社区微信群开通啦,扫一扫抢先加入社区官方微信群
社区微信群
<!--Shiro核心框架 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
<exclusions>
<exclusion>
<artifactId>commons-collections</artifactId>
<groupId>commons-collections</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- Shiro使用Srping框架 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>3.0.1</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-redis</artifactId>
<version>2.1.3.RELEASE</version>
</dependency>
<!--shiro redis-->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>2.4.2.1-RELEASE</version>
<exclusions>
<exclusion>
<artifactId>shiro-core</artifactId>
<groupId>org.apache.shiro</groupId>
</exclusion>
</exclusions>
</dependency>
import com.alibaba.fastjson.JSONObject;
import com.dongao.support.utils.Properties2YmlUtils;
import com.ruoyi.common.constant.Constants;
import com.ruoyi.common.utils.MessageUtils;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.http.HttpUtils;
import com.ruoyi.common.utils.security.RedisUtils;
import com.ruoyi.common.utils.security.ShiroCasUtils;
import com.ruoyi.framework.config.properties.CasProperties;
import com.ruoyi.framework.manager.AsyncManager;
import com.ruoyi.framework.manager.factory.AsyncFactory;
import com.ruoyi.project.system.menu.service.IMenuService;
import com.ruoyi.project.system.role.service.IRoleService;
import com.ruoyi.project.system.user.domain.User;
import com.ruoyi.project.system.user.service.IUserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cas.CasRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import javax.annotation.PostConstruct;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
* 直接继承CasRealm类,然后CasRealm已经完成了数据的认证工作,我们直接调用父类的功能即可
* @ClassName MyShiroCasRealm
* @Author zhangcongming
* @Version 1.0
**/
public class MyShiroCasRealm extends CasRealm {
private static final Logger logger = LoggerFactory.getLogger(MyShiroCasRealm.class);
private final String projectName = Properties2YmlUtils.getCommonYml("project.name");
@Autowired
private IMenuService menuService;
@Autowired
private IRoleService roleService;
@Autowired
private IUserService userService;
@Autowired
private CasProperties casProperties;
@PostConstruct
public void initProperty(){
// cas server地址
setCasServerUrlPrefix(casProperties.getCasServerUrl());
// 客户端回调地址,表示当你认证中心认证完成之后需要访问的service地址
setCasService(casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern());
}
/**
* 权限认证,为当前登录的Subject授予角色和权限
* 本例中该方法的调用时机为需授权资源被访问时
* 并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache
* 如果连续访问同一个URL(比如刷新),该方法不会被重复调用,Shiro有一个时间间隔(也就是cache时间,在ehcache-shiro.xml中配置),超过这个时间间隔再刷新页面,该方法会被执行
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
logger.info("##################Shiro--权限认证##################");
User user = ShiroCasUtils.getSysUser();
if(user==null){
logger.info("ShiroCasUtils获取用户为空!");
throw new AuthenticationException("登录用户为空!");
}
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 角色列表
Set<String> roles = new HashSet<String>();
// 功能列表
Set<String> menus = new HashSet<String>();
// 管理员拥有所有权限
if (user.isAdmin()){
info.addRole("admin");
info.addStringPermission("*:*:*");
}else {
roles = roleService.selectRoleKeys(user.getUserId());
menus = menuService.selectPermsByUserId(user.getUserId());
// 角色加入 AuthorizationInfo认证对象
info.setRoles(roles);
// 权限加入 AuthorizationInfo认证对象
info.setStringPermissions(menus);
}
return info;
}
/**
* 1、CAS认证 ,验证用户身份
* 2、将用户基本信息设置到会话中(不用了,随时可以获取的)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
logger.info("##################Shiro--登录认证##################");
// 调用父类的认证,父类认证已经完成了
AuthenticationInfo authenticationInfo = super.doGetAuthenticationInfo(token);
if (authenticationInfo == null) {
logger.warn("authenticationInfo为空,可能是退出了!");
return null;
}
String account = (String) authenticationInfo.getPrincipals().getPrimaryPrincipal();
logger.info("认证 account:"+account);
User user;
user = userService.selectUserByLoginName(account);
if (user == null){
throw new UnknownAccountException();
}
//重写了权限返回值
