zoukankan      html  css  js  c++  java

  • springboot shiro 多realm配置认证、授权

    shiro进行登录认证和权限管理的实现。其中需求涉及使用两个角色分别是:门店,公司。现在要两者实现分开登录。即需要两个Realm——MyShiroRealmSHOP和MyShiroRealmCOMPANY,分别处理门店,公司的验证功能。

    但是正常情况下,当定义了多个Realm,无论是门店登录还是公司登录,都会由这两个Realm共同处理。这是因为,当配置了多个Realm时,我们通常使用的认证器是shiro自带的org.apache.shiro.authc.pam.ModularRealmAuthenticator,其中决定使用的Realm的是doAuthenticate()方法,源代码如下:

    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
        assertRealmsConfigured();
        Collection<Realm> realms = getRealms();
        if (realms.size() == 1) {
            return doSingleRealmAuthentication(realms.iterator().next(), authenticationToken);
        } else {
            return doMultiRealmAuthentication(realms, authenticationToken);
        }
    }

      

    上述代码的意思就是如果有多个Realm就会使用所有配置的Realm。 只有一个的时候,就直接使用当前的Realm。

    为了实现需求,我会创建一个org.apache.shiro.authc.pam.ModularRealmAuthenticator的子类,并重写doAuthenticate()方法,让特定的Realm完成特定的功能。如何区分呢?我会同时创建一个org.apache.shiro.authc.UsernamePasswordToken的子类,在其中添加一个字段VirtualType,用来标识登录的类型,即是门店登录还是公司登录。具体步骤如下:

    public enum VirtualType {
    COMPANY,        // 公司
    SHOP            // 门店
}

      接下来新建org.apache.shiro.authc.UsernamePasswordToken的子类UserToken

    import org.apache.shiro.authc.UsernamePasswordToken;

public class UserToken extends UsernamePasswordToken {
    private VirtualType virtualType;

    public UserToken(final String username, final String password, VirtualType virtualType) {
        super(username, password);
        this.virtualType = virtualType;
    }

    public VirtualType getVirtualType() {
        return virtualType;
    }

    public void setVirtualType(VirtualType virtualType) {
        this.virtualType = virtualType;
    }
}

      新建org.apache.shiro.authc.pam.ModularRealmAuthenticator的子类UserModularRealmAuthenticator:

    import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;

public class UserModularRealmAuthenticator extends ModularRealmAuthenticator {

    private static final Logger logger = LoggerFactory.getLogger(UserModularRealmAuthenticator.class);

    @Override
    protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        logger.info("UserModularRealmAuthenticator:method doAuthenticate() execute ");
        // 判断getRealms()是否返回为空
        assertRealmsConfigured();
        // 强制转换回自定义的CustomizedToken
        UserToken userToken = (UserToken) authenticationToken;
        // 登录类型
        VirtualType virtualType = userToken.getVirtualType();
        // 所有Realm
        Collection<Realm> realms = getRealms();
        // 登录类型对应的所有Realm
        Collection<Realm> typeRealms = new ArrayList<>();
        for (Realm realm : realms) {
            if (realm.getName().contains(virtualType.toString()))  // 注:这里使用类名包含枚举,区分realm
                typeRealms.add(realm);
        }
        // 判断是单Realm还是多Realm
        if (typeRealms.size() == 1) {
            logger.info("doSingleRealmAuthentication() execute ");
            return doSingleRealmAuthentication(typeRealms.iterator().next(), userToken);
        } else {
            logger.info("doMultiRealmAuthentication() execute ");
            return doMultiRealmAuthentication(typeRealms, userToken);
        }
    }
}

      创建分别处理门店登录还是公司登录的Realm: 

    import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import java.util.HashSet;
import java.util.Set;

/**公司登陆realm
 */
public class MyShiroRealmCOMPANY extends AuthorizingRealm {

    @Autowired
    IUserService userService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal(); // 一定是String类型,在SimpleAuthenticationInfo
        SystemUser systemUser = userService.getUserByName(username, VirtualType.COMPANY);
        if (systemUser == null) {
            throw new RuntimeException("system concurrent exception: COMPANY user not found:username=" + username);
        }

        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();

        Set<String> stringPermissions = new HashSet<>(256);
         // 字符串资源
        authorizationInfo.addStringPermissions(stringPermissions);
        return authorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        UserToken token = (UserToken)authenticationToken;
            // 逻辑登陆
        return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
    }
}

      

    import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import java.util.HashSet;
import java.util.Set;

/**门店登陆realm
 */
public class MyShiroRealmSHOP extends AuthorizingRealm {

    @Autowired
    IUserService userService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal(); // 一定是String类型,在SimpleAuthenticationInfo
        SystemUser systemUser = userService.getUserByName(username, VirtualType.SHOP);
        if (systemUser == null) {
            throw new RuntimeException("system concurrent exception: SHOP user not found:username=" + username);
        }

        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();

        Set<String> stringPermissions = new HashSet<>(256);
     // 字符串资源
        authorizationInfo.addStringPermissions(stringPermissions);
        return authorizationInfo;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        UserToken token = (UserToken)authenticationToken;
        // 逻辑登陆
        return new SimpleAuthenticationInfo(token.getPrincipal(), token.getCredentials(), getName());
    }
}

