SpringBoot+Shiro+Jwt整合
前言
Apache Shiro :是一个强大且易用的Java安全框架,执行身份认证,授权,密码和会话管理,核心组件:Subject,SecurityManager和Realms;
JWT:JSON Web Token是一种流行的跨域身份验证解决方案,主要是用于客户端与用户端之间信息的传递;
SpringBoot:目前Java主流的一个开发框架,不仅集成Spring框架原有的优秀特性,而且通过简化配置来进一步简化Spring应用的整个搭建和开发过程。
项目下载链接
https://download.csdn.net/download/weixin_40736233/16334422
目录结构
1.pom.xml依赖
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.3.5.RELEASE</version> <relativePath/> </parent> <properties> <!--java_JDK版本--> <java.version>1.8</java.version> <!--maven打包插件--> <maven.plugin.version>3.8.1</maven.plugin.version> <!--编译编码UTF-8--> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <!--输出报告编码UTF-8--> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <!--shiro版本--> <shiro.version>1.6.0</shiro.version> <!--jwt版本--> <java-jwt.version>3.11.0</java-jwt.version> <!--shiro-redis版本--> <shiro-redis.version>3.1.0</shiro-redis.version> <!--json数据格式处理工具--> <fastjson.version>1.2.75</fastjson.version> </properties> <dependencies> <!--集成springmvc框架并实现自动配置 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- Lombok --> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> </dependency> <!-- json --> <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> <version>1.2.75</version> </dependency> <!-- Redis --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-redis</artifactId> </dependency> <!--JWT--> <dependency> <groupId>com.auth0</groupId> <artifactId>java-jwt</artifactId> <version>${java-jwt.version}</version> </dependency> <!--shiro--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>${shiro.version}</version> </dependency> <!-- shiro-redis --> <dependency> <groupId>org.crazycake</groupId> <artifactId>shiro-redis</artifactId> <version>${shiro-redis.version}</version> <exclusions> <exclusion> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> </exclusion> </exclusions> </dependency> <!--commons类--> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-pool2</artifactId> </dependency> </dependencies>
2.application.yml配置
server: port: 7001 servlet: context-path: /sevenhee spring: application: name: shiro redis: host: 127.0.0.1 port: 6379 password: '' jedis: pool: max-active: 8 max-wait: -1 max-idle: 500 min-idle: 0 lettuce: shutdown-timeout: 0 timeout: 2000ms cache: type: redis #自定义属性 custom: jwt: tokenHeader: SevenHee-Token expire_time: 1800000
3.先对我们的处理结果做个统一通用接口返回封装类(Result.Java)
import lombok.Data; import lombok.NoArgsConstructor; import java.io.Serializable; /** * 统一通用接口返回封装类 * * @author xiaosongyue * @date 2021/01/19 09:26:32 */ @Data @NoArgsConstructor public class Result implements Serializable { private static final long serialVersionUID = 1L; /** * 后台是否处理成功(状态) */ private boolean state; /** * 前后端约定的状态码(状态码) */ private int code; /** * 后台响应的信息(处理信息) */ private String message; /** * 后台响应的数据(返回数据) */ private Object data; public static Result success() { Result result = new Result(); result.setState(true); result.setCode(1); result.setMessage("操作成功"); return result; } public static Result success(Object data) { Result result = new Result(); result.setState(true); result.setCode(1); result.setMessage("操作成功"); result.setData(data); return result; } public static Result success(int code, String message) { Result result = new Result(); result.setState(true); result.setCode(code); result.setMessage(message); return result; } public static Result success(int code, String message, Object data) { Result result = new Result(); result.setState(true); result.setCode(code); result.setMessage(message); result.setData(data); return result; } public static Result fail() { Result result = new Result(); result.setState(false); result.setCode(-1); result.setMessage("操作失败"); return result; } public static Result fail(Object data) { Result result = new Result(); result.setState(false); result.setCode(-1); result.setMessage("操作失败"); result.setData(data); return result; } public static Result fail(int code, String message) { Result result = new Result(); result.setState(false); result.setCode(code); result.setMessage(message); return result; } public static Result fail(int code, String message, Object data) { Result result = new Result(); result.setState(false); result.setCode(code); result.setMessage(message); result.setData(data); return result; } }
