lsm/sa-token
1
0
Fork 0
mirror of https://gitee.com/dromara/sa-token.git synced 2025-05-06 21:57:59 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
c91412e542
sa-token/sa-token-doc/fun/auth-framework-function-test.md
click33 f8afd89154 v1.39.0 update
2024-08-28 09:58:06 +08:00

1956 lines
56 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Java 权限认证框架功能 测试 / 对比 / 迁移。
对比以下框架的常见功能,为项目技术栈迁移提供代码示例
- Sa-Token
- Apache Shiro
- Spring Security
- JWT
> [!TIP| label:注意事项]
> - 因个人精力&能力有限本篇只展示部分常见功能的对比也欢迎大家一起贡献案例提交pr。
> - 代码案例仓库:[https://gitee.com/sa-tokens/auth-framework-function-test](https://gitee.com/sa-tokens/auth-framework-function-test)
> - 注:本篇主要展示一些常见功能不同框架的实现差异,而非每个框架的所含功能点对比。
---
### 依赖引入
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
``` xml
<!-- Sa-Token 权限认证, 在线文档https://sa-token.cc/ -->
<dependency>
<groupId>cn.dev33</groupId>
<artifactId>sa-token-spring-boot3-starter</artifactId>
<version>1.39.0</version>
</dependency>
```
<!------------- tab:Shiro ------------->
``` xml
<!-- Shiro 安全控制 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.13.0</version>
</dependency>
```
<!------------- tab:SpringSecurity ------------->
``` xml
<!-- SpringSecurity -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>3.3.2</version>
</dependency>
```
SpringBoot 项目下一般不用特别指定 SpringSecurity 版本号
<!------------- tab:JWT ------------->
``` xml
<!-- Hutool 工具类框架,其中包含 jwt 实现 -->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.8.29</version>
</dependency>
```
<!---------------------------- tabs:end ------------------------------>
### 会话登录 & 会话状态查询
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
测试 Controller
``` java
@RestController
@RequestMapping("/acc/")
public class LoginController {
@Autowired
SysUserDao sysUserDao;
// 测试登录
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
// 校验
SysUser user = sysUserDao.findByUsername(username);
if(user == null) {
return AjaxJson.getError("用户不存在");
}
if(!user.getPassword().equals(password)) {
return AjaxJson.getError("密码错误");
}
// 登录
StpUtil.login(user.getId());
StpUtil.getSession().set("user", user);
return AjaxJson.getSuccess("登录成功");
}
// 查询登录状态
@RequestMapping("isLogin")
public AjaxJson isLogin() {
if(StpUtil.isLogin()) {
return AjaxJson.getSuccess("已登录账号id" + StpUtil.getLoginId());
}
return AjaxJson.getError("未登录");
}
}
```
<!------------- tab:Shiro ------------->
自定义 Realm
``` java
public class MyRealm extends AuthorizingRealm {
@Autowired
private SysUserDao sysUserDao;
// 加载用户信息
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
String username = (String)token.getPrincipal();
SysUser sysUser = sysUserDao.findByUsername(username);
if(sysUser == null){
return null;
}
return new SimpleAuthenticationInfo(
sysUser,
sysUser.getPassword(),
getName()
);
}
// 加载权限信息
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
}
```
Shiro 配置类
``` java
@Configuration
public class ShiroConfigure {
@Bean
public MyRealm myRealm() {
return new MyRealm();
}
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(myRealm());
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager());
return bean;
}
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/acc/")
public class LoginController {
// 测试登录 ---- http://localhost:8082/acc/doLogin?username=zhang&password=123456
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
Subject subject = SecurityUtils.getSubject();
try {
subject.login(new UsernamePasswordToken(username, password));
return AjaxJson.getSuccess("登录成功!");
} catch (AuthenticationException e) {
e.printStackTrace();
return AjaxJson.getError(e.getMessage());
}
}
// 查询登录状态 ---- http://localhost:8082/acc/isLogin
@RequestMapping("isLogin")
public AjaxJson isLogin() {
Subject subject = SecurityUtils.getSubject();
if(subject.isAuthenticated()) {
SysUser sysUser = (SysUser)subject.getPrincipal();
return AjaxJson.getSuccess("已登录账号id" + sysUser.getId());
}
return AjaxJson.getError("未登录");
}
}
```
<!------------- tab:SpringSecurity ------------->
定义 SpringSecurity 配置类
``` java
@Configuration
public class SpringSecurityConfigure {
/**
* Spring Security的核心过滤器链配置
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
// 定义安全请求拦截规则
httpSecurity.authorizeHttpRequests(router -> {
router
// 放行接口
.requestMatchers("/acc/doLogin", "/acc/isLogin").permitAll()
// 所有请求都需要认证
.anyRequest().authenticated();
;
});
// 默认的表单登录
httpSecurity.formLogin(withDefaults());
// 是否启用 csrf 防御
httpSecurity.csrf( csrf -> csrf.disable() );
// 一些安全相关的全局响应头
httpSecurity.headers(httpSecurityHeadersConfigurer -> {
httpSecurityHeadersConfigurer.cacheControl(HeadersConfigurer.CacheControlConfig::disable);
httpSecurityHeadersConfigurer.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable);
});
return httpSecurity.build();
}
/**
* Spring Security 认证管理器
*/
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
}
```
定义 SpringSecurity UserDetails 管理器
``` java
/**
* 自定义 SpringSecurity UserDetails 管理器
*
* @author click33
* @since 2024/8/8
*/
@Component
public class CustomUserDetailsManager implements UserDetailsManager {
@Autowired
SysUserDao sysUserDao;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser sysUser = sysUserDao.findByUsername(username);
if(sysUser == null){
throw new UsernameNotFoundException("用户不存在");
}
return User.withUsername(sysUser.getUsername())
.password("{noop}" + sysUser.getPassword())
.build();
}
@Override
