springboot shiro cas整合
- pom.xml中引入如下jar
- 在application.yml中增加cas配置
- 增加ShiroCasConfig.java配置类
- 自定义MyShiroCasRealm.java继承CasRealm
- cas退出过滤器LogoutFilter.java
pom.xml中引入如下jar
<!--shiro 和 cas单点登录--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-cas</artifactId> <version>1.3.2</version> <!--Spring Boot 内嵌Tomcat不能有servlet依赖,需要将其排除掉--> <exclusions> <exclusion> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> </exclusion> <exclusion> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> </exclusion> </exclusions> </dependency>
在application.yml中增加cas配置
#cas配置 cas: serverUrl: http://educas1.dongao.com/cas #cas server地址,外网访问需用外网IP,可以写域名 service-project: http://springboss.dongao.com loginSuccessUrl: /index #登录成功地址 unauthorizedUrl: /unauth #权限认证失败跳转地址 casLogoutUrl: /logout #退出登录地址 casFilterUrlPattern: / #当前项目地址,外网访问需用外网IP session-expireTime: 30 # Session超时时间(默认30分钟) ehCacheSwitch: true #shiro ehCache是否开启
增加ShiroCasConfig.java配置类
package com.dongao.framework.config; import at.pollux.thymeleaf.shiro.dialect.ShiroDialect; import com.dongao.common.utils.spring.SpringUtils; import com.dongao.framework.config.properties.CasProperties; import com.dongao.framework.shiro.realm.MyShiroCasRealm; import com.dongao.framework.shiro.session.OnlineSessionDAO; import com.dongao.framework.shiro.session.OnlineSessionFactory; import com.dongao.framework.shiro.web.filter.LogoutFilter; import com.dongao.framework.shiro.web.session.OnlineWebSessionManager; import org.apache.shiro.cache.ehcache.EhCacheManager; import org.apache.shiro.cas.CasFilter; import org.apache.shiro.cas.CasSubjectFactory; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.jasig.cas.client.session.SingleSignOutFilter; import org.jasig.cas.client.session.SingleSignOutHttpSessionListener; import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.boot.web.servlet.ServletListenerRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; import org.springframework.web.filter.DelegatingFilterProxy; import javax.servlet.Filter; import java.util.HashMap; import java.util.LinkedHashMap; import java.util.Map; /** * shiro+cas配置 * @ClassName ShiroCasConfig * @Version 1.0 * @Date 2019/6/20 0020 下午 2:04 **/ @Configuration public class ShiroCasConfig { /** * 配置的ehcache进行数据的缓存 * * @return */ @Bean public EhCacheManager getEhCacheManager() { EhCacheManager ehCacheManager = new EhCacheManager(); ehCacheManager.setCacheManagerConfigFile("classpath:ehcache/ehcache-shiro.xml"); return ehCacheManager; } @Bean(name = "myShiroCasRealm") public MyShiroCasRealm myShiroCasRealm() { MyShiroCasRealm realm = new MyShiroCasRealm(); return realm; } /** * 设置单点退出的监听器,作用是将所有的过期的session将其从对应的映射关系中移除 * 注册单点登出listener * SingleSignOutHttpSessionListener用于在Cas Client应用中的Session过期时将其从对应的映射关系中移除。 * * @return */ @Bean public ServletListenerRegistrationBean singleSignOutHttpSessionListener() { ServletListenerRegistrationBean bean = new ServletListenerRegistrationBean(); bean.setListener(new SingleSignOutHttpSessionListener()); //bean.setName(""); //默认为bean name bean.setEnabled(true); //设置优先级 bean.setOrder(Ordered.HIGHEST_PRECEDENCE); return bean; } /** * 注册单点登出filter * 设置单点退出的拦截器,在登录的时候,客户端会去服务端进行认证,此时认证成功之后, * 服务端会将地址和ST返回给客户端,而在此时该拦截器会将session跟ST绑定在一起, * 如果访问退出的时候,此时服务端也会将服务地址和ST返回,此时的监听器会将所有的session全部变为失效。 * <p> * SingleSignOutFilter需要配置在所有Filter之前,当Cas Client通过Cas Server登录成功, * Cas Server会携带生成的Service Ticket回调Cas Client, * 此时SingleSignOutFilter会将Service Ticket与当前的Session绑定在一起。 * 当Cas Server在进行logout后回调Cas Client应用时也会携带该Service Ticket, * 此时Cas Client配置的SingleSignOutFilter将会使对应的Session失效,进而达到登出的目的。 * * @return */ @Bean public FilterRegistrationBean singleSignOutFilter() { FilterRegistrationBean bean = new FilterRegistrationBean(); bean.setName("singleSignOutFilter"); bean.setFilter(new SingleSignOutFilter()); //拦截所有的请求 bean.addUrlPatterns("/*"); bean.setEnabled(true); //设置优先级 bean.setOrder(10); return bean; } /** * 退出过滤器 */ public LogoutFilter logoutFilter() { LogoutFilter logoutFilter = new LogoutFilter(); CasProperties casProperties = SpringUtils.getBean(CasProperties.class); String logoutUrl = casProperties.getCasServerUrl() + casProperties.getCasLogoutUrl() + "?service="+casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern(); logoutFilter.setRedirectUrl(logoutUrl); return logoutFilter; } /** * 设置shiro的拦截器工厂类 * 在设置拦截器的时候,需要先执行cas的拦截器,再执行shiro的拦截器 * * @param securityManager * @param casFilter * @return */ @Bean(name = "shiroFilter") public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager, CasFilter casFilter) { CasProperties casProperties = SpringUtils.getBean(CasProperties.class); String loginUrl = casProperties.getCasServerUrl() + "/login?service=" + casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern(); ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); // 必须设置 SecurityManager shiroFilterFactoryBean.setSecurityManager(securityManager); // 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面 shiroFilterFactoryBean.setLoginUrl(loginUrl); // 登录成功后要跳转的连接 shiroFilterFactoryBean.setSuccessUrl(casProperties.getLoginSuccessUrl()); shiroFilterFactoryBean.setUnauthorizedUrl(casProperties.getUnauthorizedUrl()); // 添加casFilter到shiroFilter中,注意,casFilter需要放到shiroFilter的前面 Map<String, Filter> filters = new HashMap(); filters.put("casFilter", casFilter); filters.put("logout",logoutFilter()); shiroFilterFactoryBean.setFilters(filters); loadShiroFilterChain(shiroFilterFactoryBean); return shiroFilterFactoryBean; } /** * 设置配置的触发的地方:用于设置shiro的拦截器,和将每一个拦截器的生命周期交给spring去管理 * 注册DelegatingFilterProxy(Shiro)注册DelegatingFilterProxy(shiro) 是一个代理类,用于管理拦截器的生命周期, * 所有的请求都会拦截 ,在创建的时候,filter的执行会优先于bean的执行,所以需要使用该类先来管理bean * <p> * 该步只是将当前的的生命周期交给了spring管理,具体的管理还是需要下面的LifecycleBeanPostProcessor的对象去进行操作 * * @return */ @Bean public FilterRegistrationBean delegatingFilterProxy() { FilterRegistrationBean filterRegistration = new FilterRegistrationBean(); filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter")); // 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理 //targetFilterLifecycle 指明作用于filter的所有生命周期 filterRegistration.addInitParameter("targetFilterLifecycle", "true"); filterRegistration.setEnabled(true); //拦截所有的请求 filterRegistration.addUrlPatterns("/*"); return filterRegistration; } /** * 上面设置了声明周期,下面进行设置生命周期的自动化 * 设置方法的自动初始化和销毁,init和destory方法被自动调用。 * 注意,如果使用了该类,则不需要手动初始化方法和销毁方法,否则出错 * * @return */ @Bean(name = "lifecycleBeanPostProcessor") public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } /** * 开启注解声明: * 开启shiro aop 的注解支持,使用代理的方式,所以需要开启代码的支持 * * @return */ @Bean public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator(); //设置代理方式,true是cglib的代理方式,false是普通的jdk代理方式 proxyCreator.setProxyTargetClass(true); return proxyCreator; } /** * 开启注解声明: * * @param securityManager * @return */ @Bean public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) { AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor(); advisor.setSecurityManager(securityManager); return advisor; } /** * 自定义sessionDAO会话 */ @Bean public OnlineSessionDAO sessionDAO() { OnlineSessionDAO sessionDAO = new OnlineSessionDAO(); return sessionDAO; } /** * 自定义sessionFactory会话 */ @Bean public OnlineSessionFactory sessionFactory() { OnlineSessionFactory sessionFactory = new OnlineSessionFactory(); return sessionFactory; } /** * 会话管理器 */ @Bean public OnlineWebSessionManager sessionManager() { OnlineWebSessionManager manager = new OnlineWebSessionManager(); // 加入缓存管理器 CasProperties casProperties = SpringUtils.getBean(CasProperties.class); if (casProperties.isEhCacheSwitch()){ manager.setCacheManager(getEhCacheManager()); } // 删除过期的session manager.setDeleteInvalidSessions(true); // 设置全局session超时时间 manager.setGlobalSessionTimeout(casProperties.getSessionExpireTime() * 60 * 1000); // 去掉 JSESSIONID manager.setSessionIdUrlRewritingEnabled(false); // 定义要使用的无效的Session定时调度器 // manager.setSessionValidationScheduler(SpringUtils.getBean(SpringSessionValidationScheduler.class)); // 是否定时检查session manager.setSessionValidationSchedulerEnabled(true); // 自定义SessionDao manager.setSessionDAO(sessionDAO()); // 自定义sessionFactory manager.setSessionFactory(sessionFactory()); return manager; } /** * @param myShiroCasRealm * @return */ @Bean(name = "securityManager") public DefaultWebSecurityManager getDefaultWebSecurityManager(MyShiroCasRealm myShiroCasRealm) { DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager(); dwsm.setRealm(myShiroCasRealm); //用户授权/认证信息Cache, 采用EhCache 缓存 CasProperties casProperties = SpringUtils.getBean(CasProperties.class); if (casProperties.isEhCacheSwitch()){ dwsm.setCacheManager(getEhCacheManager()); } // 指定 SubjectFactory dwsm.setSubjectFactory(new CasSubjectFactory()); // dwsm.setSessionManager(sessionManager()); return dwsm; } /** * thymeleaf模板引擎和shiro框架的整合 */ @Bean public ShiroDialect shiroDialect() { return new ShiroDialect(); } /** * CAS过滤器 * * @return */ @Bean(name = "casFilter") public CasFilter getCasFilter() { CasProperties casProperties = SpringUtils.getBean(CasProperties.class); String loginUrl = casProperties.getCasServerUrl() + "/login?service=" + casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern(); CasFilter casFilter = new CasFilter(); //自动注入拦截器的名称 casFilter.setName("casFilter"); //是否自动的将当前的拦截器进行注入 casFilter.setEnabled(true); // 登录失败后跳转的URL,也就是 Shiro 执行 CasRealm 的 doGetAuthenticationInfo 方法向CasServer验证tiket // 我们选择认证失败后重新登录 casFilter.setFailureUrl(loginUrl); return casFilter; } /** * 加载shiroFilter权限控制规则(从数据库读取然后配置),角色/权限信息由MyShiroCasRealm对象提供doGetAuthorizationInfo实现获取来的 * * @param shiroFilterFactoryBean */ private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) { Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); // authc:该过滤器下的页面必须登录后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter // anon: 可以理解为不拦截 // user: 登录了就不拦截 // roles["admin"] 用户拥有admin角色 // perms["permission1"] 用户拥有permission1权限 // filter顺序按照定义顺序匹配,匹配到就验证,验证完毕结束。 // url匹配通配符支持:? * **,分别表示匹配1个,匹配0-n个(不含子路径),匹配下级所有路径 //1.shiro集成cas后,首先添加该规则 CasProperties casProperties = SpringUtils.getBean(CasProperties.class); filterChainDefinitionMap.put(casProperties.getCasFilterUrlPattern(), "casFilter"); //logut请求采用logout filter //2.不拦截的请求 对静态资源设置匿名访问 filterChainDefinitionMap.put("/favicon.ico**", "anon"); filterChainDefinitionMap.put("/dongao.png**", "anon"); filterChainDefinitionMap.put("/css/**", "anon"); filterChainDefinitionMap.put("/docs/**", "anon"); filterChainDefinitionMap.put("/fonts/**", "anon"); filterChainDefinitionMap.put("/img/**", "anon"); filterChainDefinitionMap.put("/ajax/**", "anon"); filterChainDefinitionMap.put("/js/**", "anon"); filterChainDefinitionMap.put("/dongao/**", "anon"); filterChainDefinitionMap.put("/druid/**", "anon"); filterChainDefinitionMap.put("/captcha/captchaImage**", "anon"); filterChainDefinitionMap.put("/error", "anon"); // 退出 logout地址,shiro去清除session // 此处将logout页面设置为anon,而不是logout,因为logout被单点处理,而不需要再被shiro的logoutFilter进行拦截 filterChainDefinitionMap.put("/logout", "logout"); // 不需要拦截的访问 filterChainDefinitionMap.put("/login", "anon"); //不需要登录拦截的接口 filterChainDefinitionMap.put("/system/api/**","anon"); //3.拦截的请求(从本地数据库获取或者从casserver获取(webservice,http等远程方式),看你的角色权限配置在哪里) filterChainDefinitionMap.put("/user", "authc"); //4.登录过的不拦截 filterChainDefinitionMap.put("/**", "authc"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); } }