4.实现shiro的AuthenticationToken接口的,重写Token类型(JwtFilter.java)
import org.apache.shiro.authc.AuthenticationToken; /** * 实现shiro的AuthenticationToken接口的类JwtToken * * @author xiaosongyue * @date 2021/01/21 15:41:20 */ public class JwtToken implements AuthenticationToken{ private String token; public JwtToken(String token) { this.token = token; } @Override public Object getPrincipal() { return token; } @Override public Object getCredentials() { return token; } }
5.编写Jwt的工具类,主要是生成,解析,获取值等功能(JwtUtil.java)
import com.auth0.jwt.JWT; import com.auth0.jwt.JWTVerifier; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.exceptions.JWTDecodeException; import com.auth0.jwt.interfaces.DecodedJWT; import lombok.extern.slf4j.Slf4j; import java.util.Date; /** * JwtUtil:用来进行签名和效验Token * * @author xiaosongyue * @date 2021/01/21 15:41:35 */ @Slf4j public class JwtUtil { /** * JWT验证过期时间 EXPIRE_TIME 分钟 */ private static final long EXPIRE_TIME = 30 * 60 * 1000; /** * 校验token是否正确 * * @param token 密钥 * @param secret 用户的密码 * @return 是否正确 */ public static boolean verify(String token, String username, String secret) { try { //根据密码生成JWT效验器 Algorithm algorithm = Algorithm.HMAC256(secret); JWTVerifier verifier = JWT.require(algorithm) .withClaim("username", username) .build(); //效验TOKEN DecodedJWT jwt = verifier.verify(token); log.info("登录验证成功!"); return true; } catch (Exception exception) { log.error("JwtUtil登录验证失败!"); return false; } } /** * 获得token中的信息无需secret解密也能获得 * * @return token中包含的用户名 */ public static String getUsername(String token) { try { DecodedJWT jwt = JWT.decode(token); return jwt.getClaim("username").asString(); } catch (JWTDecodeException e) { return null; } } /** * 生成token签名EXPIRE_TIME 分钟后过期 * * @param username 用户名(电话号码) * @param secret 用户的密码 * @return 加密的token */ public static String sign(String username, String secret) { Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME); Algorithm algorithm = Algorithm.HMAC256(secret); // 附带username信息 return JWT.create() .withClaim("username", username) .withExpiresAt(date) .sign(algorithm); } }
6.编写JWT的过滤器(JWTFilter.java)
import com.alibaba.fastjson.JSONObject; import com.xsy.sevenhee.common.Result; import lombok.extern.slf4j.Slf4j; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter; import org.springframework.http.HttpStatus; import org.springframework.web.bind.annotation.RequestMethod; import javax.servlet.Filter; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * jwt过滤器 * * @author xiaosongyue * @date 2021/01/21 15:40:42 */ @Slf4j public class JwtFilter extends BasicHttpAuthenticationFilter implements Filter { /** * 执行登录 * * @param request * @param response * @return * @throws Exception */ @Override protected boolean executeLogin(ServletRequest request, ServletResponse response) throws IOException { HttpServletRequest httpServletRequest = (HttpServletRequest) request; String token = httpServletRequest.getHeader("SevenHee-Token"); JwtToken jwtToken = new JwtToken(token); // 提交给realm进行登入,如果错误他会抛出异常并被捕获 try { getSubject(request, response).login(jwtToken); // 如果没有抛出异常则代表登入成功,返回true return true; } catch (AuthenticationException e) { return false; } } /** * 执行登录认证 * * @param request * @param response * @param mappedValue * @return */ @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) { try { return executeLogin(request, response); } catch (Exception e) { log.error("JwtFilter过滤验证失败!"); return false; } } /** * 