public void createUser(UserDetails user) {
}
@Override
public void updateUser(UserDetails user) {
}
@Override
public void deleteUser(String username) {
}
@Override
public void changePassword(String oldPassword, String newPassword) {
}
@Override
public boolean userExists(String username) {
return false;
}
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/acc/")
public class LoginController {
@Autowired
AuthenticationManager authenticationManager;
@Autowired
SysUserDao sysUserDao;
// 测试登录 ---- http://localhost:8083/acc/doLogin?username=zhang&password=123456
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password, HttpServletRequest request) {
try {
// 验证账号密码
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
usernamePasswordAuthenticationToken.setDetails(sysUserDao.findByUsername(username));
Authentication authentication = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
// 存入上下文
SecurityContextHolder.getContext().setAuthentication(authentication);
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
// 返回
return AjaxJson.getSuccess("登录成功!");
} catch (Exception e) {
e.printStackTrace();
return AjaxJson.getError(e.getMessage());
}
}
// 查询登录状态 ---- http://localhost:8083/acc/isLogin
@RequestMapping("isLogin")
public AjaxJson isLogin() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return AjaxJson.getSuccess("是否登录:" + !(authentication instanceof AnonymousAuthenticationToken))
.set("principal", authentication.getPrincipal())
.set("details", authentication.getDetails());
}
}
```
<!------------- tab:JWT ------------->
测试 Controller
``` java
@RestController
@RequestMapping("/acc/")
public class LoginController {
@Autowired
SysUserDao sysUserDao;
// 测试登录
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
// 校验
SysUser user = sysUserDao.findByUsername(username);
if(user == null) {
return AjaxJson.getError("用户不存在");
}
if(!user.getPassword().equals(password)) {
return AjaxJson.getError("密码错误");
}
// 登录
String token = JwtUtil.createToken(user.getId(), user, 60 * 60 * 2);
return AjaxJson.getSuccess("登录成功").set("token", token);
}
// 查询登录状态
@RequestMapping("isLogin")
public AjaxJson isLogin(HttpServletRequest request) {
try{
String token = request.getHeader("token");
JWT jwt = JwtUtil.parseToken(token);
return AjaxJson.getSuccess("已登录")
.set("id", jwt.getPayload("userId"))
.set("user", jwt.getPayload("user"));
} catch (Exception e) {
e.printStackTrace();
return AjaxJson.getError("未登录");
}
}
}
```
<!---------------------------- tabs:end ------------------------------>
### 会话注销
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
``` java
@RequestMapping("logout")
public AjaxJson logout() {
StpUtil.logout();
return AjaxJson.getSuccess("注销成功");
}
```
<!------------- tab:Shiro ------------->
``` java
@RequestMapping("logout")
public AjaxJson logout() {
SecurityUtils.getSubject().logout();
return AjaxJson.getSuccess("注销成功");
}
```
<!------------- tab:SpringSecurity ------------->
``` java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
// 其它配置 ...
// 注销相关配置
httpSecurity.logout(logout -> {
logout.logoutUrl("/acc/logout");
logout.logoutSuccessHandler((request, response, authentication) -> {
response.setStatus(200);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
String jsonStr = new ObjectMapper().writeValueAsString(AjaxJson.getSuccess("注销成功!"));
response.getWriter().write(jsonStr);
});
});
return httpSecurity.build();
}
```
<!------------- tab:JWT ------------->
JWT 无法注销已经颁发的 token 。
<!---------------------------- tabs:end ------------------------------>
### 账号密码登录MD5 加 salt
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
测试 Controller
``` java
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
// 校验
SysUser user = sysUserDao.findByUsername(username);
if(user == null) {
return AjaxJson.getError("用户不存在");
}
String salt = "abc";
if(!user.getPassword().equals(SaSecureUtil.md5(salt + password))) {
return AjaxJson.getError("密码错误");
}
// 登录
StpUtil.login(user.getId());
StpUtil.getSession().set("user", user);
return AjaxJson.getSuccess("登录成功");
}
```
<!------------- tab:Shiro ------------->
自定义 Realm Bean 设定密码凭证器
``` java
@Bean
public MyRealm myRealm() {
MyRealm realm = new MyRealm();
// 设定凭证匹配器
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName("md5");
realm.setCredentialsMatcher(credentialsMatcher);
// 返回
return realm;
}
```
自定义 Realm 实现类 doGetAuthenticationInfo 方法返回 slat 信息
``` java
// 加载用户信息
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
String username = (String)token.getPrincipal();
SysUser sysUser = sysUserDao.findByUsername(username);
if(sysUser == null){
return null;
}
return new SimpleAuthenticationInfo(
sysUser,
sysUser.getPassword(),
ByteSource.Util.bytes("abc"), // 指定 slat 信息
getName()
);
}
```
登录代码照旧
<!------------- tab:SpringSecurity ------------->
CustomUserDetailsManager 的 loadUserByUsername 指定 MD5 算法
``` java
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser sysUser = sysUserDao.findByUsername(username);
if(sysUser == null){
throw new UsernameNotFoundException("用户不存在");
}
return User.withUsername(sysUser.getUsername())
.password("{MD5}" + sysUser.getPassword())
.build();
}
```
登录时指定 salt
``` java
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password, HttpServletRequest request) {
try {
// 验证账号密码
String salt = "abc";
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, salt + password);
// 其它代码照旧 ...