代码中读取的配置文件基础内容如下classpath:ehcache/ehcache-shiro.xml
<?xml version="1.0" encoding="UTF-8"?> <ehcache name="dongao" updateCheck="false"> <!-- 磁盘缓存位置 --> <diskStore path="java.io.tmpdir"/> <!-- 默认缓存 --> <defaultCache maxEntriesLocalHeap="1000" eternal="false" timeToIdleSeconds="3600" timeToLiveSeconds="3600" overflowToDisk="false"> </defaultCache> <!-- 登录记录缓存 锁定10分钟 --> <cache name="loginRecordCache" maxEntriesLocalHeap="2000" eternal="false" timeToIdleSeconds="600" timeToLiveSeconds="0" overflowToDisk="false" statistics="true"> </cache> </ehcache>
自定义MyShiroCasRealm.java继承CasRealm
package com.dongao.framework.shiro.realm; import com.dongao.framework.config.properties.CasProperties; import com.dongao.framework.util.RedisUtils; import com.dongao.framework.util.ShiroUtils; import com.dongao.system.domain.SysUser; import com.dongao.system.service.ISysMenuService; import com.dongao.system.service.ISysRoleService; import com.dongao.system.service.ISysUserService; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.cas.CasRealm; import org.apache.shiro.subject.PrincipalCollection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import javax.annotation.PostConstruct; import java.util.HashSet; import java.util.Set; /** * 直接继承CasRealm类,然后CasRealm已经完成了数据的认证工作,我们直接调用父类的功能即可 * @ClassName MyShiroCasRealm * @Version 1.0 * @Date 2019/6/20 0020 下午 1:39 **/ public class MyShiroCasRealm extends CasRealm { private static final Logger logger = LoggerFactory.getLogger(MyShiroCasRealm.class); @Autowired private ISysMenuService menuService; @Autowired private ISysRoleService roleService; @Autowired private ISysUserService userService; @Autowired private CasProperties casProperties; @PostConstruct public void initProperty(){ // cas server地址 setCasServerUrlPrefix(casProperties.getCasServerUrl()); // 客户端回调地址,表示当你认证中心认证完成之后需要访问的service地址 setCasService(casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern()); } /** * 权限认证,为当前登录的Subject授予角色和权限 * 本例中该方法的调用时机为需授权资源被访问时 * 并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache * 如果连续访问同一个URL(比如刷新),该方法不会被重复调用,Shiro有一个时间间隔(也就是cache时间,在ehcache-shiro.xml中配置),超过这个时间间隔再刷新页面,该方法会被执行 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { logger.info("##################Shiro权限认证##################"); // 返回null的话,就会导致任何用户访问被拦截的请求时,都会自动跳转到unauthorizedUrl指定的地址 String loginName = (String) SecurityUtils.getSubject().getPrincipal(); logger.info("授权 loginName:"+loginName); String username = (String) super.getAvailablePrincipal(principalCollection); logger.info("授权 username:"+username); SysUser user = ShiroUtils.getSysUser(); if(user==null){ logger.info("ShiroUtil获取用户为空!"); user = userService.selectUserByLoginName(username); } // 角色列表 Set<String> roles = new HashSet<String>(); // 功能列表 Set<String> menus = new HashSet<String>(); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); // 管理员拥有所有权限 if (user.isAdmin()) { info.addRole("admin"); info.addStringPermission("*:*:*"); } else { roles = roleService.selectRoleKeys(user.getUserId()); menus = menuService.selectPermsByUserId(user.getUserId()); // 角色加入 AuthorizationInfo认证对象 info.setRoles(roles); // 权限加入 AuthorizationInfo认证对象 info.setStringPermissions(menus); } RedisUtils.set("simpleAuthorizationInfo_userId_"+user.getUserId(),info); return info; } /** * 1、CAS认证 ,验证用户身份 * 2、将用户基本信息设置到会话中(不用了,随时可以获取的) */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) { // 调用父类的认证,父类认证已经完成了 AuthenticationInfo authenticationInfo = super.doGetAuthenticationInfo(token); if (authenticationInfo == null) { logger.warn("authenticationInfo为空,可能是退出了!"); return null; } String account = (String) authenticationInfo.getPrincipals().getPrimaryPrincipal(); logger.info("认证 account:"+account); SysUser user = userService.selectUserByLoginName(account); if (user == null){ throw new UnknownAccountException(); } logger.info("认证 user:"+user); logger.info("认证 userId:"+user.getUserId()); SecurityUtils.getSubject().getSession().setAttribute("user", user); SecurityUtils.getSubject().getSession().setAttribute("userId", user.getUserId()); SecurityUtils.getSubject().getSession().setAttribute("username", account); return authenticationInfo; } /** * 清理缓存权限 */ public void clearCachedAuthorizationInfo() { this.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals()); } }