认证失败时,自定义返回json数据 * * @param request 请求 * @param response 响应 * @return boolean* @throws Exception 异常 */ @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { Result result = Result.fail(-1,"认证失败"); Object parse = JSONObject.toJSON(result); response.setCharacterEncoding("utf-8"); response.getWriter().print(parse); return super.onAccessDenied(request, response); } /** * 对跨域提供支持 * * @param request * @param response * @return * @throws Exception */ @Override protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletResponse httpServletResponse = (HttpServletResponse) response; httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin")); httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE"); httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers")); // 跨域时会首先发送一个option请求,这里我们给option请求直接返回正常状态 if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) { httpServletResponse.setStatus(HttpStatus.OK.value()); return false; } return super.preHandle(request, response); } }
7.shiro配置类(ShiroConfig.java)
tips:主要是用来配置Shiro的相关功能,如拦截过滤路径,密码加密,开启注解,安全管理器
import com.xsy.sevenhee.jwt.JwtFilter; import org.apache.shiro.mgt.DefaultSessionStorageEvaluator; import org.apache.shiro.mgt.DefaultSubjectDAO; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import javax.servlet.Filter; import java.util.HashMap; import java.util.LinkedHashMap; import java.util.Map; /** * shiro配置 * * @author xiaosongyue * @date 2021/03/30 16:37:11 */ @Configuration public class ShiroConfig { @Autowired private ShiroRealm shiroRealm; /** * shiro过滤器工厂 * * @param securityManager 安全管理器 * @return {@link ShiroFilterFactoryBean} */ @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("securityManager") SecurityManager securityManager) { //创建拦截链实例 ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); //设置安全管理器 shiroFilterFactoryBean.setSecurityManager(securityManager); //设置组登录请求,其他路径一律自动跳转到这里 shiroFilterFactoryBean.setLoginUrl("/login"); //未授权跳转路径 shiroFilterFactoryBean.setUnauthorizedUrl("/notRole"); //设置拦截链map LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>(); //放行请求 filterChainDefinitionMap.put("/shiro/getToken", "anon"); //拦截剩下的其他请求 filterChainDefinitionMap.put("/**", "authc"); //设置拦截规则给shiro的拦截链工厂 shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); // 添加自己的自定义拦截器并且取名为jwt Map<String, Filter> filterMap = new HashMap<String, Filter>(1); filterMap.put("jwt", new JwtFilter()); shiroFilterFactoryBean.setFilters(filterMap); //拦截链配置,从上向下顺序执行,一般将jwt过滤器放在最为下边 filterChainDefinitionMap.put("/**", "jwt"); //配置拦截链到过滤器工厂 shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); //返回实例 return shiroFilterFactoryBean; } /** * 安全管理器 * * @return {@link DefaultWebSecurityManager} */ @Bean public DefaultWebSecurityManager securityManager() { //创建默认的web安全管理器 DefaultWebSecurityManager defaultSecurityManager = new DefaultWebSecurityManager(); //配置shiro的自定义认证逻辑 defaultSecurityManager.setRealm(shiroRealm); /* * 关闭shiro自带的session,详情见文档 * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29 */ DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO(); DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator(); defaultSessionStorageEvaluator.setSessionStorageEnabled(false); subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator); defaultSecurityManager.setSubjectDAO(subjectDAO); //返回安全管理器实例 return defaultSecurityManager; } /** * 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions) * @return */ @Bean public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){ DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator(); advisorAutoProxyCreator.setProxyTargetClass(true); return advisorAutoProxyCreator; } /** * 开启aop注解支持 * @param securityManager * @return */ @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(securityManager); return authorizationAttributeSourceAdvisor; } }
8.shiro自定义认证逻辑类(ShiroRealm)