// 返回
return AjaxJson.getSuccess("登录成功!");
} catch (Exception e) {
e.printStackTrace();
return AjaxJson.getError(e.getMessage());
}
}
```
<!------------- tab:JWT ------------->
测试 Controller
``` java
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
// 校验
SysUser user = sysUserDao.findByUsername(username);
if(user == null) {
return AjaxJson.getError("用户不存在");
}
String salt = "abc";
if(!user.getPassword().equals(SecureUtil.md5(salt + password))) {
return AjaxJson.getError("密码错误");
}
// 登录
String token = JwtUtil.createToken(user.getId(), user, 60 * 60 * 2);
return AjaxJson.getSuccess("登录成功").set("token", token);
}
```
<!---------------------------- tabs:end ------------------------------>
### 从上下文获取当前登录 User 信息
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
``` java
// 从上下文获取当前登录 User 信息
@RequestMapping("getCurrUser")
public AjaxJson getCurrUser() {
return AjaxJson.getSuccess()
.set("id", StpUtil.getLoginId())
.set("user", StpUtil.getSession().get("user"));
}
```
<!------------- tab:Shiro ------------->
``` java
// 从上下文获取当前登录 User 信息
@RequestMapping("getCurrUser")
public AjaxJson getCurrUser() {
Subject subject = SecurityUtils.getSubject();
SysUser sysUser = (SysUser)subject.getPrincipal();
return AjaxJson.getSuccess()
.set("id", sysUser.getId())
.set("user", sysUser);
}
```
<!------------- tab:SpringSecurity ------------->
``` java
// 从上下文获取当前登录 User 信息
@RequestMapping("getCurrUser")
public AjaxJson getCurrUser() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(!(authentication instanceof AnonymousAuthenticationToken)) {
SysUser sysUser = (SysUser)authentication.getDetails();
return AjaxJson.getSuccess()
.set("id", sysUser.getId())
.set("user", sysUser);
}
return AjaxJson.getError("未登录");
}
```
<!------------- tab:JWT ------------->
``` java
// 从上下文获取当前登录 User 信息
@RequestMapping("getCurrUser")
public AjaxJson getCurrUser(HttpServletRequest request) {
try{
String token = request.getHeader("token");
JWT jwt = JwtUtil.parseToken(token);
SysUser sysUser = jwt.getPayloads().get("user", SysUser.class);
return AjaxJson.getSuccessData(sysUser);
} catch (Exception e) {
e.printStackTrace();
return AjaxJson.getError("未登录");
}
}
```
<!---------------------------- tabs:end ------------------------------>
### 从会话上下文上存取值
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
``` java
// 测试从从会话上下文存取值
@RequestMapping("testSession")
public AjaxJson test() {
SaSession session = StpUtil.getSession();
System.out.println("从 session 上取值:" + session.get("name"));
session.set("name", "zhang");
System.out.println("从 session 上取值:" + session.get("name"));
return AjaxJson.getSuccess();
}
```
<!------------- tab:Shiro ------------->
``` java
// 测试从从会话上下文存取值
@RequestMapping("testSession")
public AjaxJson test() {
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
System.out.println("从 session 上取值:" + session.getAttribute("name"));
session.setAttribute("name", "zhang");
System.out.println("从 session 上取值:" + session.getAttribute("name"));
return AjaxJson.getSuccess();
}
```
<!------------- tab:SpringSecurity ------------->
``` java
// 测试从从会话上下文存取值
@RequestMapping("testSession")
public AjaxJson testSession(HttpServletRequest request) {
HttpSession session = request.getSession();
System.out.println("从 session 上取值:" + session.getAttribute("name"));
session.setAttribute("name", "zhang");
System.out.println("从 session 上取值:" + session.getAttribute("name"));
return AjaxJson.getSuccess();
}
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
### 角色认证 & 权限认证
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
自定义 StpInterface 实现类
``` java
@Component
public class StpInterfaceImpl implements StpInterface {
// 加载角色信息
@Override
public List<String> getPermissionList(Object loginId, String loginType) {
return Arrays.asList("admin", "super-admin", "ceo");
}
// 加载权限信息
@Override
public List<String> getRoleList(Object loginId, String loginType) {
return Arrays.asList("user:add", "user:delete", "user:update");
}
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/jur/")
public class JurController {
// 角色判断 ---- http://localhost:8082/jur/assertRole
@RequestMapping("assertRole")
public AjaxJson assertRole() {
// is 模式,返回 true 或 false
System.out.println("单个角色判断:" + StpUtil.hasRole("admin"));
System.out.println("多个角色判断(and)" + StpUtil.hasRoleAnd("admin", "dev-admin"));
System.out.println("多个角色判断(or)" + StpUtil.hasRoleOr("admin", "dev-admin"));
// check 模式,无角色时抛出异常
StpUtil.checkRole("admin"); // 单个 check
StpUtil.checkRoleAnd("admin", "dev-admin"); // 多个 check (and)
StpUtil.checkRoleOr("admin", "dev-admin"); // 多个 check (or)
return AjaxJson.getSuccess();
}
// 权限判断 ---- http://localhost:8082/jur/assertPermission
@RequestMapping("assertPermission")
public AjaxJson assertPermission() {
// is 模式,返回 true 或 false
System.out.println("单个权限判断:" + StpUtil.hasPermission("user:add"));
System.out.println("多个权限判断(and)" + StpUtil.hasPermissionAnd("user:add", "user:delete22"));
System.out.println("多个权限判断(or)" + StpUtil.hasPermissionOr("user:add", "user:delete22"));
// check 模式,无权限时抛出异常
StpUtil.checkPermission("user:add"); // 单个 check
