增加注释

spring5-auth/spring5-auth-server/src/main/java/com/yaozhitech/spring5/config/ShiroConfiguration.java

@@ -29,6 +29,9 @@ import com.yaozhitech.spring5.service.UserService;
 @Configuration
 public class ShiroConfiguration {
 
+	/**
+	 * 注册shiro的Filter，拦截请求
+	 */
 	@Bean
     public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,UserService userService) throws Exception{
         FilterRegistrationBean<Filter> filterRegistration = new FilterRegistrationBean<Filter>();
@@ -44,11 +47,16 @@ public class ShiroConfiguration {
     @Bean
     public Authenticator authenticator(UserService userService) {
         ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
+        //设置两个Realm，一个用于用户登录验证和访问权限获取；一个用于jwt token的认证
         authenticator.setRealms(Arrays.asList(jwtShiroRealm(userService), dbShiroRealm(userService)));
         authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
         return authenticator;
     }
 
+	/**
+	 * 禁用session, 不保存用户登录状态。保证每次请求都重新认证。
+	 * 需要注意的是，如果用户代码里调用Subject.getSession()还是可以用session，如果要完全禁用，要配合下面的noSessionCreation的Filter来实现
+	 */
     @Bean
     protected SessionStorageEvaluator sessionStorageEvaluator(){
         DefaultWebSessionStorageEvaluator sessionStorageEvaluator = new DefaultWebSessionStorageEvaluator();
@@ -56,12 +64,18 @@ public class ShiroConfiguration {
         return sessionStorageEvaluator;
     }
 
+    /**
+         * 用于用户名密码登录时认证的realm
+    */
     @Bean("dbRealm")
     public Realm dbShiroRealm(UserService userService) {
         DbShiroRealm myShiroRealm = new DbShiroRealm(userService);
         return myShiroRealm;
     }
 
+    /**
+          * 用于JWT token认证的realm
+     */
     @Bean("jwtRealm")
     public Realm jwtShiroRealm(UserService userService) {
         JWTShiroRealm myShiroRealm = new JWTShiroRealm(userService);
@@ -69,7 +83,7 @@ public class ShiroConfiguration {
     }
 
     /**
-     * 设置过滤器
+          * 设置过滤器，将自定义的Filter加入
      */
     @Bean("shiroFilter")
     public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
@@ -87,16 +101,17 @@ public class ShiroConfiguration {
     @Bean
     protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
         DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
-        chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");
-        chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]");
-        chainDefinition.addPathDefinition("/image/**", "anon");  
+        chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
+        chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
+        chainDefinition.addPathDefinition("/image/**", "anon");
         chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); //只允许admin或manager角色的用户访问
         chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
         chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
-        chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken");
+        chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
         return chainDefinition;
     }
 
+   //注意不要加@Bean注解，不然spring会自动注册成filter
     protected JwtAuthFilter createAuthFilter(UserService userService){
         return new JwtAuthFilter(userService);
     }

spring5-auth/spring5-auth-server/src/main/java/com/yaozhitech/spring5/config/WebConfiguration.java

@@ -1,10 +1,8 @@
 package com.yaozhitech.spring5.config;
 
-import java.util.concurrent.Executors;
-
 import org.springframework.context.annotation.Configuration;
-import org.springframework.scheduling.concurrent.ConcurrentTaskExecutor;
-import org.springframework.web.servlet.config.annotation.*;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport;
 
 @Configuration
 public class WebConfiguration extends WebMvcConfigurationSupport{
@@ -17,9 +15,9 @@ public class WebConfiguration extends WebMvcConfigurationSupport{
 				.allowedOrigins("*");
 	}
 	
-	@Override
-	protected void configureAsyncSupport(AsyncSupportConfigurer configurer) {
-		configurer.setTaskExecutor(new ConcurrentTaskExecutor(Executors.newFixedThreadPool(3)));
-		configurer.setDefaultTimeout(30000);
-	}
+//	@Override
+//	protected void configureAsyncSupport(AsyncSupportConfigurer configurer) {
+//		configurer.setTaskExecutor(new ConcurrentTaskExecutor(Executors.newFixedThreadPool(3)));
+//		configurer.setDefaultTimeout(30000);
+//	}
 }

spring5-auth/spring5-auth-server/src/main/java/com/yaozhitech/spring5/filter/AnyRolesAuthorizationFilter.java

@@ -1,29 +1,24 @@
 package com.yaozhitech.spring5.filter;
 
-import org.apache.commons.lang3.BooleanUtils;
-import org.apache.http.HttpStatus;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.web.filter.authz.AuthorizationFilter;
-import org.apache.shiro.web.util.WebUtils;
+import java.io.IOException;
 
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+
+import org.apache.http.HttpStatus;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.filter.authz.AuthorizationFilter;
+import org.apache.shiro.web.util.WebUtils;
 
 public class AnyRolesAuthorizationFilter  extends AuthorizationFilter {
 	
 	@Override
     protected void postHandle(ServletRequest request, ServletResponse response){
-		request.setAttribute("anyRolesAuthFilter.FILTERED", true);
 	}
 
     @Override
     protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
-    	Boolean afterFiltered = (Boolean)(servletRequest.getAttribute("anyRolesAuthFilter.FILTERED"));
-        if( BooleanUtils.isTrue(afterFiltered))
-        	return true;
-        
         Subject subject = getSubject(servletRequest, servletResponse);
         String[] rolesArray = (String[]) mappedValue;
         if (rolesArray == null || rolesArray.length == 0) { //没有角色限制，有权限访问