zoukankan      html  css  js  c++  java
  • springboot shiro 多realm配置认证、授权

    shiro进行登录认证和权限管理的实现。其中需求涉及使用两个角色分别是:门店,公司。现在要两者实现分开登录。即需要两个Realm——MyShiroRealmSHOP和MyShiroRealmCOMPANY,分别处理门店,公司的验证功能。

    但是正常情况下,当定义了多个Realm,无论是门店登录还是公司登录,都会由这两个Realm共同处理。这是因为,当配置了多个Realm时,我们通常使用的认证器是shiro自带的org.apache.shiro.authc.pam.ModularRealmAuthenticator,其中决定使用的Realm的是doAuthenticate()方法,源代码如下:

    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
            assertRealmsConfigured();
            Collection<Realm> realms = getRealms();
            if (realms.size() == 1) {
                return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
            } else {
                return doMultiRealmAuthentication(realms, authenticationToken);
            }
        }
    

      

    上述代码的意思就是如果有多个Realm就会使用所有配置的Realm。 只有一个的时候,就直接使用当前的Realm。

    为了实现需求,我会创建一个org.apache.shiro.authc.pam.ModularRealmAuthenticator的子类,并重写doAuthenticate()方法,让特定的Realm完成特定的功能。如何区分呢?我会同时创建一个org.apache.shiro.authc.UsernamePasswordToken的子类,在其中添加一个字段VirtualType,用来标识登录的类型,即是门店登录还是公司登录。具体步骤如下:

    public enum VirtualType {
        COMPANY,        // 公司
        SHOP            // 门店
    }
    

      接下来新建org.apache.shiro.authc.UsernamePasswordToken的子类UserToken

    import org.apache.shiro.authc.UsernamePasswordToken;
    
    public class UserToken extends UsernamePasswordToken {
        private VirtualType virtualType;
    
        public UserToken(final String username, final String password, VirtualType virtualType) {
            super(username, password);
            this.virtualType = virtualType;
        }
    
        public VirtualType getVirtualType() {
            return virtualType;
        }
    
        public void setVirtualType(VirtualType virtualType) {
            this.virtualType = virtualType;
        }
    }
    

      新建org.apache.shiro.authc.pam.ModularRealmAuthenticator的子类UserModularRealmAuthenticator:

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
    import org.apache.shiro.realm.Realm;
    
    public class UserModularRealmAuthenticator extends ModularRealmAuthenticator {
    
        private static final Logger logger = LoggerFactory.getLogger(UserModularRealmAuthenticator.class);
    
        @Override
        protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)
                throws AuthenticationException {
            logger.info("UserModularRealmAuthenticator:method doAuthenticate() execute ");
            // 判断getRealms()是否返回为空
            assertRealmsConfigured();
            // 强制转换回自定义的CustomizedToken
            UserToken userToken = (UserToken) authenticationToken;
            // 登录类型
            VirtualType virtualType = userToken.getVirtualType();
            // 所有Realm
            Collection<Realm> realms = getRealms();
            // 登录类型对应的所有Realm
            Collection<Realm> typeRealms = new ArrayList<>();
            for (Realm realm : realms) {
                if (realm.getName().contains(virtualType.toString()))  // 注:这里使用类名包含枚举,区分realm
                    typeRealms.add(realm);
            }
            // 判断是单Realm还是多Realm
            if (typeRealms.size() == 1) {
                logger.info("doSingleRealmAuthentication() execute ");
                return doSingleRealmAuthentication(typeRealms.iterator().next(), userToken);
            } else {
                logger.info("doMultiRealmAuthentication() execute ");
                return doMultiRealmAuthentication(typeRealms, userToken);
            }
        }
    }
    

      创建分别处理门店登录还是公司登录的Realm: 

    import org.apache.shiro.authc.*;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    
    import java.util.HashSet;
    import java.util.Set;
    
    /**公司登陆realm
     */
    public class MyShiroRealmCOMPANY extends AuthorizingRealm {
    
        @Autowired
        IUserService userService;
    
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal(); // 一定是String类型,在SimpleAuthenticationInfo
            SystemUser systemUser = userService.getUserByName(username, VirtualType.COMPANY);
            if (systemUser == null) {
                throw new RuntimeException("system concurrent exception: COMPANY user not found:username=" + username);
            }
    
            SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    
            Set<String> stringPermissions = new HashSet<>(256);
         // 字符串资源 authorizationInfo.addStringPermissions(stringPermissions); return authorizationInfo; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { // UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken; UserToken token = (UserToken)authenticationToken;
    // 逻辑登陆 return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName()); } }

      

    import org.apache.shiro.authc.*;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    
    import java.util.HashSet;
    import java.util.Set;
    
    /**门店登陆realm
     */
    public class MyShiroRealmSHOP extends AuthorizingRealm {
    
        @Autowired
        IUserService userService;
    
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String username = (String) principals.getPrimaryPrincipal(); // 一定是String类型,在SimpleAuthenticationInfo
            SystemUser systemUser = userService.getUserByName(username, VirtualType.SHOP);
            if (systemUser == null) {
                throw new RuntimeException("system concurrent exception: SHOP user not found:username=" + username);
            }
    
            SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    
            Set<String> stringPermissions = new HashSet<>(256);
         // 字符串资源
            authorizationInfo.addStringPermissions(stringPermissions);
            return authorizationInfo;
        }
    
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    //        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
            UserToken token = (UserToken)authenticationToken;
            // 逻辑登陆
            return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
        }
    }
    