tips:自定义的Realm类,主要是用来对用进行用户认证以及权限认证
import com.xsy.sevenhee.jwt.JwtToken; import com.xsy.sevenhee.jwt.JwtUtil; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.stereotype.Component; import java.util.HashSet; import java.util.concurrent.TimeUnit; /** * shiro自定义认证逻辑 * * @author xiaosongyue * @date 2021/03/30 16:52:06 */ @Component public class ShiroRealm extends AuthorizingRealm { @Autowired private RedisTemplate redisTemplate; /** * redis过期时间设置 */ @Value("${custom.jwt.expire_time}") private long expireTime; /** * 设置对应的token类型 * 必须重写此方法,不然Shiro会报错 * * @param token 令牌 * @return boolean */ @Override public boolean supports(AuthenticationToken token) { return token instanceof JwtToken; } /** * 授权认证 * * @param principalCollection 主要收集 * @return {@link AuthorizationInfo} */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { //权限认证 System.out.println("开始进行权限认证............."); //获取用户名 String token = (String) SecurityUtils.getSubject().getPrincipal(); String username = JwtUtil.getUsername(token); //模拟数据库校验,写死用户名xsy,其他用户无法登陆成功 if (!"xsy".equals(username)) { return null; } //创建授权信息 SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); //创建set集合,存储权限 HashSet<String> rootSet = new HashSet<>(); //添加权限 rootSet.add("user:show"); rootSet.add("user:admin"); //设置权限 info.setStringPermissions(rootSet); //返回权限实例 return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { System.out.println("开始身份认证....................."); //获取token String token = (String) authenticationToken.getCredentials(); //创建字符串,存储用户信息 String username = null; try { //获取用户名 username = JwtUtil.getUsername(token); } catch (AuthenticationException e) { throw new AuthenticationException("heard的token拼写错误或者值为空"); } if (username == null) { throw new AuthenticationException("token无效"); } // 校验token是否超时失效 & 或者账号密码是否错误 if (!jwtTokenRefresh(token, username, "123")) { throw new AuthenticationException("Token失效,请重新登录!"); } //返回身份认证信息 return new SimpleAuthenticationInfo(token, token, "my_realm"); } /** * jwt刷新令牌 * * @param token 令牌 * @param userName 用户名 * @param passWord 通过单词 * @return boolean */ public boolean jwtTokenRefresh(String token, String userName, String passWord) { String redisToken = (String) redisTemplate.opsForValue().get(token); if (redisToken != null) { if (!JwtUtil.verify(redisToken, userName, passWord)) { String newToken = JwtUtil.sign(userName, passWord); //设置redis缓存 redisTemplate.opsForValue().set(token, newToken, expireTime * 2 / 1000, TimeUnit.SECONDS); } return true; } return false; } }
9.创建测试类(ShiroController.java)
import com.xsy.sevenhee.common.Result; import com.xsy.sevenhee.jwt.JwtUtil; import org.apache.shiro.authz.annotation.RequiresPermissions; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.data.redis.core.RedisTemplate; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; import java.util.concurrent.TimeUnit; /** * shiro控制器 * * @author xiaosongyue * @date 2021/04/01 14:48:40 */ @RestController @RequestMapping("/shiro") public class ShiroController { @Autowired private RedisTemplate redisTemplate; @Value("${custom.jwt.expire_time}") private long expireTime; @RequestMapping("/getToken") public Result getToken(){ String token = JwtUtil.sign("xsy", "123"); redisTemplate.opsForValue().set(token,token, expireTime*2/100, TimeUnit.SECONDS); return Result.success(token); } @RequiresPermissions("user:admin") @RequestMapping("/test") public Result test(){ System.out.println("进入测试,只有带有令牌才可以进入该方法"); return Result.success(1,"访问接口成功"); } }
10.创建springboot的启动类
import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; /** * shiro的应用程序 * * @author xiaosongyue * @date 2021/04/01 14:35:17 */ @SpringBootApplication public class ShiroApplication { public static void main(String[] args) { SpringApplication.run(ShiroApplication.class); } }
11.使用postman进行测试
(1)获取token
(2)携带token访问接口,访问成功
(3)不携带token访问,认证失败
