惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tailwind CSS Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The Cloudflare Blog
J
Java Code Geeks
大猫的无限游戏
大猫的无限游戏
雷峰网
雷峰网
WordPress大学
WordPress大学
Jina AI
Jina AI
IT之家
IT之家
Hugging Face - Blog
Hugging Face - Blog
博客园 - 聂微东
有赞技术团队
有赞技术团队
V
Vulnerabilities – Threatpost
博客园 - 司徒正美
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
S
SegmentFault 最新的问题
C
Cisco Blogs
V
V2EX
博客园 - 三生石上(FineUI控件)
Apple Machine Learning Research
Apple Machine Learning Research
I
Intezer
人人都是产品经理
人人都是产品经理
博客园_首页
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Cyberwarzone
Cyberwarzone
Know Your Adversary
Know Your Adversary
酷 壳 – CoolShell
酷 壳 – CoolShell
Security Latest
Security Latest
V
Visual Studio Blog
S
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 【当耐特】
腾讯CDC
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - Franky
Last Week in AI
Last Week in AI
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
K
Kaspersky official blog
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
量子位
S
Securelist
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tenable Blog
阮一峰的网络日志
阮一峰的网络日志
博客园 - 叶小钗
T
Troy Hunt's Blog

CAYZLH

MacBook上备忘录APP的快捷键和手势 让Google屏蔽某些搜索结果 WSL自定义安装Ubuntu typora自动上传图片配置 自建giscus服务 Windows下结束指定端口的进程 批量修改maven多模块版本号 使用winsw部署SpringBoot项目 Gson简易指南 docker搭建Consul集群 使用Docker部署SpringBoot项目 Docker使用redis镜像 Docker使用rabbitmq Docker使用zookeeper Docker使用MySQL Dockerfile常用指令 Docker免sudo操作 雷鸟电视去广告 使用ADB卸载MIUI系统应用 利用GitHub做图床 将网站变成灰色 Github上传大文件 Android远程调试命令adb vscode快捷键的使用 SpringBoot文件上传异常处理 SpringBoot封装JedisUtils工具类 SpringBoot自动部署脚本 使用Spring读取文件的几种方式 Spring统一异常返回 利用Github做Maven私服 Redis常用指令 Maven常用指令 使用mysqldump导出数据 SpringBoot动态切换多数据源 Java8的日期处理实践 lambda表达式语法 Stream表达式语法 使用Optional优雅地判空 Android Support vs AndroidX 「Vue」Runtime-Complier和Runtime-only的区别 RecyclerView使用记录 动态设置布局之LayoutInflater Redis分布式锁的几种方案 打造一个舒服的写作环境(Hexo) 深入了解与使用ThreadLocal Maven中dependencyManagement的作用 Redis配置认证密码 nginx简单配置示例 Linux(macOS)换源 Linux搭建Git服务器 Linux配置ssh使用公钥登录远程服务器 Linux下find与exec的使用 Linux排查Java问题工具单 Linux常用命令 MySql数据库优化细节 API签名验证方案 Java集合框架 Redis基础知识总结 Spring事务管理 Redis为什么这么快 SpringBoot实现Jwt单点登录 SpringBoot实现Redis分布式锁 Spring面向切面编程(知识梳理) SpringBoot异步请求和异步调用 Mybatis中用到的几种设计模式 Docker Swarm RocketMQ相关流程图/原理图 SonarQube的安装与使用 宝塔面板部署vue项目 Tomcat的三种接收请求处理方式 Docker知识扫盲 安装Jenkins并用于部署SpringBoot项目 Tomcat单机多实例部署 Maven中Scope的分类 Linux搭建frp服务(内网穿透) Redis高逼格指令 Docker私有仓库的搭建与使用 Dockerfile使用介绍 Redis的使用场景 Docker的网络模式
Springboot集成Shiro(前后端分离)
Ant丶 · 2019-04-30 · via CAYZLH

思维导图

Shiro

什么是Shiro

shiro是apache的一个开源框架,是一个权限管理的框架,实现 用户认证、用户授权。

spring中有spring security (原名Acegi),是一个权限框架,它和spring依赖过于紧密,没有shiro使用简单。

shiro不依赖于spring,shiro不仅可以实现 web应用的权限管理,还可以实现c/s系统,分布式系统权限管理,shiro属于轻量框架,越来越多企业项目开始使用shiro。

使用shiro实现系统的权限管理,有效提高开发效率,从而降低开发成本。

用户通过subject登陆,形成一个UsernamePasswordToken,令牌,在域realm里完成认证、授权,成功后加入缓存。(realm可以写、也可以用默认的,也可以写很多个域)

