个性
- 齐全应用了 Shiro 的注解配置,放弃高度的灵活性。
- 放弃 Cookie ,Session ,应用JWT进行鉴权,齐全实现无状态鉴权。
- JWT 密钥反对过期工夫。
- 对跨域提供反对。
筹备工作
在开始本教程之前,请保障曾经相熟以下几点。
- Spring Boot 根本语法,至多要懂得
Controller、RestController、Autowired等这些根本正文。其实看看官网的 Getting-Start 教程就差不多了。 - JWT (Json Web Token)的基本概念,并且会简略操作JWT的 JAVA SDK。
- Shiro 的基本操作,看下官网的 10 Minute Tutorial 即可。
- 模仿 HTTP 申请工具,我应用的是 PostMan。
简要的阐明下咱们为什么要用 JWT ,因为咱们要实现齐全的前后端拆散,所以不可能应用 session, cookie 的形式进行鉴权,所以 JWT 就被派上了用场,你能够通过一个加密密钥来进行前后端的鉴权。
程序逻辑
- 咱们 POST 用户名与明码到
/login进行登入,如果胜利返回一个加密 token,失败的话间接返回 401 谬误。 - 之后用户拜访每一个须要权限的网址申请必须在
header中增加Authorization字段,例如Authorization: token,token为密钥。 - 后盾会进行
token的校验,如果有误会间接返回 401。
Token加密阐明
- 携带了
username信息在 token 中。 - 设定了过期工夫。
- 应用用户登入明码对
token进行加密。
Token校验流程
- 取得
token中携带的username信息。 - 进入数据库搜寻这个用户,失去他的明码。
- 应用用户的明码来测验
token是否正确。
筹备Maven文件
新建一个 Maven 工程,增加相干的 dependencies。
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>org.inlighting</groupId> <artifactId>shiro-study</artifactId> <version>1.0-SNAPSHOT</version> <dependencies> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.3.2</version> </dependency> <dependency> <groupId>com.auth0</groupId> <artifactId>java-jwt</artifactId> <version>3.2.0</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <version>1.5.8.RELEASE</version> </dependency> </dependencies> <build> <plugins> <!-- Srping Boot 打包工具 --> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> <version>1.5.7.RELEASE</version> <executions> <execution> <goals> <goal>repackage</goal> </goals> </execution> </executions> </plugin> <!-- 指定JDK编译版本 --> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <configuration> <source>1.8</source> <target>1.8</target> <encoding>UTF-8</encoding> </configuration> </plugin> </plugins> </build></project>留神指定JDK版本和编码。
构建繁难的数据源
为了缩减教程的代码,我应用 HashMap 本地模仿了一个数据库,构造如下:
| username | password | role | permission |
|---|---|---|---|
| smith | smith123 | user | view |
| danny | danny123 | admin | view,edit |
这是一个最简略的用户权限表,如果想更加进一步理解,自行百度 RBAC。
之后再构建一个 UserService 来模仿数据库查问,并且把后果放到 UserBean 之中。
UserService.java
@Componentpublic class UserService { public UserBean getUser(String username) { // 没有此用户间接返回null if (! DataSource.getData().containsKey(username)) return null; UserBean user = new UserBean(); Map<String, String> detail = DataSource.getData().get(username); user.setUsername(username); user.setPassword(detail.get("password")); user.setRole(detail.get("role")); user.setPermission(detail.get("permission")); return user; }}UserBean.java
public class UserBean { private String username; private String password; private String role; private String permission; public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } public String getPassword() { return password; } public void setPassword(String password) { this.password = password; } public String getRole() { return role; } public void setRole(String role) { this.role = role; } public String getPermission() { return permission; } public void setPermission(String permission) { this.permission = permission; }}配置 JWT
咱们写一个简略的 JWT 加密,校验工具,并且应用用户本人的明码充当加密密钥,这样保障了 token 即便被别人截获也无奈破解。并且咱们在 token 中附带了 username 信息,并且设置密钥5分钟就会过期。
