验证客户端jar

pom.xml

@@ -14,6 +14,7 @@
     <modules>
         <module>spring5-auth</module>
         <module>spring5-gateway</module>
+        <module>spring5-admin</module>
     </modules>
 
 	<properties>

spring5-admin/.gitignore

@@ -0,0 +1 @@
+/target/

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/Oauth2Application.java

@@ -5,8 +5,8 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
 
 
 @SpringBootApplication
-public class Oauth2Application {
+public class Application {
     public static void main(String[] args) {
-        SpringApplication.run(Oauth2Application.class, args);
+        SpringApplication.run(Application.class, args);
     }
 }

spring5-admin/java/com/yaozhitech/spring5/config/RoleResourceConfiguration.java

@@ -0,0 +1,23 @@
+package com.yaozhitech.spring5.config;
+
+import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
+import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class RoleResourceConfiguration {
+
+//	@Bean
+	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+		DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+//    chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
+//    chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
+//    chainDefinition.addPathDefinition("/image/**", "anon");
+		chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); // 只允许admin或manager角色的用户访问
+		chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
+		chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
+		chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
+		return chainDefinition;
+	}
+}

spring5-admin/java/com/yaozhitech/spring5/controller/AdminController.java

@@ -0,0 +1,17 @@
+package com.yaozhitech.spring5.controller;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("/admin")
+public class AdminController {
+
+	@GetMapping("/{id}")
+	public ResponseEntity<String> read(@PathVariable Long id) {
+		return ResponseEntity.ok("ok");
+	}
+}

spring5-admin/pom.xml

@@ -0,0 +1,92 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	
+	<artifactId>spring5-admin</artifactId>
+	<packaging>jar</packaging>
+	<name>${project.artifactId}</name>
+    <description>spring5 demo</description>
+	
+	<!-- Spring Boot 启动父依赖 -->
+	<parent>
+        <groupId>com.yaozhitech</groupId>
+        <artifactId>spring5</artifactId>
+        <version>0.1.0</version>
+    </parent>
+
+	<dependencies>
+        
+		<!-- Spring Boot Web 依赖 -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+	
+		<!-- Spring Boot Redis 依赖 -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-redis</artifactId>
+		</dependency>
+		
+<!-- 		<dependency> -->
+<!--             <groupId>com.alicp.jetcache</groupId> -->
+<!--             <artifactId>jetcache-starter-redis</artifactId> -->
+<!--             <version>2.6.0.M3</version> -->
+<!--         </dependency> -->
+
+<!-- 		<dependency> -->
+<!-- 			<groupId>com.alicp.jetcache</groupId> -->
+<!-- 			<artifactId>jetcache-redis-lettuce</artifactId> -->
+<!-- 			<version>2.6.0.M3</version> -->
+<!-- 		</dependency> -->
+			
+		<!-- Spring test 依赖 -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        
+        <!-- 集成wireMock来实现mock请求响应。wireMock会自动构建一个虚拟远程服务 -->
+		<dependency>
+		   <groupId>org.springframework.cloud</groupId>
+		   <artifactId>spring-cloud-contract-wiremock</artifactId>
+		   <scope>test</scope>
+		</dependency>
+		
+		<!-- 提供打包预定义数据服务 -->
+		<dependency>
+		   <groupId>org.springframework.cloud</groupId>
+		   <artifactId>spring-cloud-starter-contract-stub-runner</artifactId>
+		   <scope>test</scope>
+		</dependency>
+		
+		<!-- 自动生成单元测试代码 -->
+		<dependency>
+		   <groupId>org.springframework.cloud</groupId>
+		   <artifactId>spring-cloud-starter-contract-verifier</artifactId>
+		   <scope>test</scope>
+		</dependency>
+
+
+		<dependency>
+			<groupId>com.github.tomakehurst</groupId>
+			<artifactId>wiremock-standalone</artifactId>
+			<scope>test</scope>
+		</dependency>
+		
+		<dependency>
+            <groupId>com.yaozhitech</groupId>
+            <artifactId>spring5-auth-client</artifactId>
+            <version>0.1.0</version>
+        </dependency>
+
+	</dependencies>
+</project>