StpUtil.checkPermissionAnd("user:add", "user:delete22"); // 多个 check (and)
StpUtil.checkPermissionOr("user:add", "user:delete22"); // 多个 check (or)
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:Shiro ------------->
自定义 Realm 里重写方法 doGetAuthorizationInfo
``` java
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
// 加载角色信息
authorizationInfo.addRoles(Arrays.asList("admin", "super-admin", "ceo"));
// 加载权限信息
authorizationInfo.addStringPermissions(Arrays.asList("user:add", "user:delete", "user:update"));
return authorizationInfo;
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/jur/")
public class JurController {
// 角色判断
@RequestMapping("assertRole")
public AjaxJson assertRole() {
Subject subject = SecurityUtils.getSubject();
// is 模式,返回 true 或 false
System.out.println("单个角色判断:" + subject.hasRole("admin"));
System.out.println("多个角色判断(and)" + subject.hasAllRoles(Arrays.asList("admin", "dev-admin")));
System.out.println("多个角色判断(or)" + (subject.hasRole("admin") || subject.hasRole("dev-admin")));
// check 模式,无角色时抛出异常
subject.checkRole("admin"); // 单个 check
subject.checkRoles("admin", "dev-admin"); // 多个 check (and)
return AjaxJson.getSuccess();
}
// 权限判断
@RequestMapping("assertPermission")
public AjaxJson assertPermission() {
Subject subject = SecurityUtils.getSubject();
// is 模式,返回 true 或 false
System.out.println("单个权限判断:" + subject.isPermitted("user:add"));
System.out.println("多个权限判断(and)" + subject.isPermittedAll("user:add", "user:delete22"));
System.out.println("多个权限判断(or)" + (subject.isPermitted("user:add") || subject.isPermitted("user:delete22")));
// check 模式,无权限时抛出异常
subject.checkPermission("user:add"); // 单个 check
subject.checkPermissions("user:add", "user:delete22"); // 多个 check (and)
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:SpringSecurity ------------->
CustomUserDetailsManager 的 loadUserByUsername 里返回用户的 角色 或 权限 信息
``` java
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
SysUser sysUser = sysUserDao.findByUsername(username);
if(sysUser == null){
throw new UsernameNotFoundException("用户不存在");
}
// 不可以同时返回 roles 和 authorities因为会相互覆盖SpringSecurity 源码有bug
return User.withUsername(sysUser.getUsername())
.password("{noop}" + sysUser.getPassword())
// .roles("admin", "super-admin", "ceo")
.authorities("user:add", "user:delete", "user:update")
.build();
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/jur/")
public class JurController {
// 角色判断
@RequestMapping("assertRole")
public AjaxJson assertRole() {
SecurityExpressionRoot securityExpressionRoot = new SecurityExpressionRoot(SecurityContextHolder.getContext().getAuthentication()) {};
System.out.println("单个角色判断:" + securityExpressionRoot.hasRole("admin"));
System.out.println("多个角色判断(and)" + (securityExpressionRoot.hasRole("admin") && securityExpressionRoot.hasRole("dev-admin")));
System.out.println("多个角色判断(or)" + securityExpressionRoot.hasAnyRole("admin", "dev-admin"));
return AjaxJson.getSuccess();
}
// 权限判断
@RequestMapping("assertPermission")
public AjaxJson assertPermission() {
SecurityExpressionRoot securityExpressionRoot = new SecurityExpressionRoot(SecurityContextHolder.getContext().getAuthentication()) {};
System.out.println("单个权限判断:" + securityExpressionRoot.hasAuthority("user:add"));
System.out.println("多个权限判断(and)" + (securityExpressionRoot.hasAuthority("user:add") && securityExpressionRoot.hasAuthority("user:delete2")));
System.out.println("多个权限判断(or)" + securityExpressionRoot.hasAnyAuthority("user:add", "user:delete2"));
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
### 注解鉴权
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
SaTokenConfigure 配置注解拦截器
``` java
@Configuration
public class SaTokenConfigure implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new SaInterceptor()).addPathPatterns("/**");
}
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/at-check/")
public class AtCheckController {
// 登录校验
@SaCheckLogin
@RequestMapping("checkLogin")
public AjaxJson checkLogin() {
return AjaxJson.getSuccess();
}
// 角色校验
@SaCheckRole("admin")
@RequestMapping("checkRole")
public AjaxJson checkRole() {
return AjaxJson.getSuccess();
}
// 权限校验
@SaCheckPermission("user:add")
@RequestMapping("checkPermission")
public AjaxJson checkPermission() {
return AjaxJson.getSuccess();
}
// 忽略认证校验
@SaIgnore
@SaCheckLogin
@RequestMapping("ignoreCheck")
public AjaxJson ignoreCheck() {
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:Shiro ------------->
测试 Controller
``` java
@RestController
@RequestMapping("/at-check/")
public class AtCheckController {
// 登录校验
@RequiresAuthentication
@RequestMapping("checkLogin")
public AjaxJson checkLogin() {
return AjaxJson.getSuccess();
}
// 角色校验
@RequiresRoles("admin")
@RequestMapping("checkRole")
public AjaxJson checkRole() {
return AjaxJson.getSuccess();
}
// 权限校验
@RequiresPermissions("user:add")
@RequestMapping("checkPermission")
public AjaxJson checkPermission() {
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:SpringSecurity ------------->
`SpringSecurityConfigure` 配置类加上 `@EnableMethodSecurity` 注解
``` java
@Configuration
@EnableMethodSecurity
public class SpringSecurityConfigure {
// ...
