Shiro是一種簡單的安全框架，可以用來處理系統(tǒng)的登錄和權(quán)限問題。
本篇記錄一下Spring Boot和Shiro集成，并使用Jwt Token進(jìn)行無狀態(tài)登錄的簡單例子。
參考Demo地址，此Demo適合用于SpringBoot小型項(xiàng)目的快速開發(fā)。

環(huán)境

• SpringBoot 版本 1.5.15.RELEASE
  不建議使用2.x版本的Springboot，與1.x相比很多地方代碼有所改動(dòng)，很麻煩。
• Shiro 版本 1.4.0
• IntelliJ IDEA
• jjwt 版本 0.9.0
• lombok（可選）精簡代碼

思路

使用Jwt Token實(shí)現(xiàn)無狀態(tài)登錄
平時(shí)用戶登錄后，服務(wù)器將會(huì)把用戶信息存儲(chǔ)到Session里，在用戶數(shù)量很大的時(shí)候，服務(wù)器負(fù)擔(dān)會(huì)很大。而使用token方式登錄，服務(wù)器不存儲(chǔ)用戶信息，而是將其加密后生成token發(fā)送給請(qǐng)求方，請(qǐng)求方在請(qǐng)求需要權(quán)限的資源時(shí)，將token帶上，服務(wù)器解析token即可知道登錄用戶的信息。

服務(wù)器自動(dòng)刷新token
token需要刷新。對(duì)于活躍的用戶，服務(wù)器自動(dòng)完成刷新token；對(duì)于長期不活躍的用戶，服務(wù)器通過配置的 token有效期 來檢查，如果時(shí)間超過有效期的兩倍，則認(rèn)為該用戶需要重新登錄。

登錄流程

• 用戶通過賬號(hào)密碼登錄
  用戶登錄成功后，服務(wù)器將用戶信息等集合起來做成Jwt Token（字符串），然后將其放入Response里的header，并發(fā)送請(qǐng)求成功的json給請(qǐng)求方。
  請(qǐng)求方接收到請(qǐng)求成功的json信息后，從header中拿出jwt token存儲(chǔ)起來。
• 用戶請(qǐng)求需要驗(yàn)證的資源
  請(qǐng)求方將token放入request的header，并發(fā)送請(qǐng)求。
  服務(wù)器收到請(qǐng)求，檢查request里的token，首先驗(yàn)證token合法性，不合法返回token不合法的json給請(qǐng)求方。
  如果token合法，則檢查token是否過期：
  如果token簽發(fā)時(shí)間到現(xiàn)在，已經(jīng)超過了有效期，卻沒有超過有效期的兩倍，則服務(wù)器自動(dòng)生成新token，將其放入response的header，請(qǐng)求方接收到response后，可以檢查header里是否有token，有則更新一下token預(yù)備下次請(qǐng)求。
  如果token從簽發(fā)時(shí)間到現(xiàn)在，已經(jīng)超過有效期的兩倍，則用戶需要重新登錄。

集成步驟

注意

• @Slf4j(topic = "xxx")注解是lombok集成的日志模塊，可不使用，參考：日志處理方案

數(shù)據(jù)庫建表

思路：
系統(tǒng)里有多個(gè)角色，每個(gè)角色對(duì)于多個(gè)權(quán)限。每個(gè)權(quán)限都是一個(gè)請(qǐng)求url，驗(yàn)證權(quán)限時(shí)，后臺(tái)拿到用戶信息后即可知道該用戶的角色，而后去數(shù)據(jù)庫查詢?cè)摻巧鶕碛械臋?quán)限集合，在其中查找是否存在當(dāng)前請(qǐng)求url，存在說明用戶有訪問該url的權(quán)限，否則沒有權(quán)限

-- Sql -- Mysql Version 5.7 -- author 1802226517@qq.comdrop database if exists `rb_demo`; CREATE DATABASE rb_demoDEFAULT CHARACTER SET utf8COLLATE utf8_general_ci; USE rb_demo;-- ------------------------------ 用戶部分 ------------------------------DROP TABLE IF EXISTS `user`; CREATE TABLE `user` (`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '主鍵',`account` VARCHAR(50) NOT NULL COMMENT '賬號(hào)，唯一',`password` VARCHAR(100) NOT NULL COMMENT '密碼',`name` VARCHAR(100) DEFAULT '默認(rèn)用戶名' COMMENT '昵稱',`role_id` BIGINT UNSIGNED NOT NULL COMMENT '所屬角色id',`status` TINYINT UNSIGNED NOT NULL COMMENT '是否啟用',`is_deleted` TINYINT UNSIGNED NOT NULL COMMENT '是否刪除',`version` BIGINT UNSIGNED NOT NULL COMMENT '版本',`gmt_create` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '創(chuàng)建時(shí)間',`gmt_modified` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新時(shí)間',PRIMARY KEY (`id`),KEY `idx_id` (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用戶表';DROP TABLE IF EXISTS `role`; CREATE TABLE `role` (`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '主鍵',`name` VARCHAR(200) NOT NULL COMMENT '角色名稱',`version` BIGINT UNSIGNED NOT NULL COMMENT '版本',PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色表';DROP TABLE IF EXISTS `permission`; CREATE TABLE `permission` (`id` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '主鍵',`role_id` BIGINT UNSIGNED NOT NULL COMMENT '所屬角色id',`name` VARCHAR(200) NOT NULL COMMENT '權(quán)限名稱',`url` VARCHAR(200) NOT NULL COMMENT '匹配url',`version` BIGINT UNSIGNED NOT NULL COMMENT '版本',PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='權(quán)限表';