spring5-admin/src/main/resources/application.yml

@@ -0,0 +1,22 @@
+server:
+  port: 8752
+
+logging:
+  level:
+    root: INFO
+    org.springframework.web: INFO
+    org.springframework.security: INFO
+#    org.springframework.boot.autoconfigure: DEBUG
+
+spring:
+  thymeleaf:
+    cache: false
+  redis:
+    host: 120.55.124.69
+    port: 6280
+    password: bbztx123456
+    timeout: 5000
+  
+password:
+  salt: k12829WhsvnEV$#03b2n          
+  

spring5-auth/spring5-auth-client/pom.xml

@@ -15,43 +15,24 @@
     </parent>
     
 	<dependencies>
-	    <!--oauth2认证-->
-        <dependency>
-            <groupId>org.springframework.cloud</groupId>
-            <artifactId>spring-cloud-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-jwt</artifactId>
-            <version>RELEASE</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-oauth2-client</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-oauth2-jose</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-config</artifactId>
-        </dependency>
-        
-        <!-- Spring Boot Web 依赖 -->
+	    <!-- Spring Boot 响应式 Redis 依赖 -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-webflux</artifactId>
+            <artifactId>spring-boot-starter-data-redis-reactive</artifactId>
         </dependency>
         
+	    <!-- shrio -->
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-spring-boot-web-starter</artifactId>
+            <version>1.4.0</version>
         </dependency>
         
+        <!-- jwt -->
         <dependency>
-            <groupId>org.thymeleaf.extras</groupId>
-            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>3.2.0</version>
         </dependency>
 		
 	</dependencies>

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/AuthorizationServerConfig.java