List<Object> principals = CollectionUtils.asList(new Object[]{user, authenticationInfo.getPrincipals()});
PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, this.getName());
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(principalCollection, authenticationInfo.getCredentials());
return info;
}
/**
* 清理缓存权限(这里是用redis保存的权限)
*/
public void clearCachedAuthorizationInfo()
{
this.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
}
}
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import com.dongao.support.utils.Properties2YmlUtils;
import com.ruoyi.common.utils.security.MyRedisCacheManager;
import com.ruoyi.common.utils.spring.SpringUtils;
import com.ruoyi.framework.config.properties.CasProperties;
import com.ruoyi.framework.config.properties.RedisProperties;
import com.ruoyi.framework.config.properties.ShiroProperties;
import com.ruoyi.framework.shiro.realm.MyShiroCasRealm;
import com.ruoyi.framework.shiro.session.OnlineSessionDAO;
import com.ruoyi.framework.shiro.session.OnlineSessionFactory;
import com.ruoyi.framework.shiro.web.filter.sync.LogoutCasFilter;
import com.ruoyi.framework.shiro.web.session.OnlineWebSessionManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.cas.CasSubjectFactory;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.session.SingleSignOutHttpSessionListener;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* shiro+cas配置
* @ClassName ShiroCasConfig
* @Author zhangcongming
* @Version 1.0
* @Date 2019/6/20 0020 下午 2:04
**/
@Configuration
public class ShiroCasConfig {
private final String keyPrefix = Properties2YmlUtils.getCommonYml("spring.redis.sessionPrefix");
/**
* 配置的redis进行数据的缓存
*
* @return
*/
@Bean(name = "myShiroCasRealm")
public MyShiroCasRealm myShiroCasRealm() {
MyShiroCasRealm realm = new MyShiroCasRealm();
return realm;
}
/**
* 设置单点退出的监听器,作用是将所有的过期的session将其从对应的映射关系中移除
* 注册单点登出listener
* SingleSignOutHttpSessionListener用于在Cas Client应用中的Session过期时将其从对应的映射关系中移除。
*
* @return
*/
@Bean
public ServletListenerRegistrationBean singleSignOutHttpSessionListener() {
ServletListenerRegistrationBean bean = new ServletListenerRegistrationBean();
bean.setListener(new SingleSignOutHttpSessionListener());
//bean.setName(""); //默认为bean name
bean.setEnabled(true);
//设置优先级
bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
return bean;
}
/**
* 注册单点登出filter
* 设置单点退出的拦截器,在登录的时候,客户端会去服务端进行认证,此时认证成功之后,
* 服务端会将地址和ST返回给客户端,而在此时该拦截器会将session跟ST绑定在一起,
* 如果访问退出的时候,此时服务端也会将服务地址和ST返回,此时的监听器会将所有的session全部变为失效。
* <p>
* SingleSignOutFilter需要配置在所有Filter之前,当Cas Client通过Cas Server登录成功,
* Cas Server会携带生成的Service Ticket回调Cas Client,
* 此时SingleSignOutFilter会将Service Ticket与当前的Session绑定在一起。
* 当Cas Server在进行logout后回调Cas Client应用时也会携带该Service Ticket,
* 此时Cas Client配置的SingleSignOutFilter将会使对应的Session失效,进而达到登出的目的。
*
* @return
*/
@Bean
public FilterRegistrationBean singleSignOutFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setName("singleSignOutFilter");
bean.setFilter(new SingleSignOutFilter());
//拦截所有的请求
bean.addUrlPatterns("/*");
bean.setEnabled(true);
//设置优先级
bean.setOrder(10);
return bean;
}
/**
* 退出过滤器
*/
public LogoutCasFilter logoutFilter()
{
LogoutCasFilter logoutFilter = new LogoutCasFilter();
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String logoutUrl = casProperties.getCasServerUrl() + casProperties.getCasLogoutUrl()
+ "?service="+casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
logoutFilter.setRedirectUrl(logoutUrl);
return logoutFilter;
}
/**
* 设置shiro的拦截器工厂类
* 在设置拦截器的时候,需要先执行cas的拦截器,再执行shiro的拦截器
*
* @param securityManager
* @param casFilter
* @return
*/
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager,
CasFilter casFilter) {
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String loginUrl = casProperties.getCasServerUrl() + "/login?service="
+ casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 必须设置 SecurityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
shiroFilterFactoryBean.setLoginUrl(loginUrl);
// 登录成功后要跳转的连接
shiroFilterFactoryBean.setSuccessUrl(casProperties.getLoginSuccessUrl());