建立Springboot項(xiàng)目

組件選擇 web、redis和lombok，Springboot版本選擇 1.5.15.RELEASE
連接數(shù)據(jù)庫參考：Mybatis-Plus

編寫Shiro配置類

ShiroConfig.java 這個(gè)配置類主要配置了Shiro攔截器、自定義的Realm和禁用了Session。
禁用Session方法參考代碼注釋。
為什么要禁用？因?yàn)槲覀儾捎肑wt Token方式完成登錄驗(yàn)證，不需要存用戶信息到Session。

package com.spz.demo.security.shiro.config;import com.spz.demo.security.shiro.filter.ShiroLoginFilter; import com.spz.demo.security.shiro.matcher.PasswordCredentialsMatcher; import com.spz.demo.security.shiro.realm.UserRealm; import com.spz.demo.security.shiro.token.UserAuthenticationToken; import lombok.extern.slf4j.Slf4j; import org.apache.shiro.mgt.DefaultSessionStorageEvaluator; import org.apache.shiro.mgt.DefaultSubjectDAO; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.realm.Realm; import org.apache.shiro.session.mgt.DefaultSessionManager; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.apache.shiro.web.mgt.DefaultWebSubjectFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import javax.servlet.Filter; import java.util.*;/*** Shiro 配置* 禁用 Shiro Session 步驟：* 1. SubjectContext 在創(chuàng)建的時(shí)候，需要關(guān)閉 session 的創(chuàng)建，這個(gè)由 DefaultWebSubjectFactory.createSubject 管理。* 參考自定義類：ASubjectFactory.java* 2. 禁用使用 Sessions 作為存儲(chǔ)策略的實(shí)現(xiàn)，這個(gè)由 securityManager 的 subjectDao.sessionStorageEvaluator 管理* 3. 禁用掉會(huì)話調(diào)度器，這個(gè)由 sessionManager 管理*/ @Slf4j(topic = "SYSTEM_LOG") @Configuration public class ShiroConfig {@Autowiredprivate UserRealm userRealm;/*** Shiro 安全管理器*/@Beanpublic DefaultWebSecurityManager securityManager() {DefaultWebSecurityManager manager = new DefaultWebSecurityManager();// 設(shè)置自定義的 SubjectFactorymanager.setSubjectFactory(subjectFactory());// 設(shè)置自定義的 SessionManagermanager.setSessionManager(sessionManager());// 禁用 Session((DefaultSessionStorageEvaluator)((DefaultSubjectDAO)manager.getSubjectDAO()).getSessionStorageEvaluator()).setSessionStorageEnabled(false);// 設(shè)置自定義的 Realmmanager.setRealms(getRealms());return manager;}/*** 設(shè)置過濾規(guī)則*/@Beanpublic ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();shiroFilterFactoryBean.setSecurityManager(securityManager);//自定義攔截器 參考 ShiroLoginFilter.javaMap<String, Filter> filtersMap = new LinkedHashMap<String, Filter>();filtersMap.put("shiroLoginFilter", new ShiroLoginFilter());//登錄驗(yàn)證攔截器shiroFilterFactoryBean.setFilters(filtersMap);// 所有請(qǐng)求給這個(gè)攔截器處理Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>();filterChainDefinitionMap.put("/**", "shiroLoginFilter");shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);return shiroFilterFactoryBean;}/*** 自定義的 subjectFactory* 禁用了 Session* @return*/@Beanpublic DefaultWebSubjectFactory subjectFactory(){ASubjectFactory mySubjectFactory = new ASubjectFactory();return mySubjectFactory;}/*** session管理器* 禁用了 Session* sessionManager通過sessionValidationSchedulerEnabled禁用掉會(huì)話調(diào)度器，* @return*/@Beanpublic DefaultSessionManager sessionManager(){DefaultSessionManager sessionManager = new DefaultSessionManager();sessionManager.setSessionValidationSchedulerEnabled(false);return sessionManager;}/*** 配置自定義的 Realm* @return*/@Beanpublic Collection<Realm> getRealms(){Collection<Realm> realms = new ArrayList<>();// 配置自定義 UserRealm// 由于UserRealm里使用了自動(dòng)注入，所以這里需要注入Realm而不是new新建userRealm.setAuthenticationTokenClass(UserAuthenticationToken.class);userRealm.setCredentialsMatcher(new PasswordCredentialsMatcher());//使用自定義的密碼匹配器realms.add(userRealm);return realms;} }

