package org.linlinjava.litemall.admin.shiro; import com.alibaba.druid.util.StringUtils; import org.apache.shiro.web.servlet.ShiroHttpServletRequest; import org.apache.shiro.web.session.mgt.DefaultWebSessionManager; import org.apache.shiro.web.util.WebUtils; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import java.io.Serializable; public class AdminWebSessionManager extends DefaultWebSessionManager { public static final String LOGIN_TOKEN_KEY = "X-Litemall-Admin-Token"; private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request"; @Override protected Serializable getSessionId(ServletRequest request, ServletResponse response) { String id = WebUtils.toHttp(request).getHeader(LOGIN_TOKEN_KEY); if (!StringUtils.isEmpty(id)) { request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE); request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id); request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE); return id; } else { return super.getSessionId(request, response); } } }
package org.linlinjava.litemall.admin.shiro; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder; import org.linlinjava.litemall.db.domain.LitemallAdmin; import org.linlinjava.litemall.db.service.LitemallAdminService; import org.linlinjava.litemall.db.service.LitemallPermissionService; import org.linlinjava.litemall.db.service.LitemallRoleService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.Assert; import org.springframework.util.StringUtils; import java.util.List; import java.util.Set; public class AdminAuthorizingRealm extends AuthorizingRealm { @Autowired private LitemallAdminService adminService; @Autowired private LitemallRoleService roleService; @Autowired private LitemallPermissionService permissionService; @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { if (principals == null) { throw new AuthorizationException("PrincipalCollection method argument cannot be null."); } LitemallAdmin admin = (LitemallAdmin) getAvailablePrincipal(principals); Integer[] roleIds = admin.getRoleIds(); Set<String> roles = roleService.queryByIds(roleIds); Set<String> permissions = permissionService.queryByRoleIds(roleIds); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); info.setRoles(roles); info.setStringPermissions(permissions); return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { UsernamePasswordToken upToken = (UsernamePasswordToken) token; String username = upToken.getUsername(); String password = new String(upToken.getPassword()); if (StringUtils.isEmpty(username)) { throw new AccountException("用户名不能为空"); } if (StringUtils.isEmpty(password)) { throw new AccountException("密码不能为空"); } List<LitemallAdmin> adminList = adminService.findAdmin(username); Assert.state(adminList.size() < 2, "同一个用户名存在两个账户"); if (adminList.size() == 0) { throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息"); } LitemallAdmin admin = adminList.get(0); BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); if (!encoder.matches(password, admin.getPassword())) { throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息"); } return new SimpleAuthenticationInfo(admin, password, getName()); } }
package org.linlinjava.litemall.admin.config; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.realm.Realm; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.linlinjava.litemall.admin.shiro.AdminAuthorizingRealm; import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager; import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.DependsOn; import java.util.LinkedHashMap; import java.util.Map; @Configuration public class ShiroConfig { @Bean public Realm realm() { return new AdminAuthorizingRealm(); } @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); filterChainDefinitionMap.put("/admin/auth/login", "anon"); filterChainDefinitionMap.put("/admin/auth/401", "anon"); filterChainDefinitionMap.put("/admin/auth/index", "anon"); filterChainDefinitionMap.put("/admin/auth/403", "anon"); filterChainDefinitionMap.put("/admin/index/index", "anon"); filterChainDefinitionMap.put("/admin/**", "authc"); shiroFilterFactoryBean.setLoginUrl("/admin/auth/401"); shiroFilterFactoryBean.setSuccessUrl("/admin/auth/index"); shiroFilterFactoryBean.setUnauthorizedUrl("/admin/auth/403"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); return shiroFilterFactoryBean; } @Bean public SessionManager sessionManager() { return new AdminWebSessionManager(); } @Bean public DefaultWebSecurityManager defaultWebSecurityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(realm()); securityManager.setSessionManager(sessionManager()); return securityManager; } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(securityManager); return authorizationAttributeSourceAdvisor; } @Bean @DependsOn("lifecycleBeanPostProcessor") public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator(); creator.setProxyTargetClass(true); return creator; } }
package org.linlinjava.litemall.admin.config; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authz.AuthorizationException; import org.linlinjava.litemall.core.util.ResponseUtil; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; import org.springframework.web.bind.annotation.ControllerAdvice; import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.ResponseBody; @ControllerAdvice @Order(value = Ordered.HIGHEST_PRECEDENCE) public class ShiroExceptionHandler { private final Log logger = LogFactory.getLog(ShiroExceptionHandler.class); @ExceptionHandler(AuthenticationException.class) @ResponseBody public Object unauthenticatedHandler(AuthenticationException e) { logger.warn(e.getMessage(), e); return ResponseUtil.unlogin(); } @ExceptionHandler(AuthorizationException.class) @ResponseBody public Object unauthorizedHandler(AuthorizationException e) { logger.warn(e.getMessage(), e); return ResponseUtil.unauthz(); } }