在前后端分離項目中使用SpringBoot集成Shiro

1、在前后端分離項目中使用springboot集成shiro在前后端分別項目中用法springboot集成shiro前言這次在處理一個小項目時用到了前后端分別，服務(wù)端用法springboot2.x。權(quán)限驗證用法了shiro。前后端分別首先需要解決的是跨域問題，post接口跨域時會預(yù)發(fā)送一個options哀求，掃瞄器收到響應(yīng)后會繼續(xù)執(zhí)行post哀求。前后端分別后為了保持會話狀態(tài)用法session持久化插件shiro-redis，持久化session可以持久化到關(guān)系型數(shù)據(jù)庫，也可以持久化到非關(guān)系型數(shù)據(jù)庫（主要是重寫sessiondao）。shiro已提供了sessiondao接口和抽象類。假如項目中用

2、到swagger的話，還需要把swagger相關(guān)url放行。搭建依靠 org.crazycake shiro-redis 3.2.3 org.apache.shiroshiro-spring1.4.1shiro權(quán)限配置1、shiroconfig。這里主要是shiro核心配置。比如securitymanager、sessionmanager、cachemanager。publicclassshiroconfigvalue("$spring.redis.shiro.host")privatestringhost;value("$spring.r

3、edis.shiro.port")privateintport;value("$spring.redis.shiro.timeout")privateinttimeout;value("$spring.redis.shiro.password")privatestringpassword;/*權(quán)限規(guī)章配置*/beanpublicshirofilterfactorybeanshirofilterfactorybean(securitymanagersecuritymanager)shirofilterfac

4、torybeanshirofilterfactorybean=newshirofilterfactorybean();shirofilterfactorybean.setsecuritymanager(securitymanager);mapfilters=shirofilterfactorybean.getfilters();filters.put("authc",newmyformauthorizationfilter();mapfilterchaindefinitionmap=newlinkedhashmap();/swagger資源不攔截filter

5、chaindefinitionmap.put("/swagger-ui.html","anon");filterchaindefinitionmap.put("/swagger-resources/*/*","anon");filterchaindefinitionmap.put("/v2/api-docs","anon");filterchaindefinitionmap.put

6、("/webjars/springfox-swagger-ui/*","anon");filterchaindefinitionmap.put("/configuration/security","anon");filterchaindefinitionmap.put("/configuration/ui","anon");filterchaindefinitionmap.put(

7、"/login/ajaxlogin","anon");filterchaindefinitionmap.put("/login/unauth","anon");filterchaindefinitionmap.put("/login/logout","anon");filterchaindefinitionmap.put("/login/register&

8、quot;,"anon");filterchaindefinitionmap.put("/*","authc");shirofilterfactorybean.setloginurl("/login/unauth");shirofilterfactorybean.setfilterchaindefinitionmap(filterchaindefinitionmap);returnshirofilterfactorybean;/*shiro平安管理器（

9、權(quán)限驗證核心配置）*/beanpublicsecuritymanagersecuritymanager()defaultwebsecuritymanagersecuritymanager=newdefaultwebsecuritymanager();securitymanager.setrealm(myshirorealm();securitymanager.setsessionmanager(sessionmanager();securitymanager.setcachemanager(cachemanager();returnsecuritymanager;/*會話管理*/beanpub

10、licsessionmanagersessionmanager()mysessionmanagersessionmanager=newmysessionmanager();sessionmanager.setsessionidurlrewritingenabled(false);/取消登陸跳轉(zhuǎn)url后面的jsessionid參數(shù)sessionmanager.setsessiondao(sessiondao();sessionmanager.setglobalsessiontimeout(-1);/不過期returnsessionmanager;/*用法的是shiro-redis開源插件緩存依靠

11、*/beanpublicredismanagerredismanager()redismanagerredismanager=newredismanager();redismanager.sethost(host+":"+port);redismanager.settimeout(timeout);redismanager.setpassword(password);returnredismanager;/*用法的是shiro-redis開源插件session持久化*/publicredissessiondaosessiondao()redissession