@@ -1,145 +0,0 @@
-package com.yaozhitech.spring5.config;
-
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class AuthorizationServerConfig {
-	
-//	@Bean
-//	SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
-//	    http
-//	        // ...
-//	        .oauth2Client(withDefaults());
-//	    return http.build();
-//	}
-
-//    @Autowired
-//    @Qualifier("authenticationManagerBean")
-//    private AuthenticationManager authenticationManager;
-//
-//    @Qualifier("dataSource")
-//    @Autowired
-//    DataSource dataSource;
-//
-//    @Autowired
-//    @Qualifier("userDetailsService")
-//    UserDetailsService userDetailsService;
-//
-//    /**
-//     * jwt 对称加密密钥
-//     */
-//    @Value("${spring.security.oauth2.jwt.signingKey}")
-//    private String signingKey;
-//
-//    @Override
-//    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
-//        // 支持将client参数放在header或body中
-//        oauthServer.allowFormAuthenticationForClients();
-//        oauthServer.tokenKeyAccess("isAuthenticated()")
-//                .checkTokenAccess("permitAll()");
-//    }
-//
-//    @Override
-//    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
-//        // 配置客户端信息，从数据库中读取，对应oauth_client_details表
-//        clients.jdbc(dataSource);
-//    }
-//
-//    @Override
-//    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
-//        // 配置token的数据源、自定义的tokenServices等信息,配置身份认证器，配置认证方式，TokenStore，TokenGranter，OAuth2RequestFactory
-//        endpoints.tokenStore(tokenStore())
-//                .authorizationCodeServices(authorizationCodeServices())
-//                .approvalStore(approvalStore())
-//                .exceptionTranslator(customExceptionTranslator())
-//                .tokenEnhancer(tokenEnhancerChain())
-//                .authenticationManager(authenticationManager)
-//                .userDetailsService(userDetailsService)
-//                //update by joe_chen add  granter
-//                .tokenGranter(tokenGranter(endpoints));
-//
-//    }
-//
-//    /**
-//     * 自定义OAuth2异常处理
-//     *
-//     * @return CustomWebResponseExceptionTranslator
-//     */
-//    @Bean
-//    public WebResponseExceptionTranslator<OAuth2Exception> customExceptionTranslator() {
-//        return new CustomWebResponseExceptionTranslator();
-//    }
-//
-//    /**
-//     * 授权信息持久化实现
-//     *
-//     * @return JdbcApprovalStore
-//     */
-//    @Bean
-//    public ApprovalStore approvalStore() {
-//        return new JdbcApprovalStore(dataSource);
-//    }
-//
-//    /**
-//     * 授权码模式持久化授权码code
-//     *
-//     * @return JdbcAuthorizationCodeServices
-//     */
-//    @Bean
-//    protected AuthorizationCodeServices authorizationCodeServices() {
-//        // 授权码存储等处理方式类，使用jdbc，操作oauth_code表
-//        return new JdbcAuthorizationCodeServices(dataSource);
-//    }
-//
-//    /**
-//     * token的持久化
-//     *
-//     * @return JwtTokenStore
-//     */
-//    @Bean
-//    public TokenStore tokenStore() {
-//        return new JwtTokenStore(accessTokenConverter());
-//    }
-//
-//    /**
-//     * 自定义token
-//     *
-//     * @return tokenEnhancerChain
-//     */
-//    @Bean
-//    public TokenEnhancerChain tokenEnhancerChain() {
-//        TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
-//        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(new CustomTokenEnhancer(), accessTokenConverter()));
-//        return tokenEnhancerChain;
-//    }
-//
-//    /**
-//     * jwt token的生成配置
-//     *
-//     * @return
-//     */
-//    @Bean
-//    public JwtAccessTokenConverter accessTokenConverter() {
-//        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
-//        converter.setSigningKey(signingKey);
-//        return converter;
-//    }
-//
-//    /**
-//     * 配置自定义的granter,手机号验证码登陆
-//     *
-//     * @param endpoints
-//     * @return
-//     * @auth joe_chen
-//     */
-//    public TokenGranter tokenGranter(final AuthorizationServerEndpointsConfigurer endpoints) {
-//        List<TokenGranter> granters = Lists.newArrayList(endpoints.getTokenGranter());
-//        granters.add(new MobileTokenGranter(
-//                authenticationManager,
-//                endpoints.getTokenServices(),
-//                endpoints.getClientDetailsService(),
-//                endpoints.getOAuth2RequestFactory()));
-//        return new CompositeTokenGranter(granters);
-//    }
-
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/ShiroConfiguration.java