Shiro

Shiro架构

Shiro架构

  • subject:主体,可以是用户也可以是程序,主体要访问系统,系统需要对主体进行认证、授权。

  • securityManager:安全管理器,主体进行认证和授权都是通过securityManager进行。

  • authenticator:认证器,主体进行认证最终通过authenticator进行的。

  • authorizer:授权器,主体进行授权最终通过authorizer进行的。

  • sessionManager:web应用中一般是用web容器对session进行管理,shiro也提供一套session管理的方式。

  • SessionDao: 通过SessionDao管理session数据,针对个性化的session数据存储需要使用sessionDao。

  • cache Manager:缓存管理器,主要对session和授权数据进行缓存,比如将授权数据通过cacheManager进行缓存管理,和ehcache整合对缓存数据进行管理。

  • realm:域,领域,相当于数据源,通过realm存取认证、授权相关数据。

    在realm中存储授权和认证的逻辑。

认证过程

认证过程

认证执行流程

1、通过ini配置文件创建securityManager

2、调用subject.login方法主体提交认证,提交的token

3、securityManager进行认证,securityManager最终由ModularRealmAuthenticator进行认证。

4、ModularRealmAuthenticator调用IniRealm(给realm传入token) 去ini配置文件中查询用户信息

5、IniRealm根据输入的token(UsernamePasswordToken)从 shiro.ini查询用户信息,根据账号查询用户信息(账号和密码)

如果查询到用户信息,就给ModularRealmAuthenticator返回用户信息(账号和密码)
如果查询不到,就给ModularRealmAuthenticator返回null

6、ModularRealmAuthenticator接收IniRealm返回Authentication认证信息

如果返回的认证信息是null,ModularRealmAuthenticator抛出异常(org.apache.shiro.authc.UnknownAccountException)

如果返回的认证信息不是null(说明inirealm找到了用户),对IniRealm返回用户密码 (在ini文件中存在)
和 token中的密码 进行对比,如果不一致抛出异常(org.apache.shiro.authc.IncorrectCredentialsException)

授权流程

授权过程

1、对subject进行授权,调用方法isPermitted(”permission串”)

2、SecurityManager执行授权,通过ModularRealmAuthorizer执行授权

3、ModularRealmAuthorizer执行realm(自定义的Realm)从数据库查询权限数据

调用realm的授权方法:doGetAuthorizationInfo

4、realm从数据库查询权限数据,返回ModularRealmAuthorizer

5、ModularRealmAuthorizer调用PermissionResolver进行权限串比对

6、如果比对后,isPermitted中”permission串”在realm查询到权限数据中,说明用户访问permission串有权限,否则 没有权限,抛出异常。

实现

代码地址:https://github.com/cayzlh/spring-boot-shiro-demo

自定义Realm

CustRealm:

public class CustomRealm extends AuthorizingRealm {

@Autowired
@Lazy
private AuthorizingService authorizingService;









@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = (String) super.getAvailablePrincipal(principalCollection);
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
Set<String> roles = authorizingService.findRoleListByUsername(username);
authorizationInfo.setRoles(roles);
roles.forEach(role -> {
Set<String> permissions = authorizingService.findPermissionsByRole(roles);
authorizationInfo.addStringPermissions(permissions);
});
return authorizationInfo;
}




















@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
String username = token.getUsername();
UserInfo user = authorizingService.selectByUserName(username);
if (null == user) {
throw new UnknownAccountException("doGetAuthenticationInfo() has an UnknownAccountException: "+username);
}
String passwordInToken = new String(token.getPassword());
String passwordInDb = user.getPassword();
if (!StringUtils.equals(passwordInDb, passwordInToken)) {
throw new IncorrectCredentialsException("doGetAuthenticationInfo() has an IncorrectCredentialsException: "+username);
}
return new SimpleAuthenticationInfo(username, passwordInToken, ByteSource.Util.bytes(user.getSalt()), getName());
}
}

自定义SessionManager

在我们项目中, 由于使用前后端分离的架构,所以要自定义Shiro的session管理:

public class CustomSessionManager extends DefaultWebSessionManager {

private static final String HEADER_TOKEN = "token";

private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

public CustomSessionManager() {
super();
}

@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
String id = WebUtils.toHttp(request).getHeader(HEADER_TOKEN);
if (!StringUtils.isEmpty(id)) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
return id;
} else {

return super.getSessionId(request, response);
}
}
}

通过监听请求Header里的token字段,如果有值,则作为shiro的sessionid。

配置Shiro

@Configuration
public class ShiroConfig {

@Bean(name = "customRealm")
public CustomRealm customRealm() {
return new CustomRealm();
}

@Bean(name = "sessionManager")
public SessionManager sessionManager() {
return new CustomSessionManager();
}

@Bean(name = "securityManager")
public DefaultWebSecurityManager defaultWebSecurityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

securityManager.setRealm(customRealm());
securityManager.setSessionManager(sessionManager());
return securityManager;
}

