• springboot+shiro登录校验及权限验证

    shiro所需要的包 
    <dependency> 
          <groupId>org.apache.shiro</groupId> 
          <artifactId>shiro-cas</artifactId> 
          <version>1.2.4</version> 
        </dependency> 
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.4.0</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-ehcache -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-ehcache</artifactId>
            <version>1.4.0</version>
        </dependency>
    public class AuthRealm extends AuthorizingRealm {
    
    @Autowired
    private ISysAdminService adminService;
    
    @Autowired
    private ISysAdminRoleService adminRoleService;
    
    @Autowired
    private ISysRolePermService rolePermService;
    
    //认证.登录
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("-----------------认证.登录-------------------");
        UsernamePasswordToken utoken = (UsernamePasswordToken) token;//获取用户输入的token
        String username = utoken.getUsername();
        //处理session
        SessionsSecurityManager securityManager = (SessionsSecurityManager) SecurityUtils.getSecurityManager();
        DefaultSessionManager sessionManager = (DefaultSessionManager) securityManager.getSessionManager();
      //获取当前已登录的用户session列表
        Collection<Session> sessions = sessionManager.getSessionDAO().getActiveSessions();
        for (Session session : sessions) {
            //清除该用户以前登录时保存的session
//            IotdUserEntity en=(IotdUserEntity)(session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
//            String phone=en.getPhone();
            //如果和当前session是同一个session,则不剔除
            if (SecurityUtils.getSubject().getSession().getId().equals(session.getId()))
                break;
            
            SysAdmin admin = (SysAdmin) (session.getAttribute("sysAdmin"));
            if (admin != null) {
                String adminName = admin.getLoginName();
                if (username.equals(adminName)) {
                    System.out.println(username + "已登录,剔除中...........");
                    sessionManager.getSessionDAO().delete(session);
                }
            }
        }
        //获取用户信息
        SysAdmin sysAdmin = adminService.getByLoginName(username);
        if(sysAdmin == null) {
            throw new UnknownAccountException();
        }
        if(sysAdmin.getIsLock() == 1) {//被锁定
            throw new LockedAccountException();
        }
        if(sysAdmin.getIsEnable() == 1) {//该账号未被启用
            throw new DisabledAccountException();
        }
        //放入shiro.调用CredentialsMatcher检验密码
        SimpleAuthenticationInfo rst = new SimpleAuthenticationInfo(sysAdmin, sysAdmin.getPassword(), this.getClass().getName());
        return rst;
    }

    //授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principal) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        SysAdmin admin = (SysAdmin) principal.fromRealm(this.getClass().getName()).iterator().next();//获取session中的用户
        //获取该用户的所有角色
        List<Integer> listId = adminRoleService.getRoleIdByAdminId(admin.getSysAdminId());
        //查询该用户的权限
        List<String> list = rolePermService.getAuthCodeListByRoles(listId);
        info.addStringPermissions(list);
        return info;
    }


}
    /**
 * shiro配置类
 * @author Administrator
 *
 */

@Configuration
public class ShiroConfiguration {
    
    /**
     * 创建ShiroFilterFactoryBean
     */
    @Bean(name="shiroFilter")
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        
        /**
         * shiro常用拦截器
         *     anon: 无需认证就可访问
         *     authc: 需要认证才能访问
         *  user :使用rememberMe的功能可直接访问
         *  perms: 必须有资源的权限才可以访问
         *     role : 该资源必须得到角色的权限才可以访问
         */
        //设置安全管理器
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        
        return shiroFilterFactoryBean;
    }
    


    //配置核心安全事务管理器
    @Bean(name="securityManager")
    public DefaultWebSecurityManager securityManager(@Qualifier("authRealm") AuthRealm authRealm) {
        System.err.println("--------------shiro已经加载----------------");
        DefaultWebSecurityManager manager=new DefaultWebSecurityManager();
        manager.setRealm(authRealm);
        manager.setSessionManager(sessionManager());
        // <!-- 用户授权/认证信息Cache, 采用EhCache 缓存 -->
        manager.setCacheManager(ehCacheManager());
        //注入记住我管理器;
        manager.setRememberMeManager(rememberMeManager());
        return manager;
    }

    @Bean(name = "sessionManager")
    public DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager sessionManager=new DefaultWebSessionManager();
        return sessionManager;
    }
    
    //配置自定义的权限登录器
    @Bean(name="authRealm")
    public AuthRealm authRealm(@Qualifier("credentialsMatcher") CredentialsMatcher matcher) {
        AuthRealm authRealm=new AuthRealm();
        authRealm.setCredentialsMatcher(matcher);
        return authRealm;
    }
    