@@ -0,0 +1,139 @@
+package com.yaozhitech.spring5.config;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
+
+import org.apache.shiro.authc.Authenticator;
+import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
+import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
+import org.apache.shiro.authz.AuthorizationException;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.mgt.SessionStorageEvaluator;
+import org.apache.shiro.realm.Realm;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
+import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
+import org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+import com.yaozhitech.spring5.filter.AnyRolesAuthorizationFilter;
+import com.yaozhitech.spring5.filter.JwtAuthFilter;
+import com.yaozhitech.spring5.jwt.JWTShiroRealm;
+import com.yaozhitech.spring5.service.UserService;
+
+@Configuration
+public class ShiroConfiguration {
+	
+	@Value("${password.salt}")
+	private String encryptSalt;
+
+	/**
+	 * 注册shiro的Filter，拦截请求
+	 */
+	@Bean
+    public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,UserService userService) throws Exception{
+        FilterRegistrationBean<Filter> filterRegistration = new FilterRegistrationBean<Filter>();
+        filterRegistration.setFilter((Filter)shiroFilter(securityManager, userService).getObject());
+        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
+        filterRegistration.setAsyncSupported(true);
+        filterRegistration.setEnabled(true);
+        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ASYNC);
+
+        return filterRegistration;
+    }
+
+    @Bean
+    public Authenticator authenticator(UserService userService) {
+        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
+        authenticator.setRealms(Arrays.asList(jwtShiroRealm(userService)));
+        authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
+        return authenticator;
+    }
+
+	/**
+	 * 禁用session, 不保存用户登录状态。保证每次请求都重新认证。
+	 * 需要注意的是，如果用户代码里调用Subject.getSession()还是可以用session，如果要完全禁用，要配合下面的noSessionCreation的Filter来实现
+	 */
+    @Bean
+    protected SessionStorageEvaluator sessionStorageEvaluator(){
+        DefaultWebSessionStorageEvaluator sessionStorageEvaluator = new DefaultWebSessionStorageEvaluator();
+        sessionStorageEvaluator.setSessionStorageEnabled(false);
+        return sessionStorageEvaluator;
+    }
+
+    /**
+          * 用于JWT token认证的realm
+     */
+    @Bean("jwtRealm")
+    public Realm jwtShiroRealm(UserService userService) {
+        JWTShiroRealm myShiroRealm = new JWTShiroRealm(userService);
+        return myShiroRealm;
+    }
+
+    /**
+          * 设置过滤器，将自定义的Filter加入
+     */
+    @Bean("shiroFilter")
+    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
+    	ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
+        factoryBean.setSecurityManager(securityManager);
+        Map<String, Filter> filterMap = factoryBean.getFilters();
+        filterMap.put("authcToken", createAuthFilter(userService));
+//        filterMap.put("anyRole", createRolesFilter());
+        factoryBean.setFilters(filterMap);
+        factoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition().getFilterChainMap());
+
+        return factoryBean;
+    }
+
+    @Bean
+    protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
+        DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+//        chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
+//        chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
+//        chainDefinition.addPathDefinition("/image/**", "anon");
+//        chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); //只允许admin或manager角色的用户访问
+        chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
+        chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken");
+//        chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
+        chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
+        return chainDefinition;
+    }
+
+   //注意不要加@Bean注解，不然spring会自动注册成filter
+    protected JwtAuthFilter createAuthFilter(UserService userService){
+        return new JwtAuthFilter(userService);
+    }
+
+//    protected AnyRolesAuthorizationFilter createRolesFilter(){
+//        return new AnyRolesAuthorizationFilter();
+//    }
+    
+    @ExceptionHandler(AuthorizationException.class)
+    @ResponseStatus(HttpStatus.FORBIDDEN)
+    public String handleException(AuthorizationException e, Model model) {
+
+        // you could return a 404 here instead (this is how github handles 403, so the user does NOT know there is a
+        // resource at that location)
+//        log.debug("AuthorizationException was thrown", e);
+
+        Map<String, Object> map = new HashMap<String, Object>();
+        map.put("status", HttpStatus.FORBIDDEN.value());
+        map.put("message", "No message available");
+        model.addAttribute("errors", map);
+
+        return "error";
+    }
+    
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/controller/LoginController.java

@@ -1,23 +0,0 @@
-package com.yaozhitech.spring5.controller;
-
-import org.springframework.security.core.annotation.AuthenticationPrincipal;
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
-import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
-import org.springframework.security.oauth2.core.user.OAuth2User;
-import org.springframework.stereotype.Controller;
-import org.springframework.ui.Model;
-import org.springframework.web.bind.annotation.GetMapping;
-
-@Controller
-public class LoginController {
-
-	@GetMapping("/")
-	public String index(Model model,
-						@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
-						@AuthenticationPrincipal OAuth2User oauth2User) {
-		model.addAttribute("userName", oauth2User.getName());
-		model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName());
-		model.addAttribute("userAttributes", oauth2User.getAttributes());
-		return "index";
-	}
-}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/dto/UserDto.java

@@ -0,0 +1,16 @@
+package com.yaozhitech.spring5.dto;
+
+import java.util.List;
+
+import lombok.Data;
+
+@Data
+public class UserDto {
+
+	private String username;
+    private char[] password;
+    private String encryptPwd;
+    private Long userId;
+    private String salt;
+    private List<String> roles;
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/filter/AnyRolesAuthorizationFilter.java