ASubjectFactory.java 和ShiroConfig配套使用，用于禁用Session。

package com.spz.demo.security.shiro.config;import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.mgt.DefaultSessionStorageEvaluator; import org.apache.shiro.subject.Subject; import org.apache.shiro.subject.SubjectContext; import org.apache.shiro.web.mgt.DefaultWebSubjectFactory;/*** 自定義的 SubjectFactory* 禁用Session* 對(duì)于無狀態(tài)的TOKEN不創(chuàng)建session 這里都不使用session*/ public class ASubjectFactory extends DefaultWebSubjectFactory {@Overridepublic Subject createSubject(SubjectContext context) {context.setSessionCreationEnabled(Boolean.FALSE);return super.createSubject(context);} }

編寫自定義Shiro攔截器

ShiroLoginFilter.java

• Message類是包裝返回給請(qǐng)求方的類，需要將Message實(shí)例轉(zhuǎn)為json輸出到Response輸出流，參考：[SpringMVC] Web層返回值包裝JSON
• WebUtil.isPublicRequest()方法判斷請(qǐng)求是否為公共請(qǐng)求
  建議將不需要驗(yàn)證權(quán)限的請(qǐng)求設(shè)置一個(gè)前綴，比如/public/，這樣，isPublicRequest方法就可以檢查請(qǐng)求url里是否有/public，有則說明是公共請(qǐng)求，直接放行。
• 所有請(qǐng)求(公共請(qǐng)求除外)都給* onAccessDenied*方法處理
  在onAccessDenied方法里，通過檢查請(qǐng)求url的方式來得知當(dāng)前請(qǐng)求是什么類型的請(qǐng)求。
  如果是登錄請(qǐng)求，則直接放行，因?yàn)榈卿涍壿嫹旁诹薱ontroller層方法。
  如果是其他請(qǐng)求，則需要驗(yàn)證登錄和權(quán)限。
• 檢查用戶是否具備權(quán)限
  將請(qǐng)求url和permission表里的url進(jìn)行匹配，如果存在匹配，則說明有權(quán)限。

package com.spz.demo.security.shiro.filter;import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; import com.spz.demo.security.bean.Message; import com.spz.demo.security.common.MessageCode; import com.spz.demo.security.common.RequestMappingConst; import com.spz.demo.security.common.WebConst; import com.spz.demo.security.entity.Role; import com.spz.demo.security.exception.custom.RoleException; import com.spz.demo.security.util.CommonUtil; import com.spz.demo.security.util.JwtUtil; import com.spz.demo.security.util.WebUtil; import com.spz.demo.security.vo.JwtToken; import lombok.extern.slf4j.Slf4j; import org.apache.shiro.web.filter.AccessControlFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Lazy; import org.springframework.stereotype.Component;import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;/*** 重寫shiro攔截器* 所有請(qǐng)求由此攔截器攔截*/ @Slf4j(topic = "USER_LOG") @Component public class ShiroLoginFilter extends AccessControlFilter {//由于項(xiàng)目啟動(dòng)時(shí)，Shiro加載比其他bean快，所以這里需要加入Lazy注解，在使用時(shí)再加載。否則會(huì)出現(xiàn)jwtUtil為null的情況@Autowired@Lazyprivate JwtUtil jwtUtil;@Overrideprotected boolean isAccessAllowed(ServletRequest request,ServletResponse response, Object mappedValue) {// 判斷請(qǐng)求是否是公共請(qǐng)求，通過請(qǐng)求的url判斷if(WebUtil.isPublicRequest((HttpServletRequest) request)){return true;}return false;// 拒絕，統(tǒng)一交給 onAccessDenied 處理}@Overrideprotected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {HttpServletRequest httpServletRequest = (HttpServletRequest)request;HttpServletResponse httpServletResponse = (HttpServletResponse) response;// ========== 判斷是否是登錄請(qǐng)求，是就放行，登錄處理放在了controller層 ==========if(WebUtil.isLoginRequest(httpServletRequest)){return true;}// ========== 其他請(qǐng)求，都需要驗(yàn)證 ==========//驗(yàn)證是否登錄（檢查json token）if(CommonUtil.isBlank(httpServletRequest.getHeader(WebConst.TOKEN))){// 返回JSON給請(qǐng)求方WebUtil.writeStringToResponse(httpServletResponse,JSON.toJSONString(new Message().setErrorMessage("[" + WebConst.TOKEN + "] 不能為空，請(qǐng)將token存入header")));return false;}String token = httpServletRequest.getHeader(WebConst.TOKEN);JwtToken jwtToken;try {jwtToken = jwtUtil.parseJwt(token);}catch (RoleException re){//出現(xiàn)異常，說明驗(yàn)證失敗Message message = new Message();if(re.getMessage().equals(RoleException.MSG_TOKEN_ERROR)){//token錯(cuò)誤異常message.setMessage(MessageCode.TOKEN_ERROR,RoleException.MSG_TOKEN_ERROR);}else{//token過期異常message.setMessage(MessageCode.TOKEN_OVERDUE,RoleException.MSG_TOKEN_OVERDUE);}WebUtil.writeStringToResponse((HttpServletResponse) response,JSON.toJSONString(message));//返回jsonreturn false;}if(jwtToken.getIsFlushed()){//需要刷新tokenhttpServletResponse.setHeader(WebConst.TOKEN,jwtToken.getToken());// 更新response}// 檢查用戶是否具備權(quán)限if(!jwtToken.hasUrl(((HttpServletRequest) request).getRequestURI())){WebUtil.writeStringToResponse((HttpServletResponse) response,JSON.toJSONString(new Message().setPermissionDeniedMessage("沒有權(quán)限")));return false;}else{//登錄驗(yàn)證通過return true;}} }