}
```
测试 Controller
``` java
@RestController
@RequestMapping("/at-check/")
public class AtCheckController {
// 登录校验
@PreAuthorize("isAuthenticated()")
@RequestMapping("checkLogin")
public AjaxJson checkLogin() {
return AjaxJson.getSuccess();
}
// 角色校验
@PreAuthorize("hasRole('admin')")
@RequestMapping("checkRole")
public AjaxJson checkRole() {
return AjaxJson.getSuccess();
}
// 权限校验
@PreAuthorize("hasAuthority('user:add')")
@RequestMapping("checkPermission")
public AjaxJson checkPermission() {
return AjaxJson.getSuccess();
}
}
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
### 路由拦截鉴权
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
SaTokenConfigure 配置
``` java
@Override
public void addInterceptors(InterceptorRegistry registry) {
// 注册 Sa-Token 拦截器打开注解鉴权功能
registry.addInterceptor(new SaInterceptor(handle -> {
SaRouter.match("/route-check/getInfo1").stop(); // 不拦截
SaRouter.match("/route-check/getInfo2").check(r -> StpUtil.checkLogin()); // 需要登录
SaRouter.match("/route-check/getInfo3").check(r -> StpUtil.checkRole("admin2")); // 需要角色
SaRouter.match("/route-check/getInfo4").check(r -> StpUtil.checkPermission("user:add3")); // 需要权限
})).addPathPatterns("/**");
}
```
<!------------- tab:Shiro ------------->
过滤器配置
``` java
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager());
// 路由拦截鉴权
Map<String,String> filterMap = new LinkedHashMap<>();
filterMap.put("/route-check/getInfo", "anon"); // 不拦截
filterMap.put("/route-check/getInfo2", "authc"); // 需要登录
filterMap.put("/route-check/getInfo3", "perms[admin2]"); // 需要角色
filterMap.put("/route-check/getInfo4", "perms[user:add3]"); // 需要权限
bean.setFilterChainDefinitionMap(filterMap);
bean.setLoginUrl("/401"); // 未登录时跳转的 url
bean.setUnauthorizedUrl("/403"); // 未授权时跳转的 url
return bean;
}
```
<!------------- tab:SpringSecurity ------------->
SpringSecurityConfigure 配置
``` java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
// 定义安全请求拦截规则
httpSecurity.authorizeHttpRequests(router -> {
router
.requestMatchers("/route-check/getInfo1").permitAll() // 不拦截
.requestMatchers("/route-check/getInfo2").authenticated() // 需要登录
.requestMatchers("/route-check/getInfo3").hasRole("admin") // 需要 admin 角色
.requestMatchers("/route-check/getInfo4").hasAuthority("user:add") // 需要 user:add 权限
.anyRequest().permitAll(); // 所有请求都放行
});
return httpSecurity.build();
}
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
### 鉴权未通过的处理方案
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
定义全局异常处理类
``` java
@RestControllerAdvice
public class GlobalException {
@ExceptionHandler(NotLoginException.class)
public AjaxJson handlerException(NotLoginException e) {
return AjaxJson.get(401, "未登录");
}
@ExceptionHandler(NotRoleException.class)
public AjaxJson handlerException(NotRoleException e) {
return AjaxJson.get(403, "缺少角色:" + e.getRole());
}
@ExceptionHandler(NotPermissionException.class)
public AjaxJson handlerException(NotPermissionException e) {
return AjaxJson.get(403, "缺少权限:" + e.getPermission());
}
}
```
<!------------- tab:Shiro ------------->
过滤器配置
``` java
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
// ...
bean.setLoginUrl("/401"); // 未登录时跳转的 url
bean.setUnauthorizedUrl("/403"); // 未授权时跳转的 url
return bean;
}
```
定义路由
``` java
@RestController
public class ShiroErrorController {
@RequestMapping("/401")
public Object error401(HttpServletRequest request, HttpServletResponse response) {
response.setStatus(200);
return AjaxJson.get(401, "not login");
}
@RequestMapping("/403")
public Object error403(HttpServletRequest request, HttpServletResponse response) {
response.setStatus(200);
return AjaxJson.get(403, "鉴权未通过");
}
}
```
<!------------- tab:SpringSecurity ------------->
实现 `AccessDeniedHandler`, `AuthenticationEntryPoint` 接口
``` java
@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler, AuthenticationEntryPoint, Serializable {
// 未登录异常
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
//验证为未登陆状态会进入此方法,认证错误
response.setStatus(401);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter printWriter = response.getWriter();
String body = "请先进行登录";
printWriter.write(body);
printWriter.flush();
}
// 权限不足
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
// 登陆状态下,权限不足执行该方法
response.setStatus(200);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter printWriter = response.getWriter();
String body = "权限不足";
printWriter.write(body);
printWriter.flush();
}
}
```
注入 `SecurityFilterChain`
``` java
// 未登录处理逻辑、权限不足处理逻辑
@Autowired
private CustomAccessDeniedHandler accessDeniedHandler;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
// 异常处理
httpSecurity.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> {
// 权限不足处理方案
httpSecurityExceptionHandlingConfigurer.accessDeniedHandler(accessDeniedHandler);
