準備:
springboot 2.5.5
jdk 1.8
沒有操作刷新token功能,也沒有放redis做緩存
1.導入依賴
<!--shiro--><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.7.1</version></dependency><!--集成jwt實現token認證--><dependency><groupId>com.auth0</groupId><artifactId>java-jwt</artifactId><version>3.2.0</version></dependency>
2.創建JWTUtil工具類
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.ronsafe.wlw.mapper.UserMapper;
import org.springframework.beans.factory.annotation.Autowired;import javax.servlet.http.HttpServletRequest;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;public class JWTUtil {// 過期時間 2 小時private static final long EXPIRE_TIME = 2 * 60 * 60 * 1000;// 密鑰private static final String SECRET = "jwt+shiro";@Autowiredprivate UserMapper userMapper;/*** 生成 token*/public static String createToken(String username) {try {Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);Algorithm algorithm = Algorithm.HMAC256(SECRET);//jwt的header部分Map<String ,Object> map=new HashMap<>();map.put("alg","HS256");map.put("typ","JWT");// 附帶username信息return JWT.create().withHeader(map)//jwt的header部分.withClaim("username", username)//私有聲明.withExpiresAt(date)//過期時間.withIssuedAt(new Date())//簽發時間.sign(algorithm);//簽名} catch (Exception e) {return null;}}/*** 校驗 token 是否正確*///校驗token的有效性,1、token的header和payload是否沒改過;2、沒有過期public static boolean verify(String token) {try {//解密JWTVerifier verifier=JWT.require(Algorithm.HMAC256(SECRET)).build();
// System.out.println("5555555->error1111111111");verifier.verify(token);return true;}catch (Exception e){return false;}}/*** 獲得token中的信息,無需secret解密也能獲得*/public static String getUsername(String token) {try {DecodedJWT jwt = JWT.decode(token);return jwt.getClaim("username").asString();} catch (JWTDecodeException e) {return null;}}public static String getCurrentUsername(HttpServletRequest request){String accessToken = request.getHeader("Jmt-token");return getUsername(accessToken);}
}
golang token,3.創建類JwtToken
import org.apache.shiro.authc.AuthenticationToken;public class JwtToken implements AuthenticationToken {private String token;public JwtToken(String token) {this.token = token;}@Overridepublic Object getPrincipal() {return token;}@Overridepublic Object getCredentials() {return token;}}
4.創建ShiroRealm類
import com.ronsafe.wlw.util.JWTUtil;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;@Component
@Slf4j
public class ShiroRealm extends AuthorizingRealm {/*** 根據token判斷此Authenticator是否使用該realm* 必須重寫此方法,不然會報錯*/@Overridepublic boolean supports(AuthenticationToken token) {return token instanceof JwtToken;}/*** 默認使用此方法進行用戶名正確與否驗證,錯誤拋出異常即可。*/@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// System.out.println("7777777777777777");String token = (String) authenticationToken.getCredentials();// 解密獲得username,用于和數據庫進行對比String username = null;try {username= JWTUtil.getUsername(token);}catch (Exception e){throw new AuthenticationException("token非法,不是規范的token,可能被篡改了,或者過期了");}if (username == null || !JWTUtil.verify(token)) {
// System.out.println("5555555->error2222222222");throw new AuthenticationException("token認證失效,token錯誤或者過期,重新登陸");}
// System.out.println("8888888888888888888888");return new SimpleAuthenticationInfo(token,token,"ShiroRealm");}/*** 只有當需要檢測用戶權限的時候才會調用此方法,例如checkRole,checkPermission之類的*/@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {return null;}
}
5.創建類JwtFilter
import com.alibaba.fastjson.JSON;
import com.ronsafe.wlw.util.Result;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;@Slf4j
public class JwtFilter extends BasicHttpAuthenticationFilter {private boolean allowOrigin = true;public JwtFilter(){}public JwtFilter(boolean allowOrigin){this.allowOrigin = allowOrigin;}/*** 如果帶有 token,則對 token 進行檢查,否則直接通過*/@Overrideprotected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws UnauthorizedException {
// System.out.println("555555555555555555");try {executeLogin(request, response);} catch (Exception e) {
// System.out.println("5555555->error333333333333");//token 錯誤responseError(response);}
// System.out.println("1010101010");return true;}/*** 判斷用戶是否想要登入。* 檢測 header 里面是否包含 token 字段*/@Overrideprotected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {HttpServletRequest req = (HttpServletRequest) request;String token = req.getHeader("Jmt-token");return token != null;}/*** 執行登陸操作*/@Overrideprotected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
// System.out.println("6666666666666");HttpServletRequest httpServletRequest = (HttpServletRequest) request;String token = httpServletRequest.getHeader("Jmt-token");JwtToken jwtToken = new JwtToken(token);// 提交給realm進行登入,如果錯誤它會拋出異常并被捕獲getSubject(request, response).login(jwtToken);// 如果沒有拋出異常則代表登入成功,返回true
// System.out.println("9999999999999999999");return true;}/*** 對跨域提供支持*/@Overrideprotected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {HttpServletRequest httpServletRequest = (HttpServletRequest) request;HttpServletResponse httpServletResponse = (HttpServletResponse) response;httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE");httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers"));//前后端分離,shiro過濾器配置引起的跨域問題// 是否允許發送Cookie,默認Cookie不包括在CORS請求之中。設為true時,表示服務器允許Cookie包含在請求中。httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");//前后端分離,shiro過濾器配置引起的跨域問題// 跨域時會首先發送一個option請求,這里我們給option請求直接返回正常狀態if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {httpServletResponse.setStatus(HttpStatus.OK.value());return false;}return super.preHandle(request, response);}/*** 非法請求返回401,前端攔截到登錄頁*/private void responseError(ServletResponse response) {HttpServletResponse httpServletResponse = WebUtils.toHttp(response);httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());httpServletResponse.setCharacterEncoding("UTF-8");httpServletResponse.setContentType("application/json; charset=utf-8");try (ServletOutputStream out = httpServletResponse.getOutputStream()) {
// System.out.println("5555555->error444444444444444");out.write(JSON.toJSONString(Result.fail(401,"身份驗證失敗,請重新登陸!")).getBytes("utf-8"));} catch (IOException e) {throw new AuthenticationException("直接返回Response信息出現IOException異常:" + e.getMessage());}}
}
shiro單點登錄,6.創建類ShiroConfig
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;@Slf4j
@Configuration
public class ShiroConfig {/*** 先經過token過濾器,如果檢測到請求頭存在 token,則用 token 去 login,接著走 Realm 去驗證*/@Beanpublic ShiroFilterFactoryBean factory(@Qualifier("securityManager")DefaultWebSecurityManager securityManager) {
// System.out.println("1111111111111");ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();factoryBean.setSecurityManager(securityManager);Map<String, Filter> filterMap = new LinkedHashMap<>();// 添加自己的過濾器并且取名為jwtfilterMap.put("jwt", new JwtFilter());factoryBean.setFilters(filterMap);// 設置無權限時跳轉的 url;factoryBean.setUnauthorizedUrl("/unauthorized/relogin");Map<String, String> filterRuleMap = new HashMap<>();//添加不需要攔截的urlfilterRuleMap.put("/unauthorized/**","anon");
// //登錄不需要攔截filterRuleMap.put("/login","anon");
// //處理swagger不能訪問問題filterRuleMap.put("/swagger-ui.html", "anon");filterRuleMap.put("/swagger**/**", "anon");filterRuleMap.put("/webjars/**", "anon");filterRuleMap.put("/v2/**", "anon");//這個需要放到最下面// 所有請求通過我們自己的JWT FilterfilterRuleMap.put("/**", "jwt");factoryBean.setFilterChainDefinitionMap(filterRuleMap);
// System.out.println("2222222222222222222222");return factoryBean;}/*** 注入 securityManager*/@Bean(name = "securityManager")public DefaultWebSecurityManager securityManager(ShiroRealm customRealm) {