      ShiroConfig配置

        @Bean("securityManager")
        public SecurityManager securityManager(RedisTemplate redisTemplate) {          // redisTemplate配置的redis缓存,可忽略
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            List<Realm> realms = new ArrayList<>();
            //添加多个Realm
            realms.add(myShiroRealmSHOP(redisTemplate));
            realms.add(myShiroRealmCOMPANY(redisTemplate));
            securityManager.setAuthenticator(modularRealmAuthenticator());          // 需要再realm定义之前
            securityManager.setRealms(realms);
            securityManager.setSessionManager(myShiroSession(redisTemplate));
            return securityManager;
        }
    
        /**
         * 系统自带的Realm管理,主要针对多realm 认证
         */
        @Bean
        public ModularRealmAuthenticator modularRealmAuthenticator() {
            //自己重写的ModularRealmAuthenticator
            UserModularRealmAuthenticator modularRealmAuthenticator = new UserModularRealmAuthenticator();
            modularRealmAuthenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
            return modularRealmAuthenticator;
        }
    
        @Bean("myShiroRealmSHOP")
        public MyShiroRealmSHOP myShiroRealmSHOP(RedisTemplate redisTemplate) {
            return new MyShiroRealmSHOP();
        }
    
        @Bean("myShiroRealmCOMPANY")
        public MyShiroRealmCOMPANY myShiroRealmCOMPANY(RedisTemplate redisTemplate) {
            return new MyShiroRealmCOMPANY();
        }
    

      登陆即可:

    subject.login(new UserToken(username, password, virtualType))  

    这里需要注意的是,上述配置的Authenticator主要针对登陆认证,对于授权时没有控制的,使用资源注入时会发现,使用的是myShiroRealmSHOP的doGetAuthorizationInfo方法(上面SHOP的定义在前),没有走对应的realm的授权,产生问题错乱;

    新建org.apache.shiro.authz.ModularRealmAuthorizer子类:

    import org.apache.shiro.authz.Authorizer;
    import org.apache.shiro.authz.ModularRealmAuthorizer;
    import org.apache.shiro.realm.Realm;
    import org.apache.shiro.subject.PrincipalCollection;
    public class UserModularRealmAuthorizer extends ModularRealmAuthorizer { @Override public boolean isPermitted(PrincipalCollection principals, String permission) { assertRealmsConfigured(); for (Realm realm : getRealms()) { if (!(realm instanceof Authorizer)){ continue;} // todo 授权配置 if (realm.getName().contains(VirtualType.COMPANY.toString())) {    // 判断realm if (permission.contains("company")) {    // 判断是否改realm的资源 return ((MyShiroRealmCOMPANY) realm).isPermitted(principals, permission); // 使用改realm的授权方法 } } if (realm.getName().contains(VirtualType.SHOP.toString())) { if (permission.contains("shop")) { return ((MyShiroRealmSHOP) realm).isPermitted(principals, permission); } } } return false; } }

      然后在ShiroConfig更改:

        @Bean("securityManager")
        public SecurityManager securityManager(RedisTemplate redisTemplate) {
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            // 使用注解,@RequiresPermissions,读取缓存权限信息保存key对象为:{@link org.apache.shiro.subject.SimplePrincipalCollection},所以redis缓存配置的String不能转换
    //        securityManager.setCacheManager(redisCacheManager(redisTemplate));
            List<Realm> realms = new ArrayList<>();
            //添加多个Realm
            realms.add(myShiroRealmSHOP(redisTemplate));
            realms.add(myShiroRealmCOMPANY(redisTemplate));
            securityManager.setAuthenticator(modularRealmAuthenticator());
            securityManager.setAuthorizer(modularRealmAuthorizer());    // 这里
            securityManager.setRealms(realms);
            securityManager.setSessionManager(myShiroSession(redisTemplate));
            return securityManager;
        }
    
        /**
         * 系统自带的Realm管理,主要针对多realm 认证
         */
        @Bean
        public ModularRealmAuthenticator modularRealmAuthenticator() {
            //自己重写的ModularRealmAuthenticator
            UserModularRealmAuthenticator modularRealmAuthenticator = new UserModularRealmAuthenticator();
            modularRealmAuthenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
            return modularRealmAuthenticator;
        }
    
        /**
         * 系统自带的Realm管理,主要针对多realm 授权
         */
        @Bean
        public ModularRealmAuthorizer modularRealmAuthorizer() {
            //自己重写的ModularRealmAuthorizer
            UserModularRealmAuthorizer modularRealmAuthorizer = new UserModularRealmAuthorizer();
            return modularRealmAuthorizer;
        }
    
        @Bean("myShiroRealmSHOP")
        public MyShiroRealmSHOP myShiroRealmSHOP(RedisTemplate redisTemplate) {
            return new MyShiroRealmSHOP();
        }
    
        @Bean("myShiroRealmCOMPANY")
        public MyShiroRealmCOMPANY myShiroRealmCOMPANY(RedisTemplate redisTemplate) {
            return new MyShiroRealmCOMPANY();
        }
    

      


    参考:https://blog.csdn.net/cckevincyh/article/details/79629022 

  • 相关阅读:
    bzoj 1093: [ZJOI2007]最大半连通子图
    bzoj 1266 1266: [AHOI2006]上学路线route
    poj 2104 K-th Number
    洛谷 P3313 [SDOI2014]旅行
    cogs 306. [SGOI] 糊涂的记者
    cogs 1164. 跑步
    洛谷 1821: [JSOI2010]Group 部落划分 Group
    洛谷 U3357 C2-走楼梯
    洛谷 P3014 [USACO11FEB]牛线Cow Line
    洛谷 P2982 [USACO10FEB]慢下来Slowing down
  • 原文地址:https://www.cnblogs.com/skyLogin/p/10871347.html
Copyright © 2011-2022 走看看