    //配置自定义的密码比较器
    @Bean(name="credentialsMatcher")
    public CredentialsMatcher credentialsMatcher() {
        return new CredentialsMatcher(ehCacheManager());
    }
    
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") SecurityManager manager) {
        AuthorizationAttributeSourceAdvisor advisor=new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(manager);
        return advisor;
    }

    //----------------------------------------------- 
    /**
     * LifecycleBeanPostProcessor,这是个DestructionAwareBeanPostProcessor的子类,
     * 负责org.apache.shiro.util.Initializable类型bean的生命周期的,初始化和销毁。
     * 主要是AuthorizingRealm类的子类,以及EhCacheManager类。
     *
     * @return
     */
    @Bean(name = "lifecycleBeanPostProcessor")
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    /**
     * ShiroRealm,这是个自定义的认证类,继承自AuthorizingRealm, 负责用户的认证和权限的处理
     *
     * @return
     */
    @Bean(name = "myShiroRealm")
    @DependsOn("lifecycleBeanPostProcessor")
    public AuthRealm myShiroRealm() {
        AuthRealm myShiroRealm = new AuthRealm();
        return myShiroRealm;
    }

    /**
     * EhCacheManager,缓存管理,用户登陆成功后,把用户信息和权限信息缓存起来,
     * 然后每次用户请求时,放入用户的session中,如果不设置这个bean,每个请求都会查询一次数据库。
     *
     * @return
     */
    @Bean(name = "ehCacheManager")
    @DependsOn("lifecycleBeanPostProcessor")
    public EhCacheManager ehCacheManager() {
        EhCacheManager cacheManager = new EhCacheManager();
        cacheManager.setCacheManagerConfigFile("classpath:ehcache-shiro.xml");
        return cacheManager;
    }

    /**
     * 自定义shiroSession的cookie,如果不设置默认JSESSIONID,
     * 会与tomcat等默认cookie名重复,sessionIdCookie用于保存sessionId标识
     *
     * @return
     */
    @Bean(name = "rememberMeCookie")
    public SimpleCookie rememberMeCookie() {
        // 这个参数是cookie的名称,对应前端的checkbox的name = rememberMe
        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
        // setcookie的httponly属性如果设为true的话,会增加对xss防护的安全系数。它有以下特点:
        // 设为true后,只能通过http访问,javascript无法访问
        // 防止xss读取cookie
        simpleCookie.setHttpOnly(true);
        // <!-- 记住我cookie生效时间30天 ,单位秒;-->
        simpleCookie.setMaxAge(259200);
        return simpleCookie;
    }

    /**
     * cookie管理对象;
     * 记住我的配置
     * @return
     */
    @Bean(name = "rememberMeManager")
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCookie(rememberMeCookie());
        return cookieRememberMeManager;
    }

    /**
     * DefaultAdvisorAutoProxyCreator,Spring的一个bean,由Advisor决定对哪些类的方法进行AOP代理。
     *
     * @return
     */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
        daap.setProxyTargetClass(true);
        return daap;
    }

    /**
     * thymeleaf模板使用shiro注解
     * @return
     */
    @Bean
    public ShiroDialect getShiroDialect(){
        return new ShiroDialect();
    }
    
}
    /**
 * 自定义密码比较
 * @author Administrator
 * 
 *
 */
public class CredentialsMatcher extends SimpleCredentialsMatcher {
    
     @Autowired
     private ISysAdminService adminService;
    
     private Cache<String, AtomicInteger> passwordRetryCache;
     
     public CredentialsMatcher(CacheManager cacheManager) {
         passwordRetryCache = cacheManager.getCache("passwordRetryCache");
    }
    
    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        
        // 获取登录用户的用户名
        String username = (String)token.getPrincipal();
        // 获取用户登录次数
        AtomicInteger retryCount = passwordRetryCache.get(username);
        if (retryCount == null) {
            // 如果用户没有登陆过,登陆次数加1 并放入缓存
            retryCount = new AtomicInteger(0);
            passwordRetryCache.put(username, retryCount);
        }
        if (retryCount.incrementAndGet() > 3) {
            // 如果用户登陆失败次数大于3次 抛出锁定用户异常  并修改数据库字段
            SysAdmin admin = adminService.getByLoginName(username);
            if (admin != null && admin.getIsLock() == 0){
                // 数据库字段 默认为 0  就是未锁定状态 所以 要改为1
                // 修改数据库的状态字段为锁定
                admin.setIsLock((byte) 1);
                adminService.updateById(admin);
            }
            // 抛出用户锁定异常
            throw new LockedAccountException();
        }
        // 判断用户账号和密码是否正确
        boolean matches = super.doCredentialsMatch(token, info);
        if (matches) {
            // 如果正确,从缓存中将用户登录计数 清除
            passwordRetryCache.remove(username);
        }
        return matches;
    }
    