// 未登录 处理逻辑
httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(accessDeniedHandler);
});
return httpSecurity.build();
}
```
<!------------- tab:JWT ------------->
使用 `try-catch` 捕获,或定义全局异常处理
``` java
@RestControllerAdvice
public class GlobalException {
// 全局异常拦截(拦截项目中的所有异常)
@ExceptionHandler
public AjaxJson handlerException(Exception e, HttpServletRequest request, HttpServletResponse response) {
// 打印堆栈,以供调试
System.out.println("全局异常---------------");
e.printStackTrace();
// 返回给前端
return AjaxJson.getError(e.getMessage());
}
}
```
<!---------------------------- tabs:end ------------------------------>
### 和 Thymeleaf 集成
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
`pom.xml` 依赖
``` xml
<!-- 在 thymeleaf 标签中使用 Sa-Token -->
<dependency>
<groupId>cn.dev33</groupId>
<artifactId>sa-token-dialect-thymeleaf</artifactId>
<version>${sa-token.version}</version>
</dependency>
```
`SaTokenConfigure` 增加配置 `Sa-Token` 标签方言对象
``` java
// Sa-Token 标签方言 (Thymeleaf版)
@Bean
public SaTokenDialect getSaTokenDialect() {
return new SaTokenDialect();
}
```
新建 `ThymeleafConfigure` 注入全局变量
``` java
@Configuration
public class ThymeleafConfigure {
// 为 Thymeleaf 注入全局变量,以便在页面中调用 Sa-Token 的方法
@Autowired
public void configureThymeleafStaticVars(ThymeleafViewResolver viewResolver) {
viewResolver.addStaticVariable("stp", StpUtil.stpLogic);
}
}
```
新建 `Controller`
``` java
@Controller
public class HomeController {
@RequestMapping("/")
public Object index(HttpServletRequest request) {
request.setAttribute("isLogin", StpUtil.isLogin());
return new ModelAndView("index.html");
}
}
```
新建 `templates/index.html`
``` html
<!DOCTYPE html>
<html lang="zh" xmlns:sa="http://www.thymeleaf.org/extras/sa-token">
<head>
<title>Sa-Token 集成 Thymeleaf 标签方言</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
</head>
<body>
<div class="view-box" style="padding: 30px;">
<h2>Sa-Token 集成 Thymeleaf 标签方言 —— 测试页面</h2>
<p>当前是否登录:<span th:text="${stp.isLogin()}"></span></p>
<p>
<a href="login" target="_blank">登录</a>
<a href="logout" target="_blank">注销</a>
</p>
<p>登录之后才能显示:<span sa:login>value</span></p>
<p>不登录才能显示:<span sa:notLogin>value</span></p>
<p>具有角色 admin 才能显示:<span sa:hasRole="admin">value</span></p>
<p>同时具备多个角色才能显示:<span sa:hasRoleAnd="admin, ceo, cto">value</span></p>
<p>只要具有其中一个角色就能显示:<span sa:hasRoleOr="admin, ceo, cto">value</span></p>
<p>不具有角色 admin 才能显示:<span sa:notRole="admin">value</span></p>
<p>具有权限 user-add 才能显示:<span sa:hasPermission="user-add">value</span></p>
<p>同时具备多个权限才能显示:<span sa:hasPermissionAnd="user-add, user-delete, user-get">value</span></p>
<p>只要具有其中一个权限就能显示:<span sa:hasPermissionOr="user-add, user-delete, user-get">value</span></p>
<p>不具有权限 user-add 才能显示:<span sa:notPermission="user-add">value</span></p>
<p th:if="${stp.isLogin()}">
从SaSession中取值
<span th:text="${stp.getSession().get('name', '')}"></span>
</p>
</div>
</body>
</html>
```
<!------------- tab:Shiro ------------->
`pom.xml` 依赖
``` xml
<!-- Shiro 整合 Thymeleaf 依赖 -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.1.0</version>
</dependency>
```
`ShiroConfigure` 增加配置 `Shiro` 方言对象
``` java
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
```
新建 `Controller`
``` java
@Controller
public class HomeController {
@RequestMapping("/")
public Object index(HttpServletRequest request) {
Subject subject = SecurityUtils.getSubject();
request.setAttribute("isLogin", subject.isAuthenticated());
return new ModelAndView("index.html");
}
}
```
新建 `templates/index.html`
``` html
<!DOCTYPE html>
<html lang="zh" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<head>
<title>Shiro 集成 Thymeleaf 标签方言</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
</head>
<body>
<div class="view-box" style="padding: 30px;">
<h2>Shiro 集成 Thymeleaf 标签方言 —— 测试页面</h2>
<p>当前是否登录:<span th:text="${isLogin}"></span></p>
<p>
<a href="/acc/doLogin?username=zhang&password=123456" target="_blank">登录</a>
<a href="/acc/logout" target="_blank">注销</a>
</p>
<p>登录之后才能显示:<span shiro:authenticated>value</span></p>
<p>不登录才能显示:<span shiro:guest >value</span></p>
<p>具有角色 admin 才能显示:<span shiro:hasRole="admin">value</span></p>
<p>同时具备多个角色才能显示:<span shiro:hasAllRoles="admin, ceo, cto">value</span></p>
<p>只要具有其中一个角色就能显示:<span shiro:hasAnyRoles="admin, ceo, cto">value</span></p>
<p>不具有角色 admin 才能显示:<span shiro:lacksRole="admin">value</span></p>
<p>具有权限 user-add 才能显示:<span shiro:hasPermission="user-add">value</span></p>
<p>同时具备多个权限才能显示:<span shiro:hasAllPermissions="user-add, user-delete, user-get">value</span></p>
<p>只要具有其中一个权限就能显示:<span shiro:hasAnyPermissions="user-add, user-delete, user-get">value</span></p>
<p>不具有权限 user-add 才能显示:<span shiro:lacksPermission="user-add">value</span></p>
