| Spring Boot+Shiro 实现 Token 的登录和认证 | 您所在的位置:网站首页 › shiro获取当前登录用户 › Spring Boot+Shiro 实现 Token 的登录和认证 |
Spring Boot+Shiro 实现 Token 的登录和认证
|
因为项目要改为单点登录,shiro是通过session进行信息验证的,而且还要保留shiro的权限验证,所以只需要把验证这一部分改为token。 Shiro和token的实现和概念网上有很多,这里就不做讲解了。 本文主要参考了这篇文章https://blog.csdn.net/sqlgao22/article/details/99186391/ 先讲一下大体思路: 1、登录后生成token存入数据库并将token放入cookie,这样好处是浏览器发送请求的时候cookie会被自动带上,前端不用做任何变动。 2、前端每次请求后端,进行验证的时候取出token进行验证。 重点就在于后端的拦截,所以主要讲拦截怎么做的。 登录 @PostMapping("login") @ApiOperation(value = "登录") public Result login(HttpServletRequest request, HttpServletResponse response,@RequestBody LoginDTO login) { //用户登录校验代码 ... //shiro验证和授权 Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(login.getUsername(), login.getPassword()); subject.login(token); //createToken方法:生成token,存入cookie并保存到数据库。 String token1 = sysUserTokenService.createToken(user.getId()); Cookie cookie = new Cookie("token", token1); cookie.setPath("/"); response.addCookie(cookie); //登录成功 return result; }自定义的过滤拦截 package io.renren.modules.security.token; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter; import org.codehaus.groovy.syntax.TokenUtil; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ClientShiroThree extends BasicHttpAuthenticationFilter { @Override protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse response1) throws Exception { HttpServletResponse response = (HttpServletResponse) response1; //验证失败直接返回登录页面 response.sendRedirect("/tlyd/login.html"); return false; } @Override protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse response, Object mappedValue) { HttpServletRequest request = (HttpServletRequest) servletRequest; String token = ""; Cookie[] cookies = request.getCookies(); for (Cookie cookie1 : cookies) { if ("token".equals(cookie1.getName())) { token=cookie1.getValue(); } } if (null == token||"".equals(token)) { System.out.println("-------token为空"); return false; } //验证token的真实性 try { //校验token并返回用户信息user对象 User user=TokenUtil.getTokenBody(token); System.out.println("-------token正确"); //验证通过重新进行授权 Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword()); subject.login(login); } catch (Exception e) { e.printStackTrace(); System.out.println("-------token有问题"); return false; } return true; } }进行shiro配置 package io.renren.modules.security.config; import io.renren.modules.security.realm.UserRealm; import io.renren.modules.security.token.ClientShiroThree; import io.renren.modules.security.token.ShiroSessionManager; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.apache.shiro.web.session.mgt.DefaultWebSessionManager; import org.apache.shiro.web.session.mgt.ServletContainerSessionManager; import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import javax.servlet.Filter; import java.util.LinkedHashMap; import java.util.Map; /** * Shiro的配置文件 * * @author Mark [email protected] */ @Configuration public class ShiroConfig { /** * 单机环境,session交给shiro管理 */ @Bean @ConditionalOnProperty(prefix = "renren", name = "cluster", havingValue = "false") public DefaultWebSessionManager sessionManager(@Value("${renren.globalSessionTimeout:3600}") long globalSessionTimeout){ DefaultWebSessionManager sessionManager = new DefaultWebSessionManager(); sessionManager.setSessionValidationSchedulerEnabled(true); sessionManager.setSessionIdUrlRewritingEnabled(false); sessionManager.setSessionValidationInterval(globalSessionTimeout * 1000); sessionManager.setGlobalSessionTimeout(globalSessionTimeout * 1000); return sessionManager; } /** * 集群环境,session交给spring-session管理 */ @Bean @ConditionalOnProperty(prefix = "renren", name = "cluster", havingValue = "true") public ServletContainerSessionManager servletContainerSessionManager() { return new ServletContainerSessionManager(); } @Bean("securityManager") public SecurityManager securityManager(UserRealm userRealmr) { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(userRealm); return securityManager; } @Bean("shiroFilter") public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean(); shiroFilter.setSecurityManager(securityManager); shiroFilter.setLoginUrl("/login.html"); shiroFilter.setUnauthorizedUrl("/"); //加入刚刚写的自定义的过滤器ClientShiroThree并给了key:client Map filters = shiroFilter.getFilters(); filters.put("client", new ClientShiroThree()); shiroFilter.setFilters(filters); Map filterMap = new LinkedHashMap(); filterMap.put("/swagger/**", "anon"); filterMap.put("/v2/api-docs", "anon"); filterMap.put("/swagger-ui.html", "anon"); filterMap.put("/webjars/**", "anon"); filterMap.put("/swagger-resources/**", "anon"); filterMap.put("/statics/**", "anon"); filterMap.put("/login.html", "anon"); filterMap.put("/login", "anon"); filterMap.put("/favicon.ico", "anon"); filterMap.put("/captcha", "anon"); filterMap.put("/downLoadBrower", "anon"); filterMap.put("/getBaseOrgSource", "anon"); filterMap.put("/common/**", "anon"); filterMap.put("/cadastre/**", "anon"); //注意这里把上面的client进行配置 filterMap.put("/**", "client"); shiroFilter.setFilterChainDefinitionMap(filterMap); return shiroFilter; } @Bean("lifecycleBeanPostProcessor") public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator(); proxyCreator.setProxyTargetClass(true); return proxyCreator; } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor(); advisor.setSecurityManager(securityManager); return advisor; } }这样就可以进行拦截了 ,可以看到下图,获取了前端传来的token
如果要在自定义的拦截器里面注入你的server,直接用@Autowired是无法注入的,可以看一下我这个文章https://blog.csdn.net/qq_36802726/article/details/82841735
|
【本文地址】
公司简介
联系我们