    /**
     * 根据用户名 解锁用户
     * @param username
     * @return
     */
    public void unlockAccount(String username){
        passwordRetryCache.remove(username);
    }
}
    /**
     * 生成验证码
     */
    @RequestMapping(value = "/getVerify")
    public void getVerify(HttpServletRequest request, HttpServletResponse response) {
        try {
            response.setContentType("image/jpeg");// 设置相应类型,告诉浏览器输出的内容为图片
            response.setHeader("Pragma", "No-cache");// 设置响应头信息,告诉浏览器不要缓存此内容
            response.setHeader("Cache-Control", "no-cache");
            response.setDateHeader("Expire", 0);
            RandomValidateCodeUtil randomValidateCode = new RandomValidateCodeUtil();
            randomValidateCode.getRandcode(request, response);// 输出验证码图片方法
        } catch (Exception e) {
            result(HTTP_VALID,"获取验证码失败",ICON_ERROR);
        }
    }
    
    /**
     * 登录校验
     * @param admin
     * @return
     * @throws Exception 
     */
    @RequestMapping(value="/checkLogin" ,method=RequestMethod.POST)
    @ResponseBody
//    @OperLog(operModul="登录",operType="checkLogin",operDesc="验证用户名密码")
    public AjaxResult checkLogin(HttpSession session ,SysAdmin admin,String captcha){
        try {
//            String random = (String) session.getAttribute("RANDOMVALIDATECODEKEY");
//            if(captcha.equals("") || !random.equals(captcha)) {
//                return result(HTTP_VALID,"验证码错误",ICON_EXIST);
//            }
            /**
             * shiro 认证操作
             */
            //1.获取Subject对象
            Subject subject = SecurityUtils.getSubject();
            //2.封装用户数量
            
            UsernamePasswordToken token = new UsernamePasswordToken(admin.getLoginName(), DesAesUtil.encryptDES(admin.getPassword()));
            //3.执行登录方法
        
            subject.login(token);
            SysAdmin loginAdmin = (SysAdmin)SecurityUtils.getSubject().getPrincipal();
            session.setAttribute("sysAdmin", loginAdmin);
            JSONObject json = new JSONObject();
            json.put("url", "/Bmc/sys-menu/menu");
            return result(HTTP_SUCCESS , MSG_SUCCESS , ICON_SUCCESS , json);
        }catch (UnknownAccountException e) {
            return result(HTTP_VALID , "用户名不存在" , ICON_EXIST);
        }catch(IncorrectCredentialsException e) {
            return result(HTTP_VALID , "密码不正确" , ICON_EXIST);
        }catch(NullPointerException e) {
            return result(HTTP_VALID , "验证码过期" , ICON_EXIST);
        }catch(LockedAccountException e) {
            return result(HTTP_VALID , "该账号由于登录次数过多已被锁定" , ICON_EXIST);
        }catch(DisabledAccountException e) {
            return result(HTTP_VALID , "该账号未被启用" , ICON_EXIST);
        }catch(Exception e) {
            return result(HTTP_VALID , "该账号存在异常" , ICON_EXIST);
        } 
    }
    <ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd"
         updateCheck="false">
    <defaultCache
            eternal="false"
            maxElementsInMemory="1000"
            overflowToDisk="false"
            diskPersistent="false"
            timeToIdleSeconds="0"
            timeToLiveSeconds="600"
            memoryStoreEvictionPolicy="LRU" />
            
 

    <!-- 登录失败次数缓存
        注意 timeToLiveSeconds 设置为300秒 也就是5分钟
         可以根据自己的需求更改
     -->
    <cache name="passwordRetryCache"
           maxEntriesLocalHeap="2000"
           eternal="false"
           timeToIdleSeconds="0"
           timeToLiveSeconds="300"
           overflowToDisk="false"
           statistics="true">
    </cache>
</ehcache>
  • 相关阅读:
    python:返回函数,闭包
    对象的行为和数组
    类、对象和包
    Java语言中的程序流程控制
    初识Java,Java语言概述
    有限广播地址与直接广播地址
    H3C模拟器HCL注意事项
    HDLC协议
    NETBIOS的作用
    HP DL380G7 RAID配置
  • 原文地址:https://www.cnblogs.com/ch94/p/16385465.html
Copyright © 2020-2023  润新知