編寫自定義的 Realm 類

• Realm類用來給shiro注入認(rèn)證信息和授權(quán)信息，我們需要自定義。
• @Value("${jwt.salt}")是從application.yml中讀取配置

package com.spz.demo.security.shiro.realm;import com.spz.demo.security.common.DatabaseConst; import com.spz.demo.security.entity.User; import com.spz.demo.security.service.UserService; import com.spz.demo.security.shiro.token.UserAuthenticationToken; import lombok.extern.slf4j.Slf4j; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.util.ByteSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Lazy; import org.springframework.stereotype.Component;@Slf4j(topic = "USER_LOG") @Component("userRealm") public class UserRealm extends AuthorizingRealm{@Autowiredprivate UserService userService;@Value("${jwt.salt}")private String jwtSalt;private static final String DEFAULT_JWT_SALT = "asdfh2738yWsdjDfha";//默認(rèn)的鹽/*** 授權(quán)處理* 不使用* @param principals* @return*/@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {return null;}/*** 身份認(rèn)證*/@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {// 獲取用戶String account = (String) authenticationToken.getPrincipal();//這里的user里只有賬號(hào)和未加密的密碼User user = userService.getUserByAccount(account,DatabaseConst.STATUS_ENABLE,DatabaseConst.IS_DETETED_NO);if (user == null) {return null;}else{//這里這樣做是因?yàn)槲倚枰趙eb層可以拿到userID((UserAuthenticationToken)authenticationToken).setUserId(user.getId());//賦值userId}return new SimpleAuthenticationInfo(user,user.getPassword().toCharArray(),ByteSource.Util.bytes((jwtSalt == null ? DEFAULT_JWT_SALT: jwtSalt)),//鹽getName());} }

編寫自定義的 Matcher 類

• AuthenticatingRealm使用CredentialsMatcher進(jìn)行密碼匹配，我們需要自定義

package com.spz.demo.security.shiro.matcher;import com.spz.demo.security.entity.User; import com.spz.demo.security.shiro.token.UserAuthenticationToken; import com.spz.demo.security.util.CommonUtil; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.credential.CredentialsMatcher;/*** 改寫原有的密碼匹配器* 用于賬號(hào)密碼登錄時(shí)的賬密匹配*/ public class PasswordCredentialsMatcher implements CredentialsMatcher {@Overridepublic boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {//賬號(hào)密碼登錄，則token應(yīng)該是自定義的 AccountPasswordAuthenticationTokenif(token instanceof UserAuthenticationToken){//這里檢查賬號(hào)和密碼是否匹配//token是登錄接口那里獲取的，info是通過account獲取到數(shù)據(jù)里的信息//密碼需要進(jìn)行md5處理，因?yàn)閿?shù)據(jù)庫存儲(chǔ)的密碼為密文if(info.getPrincipals().getPrimaryPrincipal() instanceof User){User user = (User)info.getPrincipals().getPrimaryPrincipal();if(token.getPrincipal().equals(user.getAccount()) &&CommonUtil.md5((String) token.getCredentials()).equals(user.getPassword())){return true;}}}return false;} }

編寫自定義的AuthenticationToken類

package com.spz.demo.security.shiro.token;import com.spz.demo.security.entity.User; import lombok.Data; import org.apache.shiro.authc.AuthenticationToken;/*** 用于登錄* 登錄時(shí)給此類的account和password(明文)賦值* 然后在UserRealm里將查詢到的userId賦值給此類里的userId。controller層需要id*/ @Data public class UserAuthenticationToken implements AuthenticationToken {private Long userId;//用戶在數(shù)據(jù)庫中的idprivate String account;private String password;public UserAuthenticationToken(String account, String password){this.account = account;this.password = password;}/*** 返回 account* @return*/@Overridepublic Object getPrincipal() {return this.account;}/*** 返回 password* @return*/@Overridepublic Object getCredentials() {return this.password;} }