12、daoredissessiondao=newredissessiondao();redissessiondao.setredismanager(redismanager();returnredissessiondao;/*緩存管理*/beanpubliccachemanagercachemanager()rediscachemanagerrediscachemanager=newrediscachemanager();rediscachemanager.setredismanager(redismanager();returnrediscachemanager;/*權(quán)限管理*/beanpubl

13、icmyshirorealmmyshirorealm()returnnewmyshirorealm();2、myshirorealm用戶身份驗證、自定義權(quán)限。publicclassmyshirorealmextendsauthorizingrealmprivateloggerlogger=loggerfactory.getlogger(myshirorealm.class);resourceuserdaouserdao;overrideprotectedauthorizationinfodogetauthorizationinfo(principalcollectionprincipalcol

14、lection)("=權(quán)限驗證=");returnnull;overrideprotectedauthenticationinfodogetauthenticationinfo(authenticationtokenauthenticationtoken)throwsauthenticationexceptionusernamepasswordtokentoken=(usernamepasswordtoken)authenticationtoken;usercurrentuser=userdao.finduser(token.getus

15、ername();if(null=currentuser)thrownewauthenticationexception("賬戶不存在");if(!currentuser.getpassword().equals(newstring(token.getpassword()thrownewincorrectcredentialsexception("賬戶密碼不正確");if(currentuser.getisdel()=1)thrownewlockedaccountexception("賬戶已凍結(jié)&

16、quot;);subjectsubject=securityutils.getsubject();biuserbiuser=newbiuser();biuser.setuserid(currentuser.getuserid();biuser.setorgid(currentuser.getorgid();biuser.setusername(currentuser.getusername();biuser.setpassword(currentuser.getpassword();biuser.setsessionid(subject.getsession().getid().tostrin

17、g();biuser.setisdel(currentuser.getisdel();biuser.setcreatetime(currentuser.getcreatetime();("=已授權(quán)"+biuser.tostring()+"=");returnnewsimpleauthenticationinfo(biuser,biuser.getpassword(),biuser.getusername();3、mysessionmanager。shiro權(quán)限驗證是按照客戶端cookie中的jsess

18、ionid值來確定身份是否合格。前后端分別后這個地方需要處理。客戶端調(diào)用服務(wù)端登陸接口，驗證通過后返回給客戶端一個token值（這里我放的是sessionid）?？蛻舳吮４鎡oken值，然后調(diào)用其他接口時把token值放在header中。對前端來說也就是放在ajax的headers參數(shù)中。publicclassmysessionmanagerextendsdefaultwebsessionmanagerprivatestaticfinalstringauthorization="authorization"privatestaticfinalstringre

19、ferenced_session_id_source="statelessrequest"publicmysessionmanager()overrideprotectedserializablegetsessionid(servletrequestrequest,servletresponseresponse)/先前端ajaxheaders中獵取這個參數(shù)用來推斷授權(quán)stringid=webutils.tohttp(request).getheader(authorization);if(stringutils.haslength(id)request.se

20、tattribute(shirohttpservletrequest.referenced_session_id_source,referenced_session_id_source);request.setattribute(shirohttpservletrequest.referenced_session_id,id);request.setattribute(shirohttpservletrequest.referenced_session_id_is_valid,boolean.true);returnid;else/先前端的cookie中取值returnsuper.getses

21、sionid(request,response);4、myformauthorizationfilter。對于跨域的post哀求，掃瞄器發(fā)起post哀求前都會發(fā)送一個options哀求已確定服務(wù)器是否可用，options哀求通過后繼續(xù)執(zhí)行post哀求，而shiro自帶的權(quán)限驗證是無法處理options哀求的，所以這里需要重寫isaccessallowed辦法。publicclassmyformauthorizationfilterextendsformauthenticationfilterprotectedbooleanisaccessallowed(servletrequestservletrequest,servletresponseservletresponse,objecto)httpservletrequesthttpservletrequest=webutils.tohttp(servletrequest);if("options".equals(httpservletrequest.getmetho