|
@@ -29,6 +29,9 @@ import com.yaozhitech.spring5.service.UserService;
|
29
|
29
|
@Configuration
|
30
|
30
|
public class ShiroConfiguration {
|
31
|
31
|
|
|
32
|
+ /**
|
|
33
|
+ * 注册shiro的Filter,拦截请求
|
|
34
|
+ */
|
32
|
35
|
@Bean
|
33
|
36
|
public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,UserService userService) throws Exception{
|
34
|
37
|
FilterRegistrationBean<Filter> filterRegistration = new FilterRegistrationBean<Filter>();
|
|
@@ -44,11 +47,16 @@ public class ShiroConfiguration {
|
44
|
47
|
@Bean
|
45
|
48
|
public Authenticator authenticator(UserService userService) {
|
46
|
49
|
ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
|
|
50
|
+ //设置两个Realm,一个用于用户登录验证和访问权限获取;一个用于jwt token的认证
|
47
|
51
|
authenticator.setRealms(Arrays.asList(jwtShiroRealm(userService), dbShiroRealm(userService)));
|
48
|
52
|
authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
|
49
|
53
|
return authenticator;
|
50
|
54
|
}
|
51
|
55
|
|
|
56
|
+ /**
|
|
57
|
+ * 禁用session, 不保存用户登录状态。保证每次请求都重新认证。
|
|
58
|
+ * 需要注意的是,如果用户代码里调用Subject.getSession()还是可以用session,如果要完全禁用,要配合下面的noSessionCreation的Filter来实现
|
|
59
|
+ */
|
52
|
60
|
@Bean
|
53
|
61
|
protected SessionStorageEvaluator sessionStorageEvaluator(){
|
54
|
62
|
DefaultWebSessionStorageEvaluator sessionStorageEvaluator = new DefaultWebSessionStorageEvaluator();
|
|
@@ -56,12 +64,18 @@ public class ShiroConfiguration {
|
56
|
64
|
return sessionStorageEvaluator;
|
57
|
65
|
}
|
58
|
66
|
|
|
67
|
+ /**
|
|
68
|
+ * 用于用户名密码登录时认证的realm
|
|
69
|
+ */
|
59
|
70
|
@Bean("dbRealm")
|
60
|
71
|
public Realm dbShiroRealm(UserService userService) {
|
61
|
72
|
DbShiroRealm myShiroRealm = new DbShiroRealm(userService);
|
62
|
73
|
return myShiroRealm;
|
63
|
74
|
}
|
64
|
75
|
|
|
76
|
+ /**
|
|
77
|
+ * 用于JWT token认证的realm
|
|
78
|
+ */
|
65
|
79
|
@Bean("jwtRealm")
|
66
|
80
|
public Realm jwtShiroRealm(UserService userService) {
|
67
|
81
|
JWTShiroRealm myShiroRealm = new JWTShiroRealm(userService);
|
|
@@ -69,7 +83,7 @@ public class ShiroConfiguration {
|
69
|
83
|
}
|
70
|
84
|
|
71
|
85
|
/**
|
72
|
|
- * 设置过滤器
|
|
86
|
+ * 设置过滤器,将自定义的Filter加入
|
73
|
87
|
*/
|
74
|
88
|
@Bean("shiroFilter")
|
75
|
89
|
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
|
|
@@ -87,16 +101,17 @@ public class ShiroConfiguration {
|
87
|
101
|
@Bean
|
88
|
102
|
protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
|
89
|
103
|
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
|
90
|
|
- chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");
|
91
|
|
- chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]");
|
92
|
|
- chainDefinition.addPathDefinition("/image/**", "anon");
|
|
104
|
+ chainDefinition.addPathDefinition("/login", "noSessionCreation,anon"); //login不做认证,noSessionCreation的作用是用户在操作session时会抛异常
|
|
105
|
+ chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证,permissive参数的作用是当token无效时也允许请求访问,不会返回鉴权未通过的错误
|
|
106
|
+ chainDefinition.addPathDefinition("/image/**", "anon");
|
93
|
107
|
chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); //只允许admin或manager角色的用户访问
|
94
|
108
|
chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
|
95
|
109
|
chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
|
96
|
|
- chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken");
|
|
110
|
+ chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
|
97
|
111
|
return chainDefinition;
|
98
|
112
|
}
|
99
|
113
|
|
|
114
|
+ //注意不要加@Bean注解,不然spring会自动注册成filter
|
100
|
115
|
protected JwtAuthFilter createAuthFilter(UserService userService){
|
101
|
116
|
return new JwtAuthFilter(userService);
|
102
|
117
|
}
|