<p shiro:authenticated>
当前登录账号:<span shiro:principal></span>
</p>
</div>
</body>
</html>
```
<!------------- tab:SpringSecurity ------------->
`pom.xml` 引入依赖
``` xml
<!-- SpringSecurity 整合 Thymeleaf 依赖 -->
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity6</artifactId>
<version>3.1.2.RELEASE</version>
</dependency>
```
新建 `Controller`
``` java
@RestController
public class HomeController {
// 首页
@RequestMapping("/")
public Object index(HttpServletRequest request) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
request.setAttribute("isLogin", !(authentication instanceof AnonymousAuthenticationToken));
return new ModelAndView("index.html");
}
}
```
新建 `templates/index.html`
``` html
<!DOCTYPE html>
<html lang="zh" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity6">
<head>
<title>Shiro 集成 Thymeleaf 标签方言</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
</head>
<body>
<div class="view-box" style="padding: 30px;">
<h2>Shiro 集成 Thymeleaf 标签方言 —— 测试页面</h2>
<p>当前是否登录:<span th:text="${isLogin}"></span></p>
<p>
<a href="/acc/doLogin?username=zhang&password=123456" target="_blank">登录</a>
<a href="/acc/logout" target="_blank">注销</a>
</p>
<p>登录之后才能显示:<span sec:authorize="isAuthenticated()">value</span></p>
<p>不登录才能显示:<span sec:authorize="!isAuthenticated()" >value</span></p>
<p>具有角色 admin 才能显示:<span sec:authorize="hasRole('admin')">value</span></p>
<p>同时具备多个角色才能显示:<span sec:authorize="hasRole('admin') && hasRole('ceo') && hasRole('cto')">value</span></p>
<p>只要具有其中一个角色就能显示:<span sec:authorize="hasAnyRole('admin', 'ceo', 'cto')">value</span></p>
<p>不具有角色 admin 才能显示:<span sec:authorize="!hasRole('admin')">value</span></p>
<p>具有权限 user-add 才能显示:<span sec:authorize="hasAuthority('user-add')">value</span></p>
<p>同时具备多个权限才能显示:<span sec:authorize="hasAuthority('user-add') && hasAuthority('user-delete') && hasAuthority('user-get')">value</span></p>
<p>只要具有其中一个权限就能显示:<span sec:authorize="hasAnyAuthority('user-add', 'user-delete', 'user-get')">value</span></p>
<p>不具有权限 user-add 才能显示:<span sec:authorize="!hasAuthority('user-add')">value</span></p>
<p sec:authorize="isAuthenticated()">
当前登录账号:<span sec:authentication="details"></span>
</p>
</div>
</body>
</html>
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
### 前后端分离
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
1、在登录时将 token 信息返回到前端
``` java
// 测试登录
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
// 校验
SysUser user = sysUserDao.findByUsername(username);
// user 信息校验代码不再赘述 ...
// 登录
StpUtil.login(user.getId());
StpUtil.getSession().set("user", user);
return AjaxJson.getSuccess("登录成功").set("satoken", StpUtil.getTokenValue()); // 关键代码
}
```
2、前端改造
- 1、在登录请求时将返回的 token 保存到本地 `localStorage.setItem('satoken', res.satoken)`。
- 2、在后续每次请求中读取本地保存的 satoken 塞到请求 header 中
``` js
const header = {};
if(localStorage.satoken) {
header.satoken = localStorage.satoken;
}
// 后续提交请求...
```
<!------------- tab:Shiro ------------->
1、自定义 SessionManager从请求 header 里读取前端提交的 token
``` java
public class MySessionManager extends DefaultWebSessionManager {
private static final String TOKEN = "token";
private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
public MySessionManager() {
super();
}
@Override
protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
String id = WebUtils.toHttp(request).getHeader(TOKEN);
// 如果请求头中有 token 则其值为sessionId
if (!StringUtils.isEmpty(id)) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
return id;
} else {
//否则按默认规则从cookie取sessionId
return super.getSessionId(request, response);
}
}
}
```
2、注入到 SecurityManager 中
``` java
@Configuration
public class ShiroConfigure {
// 省略其它次要代码 ...
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(myRealm());
manager.setSessionManager(sessionManager());
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager());
return bean;
}
// 自定义sessionManager
@Bean
public SessionManager sessionManager() {
MySessionManager mySessionManager = new MySessionManager();
return mySessionManager;
}
}
```
3、测试 Controller登录时将 token 信息返回到前端
``` java
// 测试登录
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password) {
Subject subject = SecurityUtils.getSubject();
try {
subject.login(new UsernamePasswordToken(username, password));
String token = subject.getSession().getId().toString(); // 关键代码
return AjaxJson.getSuccess("登录成功!").set("token", token); // 关键代码
} catch (AuthenticationException e) {
e.printStackTrace();
return AjaxJson.getError(e.getMessage());
}
}
```
4、前端改造
- 1、在登录请求时将返回的 token 保存到本地 `localStorage.setItem('token', res.token)`。
- 2、在后续每次请求中读取本地保存的 token 塞到请求 header 中
``` js
const header = {};
if(localStorage.token) {
header.token = localStorage.token;
}
// 后续提交请求...
