|
@@ -1,7 +1,6 @@
|
1
|
1
|
package com.yaozhitech.spring5.config;
|
2
|
2
|
|
3
|
3
|
import java.util.Arrays;
|
4
|
|
-import java.util.HashMap;
|
5
|
4
|
import java.util.Map;
|
6
|
5
|
|
7
|
6
|
import javax.servlet.DispatcherType;
|
|
@@ -10,30 +9,23 @@ import javax.servlet.Filter;
|
10
|
9
|
import org.apache.shiro.authc.Authenticator;
|
11
|
10
|
import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
|
12
|
11
|
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
|
13
|
|
-import org.apache.shiro.authz.AuthorizationException;
|
14
|
12
|
import org.apache.shiro.mgt.SecurityManager;
|
15
|
13
|
import org.apache.shiro.mgt.SessionStorageEvaluator;
|
16
|
14
|
import org.apache.shiro.realm.Realm;
|
17
|
15
|
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
|
18
|
|
-import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
|
19
|
16
|
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
|
20
|
17
|
import org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator;
|
21
|
18
|
import org.springframework.beans.factory.annotation.Value;
|
22
|
19
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
23
|
20
|
import org.springframework.context.annotation.Bean;
|
24
|
21
|
import org.springframework.context.annotation.Configuration;
|
25
|
|
-import org.springframework.http.HttpStatus;
|
26
|
|
-import org.springframework.ui.Model;
|
27
|
|
-import org.springframework.web.bind.annotation.ExceptionHandler;
|
28
|
|
-import org.springframework.web.bind.annotation.ResponseStatus;
|
29
|
22
|
|
30
|
|
-import com.yaozhitech.spring5.filter.AnyRolesAuthorizationFilter;
|
31
|
23
|
import com.yaozhitech.spring5.filter.JwtAuthFilter;
|
32
|
24
|
import com.yaozhitech.spring5.jwt.JWTShiroRealm;
|
33
|
25
|
import com.yaozhitech.spring5.service.UserService;
|
34
|
26
|
|
35
|
27
|
@Configuration
|
36
|
|
-public class ShiroConfiguration {
|
|
28
|
+public abstract class ShiroConfiguration {
|
37
|
29
|
|
38
|
30
|
@Value("${password.salt}")
|
39
|
31
|
private String encryptSalt;
|
|
@@ -84,7 +76,6 @@ public class ShiroConfiguration {
|
84
|
76
|
/**
|
85
|
77
|
* 设置过滤器,将自定义的Filter加入
|
86
|
78
|
*/
|
87
|
|
- @Bean("shiroFilter")
|
88
|
79
|
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
|
89
|
80
|
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
|
90
|
81
|
factoryBean.setSecurityManager(securityManager);
|
|
@@ -96,20 +87,22 @@ public class ShiroConfiguration {
|
96
|
87
|
|
97
|
88
|
return factoryBean;
|
98
|
89
|
}
|
99
|
|
-
|
100
|
|
- @Bean
|
101
|
|
- protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
|
102
|
|
- DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
|
103
|
|
-// chainDefinition.addPathDefinition("/login", "noSessionCreation,anon"); //login不做认证,noSessionCreation的作用是用户在操作session时会抛异常
|
104
|
|
-// chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证,permissive参数的作用是当token无效时也允许请求访问,不会返回鉴权未通过的错误
|
105
|
|
-// chainDefinition.addPathDefinition("/image/**", "anon");
|
106
|
|
-// chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); //只允许admin或manager角色的用户访问
|
107
|
|
- chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
|
108
|
|
- chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken");
|
109
|
|
-// chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
|
110
|
|
- chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
|
111
|
|
- return chainDefinition;
|
112
|
|
- }
|
|
90
|
+
|
|
91
|
+ public abstract ShiroFilterChainDefinition shiroFilterChainDefinition() ;
|
|
92
|
+
|
|
93
|
+// @Bean
|
|
94
|
+// protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
|
|
95
|
+// DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
|
|
96
|
+//// chainDefinition.addPathDefinition("/login", "noSessionCreation,anon"); //login不做认证,noSessionCreation的作用是用户在操作session时会抛异常
|
|
97
|
+//// chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证,permissive参数的作用是当token无效时也允许请求访问,不会返回鉴权未通过的错误
|
|
98
|
+//// chainDefinition.addPathDefinition("/image/**", "anon");
|
|
99
|
+//// chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken,anyRole[admin,manager]"); //只允许admin或manager角色的用户访问
|
|
100
|
+// chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authcToken");
|
|
101
|
+// chainDefinition.addPathDefinition("/admin/**", "noSessionCreation,authcToken");
|
|
102
|
+//// chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authcToken[permissive]");
|
|
103
|
+// chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 默认进行用户鉴权
|
|
104
|
+// return chainDefinition;
|
|
105
|
+// }
|
113
|
106
|
|
114
|
107
|
//注意不要加@Bean注解,不然spring会自动注册成filter
|
115
|
108
|
protected JwtAuthFilter createAuthFilter(UserService userService){
|
|
@@ -120,20 +113,4 @@ public class ShiroConfiguration {
|
120
|
113
|
// return new AnyRolesAuthorizationFilter();
|
121
|
114
|
// }
|
122
|
115
|
|
123
|
|
- @ExceptionHandler(AuthorizationException.class)
|
124
|
|
- @ResponseStatus(HttpStatus.FORBIDDEN)
|
125
|
|
- public String handleException(AuthorizationException e, Model model) {
|
126
|
|
-
|
127
|
|
- // you could return a 404 here instead (this is how github handles 403, so the user does NOT know there is a
|
128
|
|
- // resource at that location)
|
129
|
|
-// log.debug("AuthorizationException was thrown", e);
|
130
|
|
-
|
131
|
|
- Map<String, Object> map = new HashMap<String, Object>();
|
132
|
|
- map.put("status", HttpStatus.FORBIDDEN.value());
|
133
|
|
- map.put("message", "No message available");
|
134
|
|
- model.addAttribute("errors", map);
|
135
|
|
-
|
136
|
|
- return "error";
|
137
|
|
- }
|
138
|
|
-
|
139
|
116
|
}
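Review bot: The new abstract `shiroFilterChainDefinition()` (new line 91) has no documented contract, yet it now decides whether unlisted paths are filtered at all: the catch-all `"/**" -> "noSessionCreation,authcToken"` that closed the removed body survives only as commented-out text (new lines 93–105), and a subclass that returns a chain without a trailing catch-all leaves every unmatched path outside the Shiro filter chain unless some other configuration supplies one. Add a Javadoc such as `/** Supplies the Shiro filter chain. Implementations must register the override as a {@code @Bean} and end with a catch-all authenticating rule such as {@code "/**" -> "noSessionCreation,authcToken"}; paths matching no definition are not filtered by Shiro. */`, and say the same for `shiroFilter` (new line 79), whose `@Bean("shiroFilter")` was dropped in the third hunk so neither bean is registered from this class any more. The doubly-commented former body at new lines 93–105 should be deleted rather than kept, since the history is in version control. Minor: `public abstract ShiroFilterChainDefinition shiroFilterChainDefinition();` drops the stray space before the semicolon.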
|