編寫Jwt Token工具類

package com.spz.demo.security.util;import com.alibaba.fastjson.JSONObject; import com.fasterxml.jackson.databind.ObjectMapper; import com.spz.demo.security.exception.custom.RoleException; import com.spz.demo.security.vo.JwtToken; import io.jsonwebtoken.*; import io.jsonwebtoken.impl.DefaultHeader; import io.jsonwebtoken.impl.DefaultJwsHeader; import io.jsonwebtoken.impl.TextCodec; import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver; import io.jsonwebtoken.lang.Assert; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils; import sun.java2d.pipe.AlphaPaintPipe;import javax.swing.event.CaretListener; import javax.xml.bind.DatatypeConverter; import java.io.IOException; import java.util.*;/*** jwt 工具類** @author zp*/ @Slf4j(topic = "SYSTEM_LOG") @Component public class JwtUtil {@Value("${jwt.appKey}")private String appKey;//app key，用于加密@Value("${jwt.period}")private Long period;//token有效時(shí)間@Value(("${jwt.issuer}"))private String issuer;//jwt token 簽發(fā)人public static final long DEFAULT_PERIOD = 60*60*1000;//token默認(rèn)有效時(shí)間，1小時(shí)public static final String DEFAULT_APPKEY = "defaultAppKey";//默認(rèn)appkey，配置文件里讀不到appKey時(shí)用此值public static final String DEFAULT_ISSUER = "Server-System-2333";//默認(rèn)簽發(fā)人private static final ObjectMapper MAPPER = new ObjectMapper();private static CompressionCodecResolver codecResolver = new DefaultCompressionCodecResolver();/*** 簽發(fā) JWT Token Token* @param id 令牌ID* @param subject subject 用戶ID* @param issuer 簽發(fā)人，自定義* @param roles 角色* @param permissions 權(quán)限集合，建議傳入權(quán)限集合的json字符串* @param period 有效時(shí)間(ms)* 1. 在 當(dāng)前時(shí)間-簽發(fā)時(shí)間>有效時(shí)間 時(shí)攜帶token訪問接口，會(huì)重新刷新token* 在 當(dāng)前時(shí)間-簽發(fā)時(shí)間>有效時(shí)間*2 時(shí)，則需要重新登錄。* 2. 這樣可以分離長時(shí)間不活躍的用戶和活躍用戶* 活躍用戶感受不到token的刷新* 不活躍用戶需要登錄才可以重新獲取token* @param algorithm 加密算法* @return*/public String issueJWT(String id,String subject,String issuer,String roles,String permissions,Long period,SignatureAlgorithm algorithm) {// 需要讀取appKeyif(appKey == null || appKey.equals("")){log.error("appKey無法讀取：" + appKey);appKey = DEFAULT_APPKEY;}byte[] secreKeyBytes = DatatypeConverter.parseBase64Binary(appKey);// 秘鑰JwtBuilder jwtBuilder = Jwts.builder();if (!StringUtils.isEmpty(id)) {jwtBuilder.setId(id);}if (!StringUtils.isEmpty(subject)) {jwtBuilder.setSubject(subject);}if (!StringUtils.isEmpty(issuer)) {jwtBuilder.setIssuer(issuer);}// 設(shè)置簽發(fā)時(shí)間Date now = new Date();jwtBuilder.setIssuedAt(now);// 設(shè)置到期時(shí)間if (null != period) {jwtBuilder.setExpiration(new Date(now.getTime() + period + period)//簽發(fā)時(shí)間+有效期*2);}if (!StringUtils.isEmpty(roles)) {jwtBuilder.claim("roles",roles);}if (!StringUtils.isEmpty(permissions)) {jwtBuilder.claim("perms",permissions);}// 壓縮，可選GZIPjwtBuilder.compressWith(CompressionCodecs.DEFLATE);// 加密設(shè)置jwtBuilder.signWith(algorithm,secreKeyBytes);return jwtBuilder.compact();}/*** 驗(yàn)簽JWT** @param jwt json web token* @return 如果驗(yàn)證通過，且刷新了token，則設(shè)置 JwtToken.isFlushed 為true*/public JwtToken parseJwt(String jwt) throws RoleException {if(appKey == null || appKey.equals("")){log.error("appKey無法讀取：" + appKey);appKey = DEFAULT_APPKEY;}// 檢查 jwt token 合法性Claims claims;try{claims = Jwts.parser().setSigningKey(DatatypeConverter.parseBase64Binary(appKey)).parseClaimsJws(jwt).getBody();}catch (ExpiredJwtException ex){//token過期異常 token已經(jīng)失效需要重新登錄throw new RoleException(RoleException.MSG_TOKEN_OVERDUE);}catch (SignatureException | UnsupportedJwtException | MalformedJwtException | IllegalArgumentException e){//不支持的tokenthrow new RoleException(RoleException.MSG_TOKEN_ERROR);}catch (Exception e){log.error("驗(yàn)證token時(shí)出現(xiàn)未知錯(cuò)誤: " + CommonUtil.getDetailExceptionMsg(e));throw new RoleException(RoleException.MSG_UNKNOWN_ERROR);}JwtToken jwtToken = new JwtToken();// 檢查是否需要刷新 jwt tokenlong time = claims.getIssuedAt().getTime();//token簽發(fā)時(shí)間long now = new Date().getTime();//當(dāng)前時(shí)間period = (period == null ? JwtUtil.DEFAULT_PERIOD : period);if(time + period >= now){//還在有效期內(nèi)，不需要刷新token // log.info("不需要刷新token");jwtToken.setToken(jwt);jwtToken.setIsFlushed(false);}else if(time + period < now &&//超過有效期，但未超過2倍有效期，此時(shí)應(yīng)該刷新tokentime + period + period >= now){ // log.info("刷新token");jwtToken.setToken(issueJWT(// 制作JWT TokenCommonUtil.getRandomString(20),//令牌idclaims.getSubject(),//用戶id(issuer == null ? DEFAULT_ISSUER : issuer),//簽發(fā)人claims.get("roles", String.class),//訪問角色,設(shè)置為null，不使用claims.get("perms", String.class),//權(quán)限集合字符串，jsonperiod,//token有效時(shí)間*2SignatureAlgorithm.HS512));jwtToken.setIsFlushed(true);}else{log.error("未知錯(cuò)誤 - Jwts.parser() 方法未對(duì)過期token拋出異常");}// 設(shè)置其他字段jwtToken.setId(claims.getSubject());//用戶idjwtToken.setPermissions(JSONObject.parseObject(claims.get("perms", String.class),List.class));//用戶權(quán)限集合,json轉(zhuǎn)為list集合return jwtToken;}/* ** @Description* @Param [val] 從json數(shù)據(jù)中讀取格式化map* @Return java.util.Map<java.lang.String,java.lang.Object>*/@SuppressWarnings("unchecked")public static Map<String, Object> readValue(String val) {try {return MAPPER.readValue(val, Map.class);} catch (IOException e) {throw new MalformedJwtException("Unable to read JSON value: " + val, e);}} }