shiroFilterFactoryBean.setUnauthorizedUrl(casProperties.getUnauthorizedUrl());
// 添加casFilter到shiroFilter中,注意,casFilter需要放到shiroFilter的前面
Map<String, Filter> filters = new HashMap();
filters.put("casFilter", casFilter);
filters.put("logout",logoutFilter());
shiroFilterFactoryBean.setFilters(filters);
loadShiroFilterChain(shiroFilterFactoryBean);
return shiroFilterFactoryBean;
}
/**
* 设置配置的触发的地方:用于设置shiro的拦截器,和将每一个拦截器的生命周期交给spring去管理
* 注册DelegatingFilterProxy(Shiro)注册DelegatingFilterProxy(shiro) 是一个代理类,用于管理拦截器的生命周期,
* 所有的请求都会拦截 ,在创建的时候,filter的执行会优先于bean的执行,所以需要使用该类先来管理bean
* <p>
* 该步只是将当前的的生命周期交给了spring管理,具体的管理还是需要下面的LifecycleBeanPostProcessor的对象去进行操作
*
* @return
*/
@Bean
public FilterRegistrationBean delegatingFilterProxy() {
FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
// 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
//targetFilterLifecycle 指明作用于filter的所有生命周期
filterRegistration.addInitParameter("targetFilterLifecycle", "true");
filterRegistration.setEnabled(true);
//拦截所有的请求
filterRegistration.addUrlPatterns("/*");
return filterRegistration;
}
/**
* 上面设置了声明周期,下面进行设置生命周期的自动化
* 设置方法的自动初始化和销毁,init和destory方法被自动调用。
* 注意,如果使用了该类,则不需要手动初始化方法和销毁方法,否则出错
*
* @return
*/
@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* 开启注解声明:
* 开启shiro aop 的注解支持,使用代理的方式,所以需要开启代码的支持
*
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
//设置代理方式,true是cglib的代理方式,false是普通的jdk代理方式
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
/**
* 开启注解声明:
*
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
/**
* 配置shiro redisManager
* 使用的是shiro-redis开源插件
* @return
*/
@Bean(name="redisManager")
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
RedisProperties redisProperties = SpringUtils.getBean(RedisProperties.class);
redisManager.setHost(redisProperties.getHostName());
redisManager.setPort(redisProperties.getPort());
// 配置缓存过期时间
redisManager.setExpire(Integer.parseInt(String.valueOf(redisProperties.getExpire())));
redisManager.setTimeout(redisProperties.getTimeout());
redisManager.setPassword(redisProperties.getPassword());
return redisManager;
}
/**
* cacheManager 缓存 redis实现
* 使用的是shiro-redis开源插件
* @return
*/
/*@Bean(name = "shiroRedisCacheManager")
public RedisCacheManager redisCacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
return redisCacheManager;
}*/
/**
* 使用自定义redis缓存管理器
* 解决redis中key为非字符串乱码问题
* @return
*/
@Bean(name = "myRedisCacheManager")
public MyRedisCacheManager myRedisCacheManager() {
MyRedisCacheManager myRedisCacheManager = new MyRedisCacheManager();
return myRedisCacheManager;
}
/**
* RedisSessionDAO shiro sessionDao层的实现 通过redis
* 使用的是shiro-redis开源插件
*/
@Bean
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
redisSessionDAO.setKeyPrefix(keyPrefix);
return redisSessionDAO;
}
/**
* shiro session的管理
*/
@Bean(name = "redisSessionManager")
public DefaultWebSessionManager redisSessionManager() {
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
ShiroProperties shiroProperties = SpringUtils.getBean(ShiroProperties.class);
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionDAO(redisSessionDAO());
//会话超时时间,单位:毫秒
sessionManager.setGlobalSessionTimeout(casProperties.getSessionExpireTime() * 60 * 1000);
//当跳出SHIRO SERVLET时如ERROR-PAGE容器会为JSESSIONID重新分配值导致登录会话丢失
sessionManager.setSessionIdCookie(shrioCookie());
// 删除过期的session
sessionManager.setDeleteInvalidSessions(true);
// 去掉URL中的JSESSIONID
sessionManager.setSessionIdUrlRewritingEnabled(false);
// 是否定时检查session
sessionManager.setSessionValidationSchedulerEnabled(true);
//定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话,单位为毫秒
sessionManager.setSessionValidationInterval(shiroProperties.getSessionValidationInterval() * 60 * 1000);
return sessionManager;
}
/**
* cookie 属性设置
*/
public SimpleCookie shrioCookie()
{
ShiroProperties shiroProperties = SpringUtils.getBean(ShiroProperties.class);
SimpleCookie cookie = new SimpleCookie("shiroCasCookie");
//如果是单点登录,各个系统要设置相同的父域名public.com,否则会出现每进入一个子系统都会生成一个session,
//也就是session没有实现共享,在退出后,子系统中用户还有残留!
