网站维护发展,湛江建设免费网站,七冶建设集团网站 江苏,百度收录在线提交JWT #xff08;Json Web Token#xff09;是一种开放标准#xff08;RFC 7519#xff09;#xff0c;用于在不同系统之间传递安全声明#xff08;例如身份验证信息#xff09;的一种紧凑且自包含的方式。是轻量级的、跨平台的、自包含的#xff08;含有足够的信息Json Web Token是一种开放标准RFC 7519用于在不同系统之间传递安全声明例如身份验证信息的一种紧凑且自包含的方式。是轻量级的、跨平台的、自包含的含有足够的信息避免频繁查询数据库并且因为使用了数字签名所以是可信任的。 Apache Shiro 是一个强大且易于使用的 Java 安全框架提供了身份验证、授权、加密、会话管理等功能。Shiro 入门参考官方 10 Minute Tutorial 。 pom参考
spring-boot 2.7.6
shiro-spring 1.12.0
java-jwt 3.2.0
参考官方 Spring-Shiro 整合教程 dependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-web/artifactIdversion2.7.6/version/dependencydependencygroupIdorg.apache.shiro/groupIdartifactIdshiro-spring/artifactIdversion1.12.0/version/dependencydependencygroupIdcom.auth0/groupIdartifactIdjava-jwt/artifactIdversion3.2.0/version/dependency
配置 JWT
public class JWTUtils {// 过期时间6小时private static final long EXPIRE_TIME 6*60*60*1000;/*** 校验token是否正确* param token 密钥* param secret 用户的密码* return 是否正确*/public static boolean verify(String token, String username, String secret) {try {Algorithm algorithm Algorithm.HMAC256(secret);JWTVerifier verifier JWT.require(algorithm).withClaim(username, username).build();DecodedJWT jwt verifier.verify(token);return true;} catch (Exception exception) {return false;}}/*** 获得token中的信息无需secret解密也能获得* return token中包含的用户名*/public static String getUsername(String token) {try {DecodedJWT jwt JWT.decode(token);return jwt.getClaim(username).asString();} catch (JWTDecodeException e) {return null;}}/*** 生成签名,6h后过期* param username 用户名* param secret 用户的密码* return 加密的token*/public static String sign(String username, String secret) {try {Date date new Date(System.currentTimeMillis()EXPIRE_TIME);Algorithm algorithm Algorithm.HMAC256(secret);// 附带username信息return JWT.create().withClaim(username, username).withExpiresAt(date).sign(algorithm);} catch (UnsupportedEncodingException e) {return null;}}
}
配置JWTToken
Shiro的验证token信息实体。
public class JWTToken implements AuthenticationToken {// 密钥private String token;public JWTToken(String token) {this.token token;}Overridepublic Object getPrincipal() {return token;}Overridepublic Object getCredentials() {return token;}
}
实现realm
即验证逻辑需要自己实现
Service
public class UserRealm extends AuthorizingRealm {Autowiredprivate UserManage userManage;/*** 必须重写此方法不然Shiro会报错*/Overridepublic boolean supports(AuthenticationToken token) {return token instanceof JWTToken;}/*** 只有当需要检测用户权限的时候才会调用此方法例如checkRole,checkPermission之类的*/Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {return new SimpleAuthorizationInfo();}Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {String token (String) authenticationToken.getCredentials();// 解密获得usernameString user JWTUtils.getUser(token);//通过token user实现自己的验证逻辑}
}重写filter
所有的请求都会先经过 Filter
代码的执行流程 preHandle - isAccessAllowed - isLoginAttempt - executeLogin
public class JWTFilter extends BasicHttpAuthenticationFilter {private Logger LOGGER LoggerFactory.getLogger(this.getClass());/*** 判断用户是否想要登入。* 检测header里面是否包含Authorization字段即可*/Overrideprotected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {HttpServletRequest req (HttpServletRequest) request;String authorization req.getHeader(Authorization);return authorization ! null;}/****/Overrideprotected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {HttpServletRequest httpServletRequest (HttpServletRequest) request;String authorization httpServletRequest.getHeader(Authorization);JWTToken token new JWTToken(authorization);// 提交给realm进行登入如果错误他会抛出异常并被捕获getSubject(request, response).login(token);// 