controller登錄驗(yàn)證

package com.spz.demo.security.controller;import com.alibaba.fastjson.JSONArray; import com.spz.demo.security.bean.Message; import com.spz.demo.security.common.MessageKeyConst; import com.spz.demo.security.common.RedisConst; import com.spz.demo.security.common.RequestMappingConst; import com.spz.demo.security.common.WebConst; import com.spz.demo.security.entity.Permission; import com.spz.demo.security.entity.User; import com.spz.demo.security.service.UserService; import com.spz.demo.security.shiro.token.UserAuthenticationToken; import com.spz.demo.security.util.CommonUtil; import com.spz.demo.security.util.JwtUtil; import com.spz.demo.security.util.RedisUtil; import com.spz.demo.security.util.WebUtil; import com.spz.demo.security.vo.JwtToken; import io.jsonwebtoken.SignatureAlgorithm; import lombok.extern.slf4j.Slf4j; import org.apache.shiro.SecurityUtils; import org.apache.shiro.subject.Subject; import org.hibernate.validator.constraints.NotEmpty; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.util.ArrayList; import java.util.Date; import java.util.List;@Slf4j(topic = "USER_LOG") @RestController public class UserController {@Value("${jwt.period}")private Long period;//token有效時(shí)間（毫秒）@Value(("${jwt.issuer}"))private String issuer;//jwt token 簽發(fā)人@Autowiredprivate JwtUtil jwtUtil;@Autowiredprivate UserService userService;/*** 用戶登錄* 驗(yàn)證碼校驗(yàn)和請(qǐng)求參數(shù)校驗(yàn)功能已去除，完整版參考Demo* @return*/@PostMapping(value = RequestMappingConst.LOGIN)public Message login(String account,String password,HttpServletRequest request,HttpServletResponse response)throws Exception{// 使用 Shiro 進(jìn)行登錄Subject subject = SecurityUtils.getSubject();UserAuthenticationToken token = new UserAuthenticationToken(account,password);subject.login(token);// 登錄成功后，獲取userid，查詢?cè)撚脩魮碛械臋?quán)限List<String> permissions = userService.getUserPermissions(token.getUserId());// 制作JWT TokenString jwtToken = jwtUtil.issueJWT(CommonUtil.getRandomString(20),//令牌id，必須為整個(gè)系統(tǒng)唯一idtoken.getUserId() + "",//用戶id(issuer == null ? JwtUtil.DEFAULT_ISSUER : issuer),//簽發(fā)人，可隨便定義null,//訪問角色JSONArray.toJSONString(permissions),//用戶權(quán)限集合，json格式(period == null ? JwtUtil.DEFAULT_PERIOD : period),//token有效時(shí)間SignatureAlgorithm.HS512//簽名算法，我也不知道是啥來的);//token存入 response里的Headerresponse.setHeader(WebConst.TOKEN,jwtToken);// 返回Message的jsonMessage message = new Message().setSuccessMessage("登錄成功，token已存入header");message.getData().put("account",account);message.getData().put(MessageKeyConst.LOGIN_TIME,new Date().getTime());log.info("用戶登錄成功 ip=" + WebUtil.getIpAdrress(request));return message;} }