cas退出过滤器LogoutFilter.java
package com.dongao.framework.shiro.web.filter; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletResponse; import com.dongao.framework.util.RedisUtils; import org.apache.shiro.SecurityUtils; import org.apache.shiro.session.SessionException; import org.apache.shiro.subject.Subject; import org.apache.shiro.web.servlet.AdviceFilter; import org.apache.shiro.web.util.WebUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.dongao.common.constant.Constants; import com.dongao.common.utils.MessageUtils; import com.dongao.common.utils.StringUtils; import com.dongao.framework.manager.AsyncManager; import com.dongao.framework.manager.factory.AsyncFactory; import com.dongao.framework.util.ShiroUtils; import com.dongao.system.domain.SysUser; import java.util.Locale; /** * 退出过滤器 * * @author dongao */ public class LogoutFilter extends AdviceFilter { private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class); public static final String DEFAULT_REDIRECT_URL = "/"; private String redirectUrl = "/"; private boolean postOnlyLogout = false; public LogoutFilter() { } @Override protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception { Subject subject = this.getSubject(request, response); if(this.isPostOnlyLogout() && !WebUtils.toHttp(request).getMethod().toUpperCase(Locale.ENGLISH).equals("POST")) { return this.onLogoutRequestNotAPost(request, response); } else { String redirectUrl = this.getRedirectUrl(request, response, subject); try { SysUser user = ShiroUtils.getSysUser(); if (StringUtils.isNotNull(user)) { RedisUtils.del("simpleAuthorizationInfo_userId_"+user.getUserId()); RedisUtils.del("menus_userId_"+user.getUserId()); String loginName = user.getLoginName(); // 记录用户退出日志 AsyncManager.me().execute(AsyncFactory.recordLogininfor(loginName, Constants.LOGOUT, MessageUtils.message("user.logout.success"))); } subject.logout(); } catch (SessionException var6) { log.debug("Encountered session exception during logout. This can generally safely be ignored.", var6); } this.issueRedirect(request, response, redirectUrl); return false; } } protected Subject getSubject(ServletRequest request, ServletResponse response) { return SecurityUtils.getSubject(); } protected void issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl) throws Exception { WebUtils.issueRedirect(request, response, redirectUrl); } protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject) { return this.getRedirectUrl(); } public String getRedirectUrl() { return this.redirectUrl; } public void setRedirectUrl(String redirectUrl) { this.redirectUrl = redirectUrl; } protected boolean onLogoutRequestNotAPost(ServletRequest request, ServletResponse response) { HttpServletResponse httpServletResponse = WebUtils.toHttp(response); httpServletResponse.setStatus(405); httpServletResponse.setHeader("Allow", "POST"); return false; } public boolean isPostOnlyLogout() { return this.postOnlyLogout; } public void setPostOnlyLogout(boolean postOnlyLogout) { this.postOnlyLogout = postOnlyLogout; } /** * 退出后重定向的地址 */ private String loginUrl; public String getLoginUrl() { return loginUrl; } public void setLoginUrl(String loginUrl) { this.loginUrl = loginUrl; } }
注:欢迎讨论指正