@@ -0,0 +1,43 @@
+package com.yaozhitech.spring5.filter;
+
+import java.io.IOException;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.filter.authz.AuthorizationFilter;
+import org.apache.shiro.web.util.WebUtils;
+import org.springframework.http.HttpStatus;
+
+public class AnyRolesAuthorizationFilter  extends AuthorizationFilter {
+	
+	@Override
+    protected void postHandle(ServletRequest request, ServletResponse response){
+	}
+
+    @Override
+    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
+        Subject subject = getSubject(servletRequest, servletResponse);
+        String[] rolesArray = (String[]) mappedValue;
+        if (rolesArray == null || rolesArray.length == 0) { //没有角色限制，有权限访问
+            return true;
+        }
+        for (String role : rolesArray) {
+            if (subject.hasRole(role)) //若当前用户是rolesArray中的任何一个，则有权限访问
+                return true;
+        }
+        return false;
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
+        HttpServletResponse httpResponse = WebUtils.toHttp(response);
+        httpResponse.setCharacterEncoding("UTF-8");
+        httpResponse.setContentType("application/json;charset=utf-8");
+        httpResponse.setStatus(HttpStatus.UNAUTHORIZED.ordinal());
+        return false;
+    }
+
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/filter/JwtAuthFilter.java

@@ -0,0 +1,157 @@
+package com.yaozhitech.spring5.filter;
+
+
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Date;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
+import org.apache.shiro.web.util.WebUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+import com.yaozhitech.spring5.dto.UserDto;
+import com.yaozhitech.spring5.jwt.JWTToken;
+import com.yaozhitech.spring5.service.UserService;
+import com.yaozhitech.spring5.utils.JwtUtils;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class JwtAuthFilter extends AuthenticatingFilter {
+	
+	@Value("${jwt.header}")
+    private String tokenHeader;
+
+    @Value("${jwt.tokenHead}")
+    private String tokenHead;
+
+    private static final int tokenRefreshInterval = 300;
+    private UserService userService;
+
+    public JwtAuthFilter(UserService userService){
+        this.userService = userService;
+        this.setLoginUrl("/login");
+    }
+
+    @Override
+    protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
+        if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) //对于OPTION请求做拦截，不做token校验
+            return false;
+
+        return super.preHandle(request, response);
+    }
+
+    @Override
+    protected void postHandle(ServletRequest request, ServletResponse response){
+        this.fillCorsHeader(WebUtils.toHttp(request), WebUtils.toHttp(response));
+        request.setAttribute("jwtShiroFilter.FILTERED", true);
+    }
+
+    /**
+          * 父类会在请求进入拦截器后调用该方法，返回true则继续，返回false则会调用onAccessDenied()。这里在不通过时，还调用了isPermissive()方法，
+     */
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+        if(this.isLoginRequest(request, response))
+            return true;
+
+        Boolean afterFiltered = (Boolean)(request.getAttribute("jwtShiroFilter.FILTERED"));
+        if(afterFiltered != null && afterFiltered)
+        	return true;
+        
+        boolean allowed = false;
+        try {
+            allowed = executeLogin(request, response);
+        } catch(IllegalStateException e){ //not found any token
+            log.error("Not found any token", e);
+        }catch (Exception e) {
+            log.error("Error occurs when login", e);
+        }
+        return allowed;// || super.isPermissive(mappedValue);
+    }
+
+    /**
+          * 这里重写了父类的方法，使用我们自己定义的Token类，提交给shiro。这个方法返回null的话会直接抛出异常，进入isAccessAllowed（）的异常处理逻辑。
+     */
+    @Override
+    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
+        String jwtToken = getAuthzHeader(servletRequest);
+        if(!StringUtils.isEmpty(jwtToken)&&!JwtUtils.isTokenExpired(jwtToken))
+            return new JWTToken(jwtToken);
+
+        return null;
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
+        
+    	HttpServletRequest httpServletRequest = WebUtils.toHttp(servletRequest);
+        HttpServletResponse httpResponse = WebUtils.toHttp(servletResponse);
+        // 返回401
+        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        httpResponse.getOutputStream().println("401 UNAUTHORIZED");
+        // 设置响应码为401或者直接输出消息
+        String url = httpServletRequest.getRequestURI();
+        log.error("onAccessDenied url：{}", url);
+
+    	return false;
+    }
+
+    /**
+          *  如果Shiro Login认证成功，会进入该方法，等同于用户名密码登录成功，我们这里还判断了是否要刷新Token
+     */
+    @Override
+    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletResponse httpResponse = WebUtils.toHttp(response);
+        String newToken = null;
+        if(token instanceof JWTToken){
+            JWTToken jwtToken = (JWTToken)token;
+            UserDto user = (UserDto) subject.getPrincipal();
+            boolean shouldRefresh = shouldTokenRefresh(JwtUtils.getIssuedAt(jwtToken.getToken()));
+            if(shouldRefresh) {
+                newToken = userService.generateJwtToken(user.getUsername());
+            }
+        }
+        if(!StringUtils.isEmpty(newToken))
+            httpResponse.setHeader("x-auth-token", newToken);
+
+        return true;
+    }
+
+    @Override
+    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
+        log.error("Validate token fail, token:{}, error:{}", token.toString(), e.getMessage());
+        return false;
+    }
+
+    protected String getAuthzHeader(ServletRequest request) {
+        HttpServletRequest httpRequest = WebUtils.toHttp(request);
+        String header = httpRequest.getHeader("x-auth-token");
+        if (StringUtils.startsWithIgnoreCase(header, "Bearer ")) {
+			return StringUtils.replace(header, "Bearer ", "");
+		}
+        return header;
+    }
+
+    protected boolean shouldTokenRefresh(Date issueAt){
+        LocalDateTime issueTime = LocalDateTime.ofInstant(issueAt.toInstant(), ZoneId.systemDefault());
+        return LocalDateTime.now().minusSeconds(tokenRefreshInterval).isAfter(issueTime);
+    }
+
+    protected void fillCorsHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse){
+        httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));
+        httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,HEAD");
+        httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));
+    }
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTCredentialsMatcher.java