POM文件參考

<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.spz.demo</groupId><artifactId>security</artifactId><version>0.0.1-SNAPSHOT</version><packaging>jar</packaging><name>security</name><description>登錄和權(quán)限demo，適用于小項(xiàng)目</description><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.5.15.RELEASE</version><relativePath/> <!-- lookup parent from repository --></parent><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version><fastjson.version>1.2.38</fastjson.version><mybatisplus.version>2.2.0</mybatisplus.version></properties><dependencies><!--json--><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency><!-- Mybatis Plus --><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>${mybatisplus.version}</version></dependency><!-- Mybatis 代碼生成器（模板引擎） --><dependency><groupId>org.apache.velocity</groupId><artifactId>velocity</artifactId><version>1.7</version></dependency><dependency><groupId>org.freemarker</groupId><artifactId>freemarker</artifactId><version>2.3.28</version></dependency><!-- redis --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId></dependency><!-- Kaptcha驗(yàn)證碼框架 --><dependency><groupId>com.github.axet</groupId><artifactId>kaptcha</artifactId><version>0.0.9</version></dependency><!-- apache --><dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.11</version></dependency><!-- json 用于web層包裝請(qǐng)求返回--><dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.7.4</version></dependency><!-- lombok 精簡代碼用 --><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>1.18.0</version><scope>provided</scope></dependency><!-- Jwt --><dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.0</version></dependency><!-- shiro --><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring-boot-starter</artifactId><version>1.4.0</version></dependency><!-- Mysql --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><!-- AOP --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-aop</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build></project>

application.yml參考

spring:# AOP Configaop:auto: trueredis:host: 127.0.0.1password:port: 6379database: 0datasource:url: jdbc:mysql://xxx.xx.xx.xxx:3306/rb_demo?useUnicode=true&characterEncoding=UTF-8username: rootpassword:driver-class-name: com.mysql.jdbc.Driver# Jwt Token相關(guān)配置 jwt:appKey: ds[W&dsfa:dfhu12a%W@ // app秘鑰，隨便定義即可appId: 210293ajkw723o@7eh*db //appId，隨便定義即可period: 120000 # 有效期，單位msissuer: Server-System # 簽發(fā)者，用于制作 jwt tokensalt: salt-sdwbhx23i # 鹽，隨便定義即可, view UserRealm.doGetAuthenticationInfo()# Mybatis-Plus 配置，請(qǐng)參考官方文檔 mybatis-plus:mapper-locations: classpath:/mapper/*Mapper.xmltypeAliasesPackage: com.spz.demo.security.entityglobal-config:id-type: 2field-strategy: 0db-column-underline: truerefresh-mapper: trueconfiguration:map-underscore-to-camel-case: truecache-enabled: true

工具類參考

• 通用工具類

package com.spz.demo.security.util;import lombok.extern.slf4j.Slf4j; import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils;import java.security.MessageDigest; import java.util.HashSet; import java.util.Random; import java.util.Set;/* ** @Author tomsun28* @Description 高頻方法工具類* @Date 14:08 2018/3/12*/ @Slf4j(topic = "SYSTEM_LOG") public class CommonUtil {/*** 獲取指定位數(shù)的隨機(jī)數(shù)* @param length* @return*/public static String getRandomString(int length) {String base = "abcdefghijklmnopqrstuvwxyz0123456789";Random random = new Random();StringBuilder sb = new StringBuilder();for (int i = 0; i < length; i++) {int number = random.nextInt(base.length());sb.append(base.charAt(number));}return sb.toString();}/*** MD5加密* @param content* @return*/public static String md5(String content) {// 用于加密的字符char[] md5String = {'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};try {// 使用平臺(tái)默認(rèn)的字符集將md5String編碼為byte序列,并將結(jié)果存儲(chǔ)到一個(gè)新的byte數(shù)組中byte[] byteInput = content.getBytes();// 信息摘要是安全的單向哈希函數(shù),它接收任意大小的數(shù)據(jù),并輸出固定長度的哈希值MessageDigest mdInst = MessageDigest.getInstance("MD5");// MessageDigest對(duì)象通過使用update方法處理數(shù)據(jù),使用指定的byte數(shù)組更新摘要mdInst.update(byteInput);//摘要更新后通過調(diào)用digest() 執(zhí)行哈希計(jì)算,獲得密文byte[] md = mdInst.digest();//把密文轉(zhuǎn)換成16進(jìn)制的字符串形式int j = md.length;char[] str = new char[j*2];int k = 0;for (int i=0;i<j;i++) {byte byte0 = md[i];str[k++] = md5String[byte0 >>> 4 & 0xf];str[k++] = md5String[byte0 & 0xf];}// 返回加密后的字符串return new String(str);}catch (Exception e) {log.error("加密出現(xiàn)錯(cuò)誤：" + e.toString());return null;}}/*** 分割字符串進(jìn)SET*/@SuppressWarnings("unchecked")public static Set<String> split(String str) {Set<String> set = new HashSet<>();if (StringUtils.isEmpty(str))return set;set.addAll(CollectionUtils.arrayToList(str.split(",")));return set;}/*** 檢查字符串是否為空* @param str* @return*/public static boolean isBlank(String str){return (str == null || str.equals("") ? true : false);} }