@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}

@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
return shiroFilterFactoryBean;
}

@Bean
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}

@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}

}

其中:

@Bean
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}

@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}

在spring boot中, shiro使用@RequiresRoles,@RequiresPermissions注解无效时,需要添加这两个配置。

其他代码

AuthorizingService:

@Service
public class AuthorizingService {

@Autowired
private UserDao userDao;

@Autowired
private RoleDao roleDao;

@Autowired
private PermissionDao permissionDao;

public UserInfo selectByUserName(String username) {
return userDao.selectByUsername(username);
}

public Set<String> findRoleListByUsername(String username) {
return roleDao.selectByUsername(username);
}

public Set<String> findPermissionsByRole(Set<String> roles) {
HashSet<String> permissions = Sets.newHashSet();
roles.forEach(role -> permissions.addAll(permissionDao.selectByRole(role)));
return permissions;
}

public String login(String username, String password) {
UsernamePasswordToken token = new UsernamePasswordToken(username,
password);
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);
currentUser.getSession().setTimeout(60 * 60 * 1000);
return currentUser.getSession().getId().toString();
}

public void logout() {
Subject currentUser = SecurityUtils.getSubject();
currentUser.logout();
}
}

PermissionDao:

@Repository
public class PermissionDao {

public Set<String> selectByRole(String role) {
switch (role) {
case "admin":
return Sets.newHashSet("Idea", "navicat", "notepad", "webstorm",
"chrome");
case "java":
return Sets.newHashSet("Idea");
case "mysql":
return Sets.newHashSet("navicat");
case "html":
return Sets.newHashSet("notepad");
case "javascript":
return Sets.newHashSet("webstorm");
case "guest":
return Sets.newHashSet("chrome");
default:
return Sets.newHashSet();
}
}
}

RoleDao:

@Repository
public class RoleDao {

public Set<String> selectByUsername(String username) {
switch (username) {
case "zhangsan":
return Sets.newHashSet("admin");
case "lisi":
return Sets.newHashSet("java", "mysql");
case "wangwu":
return Sets.newHashSet("html", "javascript");
default:
return Sets.newHashSet("guest");
}
}

}

UserDao:

@Repository
public class UserDao {

public UserInfo selectByUsername(String username) {

switch (username) {
case "zhangsan":
return UserInfo.builder()
.userName("zhangsan").password("123456").salt("123456")
.build();
case "lisi":
return UserInfo.builder()
.userName("lisi").password("123456").salt("123456")
.build();
case "wangwu":
return UserInfo.builder()
.userName("wangwu").password("123456").salt("123456")
.build();
default:
return null;
}


}

}

这里没有使用数据库, 直接模拟数据库操作。

集群

在实际项目运行中,为了达到高可用的目的,通常要把应用部署在多台服务器上,这个时候就要对session进行集群的管理

添加redis支持

pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>

<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
</dependency>
配置文件
spring:
application:
name: shiro-demo
redis:
host: redistest.xxxx.com
port: 6379
database: 10
password: test@2018
timeout: 180000
jedis:
pool:
max-active: 100
max-wait: 360000
min-idle: 0
max-idle: 100
my:
shiro:
session:
expireTime: 1800
prefix: you-shiro-session
新增Java类:ShiroCacheManager
public class ShiroCacheManager implements CacheManager {

private RedisTemplate redisTemplate;

private int expireTime;

@Override
public <K, V> Cache<K, V> getCache(String name) throws CacheException {
return new ShiroRedisCache<>(name, redisTemplate, expireTime);
}

public ShiroCacheManager(RedisTemplate redisTemplate, int expireTime) {
this.redisTemplate = redisTemplate;
this.expireTime = expireTime;
}

public class ShiroRedisCache<K, V> implements Cache<K, V> {

private String cacheKey;

private RedisTemplate redisTemplate;

private int expireTime;

private ShiroRedisCache(String cacheKey, RedisTemplate redisTemplate, int expireTime) {
this.cacheKey = cacheKey;
this.redisTemplate = redisTemplate;
this.expireTime = expireTime;
}

private Object hashKey(K key) {
if (key instanceof PrincipalCollection) {
PrincipalCollection principalCollection = (PrincipalCollection) key;
return principalCollection.getPrimaryPrincipal().toString();
}
return key;
}

@Override
public V get(K key) throws CacheException {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
Object realKey = hashKey(key);
return boundHashOperations.get(realKey);
}

@Override
public V put(K key, V value) throws CacheException {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
Object realKey = hashKey(key);
boundHashOperations.put((K) realKey, value);
boundHashOperations.expire(expireTime, TimeUnit.SECONDS);
return value;
}

