package com.example.springboot.security.config; import com.example.springboot.security.JWTRealm; import com.example.springboot.security.NoSessionFilter; import com.example.springboot.security.StatelessDefaultSubjectFactory; import com.example.springboot.security.UserRealm; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.codec.Base64; import org.apache.shiro.mgt.DefaultSessionStorageEvaluator; import org.apache.shiro.mgt.DefaultSubjectDAO; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.CookieRememberMeManager; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.apache.shiro.web.servlet.SimpleCookie; import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.DependsOn; import javax.servlet.Filter; import java.util.Arrays; import java.util.HashMap; import java.util.LinkedHashMap; import java.util.Map; @Configuration public class ShiroConfig { /** * Shiro生命周期处理器 * * @return */ @Bean public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } /** * 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions),需借助SpringAOP扫描使用Shiro注解的类,并在必要时进行安全逻辑验证 * DefaultAdvisorAutoProxyCreator的顺序必须在shiroFilterFactoryBean之前,不然SecurityUtils.getSubject().getPrincipal()获取不到参数 * * @return */ @Bean @DependsOn({"lifecycleBeanPostProcessor"}) public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator(); advisorAutoProxyCreator.setProxyTargetClass(true); return advisorAutoProxyCreator; } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(defaultSecurityManager()); return authorizationAttributeSourceAdvisor; } @Bean(name = "shiroFilterFactoryBean") public ShiroFilterFactoryBean shiroFilterFactoryBean() { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(defaultSecurityManager()); // 过滤规则 Map linkedHashMap = new LinkedHashMap<>(); // 无状态登录情况下关闭了shiro中的session,导致所有需要加上authc接口请求时候都会报错, // 所以使用@RequiresRoles,@RequiresPermissions注解,aop方式实现接口的权限校验 /* 添加shiro的内置过滤器,自定义url规则 * Shiro自带拦截器配置规则 * rest:比如/admins/user/**=rest[user],根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等 * port:比如/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数 * perms:比如/admins/user/**=perms[user:add:*],perms参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,比如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法 * roles:比如/admins/user/**=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,比如/admins/user/**=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。//要实现or的效果看http://zgzty.blog.163.com/blog/static/83831226201302983358670/ * anon:比如/admins/**=anon 没有参数,表示可以匿名使用 * authc:比如/admins/user/**=authc表示需要认证才能使用,没有参数 * authcBasic:比如/admins/user/**=authcBasic没有参数表示httpBasic认证 * ssl:比如/admins/user/**=ssl没有参数,表示安全的url请求,协议为https * user:比如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查 * 详情见文档 http://shiro.apache.org/web.html#urls- * */ // 用户权限 // linkedHashMap.put("/api/user/selectPage", "perms[user:select]"); // linkedHashMap.put("/api/user/selectById", "perms[user:select]"); // linkedHashMap.put("/api/user/updateById", "perms[user:update]"); // linkedHashMap.put("/api/user/removeByIds", "perms[user:delete]"); // // 商品权限 // linkedHashMap.put("/api/product/deleteBatchIds", "perms[product:delete]"); // linkedHashMap.put("/api/product/updateById", "perms[product:update]"); // linkedHashMap.put("/api/product/insert", "perms[product:add]"); // // // 角色权限 // linkedHashMap.put("/api/role/saveOrUpdate", "perms[role:add,role:update]"); // linkedHashMap.put("/api/role/removeByIds", "perms[role:delete]"); // linkedHashMap.put("/api/role/getById", "perms[role:select]"); // linkedHashMap.put("/api/role/selectPage", "perms[role:select]"); // // // 菜单权限 // linkedHashMap.put("/api/menuList/removeByIds", "perms[menuList:delete]"); // linkedHashMap.put("/api/menuList/saveOrUpdate", "perms[menuList:add,menuList:update]"); // // // 订单权限 // linkedHashMap.put("/api/order/deleteBatchIds", "perms[order:delete]"); // linkedHashMap.put("/api/order/updateById", "perms[order:update]"); // // // 授权的权限 // linkedHashMap.put("/api/rolePermission/saveOrUpdate", "perms[rolePermission:add]"); // linkedHashMap.put("/api/rolePermission/removeByIds", "perms[rolePermission:delete]"); // 自定义过滤器 HashMap filterHashMap = new HashMap<>(); filterHashMap.put("jwt", new NoSessionFilter()); shiroFilterFactoryBean.setFilters(filterHashMap); // 登录之后才可以请求的接口 linkedHashMap.put("/api/**", "jwt"); shiroFilterFactoryBean.setFilterChainDefinitionMap(linkedHashMap); return shiroFilterFactoryBean; } @Bean public DefaultWebSecurityManager defaultSecurityManager() { DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager(); defaultWebSecurityManager.setRealms(Arrays.asList(userRealm(), jwtRealm())); // 禁用shiro中的session DefaultSubjectDAO defaultSubjectDAO = new DefaultSubjectDAO(); DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator(); defaultSessionStorageEvaluator.setSessionStorageEnabled(false); defaultSubjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator); defaultWebSecurityManager.setSubjectDAO(defaultSubjectDAO); defaultWebSecurityManager.setSubjectFactory(subjectFactory()); return defaultWebSecurityManager; } /** * 登录的认证和授权 * * @return */ @Bean public UserRealm userRealm() { UserRealm userRealm = new UserRealm(); userRealm.setCredentialsMatcher(hashedCredentialsMatcher()); return userRealm; } /** * token的认证和授权 * * @return */ @Bean public JWTRealm jwtRealm() { return new JWTRealm(); } @Bean public StatelessDefaultSubjectFactory subjectFactory() { return new StatelessDefaultSubjectFactory(); } /* * 凭证匹配器 由于我们的密码校验交给Shiro的SimpleAuthenticationInfo进行处理了 */ @Bean public HashedCredentialsMatcher hashedCredentialsMatcher() { HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher(); hashedCredentialsMatcher.setHashAlgorithmName("MD5");// 散列算法:这里使用MD5算法; hashedCredentialsMatcher.setHashIterations(1024);// 散列的次数,比如散列两次,相当于MD5(MD5("")); return hashedCredentialsMatcher; } @Bean public CookieRememberMeManager cookieRememberMeManager() { CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager(); SimpleCookie simpleCookie = new SimpleCookie("rememberMe"); simpleCookie.setMaxAge(259200000); cookieRememberMeManager.setCookie(simpleCookie); cookieRememberMeManager.setCipherKey(Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA==")); return cookieRememberMeManager; } }