- package com.yaozhitech.spring5.config;
- import java.util.Arrays;
- import java.util.Map;
- import javax.servlet.DispatcherType;
- import javax.servlet.Filter;
- import org.apache.shiro.authc.Authenticator;
- import org.apache.shiro.authc.pam.FirstSuccessfulStrategy;
- import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
- import org.apache.shiro.mgt.SecurityManager;
- import org.apache.shiro.mgt.SessionStorageEvaluator;
- import org.apache.shiro.realm.Realm;
- import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
- import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
- import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
- import org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator;
- import org.springframework.beans.factory.annotation.Value;
- import org.springframework.boot.web.servlet.FilterRegistrationBean;
- import org.springframework.context.annotation.Bean;
- import org.springframework.context.annotation.Configuration;
- import com.yaozhitech.spring5.filter.AnyRolesAuthorizationFilter;
- import com.yaozhitech.spring5.filter.JwtAuthFilter;
- import com.yaozhitech.spring5.jwt.DbShiroRealm;
- import com.yaozhitech.spring5.jwt.JWTShiroRealm;
- import com.yaozhitech.spring5.service.UserService;
@Configuration
public class ShiroConfiguration {

    /** Filter name shared by every chain entry that must not create an HTTP session. */
    private static final String NO_SESSION = "noSessionCreation";

    /**
     * Application-wide salt read from {@code password.salt} and handed to {@link DbShiroRealm}.
     * How it is applied lives in that realm; NOTE(review): if it is the only salt used for stored
     * password hashes, a per-user salt is preferable — confirm in DbShiroRealm.
     */
    @Value("${password.salt}")
    private String encryptSalt;

    /**
     * Secret read from {@code jwt.salt} and handed to {@link JWTShiroRealm}; presumably the token
     * signing key, so it should only ever come from configuration and never be logged — confirm
     * in JWTShiroRealm.
     */
    @Value("${jwt.salt}")
    private String jwtSalt;

    /**
     * Registers the Shiro filter with the servlet container so that it intercepts requests.
     *
     * @param securityManager the Shiro security manager backing the filter
     * @param userService     passed through to the custom JWT filter
     * @return the registration for the filter produced by {@link #shiroFilter}
     * @throws Exception if the factory bean cannot produce the filter
     */
    @Bean
    public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager, UserService userService) throws Exception {
        // Calling the @Bean method goes through the configuration proxy, so this is the same
        // singleton Spring registers under "shiroFilter".
        Filter shiro = (Filter) shiroFilter(securityManager, userService).getObject();

        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
        registration.setEnabled(true);
        registration.setAsyncSupported(true);
        registration.addInitParameter("targetFilterLifecycle", "true");
        // Only REQUEST and ASYNC dispatches pass through Shiro; FORWARD and ERROR dispatches
        // (e.g. an internal forward to an error view) bypass the chain defined below. Confirm
        // that nothing reachable only through such a dispatch needs protection.
        registration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ASYNC);
        registration.setFilter(shiro);
        return registration;
    }

    /**
     * Authenticator that consults the JWT realm before the database realm.
     *
     * @param userService backing store for both realms
     * @return a modular authenticator in which only the first realm that succeeds contributes
     *         account information
     */
    @Bean
    public Authenticator authenticator(UserService userService) {
        ModularRealmAuthenticator realmAuthenticator = new ModularRealmAuthenticator();
        realmAuthenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
        // Two realms: one for JWT token authentication, one for username/password login and
        // authorization lookups. The list order is the order FirstSuccessfulStrategy uses.
        realmAuthenticator.setRealms(Arrays.asList(jwtShiroRealm(userService), dbShiroRealm(userService)));
        return realmAuthenticator;
    }