public class JWTUtil { // 过期工夫5分钟 private static final long EXPIRE_TIME = 5*60*1000; /** * 校验token是否正确 * @param token 密钥 * @param secret 用户的明码 * @return 是否正确 */ public static boolean verify(String token, String username, String secret) { try { Algorithm algorithm = Algorithm.HMAC256(secret); JWTVerifier verifier = JWT.require(algorithm) .withClaim("username", username) .build(); DecodedJWT jwt = verifier.verify(token); return true; } catch (Exception exception) { return false; } } /** * 取得token中的信息无需secret解密也能取得 * @return token中蕴含的用户名 */ public static String getUsername(String token) { try { DecodedJWT jwt = JWT.decode(token); return jwt.getClaim("username").asString(); } catch (JWTDecodeException e) { return null; } } /** * 生成签名,5min后过期 * @param username 用户名 * @param secret 用户的明码 * @return 加密的token */ public static String sign(String username, String secret) { try { Date date = new Date(System.currentTimeMillis()+EXPIRE_TIME); Algorithm algorithm = Algorithm.HMAC256(secret); // 附带username信息 return JWT.create() .withClaim("username", username) .withExpiresAt(date) .sign(algorithm); } catch (UnsupportedEncodingException e) { return null; } }}构建URL
ResponseBean.java
既然想要实现 restful,那咱们要保障每次返回的格局都是雷同的,因而我建设了一个 ResponseBean 来对立返回的格局。
public class ResponseBean { // http 状态码 private int code; // 返回信息 private String msg; // 返回的数据 private Object data; public ResponseBean(int code, String msg, Object data) { this.code = code; this.msg = msg; this.data = data; } public int getCode() { return code; } public void setCode(int code) { this.code = code; } public String getMsg() { return msg; } public void setMsg(String msg) { this.msg = msg; } public Object getData() { return data; } public void setData(Object data) { this.data = data; }}自定义异样
为了实现我本人可能手动抛出异样,我本人写了一个 UnauthorizedException.java
public class UnauthorizedException extends RuntimeException { public UnauthorizedException(String msg) { super(msg); } public UnauthorizedException() { super(); }}URL构造
| URL | 作用 |
|---|---|
| /login | 登入 |
| /article | 所有人都能够拜访,然而用户与游客看到的内容不同 |
| /require_auth | 登入的用户才能够进行拜访 |
| /require_role | admin的角色用户才能够登入 |
| /require_permission | 领有view和edit权限的用户才能够拜访 |
Controller
@RestControllerpublic class WebController { private static final Logger LOGGER = LogManager.getLogger(WebController.class); private UserService userService; @Autowired public void setService(UserService userService) { this.userService = userService; } @PostMapping("/login") public ResponseBean login(@RequestParam("username") String username, @RequestParam("password") String password) { UserBean userBean = userService.getUser(username); if (userBean.getPassword().equals(password)) { return new ResponseBean(200, "Login success", JWTUtil.sign(username, password)); } else { throw new UnauthorizedException(); } } @GetMapping("/article") public ResponseBean article() { Subject subject = SecurityUtils.getSubject(); if (subject.isAuthenticated()) { return new ResponseBean(200, "You are already logged in", null); } else { return new ResponseBean(200, "You are guest", null); } } @GetMapping("/require_auth") @RequiresAuthentication public ResponseBean requireAuth() { return new ResponseBean(200, "You are authenticated", null); } @GetMapping("/require_role") @RequiresRoles("admin") public ResponseBean requireRole() { return new ResponseBean(200, "You are visiting require_role", null); } @GetMapping("/require_permission") @RequiresPermissions(logical = Logical.AND, value = {"view", "edit"}) public ResponseBean requirePermission() { return new ResponseBean(200, "You are visiting permission require edit,view", null); } @RequestMapping(path = "/401") @ResponseStatus(HttpStatus.UNAUTHORIZED) public ResponseBean unauthorized() { return new ResponseBean(401, "Unauthorized", null); }}解决框架异样
之前说过 restful 要对立返回的格局,所以咱们也要全局解决 Spring Boot 的抛出异样。利用 @RestControllerAdvice 能很好的实现。
