展 $ch = curl_init(); $timeout = 5; curl_setopt ($ch, CURLOPT_URL, 'http:// ...
- python3的数据类型转换问题
问题描述:在自我学习的过程中,写了个登陆,在input处,希望能够对数据类型进行判断,但是因为python3的输入的数据会被系统默认为字符串,也就是1,1.2,a.都会被系统默认为字符串,这个心塞啊, ...
- 深度学习之TensorFlow安装与初体验
深度学习之TensorFlow安装与初体验 学习前 搞懂一些关系和概念 首先,搞清楚一个关系:深度学习的前身是人工神经网络,深度学习只是人工智能的一种,深层次的神经网络结构就是深度学习的模型,浅层次的 ...
- js如何深度克隆
var json = {a:6,b:4,c:[1,2,3]}; var json2 = clone(json); function clone(obj){ var oNew = new obj.con ...
- 在 mac osx 上安装OpenOffice并以服务的方式启动
OpenOffice是Apache基金会旗下的一款先进的开源办公软件套件,包含文本文档.电子表格.演示文稿.绘图.数据库等.包含Microsoft office所有功能.它不仅可以作为桌面应用供普通用 ...