@Override
public V remove(K key) throws CacheException {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
Object realKey = hashKey(key);
V value = boundHashOperations.get(realKey);
boundHashOperations.delete(realKey);
return value;
}

@Override
public void clear() throws CacheException {
redisTemplate.delete(cacheKey);
}

@Override
public int size() {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
return boundHashOperations.size().intValue();
}

@Override
public Set<K> keys() {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
return boundHashOperations.keys();
}

@Override
public Collection<V> values() {
BoundHashOperations<String, K, V> boundHashOperations = redisTemplate.boundHashOps(cacheKey);
return boundHashOperations.values();
}
}
}
新增java类:RedisSessionDAO,继承EnterpriseCacheSessionDAO
public class RedisSessionDAO extends EnterpriseCacheSessionDAO {

private int expireTime;

private String prefix;

private RedisTemplate redisTemplate;

public RedisSessionDAO(RedisTemplate redisTemplate, int expireTime, String prefix) {
this.redisTemplate = redisTemplate;
this.expireTime = expireTime;
this.prefix = prefix;
}

@Override
protected Serializable doCreate(Session session) {
log.info("doCreate({})", session.getId());
Serializable sessionId = super.doCreate(session);
redisTemplate.opsForValue().set(prefix + ":" + sessionId.toString(), session);
return sessionId;
}

@Override
protected Session doReadSession(Serializable sessionId) {
log.info("doReadSession({})", sessionId);
Session session = super.doReadSession(sessionId);
if (session == null) {
session = (Session) redisTemplate.opsForValue().get(prefix + ":" + sessionId.toString());
}
return session;
}

@Override
protected void doUpdate(Session session) {
super.doUpdate(session);
String key = prefix + ":" + session.getId().toString();
if (!redisTemplate.hasKey(key)) {
redisTemplate.opsForValue().set(key, session);
}
redisTemplate.expire(key, expireTime, TimeUnit.SECONDS);
}

@Override
protected void doDelete(Session session) {
log.info("doDelete({})", session.getId());
super.doDelete(session);
redisTemplate.delete(prefix + ":" + session.getId().toString());
}
}
新增Java类:RedisObjectSerializer implements RedisSerializer
public class RedisObjectSerializer implements RedisSerializer<Object> {
private Converter<Object, byte[]> serializer = new SerializingConverter();
private Converter<byte[], Object> deserializer = new DeserializingConverter();
static final byte[] EMPTY_ARRAY = new byte[0];

@Override
public Object deserialize(byte[] bytes) {
if (isEmpty(bytes)) {
return null;
}
try {
return deserializer.convert(bytes);
} catch (Exception ex) {
throw new SerializationException("Cannot deserialize", ex);
}
}

@Override
public byte[] serialize(Object object) {
if (object == null) {
return EMPTY_ARRAY;
}
try {
return serializer.convert(object);
} catch (Exception ex) {
return EMPTY_ARRAY;
}
}

private boolean isEmpty(byte[] data) {
return (data == null || data.length == 0);
}
}
修改ShiroConfig
@Configuration
public class ShiroConfig implements InitializingBean {

@Value("${my.shiro.session.expireTime:1800}")
private int expireTime;

@Value("${my.shiro.session.prefix:you-shiro-session}")
private String prefix;

@Autowired
private RedisTemplate redisTemplate;

@Override
public void afterPropertiesSet() {
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
redisTemplate.setKeySerializer(new StringRedisSerializer());
redisTemplate.setValueSerializer(new RedisObjectSerializer());
redisTemplate.afterPropertiesSet();
}

@Bean
public RedisTemplate redisTemplate() {
return new RedisTemplate();
}

@Bean(name = "shiroCacheManager")
public ShiroCacheManager shiroCacheManager() {
return new ShiroCacheManager(redisTemplate, expireTime);
}

@Bean(name = "redisSessionDAO")
public RedisSessionDAO redisSessionDAO() {
return new RedisSessionDAO(redisTemplate, expireTime, prefix);
}

@Bean(name = "customRealm")
public CustomRealm customRealm() {
return new CustomRealm();
}

@Bean(name = "sessionManager")
public SessionManager sessionManager() {
CustomSessionManager sessionManager = new CustomSessionManager();
sessionManager.setSessionDAO(redisSessionDAO());
return sessionManager;
}

@Bean(name = "securityManager")
public DefaultWebSecurityManager defaultWebSecurityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

securityManager.setRealm(customRealm());

securityManager.setCacheManager(shiroCacheManager());

securityManager.setSessionManager(sessionManager());

return securityManager;
}

@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}

@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
return shiroFilterFactoryBean;
}

@Bean
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}

@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}

}
集群完成

^_^.

经过以上改造,shiro就可以在分布式应用中集群使用。

项目代码,在 with-redis 分支中。

测试

运行Demo,测试登录和请求其他接口:

登录

请求