// System.out.println("333333333333333");DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();//設置自定義realm.securityManager.setRealm(customRealm);//關閉shiro自帶的sessionDefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();defaultSessionStorageEvaluator.setSessionStorageEnabled(false);subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);securityManager.setSubjectDAO(subjectDAO);
// System.out.println("444444444444444");return securityManager;}/*** 添加注解支持*/@Beanpublic DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();// 強制使用cglib,防止重復代理和可能引起代理出錯的問題defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);return defaultAdvisorAutoProxyCreator;}@Beanpublic AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();advisor.setSecurityManager(securityManager);return advisor;}@Beanpublic LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {return new LifecycleBeanPostProcessor();}
}
7.創建類LoginController
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.ronsafe.wlw.entity.SysUser;
import com.ronsafe.wlw.service.UserService;
import com.ronsafe.wlw.util.JWTUtil;
import com.ronsafe.wlw.util.PasswordUtil;
import com.ronsafe.wlw.util.Result;
import com.ronsafe.wlw.util.StatusCode;
import com.ronsafe.wlw.vo.UserVO;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;import java.util.HashMap;/*** @Author R0137 csy* @Date 2021/11/9 14:46*/
@RestController
@Api(tags = "系統管理")
public class LoginController {@Autowiredprivate UserService userService;@CrossOrigin@PostMapping("/login")@ApiOperation("登錄")public Result login(String username,String password){QueryWrapper<SysUser> wrapper=new QueryWrapper<>();wrapper.eq("username",username);SysUser user = userService.getOne(wrapper);if (user==null) return Result.fail(StatusCode.LOGINERROR,"用戶不存在!");password = PasswordUtil.encrypt(username,password,user.getSalt());if(!user.getPassword().equals(password)) return Result.fail(StatusCode.LOGINERROR,"密碼錯誤!");String token = JWTUtil.createToken(username);HashMap<String, Object> result = new HashMap<>();UserVO userVO = new UserVO();BeanUtils.copyProperties(user,userVO);result.put("token",token);result.put("user",userVO);return Result.success(result);}
}
至此所有集成代碼都粘貼完畢,下面粘一下工具類
public class Result {//是否成功private boolean flag;//返回的狀態碼private Integer code;//返回信息private String message;//返回數據private Object data;//全參構造方法public Result(boolean flag, Integer code, String message, Object data) {//super();this.flag = flag;this.code = code;this.message = message;this.data = data;}//無參構造方法public Result() {}//沒有返回數據的方法public Result(boolean flag, Integer code, String message) {super();this.flag = flag;this.code = code;this.message = message;}// 通用的成功 無返回結果public static Result success() {return new Result(true, StatusCode.OK, "OK", null);}// 通用的成功 有返回結果public static Result success(Object data) {return new Result(true, StatusCode.OK, "OK", data);}// 通用的失敗創建接口 沒有返回結果public static Result fail(int statusCode, String message) {return new Result(false, statusCode, message, null);}// 通用的失敗創建接口 有返回結果public static Result fail(int statusCode, String message, Object data) {return new Result(false, statusCode, message, data);}public boolean isFlag() {return flag;}public void setFlag(boolean flag) {this.flag = flag;}public Integer getCode() {return code;}public void setCode(Integer code) {this.code = code;}public String getMessage() {return message;}public void setMessage(String message) {this.message = message;}public Object getData() {return data;}public void setData(Object data) {this.data = data;}
}
package com.ronsafe.wlw.util;import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.Key;
import java.security.SecureRandom;