```
<!------------- tab:SpringSecurity ------------->
见下方 “集成 Redis” 部分,同时做到:集成 Redis + 前后端分离。
<!------------- tab:JWT ------------->
`JWT` 不依赖 `Cookie` 保存/传输 token因此无需特殊定制即可原生支持前后端分离模式。
<!---------------------------- tabs:end ------------------------------>
### 集成 Redis
<!------------------------------ tabs:start ------------------------------>
<!------------- tab:Sa-Token ------------->
pom.xml 引入依赖
``` xml
<!-- Sa-Token整合 Redis (使用jackson序列化方式) -->
<dependency>
<groupId>cn.dev33</groupId>
<artifactId>sa-token-redis-jackson</artifactId>
<version>${sa-token.version}</version>
</dependency>
<!-- 提供Redis连接池 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-pool2</artifactId>
</dependency>
```
application.yml 新增连接配置
``` yaml
spring:
data:
# redis配置
redis:
# Redis数据库索引默认为0
database: 1
# Redis服务器地址
host: 127.0.0.1
# Redis服务器连接端口
port: 6379
# Redis服务器连接密码默认为空
password:
# 连接超时时间
timeout: 10s
lettuce:
pool:
# 连接池最大连接数
max-active: 200
# 连接池最大阻塞等待时间(使用负值表示没有限制)
max-wait: -1ms
# 连接池中的最大空闲连接
max-idle: 10
# 连接池中的最小空闲连接
min-idle: 0
```
其它代码照旧
<!------------- tab:Shiro ------------->
pom.xml 引入依赖
``` xml
<!-- Shiro 集成 Redis -->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>3.3.1</version>
</dependency>
```
application.yml 新增连接配置
``` yaml
spring:
redis:
shiro:
# Redis服务器地址
host: 127.0.0.1:6379
# Redis服务器连接密码默认为空
password:
# Redis数据库索引默认为0
database: 2
# 连接超时时间
timeout: 1800
```
ShiroConfigure 注入相关 Bean
``` java
@Configuration
public class ShiroConfigure {
// 自定义 securityManager
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
// manager.setRealm(myRealm());
// 自定义session管理 使用redis
manager.setSessionManager(sessionManager());
// 自定义缓存实现 使用redis
manager.setCacheManager(cacheManager());
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager());
return bean;
}
// -------- 以下为 shiro redis 相关 --------
// Shiro redis 连接信息
@Value("${spring.redis.shiro.host}")
private String host;
@Value("${spring.redis.shiro.database}")
private int database;
@Value("${spring.redis.shiro.timeout}")
private int timeout;
@Value("${spring.redis.shiro.password}")
private String password;
/**
* 配置shiro redisManager
*/
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
redisManager.setHost(host);
if(StringUtils.hasText(password)){
redisManager.setPassword(password);
}
redisManager.setDatabase(database);
redisManager.setTimeout(timeout);
return redisManager;
}
/**
* cacheManager 缓存 redis 实现
*/
@Bean
public RedisCacheManager cacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
return redisCacheManager;
}
/**
* RedisSessionDAO redis 实现
*/
@Bean
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
return redisSessionDAO;
}
// 自定义sessionManager
@Bean
public SessionManager sessionManager() {
MySessionManager mySessionManager = new MySessionManager();
mySessionManager.setSessionDAO(redisSessionDAO());
return mySessionManager;
}
}
```
SysUser 实体类要实现 Serializable 接口
``` java
@Data
@NoArgsConstructor
@AllArgsConstructor
public class SysUser implements Serializable {
// ...
}
```
其它代码照旧
<!------------- tab:SpringSecurity ------------->
(结合上部分,同时做到集成 Redis + 前后端分离)
1、`pom.xml` 引入依赖
``` xml
<!-- HttpSession 存储到 Redis -->
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
```
2、`yml` 增加配置
``` yml
spring:
session:
store-type: redis
timeout: 8H
redis:
namespace: spring:session
data:
# redis配置
redis:
# Redis数据库索引默认为0
database: 3
# Redis服务器地址
host: 127.0.0.1
# Redis服务器连接端口
port: 6379
# Redis服务器连接密码默认为空
password:
# 连接超时时间
timeout: 10s
lettuce:
pool:
# 连接池最大连接数
max-active: 200
# 连接池最大阻塞等待时间(使用负值表示没有限制)
max-wait: -1ms
# 连接池中的最大空闲连接
max-idle: 10
# 连接池中的最小空闲连接
min-idle: 0
```
3、在 `CustomAccessDeniedHandler` 自定义认证异常处理类中,返回 `json` 格式数据
``` java
@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler, AuthenticationEntryPoint, Serializable {
// 未登录异常
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
//验证为未登陆状态会进入此方法,认证错误
response.setStatus(401);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter printWriter = response.getWriter();
String body = new ObjectMapper().writeValueAsString(AjaxJson.get(401, "请先进行登录"));
printWriter.write(body);
printWriter.flush();
}
// 权限不足
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
// 登陆状态下,权限不足执行该方法
response.setStatus(200);
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json; charset=utf-8");
PrintWriter printWriter = response.getWriter();
String body = new ObjectMapper().writeValueAsString(AjaxJson.get(403, "权限不足"));
printWriter.write(body);
printWriter.flush();
}
}
```
4、别忘了注入到 `SecurityFilterChain` 过滤器链
``` java
// 异常处理
httpSecurity.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> {
// 权限不足处理方案
httpSecurityExceptionHandlingConfigurer.accessDeniedHandler(accessDeniedHandler);
// 未登录 处理逻辑
httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(accessDeniedHandler);
});
```
5、在登录时返回对应 token 信息
``` java
// 测试登录
@RequestMapping("doLogin")
public AjaxJson doLogin(String username, String password, HttpServletRequest request) {
try {
// 验证账号密码
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
usernamePasswordAuthenticationToken.setDetails(sysUserDao.findByUsername(username));
Authentication authentication = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
// 存入上下文
SecurityContextHolder.getContext().setAuthentication(authentication);
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
// 返回
String token = request.getSession().getId();
return AjaxJson.getSuccess("登录成功!").set("token", token);
} catch (Exception e) {
e.printStackTrace();
return AjaxJson.getError(e.getMessage());
}
}
```
6、前端改造
- 1、在登录请求时将返回的 token 保存到本地 `localStorage.setItem('token', res.token)`。
- 2、在后续每次请求中读取本地保存的 token 塞到请求 header 中
``` js
const header = {};
if(localStorage.token) {
header.token = localStorage.token;
}
// 后续提交请求...
```
7、新建 `HttpSessionConfigure` 配置重写 `HttpSessionId` 读取策略,改为从 `header` 头读取 `token` 参数作为 `SessionId`
``` java
@Configuration
public class HttpSessionConfigure {
// HttpSession 读取策略,从 header 头读取 token 参数作为 session id
@Bean
public HeaderHttpSessionIdResolver httpSessionStrategy() {
System.out.println("----------------- 自定义 HttpSession Id 读取方式");
return new HeaderHttpSessionIdResolver("token");
}
}
```
<!------------- tab:JWT ------------->
<!---------------------------- tabs:end ------------------------------>
Reference in New Issue View Git Blame Copy Permalink