      ShiroConfig配置

        @Bean("securityManager")
    public SecurityManager securityManager(RedisTemplate redisTemplate) {          // redisTemplate配置的redis缓存,可忽略
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        List<Realm> realms = new ArrayList<>();
        //添加多个Realm
        realms.add(myShiroRealmSHOP(redisTemplate));
        realms.add(myShiroRealmCOMPANY(redisTemplate));
        securityManager.setAuthenticator(modularRealmAuthenticator());          // 需要再realm定义之前
        securityManager.setRealms(realms);
        securityManager.setSessionManager(myShiroSession(redisTemplate));
        return securityManager;
    }

    /**
     * 系统自带的Realm管理,主要针对多realm 认证
     */
    @Bean
    public ModularRealmAuthenticator modularRealmAuthenticator() {
        //自己重写的ModularRealmAuthenticator
        UserModularRealmAuthenticator modularRealmAuthenticator = new UserModularRealmAuthenticator();
        modularRealmAuthenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
        return modularRealmAuthenticator;
    }

    @Bean("myShiroRealmSHOP")
    public MyShiroRealmSHOP myShiroRealmSHOP(RedisTemplate redisTemplate) {
        return new MyShiroRealmSHOP();
    }

    @Bean("myShiroRealmCOMPANY")
    public MyShiroRealmCOMPANY myShiroRealmCOMPANY(RedisTemplate redisTemplate) {
        return new MyShiroRealmCOMPANY();
    }

      登陆即可:

    subject.login(new UserToken(username, password, virtualType))  

    这里需要注意的是,上述配置的Authenticator主要针对登陆认证,对于授权时没有控制的,使用资源注入时会发现,使用的是myShiroRealmSHOP的doGetAuthorizationInfo方法(上面SHOP的定义在前),没有走对应的realm的授权,产生问题错乱;

    新建org.apache.shiro.authz.ModularRealmAuthorizer子类:

    import org.apache.shiro.authz.Authorizer;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
    
public class UserModularRealmAuthorizer extends ModularRealmAuthorizer {
    @Override
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)){ continue;}
            //  todo 授权配置
            if (realm.getName().contains(VirtualType.COMPANY.toString())) {    // 判断realm
                if (permission.contains("company")) {    // 判断是否改realm的资源
                    return ((MyShiroRealmCOMPANY) realm).isPermitted(principals, permission);    // 使用改realm的授权方法
                }
            }
            if (realm.getName().contains(VirtualType.SHOP.toString())) {
                if (permission.contains("shop")) {
                    return ((MyShiroRealmSHOP) realm).isPermitted(principals, permission);
                }
            }
        }
        return false;
    }
}

      然后在ShiroConfig更改:

        @Bean("securityManager")
    public SecurityManager securityManager(RedisTemplate redisTemplate) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 使用注解,@RequiresPermissions,读取缓存权限信息保存key对象为:{@link org.apache.shiro.subject.SimplePrincipalCollection},所以redis缓存配置的String不能转换
//        securityManager.setCacheManager(redisCacheManager(redisTemplate));
        List<Realm> realms = new ArrayList<>();
        //添加多个Realm
        realms.add(myShiroRealmSHOP(redisTemplate));
        realms.add(myShiroRealmCOMPANY(redisTemplate));
        securityManager.setAuthenticator(modularRealmAuthenticator());
        securityManager.setAuthorizer(modularRealmAuthorizer());    // 这里
        securityManager.setRealms(realms);
        securityManager.setSessionManager(myShiroSession(redisTemplate));
        return securityManager;
    }

    /**
     * 系统自带的Realm管理,主要针对多realm 认证
     */
    @Bean
    public ModularRealmAuthenticator modularRealmAuthenticator() {
        //自己重写的ModularRealmAuthenticator
        UserModularRealmAuthenticator modularRealmAuthenticator = new UserModularRealmAuthenticator();
        modularRealmAuthenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
        return modularRealmAuthenticator;
    }

    /**
     * 系统自带的Realm管理,主要针对多realm 授权
     */
    @Bean
    public ModularRealmAuthorizer modularRealmAuthorizer() {
        //自己重写的ModularRealmAuthorizer
        UserModularRealmAuthorizer modularRealmAuthorizer = new UserModularRealmAuthorizer();
        return modularRealmAuthorizer;
    }

    @Bean("myShiroRealmSHOP")
    public MyShiroRealmSHOP myShiroRealmSHOP(RedisTemplate redisTemplate) {
        return new MyShiroRealmSHOP();
    }

    @Bean("myShiroRealmCOMPANY")
    public MyShiroRealmCOMPANY myShiroRealmCOMPANY(RedisTemplate redisTemplate) {
        return new MyShiroRealmCOMPANY();
    }

      


    参考:https://blog.csdn.net/cckevincyh/article/details/79629022 
  • 相关阅读:
    环境变量不重启生效
    egret list不显示问题
    批处理收集
    吐槽阿里云数据库的备份还原
    一次没清缓存的坑
    imagepng或imagejpeg浏览器无显示问题
    xdebug调试一直等待连接
    Python快速学习07:文本文件的操作
    Python快速学习06:词典
    纸上谈兵: AVL树[转]
  • 原文地址:https://www.cnblogs.com/skyLogin/p/10871347.html
Copyright © 2011-2022 走看看