@@ -0,0 +1,41 @@
+package com.yaozhitech.spring5.jwt;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.credential.CredentialsMatcher;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.yaozhitech.spring5.dto.UserDto;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class JWTCredentialsMatcher implements CredentialsMatcher {
+	
+    @Override
+    public boolean doCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
+        String token = (String) authenticationToken.getCredentials();
+        Object stored = authenticationInfo.getCredentials();
+        String salt = stored.toString();
+
+        UserDto user = (UserDto)authenticationInfo.getPrincipals().getPrimaryPrincipal();
+        try {
+            Algorithm algorithm = Algorithm.HMAC256(salt);
+            JWTVerifier verifier = JWT.require(algorithm)
+                    .withClaim("username", user.getUsername())
+                    .build();
+            verifier.verify(token);
+            return true;
+        } catch (UnsupportedEncodingException | JWTVerificationException e) {
+            log.error("Token Error:{}", e.getMessage());
+        }
+
+        return false;
+    }
+
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTShiroRealm.java

@@ -0,0 +1,58 @@
+package com.yaozhitech.spring5.jwt;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import com.yaozhitech.spring5.dto.UserDto;
+import com.yaozhitech.spring5.service.UserService;
+import com.yaozhitech.spring5.utils.JwtUtils;
+
+
+/**
+ * 自定义身份认证
+ * 基于HMAC（ 散列消息认证码）的控制域
+ */
+
+public class JWTShiroRealm extends AuthorizingRealm {
+
+    protected UserService userService;
+
+    public JWTShiroRealm(UserService userService){
+        this.userService = userService;
+        this.setCredentialsMatcher(new JWTCredentialsMatcher());
+    }
+
+    @Override
+    public boolean supports(AuthenticationToken token) {
+        return token instanceof JWTToken;
+    }
+
+    /**
+     * 认证信息.(身份验证) : Authentication 是用来验证用户身份
+     * 默认使用此方法进行用户名正确与否验证，错误抛出异常即可。
+     */
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {    
+        JWTToken jwtToken = (JWTToken) authcToken;
+        String token = jwtToken.getToken();
+        
+        UserDto user = userService.getJwtTokenInfo(JwtUtils.getUsername(token));
+        if(user == null)
+            throw new AuthenticationException("token过期，请重新登录");
+
+        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user, user.getSalt(), "jwtRealm");
+
+        return authenticationInfo;
+    }
+
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        return new SimpleAuthorizationInfo();
+    }
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTToken.java