import java.util.Random;public class PasswordUtil {/*** 隨機數* @param place 定義隨機數的位數*/public static String randomGen(int place) {String base = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKLOP0123456789";StringBuffer sb = new StringBuffer();Random rd = new Random();for(int i=0;i<place;i++) {sb.append(base.charAt(rd.nextInt(base.length())));}return sb.toString();}/*** JAVA6支持以下任意一種算法 PBEWITHMD5ANDDES PBEWITHMD5ANDTRIPLEDES* PBEWITHSHAANDDESEDE PBEWITHSHA1ANDRC2_40 PBKDF2WITHHMACSHA1* *//*** 定義使用的算法為:PBEWITHMD5andDES算法*/public static final String ALGORITHM = "PBEWithMD5AndDES";//加密算法public static final String Salt = "63293188";//密鑰/*** 定義迭代次數為1000次*/private static final int ITERATIONCOUNT = 1000;/*** 獲取加密算法中使用的鹽值,解密中使用的鹽值必須與加密中使用的相同才能完成操作. 鹽長度必須為8字節* * @return byte[] 鹽值* */public static byte[] getSalt() throws Exception {// 實例化安全隨機數SecureRandom random = new SecureRandom();// 產出鹽return random.generateSeed(8);}public static byte[] getStaticSalt() {// 產出鹽return Salt.getBytes();}/*** 根據PBE密碼生成一把密鑰* * @param password* 生成密鑰時所使用的密碼* @return Key PBE算法密鑰* */private static Key getPBEKey(String password) {// 實例化使用的算法SecretKeyFactory keyFactory;SecretKey secretKey = null;try {keyFactory = SecretKeyFactory.getInstance(ALGORITHM);// 設置PBE密鑰參數PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray());// 生成密鑰secretKey = keyFactory.generateSecret(keySpec);} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}return secretKey;}/*** 加密明文字符串* * @param plaintext* 待加密的明文字符串* @param password* 生成密鑰時所使用的密碼* @param salt* 鹽值* @return 加密后的密文字符串* @throws Exception*/public static String encrypt(String plaintext, String password, String salt) {Key key = getPBEKey(password);byte[] encipheredData = null;PBEParameterSpec parameterSpec = new PBEParameterSpec(salt.getBytes(), ITERATIONCOUNT);try {Cipher cipher = Cipher.getInstance(ALGORITHM);cipher.init(Cipher.ENCRYPT_MODE, key, parameterSpec);//update-begin-author:sccott date:20180815 for:中文作為用戶名時,加密的密碼windows和linux會得到不同的結果 gitee/issues/IZUD7encipheredData = cipher.doFinal(plaintext.getBytes("utf-8"));//update-end-author:sccott date:20180815 for:中文作為用戶名時,加密的密碼windows和linux會得到不同的結果 gitee/issues/IZUD7} catch (Exception e) {}return bytesToHexString(encipheredData);}/*** 解密密文字符串* * @param ciphertext* 待解密的密文字符串* @param password* 生成密鑰時所使用的密碼(如需解密,該參數需要與加密時使用的一致)* @param salt* 鹽值(如需解密,該參數需要與加密時使用的一致)* @return 解密后的明文字符串* @throws Exception*/public static String decrypt(String ciphertext, String password, String salt) {Key key = getPBEKey(password);byte[] passDec = null;PBEParameterSpec parameterSpec = new PBEParameterSpec(salt.getBytes(), ITERATIONCOUNT);try {Cipher cipher = Cipher.getInstance(ALGORITHM);cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec);passDec = cipher.doFinal(hexStringToBytes(ciphertext));}catch (Exception e) {// TODO: handle exception}return new String(passDec);}/*** 將字節數組轉換為十六進制字符串* * @param src* 字節數組* @return*/public static String bytesToHexString(byte[] src) {StringBuilder stringBuilder = new StringBuilder("");if (src == null || src.length <= 0) {return null;}for (int i = 0; i < src.length; i++) {int v = src[i] & 0xFF;String hv = Integer.toHexString(v);if (hv.length() < 2) {stringBuilder.append(0);}stringBuilder.append(hv);}return stringBuilder.toString();}/*** 將十六進制字符串轉換為字節數組* * @param hexString* 十六進制字符串* @return*/public static byte[] hexStringToBytes(String hexString) {if (hexString == null || hexString.equals("")) {return null;}hexString = hexString.toUpperCase();int length = hexString.length() / 2;char[] hexChars = hexString.toCharArray();byte[] d = new byte[length];for (int i = 0; i < length; i++) {int pos = i * 2;d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1]));}return d;}private static byte charToByte(char c) {return (byte) "0123456789ABCDEF".indexOf(c);}}
jwt token。代碼粘完了,講一下流程
一些問題
1.沒有登出?
目前沒有結合redis存token,也不存在token在線操作刷新的問題,所以后端不需要做什么,如果用戶主動登出,前端刪除用戶信息,回到登錄界面即可,如果是token過期的話,用戶帶著過期的token過來會給前端返回401,前端攔截,再執行退出操作即可
2.獲取當前登錄用戶
通過jwtUtil工具類中的getCurrentUsername方法拿到用戶名,即可以拿到用戶
版权声明:本站所有资料均为网友推荐收集整理而来,仅供学习和研究交流使用。
工作时间:8:00-18:00
客服电话
电子邮件
admin@qq.com
扫码二维码
获取最新动态