如果没有抛出异常则代表登入成功返回truereturn true;}/*** 这里我们详细说明下为什么最终返回的都是true即允许访问* 例如我们提供一个地址 GET /article* 登入用户和游客看到的内容是不同的* 如果在这里返回了false请求会被直接拦截用户看不到任何东西* 所以我们在这里返回trueController中可以通过 subject.isAuthenticated() 来判断用户是否登入* 如果有些资源只有登入用户才能访问我们只需要在方法上面加上 RequiresAuthentication 注解即可* 但是这样做有一个缺点就是不能够对GET,POST等请求进行分别过滤鉴权(因为我们重写了官方的方法)但实际上对应用影响不大*/Overrideprotected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {if (isLoginAttempt(request, response)) {try {executeLogin(request, response);} catch (Exception e) {response401(request, response);}}return true;}/*** 对跨域提供支持*/Overrideprotected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {HttpServletRequest httpServletRequest (HttpServletRequest) request;HttpServletResponse httpServletResponse (HttpServletResponse) response;httpServletResponse.setHeader(Access-control-Allow-Origin, httpServletRequest.getHeader(Origin));httpServletResponse.setHeader(Access-Control-Allow-Methods, GET,POST,OPTIONS,PUT,DELETE);httpServletResponse.setHeader(Access-Control-Allow-Headers, httpServletRequest.getHeader(Access-Control-Request-Headers));// 跨域时会首先发送一个option请求这里我们给option请求直接返回正常状态if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) {httpServletResponse.setStatus(HttpStatus.OK.value());return false;}return super.preHandle(request, response);}/*** 将非法请求跳转到 /401*/private void response401(ServletRequest req, ServletResponse resp) {try {HttpServletResponse httpServletResponse (HttpServletResponse) resp;httpServletResponse.sendRedirect(/401);} catch (IOException e) {LOGGER.error(e.getMessage());}}
}
配置shiro
Configuration
public class ShiroConfig {Bean(securityManager)public DefaultWebSecurityManager getManager(UserRealm realm) {DefaultWebSecurityManager manager new DefaultWebSecurityManager();// 使用自己的realmmanager.setRealm(realm);/** 关闭shiro自带的session详情见文档* http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29*/DefaultSubjectDAO subjectDAO new DefaultSubjectDAO();DefaultSessionStorageEvaluator defaultSessionStorageEvaluator new DefaultSessionStorageEvaluator();defaultSessionStorageEvaluator.setSessionStorageEnabled(false);subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);manager.setSubjectDAO(subjectDAO);return manager;}Bean(shiroFilter)public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager) {ShiroFilterFactoryBean factoryBean new ShiroFilterFactoryBean();// 添加自己的过滤器并且取名为jwtMapString, Filter filterMap new HashMap();filterMap.put(jwt, new JWTFilter());factoryBean.setFilters(filterMap);factoryBean.setSecurityManager(securityManager);/** 自定义url规则* http://shiro.apache.org/web.html#urls-*/MapString, String filterRuleMap new HashMap();//所有请求通过我们自己的JWT FilterfilterRuleMap.put(/**, jwt);// 不需要验证接口filterRuleMap.put(/user/getById, anon);factoryBean.setFilterChainDefinitionMap(filterRuleMap);return factoryBean;}/*** 下面的代码是添加注解支持*/BeanDependsOn(lifecycleBeanPostProcessor)public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator new DefaultAdvisorAutoProxyCreator();// 强制使用cglib防止重复代理和可能引起代理出错的问题// https://zhuanlan.zhihu.com/p/29161098defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);return defaultAdvisorAutoProxyCreator;}Beanpublic LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {return new LifecycleBeanPostProcessor();}Beanpublic AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {AuthorizationAttributeSourceAdvisor advisor new AuthorizationAttributeSourceAdvisor();advisor.setSecurityManager(securityManager);return advisor;}
}
url规则可用filter参考Apache Shiro Web Support | Apache Shiro