    /**
     * Disables session storage so no login state is kept and every request is re-authenticated.
     * Note that code calling {@code Subject.getSession()} can still obtain a session; to fully
     * disable sessions this must be combined with the {@code noSessionCreation} filter in the
     * chain definition below.
     *
     * @return an evaluator that never stores subject state in the session
     */
    @Bean
    protected SessionStorageEvaluator sessionStorageEvaluator() {
        DefaultWebSessionStorageEvaluator evaluator = new DefaultWebSessionStorageEvaluator();
        evaluator.setSessionStorageEnabled(false);
        return evaluator;
    }

    /**
     * Realm used for username/password login.
     *
     * @param userService source of user records
     * @return the database-backed realm, seeded with {@code password.salt}
     */
    @Bean("dbRealm")
    public Realm dbShiroRealm(UserService userService) {
        return new DbShiroRealm(userService, encryptSalt);
    }

    /**
     * Realm used for JWT token authentication.
     *
     * @param userService source of user records
     * @return the token realm, seeded with {@code jwt.salt}
     */
    @Bean("jwtRealm")
    public Realm jwtShiroRealm(UserService userService) {
        return new JWTShiroRealm(userService, jwtSalt);
    }

    /**
     * Builds the Shiro filter factory and plugs in the custom filters under the names used by
     * the chain definition ({@code authcToken}, {@code anyRole}).
     *
     * @param securityManager the Shiro security manager
     * @param userService     passed to the JWT filter
     * @return the configured factory bean
     */
    @Bean("shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
        ShiroFilterFactoryBean shiroFilterFactory = new ShiroFilterFactoryBean();
        shiroFilterFactory.setSecurityManager(securityManager);

        Map<String, Filter> customFilters = shiroFilterFactory.getFilters();
        customFilters.put("authcToken", createAuthFilter(userService));
        customFilters.put("anyRole", createRolesFilter());
        shiroFilterFactory.setFilters(customFilters);

        Map<String, String> chainMap = shiroFilterChainDefinition().getFilterChainMap();
        shiroFilterFactory.setFilterChainDefinitionMap(chainMap);
        return shiroFilterFactory;
    }

    /**
     * Path-to-filter mapping. Shiro evaluates these in insertion order and applies the first
     * pattern that matches, so the specific {@code /article/list} entry must stay ahead of
     * {@code /article/*} and the {@code /**} catch-all must stay last.
     *
     * @return the ordered chain definition
     */
    @Bean
    protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        // Login is unauthenticated; noSessionCreation makes any attempt to touch the session throw.
        chain.addPathDefinition("/login", NO_SESSION + ",anon");
        chain.addPathDefinition("/clientAuth/**", NO_SESSION + ",anon");
        // Authenticates, but [permissive] lets the request through even when the token is
        // invalid instead of returning an authentication failure.
        chain.addPathDefinition("/logout", NO_SESSION + ",authcToken[permissive]");
        // Unlike the other anonymous paths this one does not forbid session creation;
        // presumably harmless for static images, but worth aligning with the rest — confirm.
        chain.addPathDefinition("/image/**", "anon");
        // Only users holding the admin or manager role may enter.
        chain.addPathDefinition("/admin/**", NO_SESSION + ",authcToken,anyRole[admin,manager]");
        chain.addPathDefinition("/article/list", NO_SESSION + ",authcToken");
        chain.addPathDefinition("/article/*", NO_SESSION + ",authcToken[permissive]");
        // Default: everything else requires a valid token.
        chain.addPathDefinition("/**", NO_SESSION + ",authcToken");
        return chain;
    }

    /**
     * Creates the JWT filter. Deliberately not a {@code @Bean}: Spring would auto-register any
     * Filter bean as a servlet filter, applying it globally instead of per path via the chain above.
     *
     * @param userService passed to the filter
     * @return a new filter instance
     */
    protected JwtAuthFilter createAuthFilter(UserService userService) {
        return new JwtAuthFilter(userService);
    }

    /**
     * Creates the role-check filter; not a {@code @Bean} for the same reason as
     * {@link #createAuthFilter}.
     *
     * @return a new filter instance
     */
    protected AnyRolesAuthorizationFilter createRolesFilter() {
        return new AnyRolesAuthorizationFilter();
    }

}