• Web請(qǐng)求工具類

package com.spz.demo.security.util;import com.spz.demo.security.common.RedisConst; import com.spz.demo.security.common.RequestMappingConst; import org.apache.commons.lang.StringUtils;import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.PrintWriter;public class WebUtil {/*** 檢查url是否需要登錄驗(yàn)證* @param url* @return false 不需要登錄即可訪問* true 需要登錄才可以訪問*/public static boolean needLogin(String url){if(url.indexOf(RequestMappingConst.V_CODE) >= 0 || //驗(yàn)證碼url.indexOf(RequestMappingConst.LOGIN) >= 0){//登錄return false;}return true;}/*** 獲取Ip地址* @param request* @return*/public static String getIpAdrress(HttpServletRequest request) {String Xip = request.getHeader("X-Real-IP");String XFor = request.getHeader("X-Forwarded-For");if (StringUtils.isNotEmpty(XFor) && !"unKnown".equalsIgnoreCase(XFor)) {//多次反向代理后會(huì)有多個(gè)ip值，第一個(gè)ip才是真實(shí)ipint index = XFor.indexOf(",");if (index != -1) {return XFor.substring(0,index);} else {return XFor;}}XFor = Xip;if (StringUtils.isNotEmpty(XFor) && !"unKnown".equalsIgnoreCase(XFor)) {return XFor;}if (StringUtils.isBlank(XFor) || "unknown".equalsIgnoreCase(XFor)) {XFor = request.getHeader("Proxy-Client-IP");}if (StringUtils.isBlank(XFor) || "unknown".equalsIgnoreCase(XFor)) {XFor = request.getHeader("WL-Proxy-Client-IP");}if (StringUtils.isBlank(XFor) || "unknown".equalsIgnoreCase(XFor)) {XFor = request.getHeader("HTTP_CLIENT_IP");}if (StringUtils.isBlank(XFor) || "unknown".equalsIgnoreCase(XFor)) {XFor = request.getHeader("HTTP_X_FORWARDED_FOR");}if (StringUtils.isBlank(XFor) || "unknown".equalsIgnoreCase(XFor)) {XFor = request.getRemoteAddr();}return XFor;}/*** 檢查請(qǐng)求是否為登錄請(qǐng)求* @param request* @return*/public static boolean isLoginRequest(HttpServletRequest request) {if(request.getRequestURI().indexOf(RequestMappingConst.LOGIN) >= 0){return true;}return false;}/*** 檢查請(qǐng)求是否為注銷請(qǐng)求* @param request* @return*/public static boolean isLogoutRequest(HttpServletRequest request) {if(request.getRequestURI().indexOf(RequestMappingConst.LOGOUT) >= 0){return true;}return false;}/*** 檢查請(qǐng)求是否為公共請(qǐng)求* @param request* @return*/public static boolean isPublicRequest(HttpServletRequest request) {if(request.getRequestURI().indexOf(RequestMappingConst.BASIC_URL_PUBLIC) >= 0){return true;}return false;}/*** 輸出json字符串到 HttpServletResponse* @param response* @param str : 字符串*/public static void writeJSONToResponse(HttpServletResponse response, String str){PrintWriter jsonOut = null;response.setContentType("application/json;charset=UTF-8");try {jsonOut = response.getWriter();jsonOut.write(str);}catch (Exception e){e.printStackTrace();}finally{if(jsonOut != null){jsonOut.close();}}} }

參考文章

簽發(fā)的用戶認(rèn)證token超時(shí)刷新策略
shiro實(shí)現(xiàn)手機(jī)驗(yàn)證碼登錄
SpringBoot 集成無狀態(tài)的 Shiro

總結(jié)

以上是生活随笔為你收集整理的Shiro和SpringBoot简单集成的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。