spring-boot项⽬shiro运⾏流程分析
spring-boot框架
1.注⼊bean交由spring管理
项⽬debug可以看到,项⽬初始启动的时候,依次创建"sessionManager","securityManager","shiroFilter"对象交由spring管理
仔细看,是先创建了sessionManager,然后sessionManager为参数创建了securityManager,然后securityManager为参数创建了shiroFilter.
package fig;
import dules.sys.oauth2.OAuth2Filter;
import dules.sys.oauth2.OAuth2Realm;
import org.SecurityManager;
import org.apache.SessionManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.DefaultWebSecurityManager;
import org.apache.shiro.DefaultWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import t.annotation.Bean;
import t.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* Shiro配置
*
*/
@Configuration
public class ShiroConfig {
@Bean("sessionManager")
public SessionManager sessionManager(){
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionValidationSchedulerEnabled(true);
sessionManager.setSessionIdCookieEnabled(true);
return sessionManager;
}
@Bean("securityManager")
public SecurityManager securityManager(OAuth2Realm oAuth2Realm, SessionManager sessionManager) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(oAuth2Realm);
securityManager.setSessionManager(sessionManager);
return securityManager;
}
@Bean("shiroFilter")
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
shiroFilter.setSecurityManager(securityManager);
//oauth过滤
Map<String, Filter> filters = new HashMap<>();
filters.put("oauth2", new OAuth2Filter());
shiroFilter.setFilters(filters);
Map<String, String> filterMap = new LinkedHashMap<>();
filterMap.put("/webjars/**", "anon");
filterMap.put("/druid/**", "anon");
filterMap.put("/app/**", "anon");
filterMap.put("/sys/login", "anon");
filterMap.put("/swagger/**", "anon");
filterMap.put("/v2/api-docs", "anon");
filterMap.put("/swagger-ui.html", "anon");
filterMap.put("/swagger-resources/**", "anon");
filterMap.put("/captcha.jpg", "anon");
filterMap.put("/queryuser", "anon");
//        filterMap.put("/api/**", "anon");
//        filterMap.put("/**", "oauth2");
filterMap.put("/api/auth", "anon");
filterMap.put("/api/**", "oauth2");
shiroFilter.setFilterChainDefinitionMap(filterMap);
return shiroFilter;
}
/**
* shiro bean⽣命周期管理
* @return
*/
@Bean("lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/
**
*  开启Shiro的注解(如@RequiresRoles,@RequiresPermissions),需借助SpringAOP扫描使⽤Shiro注解的类,并在必要时进⾏安全逻辑验证    * 配置以下两个bean(DefaultAdvisorAutoProxyCreator和AuthorizationAttributeSourceAdvisor)即可实现此功能
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
/**
* 开启aop注解⽀持
* @param securityManager
* @return
*/
@Beanshiro安全框架
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
2. FilterRegistrationBean:shiro注册类,且可以进⾏执⾏顺序排序
在shiroFilterRegistration()这个⽅法中可以看到,new了⼀个spring的注册类,shiroFilter这个被注册到了spring中,且设置的执⾏顺序仅次于下边的 防xss攻击过滤.
package fig;
import cn.polycismon.xss.XssFilter;
import dules.sys.oauth2.OAuth2Filter;
import dules.sys.oauth2.OAuth2Realm;
import org.SecurityManager;
import org.apache.SessionManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.DefaultWebSecurityManager;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import t.annotation.Bean;
import t.annotation.Configuration;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* Filter配置
*
*/
@Configuration
public class FilterConfig {
@Bean
public FilterRegistrationBean shiroFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setFilter(new DelegatingFilterProxy("shiroFilter"));
//该值缺省为false,表⽰⽣命周期由SpringApplicationContext管理,设置为true则表⽰由ServletContainer管理
registration.addInitParameter("targetFilterLifecycle", "true");
registration.setEnabled(true);
//spring boot 会按照order值的⼤⼩,从⼩到⼤的顺序来依次过滤。
registration.setOrder(Integer.MAX_VALUE - 1);
//所有请求都会过滤
registration.addUrlPatterns("/*");
return registration;
}
@Bean
public FilterRegistrationBean xssFilterRegistration() {
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setDispatcherTypes(DispatcherType.REQUEST);
registration.setFilter(new XssFilter());
/
/过滤/user的请求
registration.addUrlPatterns("/user/*");
//        registration.addUrlPatterns("/*");
registration.setName("xssFilter");
//spring boot 会按照order值的⼤⼩,从⼩到⼤的顺序来依次过滤。
registration.setOrder(Integer.MAX_VALUE);
return registration;
}
}
3.OAuth2Filter过滤器
标题1的时候shiroFilter这个bean new了⼀个LinkedHashMap, 看代码filters.put("oauth2", new OAuth2Filter());把这个OAuth2Filter放进去了,最后加上其他的过滤条件,塞到shiroFilter⾥了.
package dules.sys.oauth2;
import cn.polycismon.utils.HttpContextUtils;
import cn.polycismon.utils.R;
le.gson.Gson;
import org.apachemons.lang.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.UUID;
/**
* oauth2过滤器
*
*/
public class OAuth2Filter extends AuthenticatingFilter {
@Override
protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {
//获取请求token
String token = getRequestToken((HttpServletRequest) request);
if (StringUtils.isBlank(token)) {
return null;
}
return new OAuth2Token(token);
}
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
if (((HttpServletRequest) request).getMethod().equals(RequestMethod.OPTIONS.name())) {
return true;
}
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//获取请求token,如果token不存在,直接返回401
String token = getRequestToken((HttpServletRequest) request);
if (StringUtils.isBlank(token)) {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
httpResponse.setHeader("Access-Control-Allow-Origin", Origin());
String json = new Gson().(HttpStatus.SC_UNAUTHORIZED, "invalid token"));
return false;
}
}
return executeLogin(request, response);
}
@Override
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletReq
uest request, ServletResponse response) {        HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setContentType("application/json;charset=utf-8");
httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
httpResponse.setHeader("Access-Control-Allow-Origin", Origin());
try {
//处理登录失败的异常
Throwable throwable = e.getCause() == null ? e : e.getCause();
R r = R.error(HttpStatus.SC_UNAUTHORIZED, Message());
String json = new Gson().toJson(r);
} catch (IOException e1) {
}
return false;
}
/**
* 获取请求的token
*/
private String getRequestToken(HttpServletRequest httpRequest) {
//从header中获取token
String token = Header("token");
//如果header中不存在token,则从参数中获取token
if (StringUtils.isBlank(token)) {
token = Parameter("token");
}
return token;
}
}
4.Realm类
这个项⽬只简单使⽤了登录验证,授权认证没有使⽤,授权⽅⾯的代码忽略.
验证的⽅式是,企业⽤户将token放⼊请求头中,进⾏验证.
package dules.sys.oauth2;
import ity.SysUserEntity;
import ity.SysUserTokenEntity;
import dules.sys.service.ShiroService;
import ity.Users;
import dules.user.service.IUsersService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.alm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。