@@ -0,0 +1,44 @@
+package com.yaozhitech.spring5.jwt;
+
+import org.apache.shiro.authc.HostAuthenticationToken;
+
+import lombok.Data;
+
+@Data
+public class JWTToken implements HostAuthenticationToken {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = -6910437116441110747L;
+	
+	private String token;
+    private String host;
+    
+    public JWTToken(String token) {
+        this(token, null);
+    }
+
+    public JWTToken(String token, String host) {
+        this.token = token;
+        this.host = host;
+    }
+    
+	@Override
+	public Object getPrincipal() {
+		return token;
+	}
+	@Override
+	public Object getCredentials() {
+		return token;
+	}
+	@Override
+	public String getHost() {
+		return host;
+	}
+    
+	@Override
+    public String toString(){
+        return token + ':' + host;
+    }
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/service/UserService.java

@@ -0,0 +1,82 @@
+package com.yaozhitech.spring5.service;
+
+import java.time.Duration;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.shiro.crypto.hash.Sha256Hash;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.stereotype.Service;
+
+import com.yaozhitech.spring5.dto.UserDto;
+import com.yaozhitech.spring5.utils.JwtUtils;
+
+@Service
+public class UserService {
+
+	@Value("${password.salt}")
+	private String encryptSalt;
+
+	@Autowired
+	private StringRedisTemplate redisTemplate;
+
+	/**
+	 * 保存user登录信息，返回token
+	 * 
+	 * @param userDto
+	 */
+	public String generateJwtToken(String username) {
+		String salt = JwtUtils.generateSalt();
+		redisTemplate.opsForValue().set("token:"+username, salt, Duration.ofSeconds(3600));
+		return JwtUtils.sign(username, salt, 3600); // 生成jwt token，设置过期时间为1小时
+	}
+
+	/**
+	 * 获取上次token生成时的salt值和登录用户信息
+	 * 
+	 * @param username
+	 * @return
+	 */
+	public UserDto getJwtTokenInfo(String username) {
+		String salt = redisTemplate.opsForValue().get("token:"+username);
+		UserDto user = getUserInfo(username);
+		user.setSalt(salt);
+		return user;
+	}
+
+	/**
+	 * 清除token信息
+	 * 
+	 * @param userName 登录用户名
+	 * @param terminal 登录终端
+	 */
+	public void deleteLoginInfo(String username) {
+		redisTemplate.delete("token:"+username);
+	}
+
+	/**
+	 * 获取数据库中保存的用户信息，主要是加密后的密码
+	 * 
+	 * @param userName
+	 * @return
+	 */
+	public UserDto getUserInfo(String userName) {
+		UserDto user = new UserDto();
+		user.setUserId(1L);
+		user.setUsername("admin");
+		user.setEncryptPwd(new Sha256Hash("123456", encryptSalt).toHex());
+		return user;
+	}
+
+	/**
+	 * 获取用户角色列表，强烈建议从缓存中获取
+	 * 
+	 * @param userId
+	 * @return
+	 */
+	public List<String> getUserRoles(Long userId) {
+		return Arrays.asList("admin");
+	}
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/utils/JwtUtils.java