cookie.setDomain(“public.com”);
//JSESSIONID的path为/用于多个系统共享JSESSIONID
cookie.setPath(shiroProperties.getPath());
//浏览器中通过document.cookie可以获取cookie属性,设置了HttpOnly=true,在脚本中就不能得到cookie,可以避免cookie被盗用
cookie.setHttpOnly(shiroProperties.isHttpOnly());
/*maxAge=-1表示浏览器关闭时失效此Cookie*/
cookie.setMaxAge(shiroProperties.getMaxAge() * 24 * 60 * 60);
return cookie;
}
/**
* @param myShiroCasRealm
* @return
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(MyShiroCasRealm myShiroCasRealm) {
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
//用户授权/认证信息Cache, 采用EhCache 缓存
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
if (casProperties.isEhCacheSwitch()){
dwsm.setCacheManager(myRedisCacheManager());
}
// 指定 SubjectFactory
dwsm.setSubjectFactory(new CasSubjectFactory());
dwsm.setSessionManager(redisSessionManager());
dwsm.setRealm(myShiroCasRealm);
return dwsm;
}
/**
* thymeleaf模板引擎和shiro框架的整合
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
/**
* CAS过滤器
*
* @return
*/
@Bean(name = "casFilter")
public CasFilter getCasFilter() {
CasProperties casProperties = SpringUtils.getBean(CasProperties.class);
String loginUrl = casProperties.getCasServerUrl() + "/login?service=" +
casProperties.getCasServiceProject() + casProperties.getCasFilterUrlPattern();
CasFilter casFilter = new CasFilter();
//自动注入拦截器的名称
casFilter.setName("casFilter");
//是否自动的将当前的拦截器进行注入
casFilter.setEnabled(true);
// 登录失败后跳转的URL,也就是 Shiro 执行 CasRealm 的 doGetAuthenticationInfo 方法向CasServer验证tiket
// 我们选择认证失败后重新登录
casFilter.setFailureUrl(loginUrl);
return casFilter;
}
/**
* 加载shiroFilter权限控制规则(从数据库读取然后配置),角色/权限信息由MyShiroCasRealm对象提供doGetAuthorizationInfo实现获取来的
*
* @param shiroFilterFactoryBean
*/
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
// authc:该过滤器下的页面必须登录后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter
// anon: 可以理解为不拦截
// user: 登录了就不拦截
// roles["admin"] 用户拥有admin角色
// perms["permission1"] 用户拥有permission1权限
// filter顺序按照定义顺序匹配,匹配到就验证,验证完毕结束。
// url匹配通配符支持:? * **,分别表示匹配1个,匹配0-n个(不含子路径),匹配下级所有路径
//1.shiro集成cas后,首先添加该规则
filterChainDefinitionMap.put("/", "casFilter");
//2.不拦截的请求 对静态资源设置匿名访问
filterChainDefinitionMap.put("/favicon.ico**", "anon");
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/docs/**", "anon");
filterChainDefinitionMap.put("/fonts/**", "anon");
filterChainDefinitionMap.put("/img/**", "anon");
filterChainDefinitionMap.put("/ajax/**", "anon");
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/druid/**", "anon");
filterChainDefinitionMap.put("/captcha/captchaImage**", "anon");
filterChainDefinitionMap.put("/error", "anon");
// 退出 logout地址,shiro去清除session
// 此处将logout页面设置为anon,而不是logout,因为logout被单点处理,而不需要再被shiro的logoutFilter进行拦截
filterChainDefinitionMap.put("/logout", "logout");
// 不需要拦截的访问
filterChainDefinitionMap.put("/login", "anon");
//不需要登录拦截的接口
filterChainDefinitionMap.put("/system/api/**","anon");
//3.拦截的请求(从本地数据库获取或者从casserver获取(webservice,http等远程方式),看你的角色权限配置在哪里)
filterChainDefinitionMap.put("/user", "authc");
//4.登录过的不拦截
filterChainDefinitionMap.put("/**", "authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}
}
cookie.setDomain(“public.com”);
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
dwsm.setCacheManager(myRedisCacheManager());
// 指定 SubjectFactory
dwsm.setSubjectFactory(new CasSubjectFactory());
dwsm.setSessionManager(redisSessionManager());
dwsm.setRealm(myShiroCasRealm);
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!