@RestControllerAdvicepublic class ExceptionController { // 捕获shiro的异样 @ResponseStatus(HttpStatus.UNAUTHORIZED) @ExceptionHandler(ShiroException.class) public ResponseBean handle401(ShiroException e) { return new ResponseBean(401, e.getMessage(), null); } // 捕获UnauthorizedException @ResponseStatus(HttpStatus.UNAUTHORIZED) @ExceptionHandler(UnauthorizedException.class) public ResponseBean handle401() { return new ResponseBean(401, "Unauthorized", null); } // 捕获其余所有异样 @ExceptionHandler(Exception.class) @ResponseStatus(HttpStatus.BAD_REQUEST) public ResponseBean globalException(HttpServletRequest request, Throwable ex) { return new ResponseBean(getStatus(request).value(), ex.getMessage(), null); } private HttpStatus getStatus(HttpServletRequest request) { Integer statusCode = (Integer) request.getAttribute("javax.servlet.error.status_code"); if (statusCode == null) { return HttpStatus.INTERNAL_SERVER_ERROR; } return HttpStatus.valueOf(statusCode); }}配置 Shiro
大家能够先看下官网的 Spring-Shiro 整合教程,有个初步的理解。不过既然咱们用了 Spring-Boot,那咱们必定要争取零配置文件。
实现JWTToken
JWTToken 差不多就是 Shiro 用户名明码的载体。因为咱们是前后端拆散,服务器无需保留用户状态,所以不须要 RememberMe 这类性能,咱们简略的实现下 AuthenticationToken 接口即可。因为 token 本人曾经蕴含了用户名等信息,所以这里我就弄了一个字段。如果你喜爱钻研,能够看看官网的 UsernamePasswordToken 是如何实现的。
public class JWTToken implements AuthenticationToken { // 密钥 private String token; public JWTToken(String token) { this.token = token; } @Override public Object getPrincipal() { return token; } @Override public Object getCredentials() { return token; }}实现Realm
realm 的用于解决用户是否非法的这一块,须要咱们本人实现。
@Servicepublic class MyRealm extends AuthorizingRealm { private static final Logger LOGGER = LogManager.getLogger(MyRealm.class); private UserService userService; @Autowired public void setUserService(UserService userService) { this.userService = userService; } /** * 大坑!,必须重写此办法,不然Shiro会报错 */ @Override public boolean supports(AuthenticationToken token) { return token instanceof JWTToken; } /** * 只有当须要检测用户权限的时候才会调用此办法,例如checkRole,checkPermission之类的 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { String username = JWTUtil.getUsername(principals.toString()); UserBean user = userService.getUser(username); SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(); simpleAuthorizationInfo.addRole(user.getRole()); Set<String> permission = new HashSet<>(Arrays.asList(user.getPermission().split(","))); simpleAuthorizationInfo.addStringPermissions(permission); return simpleAuthorizationInfo; } /** * 默认应用此办法进行用户名正确与否验证,谬误抛出异样即可。 */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException { String token = (String) auth.getCredentials(); // 解密取得username,用于和数据库进行比照 String username = JWTUtil.getUsername(token); if (username == null) { throw new AuthenticationException("token invalid"); } UserBean userBean = userService.getUser(username); if (userBean == null) { throw new AuthenticationException("User didn't existed!"); } if (! JWTUtil.verify(token, username, userBean.getPassword())) { throw new AuthenticationException("Username or password error"); } return new SimpleAuthenticationInfo(token, token, "my_realm"); }}在 doGetAuthenticationInfo() 中用户能够自定义抛出很多异样,详情见文档。
重写 Filter
所有的申请都会先通过 Filter,所以咱们继承官网的 BasicHttpAuthenticationFilter ,并且重写鉴权的办法。
代码的执行流程 preHandle -> isAccessAllowed -> isLoginAttempt -> executeLogin 。
public class JWTFilter extends BasicHttpAuthenticationFilter { private Logger LOGGER = LoggerFactory.getLogger(this.getClass()); /** * 判断用户是否想要登入。 * 检测header外面是否蕴含Authorization字段即可 */ @Override protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) { HttpServletRequest req = (HttpServletRequest) request; String authorization = req.getHeader("Authorization"); return authorization != null; } /** * */ @Override protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception { HttpServletRequest httpServletRequest = (HttpServletRequest) request; String authorization = httpServletRequest.getHeader("Authorization"); JWTToken token = new JWTToken(authorization); // 提交给realm进行登入,如果谬误他会抛出异样并被捕捉 getSubject(request, response).login(token); // 如果没有抛出异样则代表登入胜利,返回true return true; } /** * 这里咱们具体阐明下为什么最终返回的都是true,即容许拜访 * 例如咱们提供一个地址 GET /article * 登入用户和游客看到的内容是不同的 * 如果在这里返回了false,申请会被间接拦挡,用户看不到任何货色 * 所以咱们在这里返回true,Controller中能够通过 subject.isAuthenticated() 来判断用户是否登入 * 如果有些资源只有登入用户能力拜访,咱们只须要在办法下面加上 @RequiresAuthentication 注解即可 * 然而这样做有一个毛病,就是不可能对GET,POST等申请进行别离过滤鉴权(因为咱们重写了官网的办法),但实际上对利用影响不大 */ @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { if (isLoginAttempt(request, response)) { try { executeLogin(request, response); } catch (Exception e) { response401(request, response); } } return true; } /** * 对跨域提供反对 */ @Override protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletResponse httpServletResponse = (HttpServletResponse) response; httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin")); httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE"); httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers")); // 跨域时会首先发送一个option申请,这里咱们给option申请间接返回失常状态 if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) { httpServletResponse.setStatus(HttpStatus.OK.value()); return false; } return super.preHandle(request, response); } /** * 将非法申请跳转到 /401 */ private void response401(ServletRequest req, ServletResponse resp) { try { HttpServletResponse httpServletResponse = (HttpServletResponse) resp; httpServletResponse.sendRedirect("/401"); } catch (IOException e) { LOGGER.error(e.getMessage()); } }}getSubject(request, response).login(token); 这一步就是提交给了 realm 进行解决。
配置Shiro
@Configurationpublic class ShiroConfig { @Bean("securityManager") public DefaultWebSecurityManager getManager(MyRealm realm) { DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); // 应用本人的realm manager.setRealm(realm); /* * 敞开shiro自带的session,详情见文档 * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29 */ DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO(); DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator(); defaultSessionStorageEvaluator.setSessionStorageEnabled(false); subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator); manager.setSubjectDAO(subjectDAO); return manager; } @Bean("shiroFilter") public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) { ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean(); // 增加本人的过滤器并且取名为jwt Map<String, Filter> filterMap = new HashMap<>(); filterMap.put("jwt", new JWTFilter()); factoryBean.setFilters(filterMap); factoryBean.setSecurityManager(securityManager); factoryBean.setUnauthorizedUrl("/401"); /* * 自定义url规定 * http://shiro.apache.org/web.html#urls- */ Map<String, String> filterRuleMap = new HashMap<>(); // 所有申请通过咱们本人的JWT Filter filterRuleMap.put("/**", "jwt"); // 拜访401和404页面不通过咱们的Filter filterRuleMap.put("/401", "anon"); factoryBean.setFilterChainDefinitionMap(filterRuleMap); return factoryBean; } /** * 上面的代码是增加注解反对 */ @Bean @DependsOn("lifecycleBeanPostProcessor") public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator(); // 强制应用cglib,避免反复代理和可能引起代理出错的问题 // https://zhuanlan.zhihu.com/p/29161098 defaultAdvisorAutoProxyCreator.setProxyTargetClass(true); return defaultAdvisorAutoProxyCreator; } @Bean public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) { AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor(); advisor.setSecurityManager(securityManager); return advisor; }}外面 URL 规定本人参考文档即可 http://shiro.apache.org/web.html 。
总结
我就说下代码还有哪些能够提高的中央吧
- 没有实现 Shiro 的
Cache性能。 - Shiro 中鉴权失败时不可能间接返回 401 信息,而是通过跳转到
/401地址实现。
github地址及其起源:https://github.com/Smith-Crui...