@@ -0,0 +1,82 @@
+package com.yaozhitech.spring5.utils;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Calendar;
+import java.util.Date;
+
+import org.apache.shiro.crypto.SecureRandomNumberGenerator;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+
+public class JwtUtils {
+
+	/**
+          * 获得token中的信息无需secret解密也能获得
+     * @return token中包含的签发时间
+     */
+    public static Date getIssuedAt(String token) {
+        try {
+            DecodedJWT jwt = JWT.decode(token);
+            return jwt.getIssuedAt();
+        } catch (JWTDecodeException e) {
+            return null;
+        }
+    }
+
+    /**
+     * 获得token中的信息无需secret解密也能获得
+     * @return token中包含的用户名
+     */
+    public static String getUsername(String token) {
+        try {
+            DecodedJWT jwt = JWT.decode(token);
+            return jwt.getClaim("username").asString();
+        } catch (JWTDecodeException e) {
+            return null;
+        }
+    }
+
+    /**
+     * 生成签名,expireTime后过期
+     * @param username 用户名
+     * @param time 过期时间s
+     * @return 加密的token
+     */
+    public static String sign(String username, String salt, long time) {
+        try {
+            Date date = new Date(System.currentTimeMillis()+time*1000);
+            Algorithm algorithm = Algorithm.HMAC256(salt);
+            // 附带username信息
+            return JWT.create()
+                    .withClaim("username", username)
+                    .withExpiresAt(date)
+                    .withIssuedAt(new Date())
+                    .sign(algorithm);
+        } catch (UnsupportedEncodingException e) {
+            return null;
+        }
+    }
+
+    /**
+     * token是否过期
+     * @return true：过期
+     */
+    public static boolean isTokenExpired(String token) {
+        Date now = Calendar.getInstance().getTime();
+        DecodedJWT jwt = JWT.decode(token);
+        return jwt.getExpiresAt().before(now);
+    }
+
+    /**
+     * 生成随机盐,长度32位
+     * @return
+     */
+    public static String generateSalt(){
+        SecureRandomNumberGenerator secureRandom = new SecureRandomNumberGenerator();
+        String hex = secureRandom.nextBytes(16).toHex();
+        return hex;
+    }
+}

spring5-auth/spring5-auth-client/src/main/resources/application.yml

@@ -18,19 +18,19 @@ spring:
           github:
             client-id: 7b9c752378a3d95a4529
             client-secret: f635d8c7d44a50bdf12f2055e7e44b2bbc9c1043
-          google:
-            client-id: your-app-client-id
-            client-secret: your-app-client-secret
-          okta:
-            client-id: fooClientIdPassword
-            client-secret: secret
-            scopes: read,foo
-            authorization-grant-type: authorization_code
-            redirect-uri-template: http://localhost:8080/login/oauth2/code/custom
-        provider:
-          okta:
-            authorization-uri: http://localhost:8081/spring-security-oauth-server/oauth/authorize
-            token-uri: http://localhost:8081/spring-security-oauth-server/oauth/token
-            user-info-uri: http://localhost:8088/spring-security-oauth-resource/users/extra
-            user-name-attribute: user_name
+#           google:
+#             client-id: your-app-client-id
+#             client-secret: your-app-client-secret
+#           okta:
+#             client-id: fooClientIdPassword
+#             client-secret: secret
+#             scopes: read,foo
+#             authorization-grant-type: authorization_code
+#             redirect-uri-template: http://localhost:8080/login/oauth2/code/custom
+#         provider:
+#           okta:
+#             authorization-uri: http://localhost:8081/spring-security-oauth-server/oauth/authorize
+#             token-uri: http://localhost:8081/spring-security-oauth-server/oauth/token
+#             user-info-uri: http://localhost:8088/spring-security-oauth-resource/users/extra
+#             user-name-attribute: user_name
             

spring5-auth/spring5-auth-server/src/main/java/com/yaozhitech/spring5/filter/JwtAuthFilter.java

@@ -15,7 +15,6 @@ import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
 import org.apache.shiro.web.util.WebUtils;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -30,13 +29,8 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
 public class JwtAuthFilter extends AuthenticatingFilter {
 	
-	@Value("${jwt.header}")
-    private String tokenHeader;
-
-    @Value("${jwt.tokenHead}")
-    private String tokenHead;
-
     private static final int tokenRefreshInterval = 300;
+    
     private UserService userService;
 
     public JwtAuthFilter(UserService userService){