Shiro无状态的探索

[TOC]

Shiro如何做到无状态

一、介绍

1、为什么要做无状态

前后端分离带来的优越性，使得更多的企业选择它。分离后的两者，交互只有后端接口返回Json数据（或其他类型数据），前端页面的跳转等无需经过后端，故传统的Session（通过在浏览器中的JSESSIONID，对应服务内存中的存储的Session数据来完成Session的功能）不在存在，所以后端需要和前端约定认证方式，而Token不失为一种解决方案。

二、使用

声明：以下基于项目 SpringCloud项目 Lemon 完成设计，直接看效果分析，请下载项目，确保sql执行，数据库密码Redis密码修改好(目前已改为配置中心，请按照项目内，开发文档进行使用)，启动lemon-user子应用即可。

1、正常配置Shiro（参考网上教程即可）

2、无状态Shiro

A、拦截器

import com.alibaba.fastjson.JSONObject;
import com.lemon.shiro.token.StatelessToken;
import com.lemon.utils.CookieUtils;
import com.lemon.web.constant.base.ConstantApi;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/**
 * 无状态拦截器
 * 
 * @author sjp
 * @date 2019/4/30
 **/
public class StatelessAuthcFilter extends AccessControlFilter {

	private Logger logger = LoggerFactory.getLogger(this.getClass());

    /**
     * 判断请求是否需要被拦截，拦截后执行onAccessDenied方法
     * 
     * @param request req
     * @param response res
     * @param mappedValue map
     * @return true 不拦截 false 拦截
     */
	@Override
	protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
		return false;
	}

	@Override
	protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
		Cookie[] cookies = ((HttpServletRequest) request).getCookies();
		// 用户唯一id
		String uidStr = CookieUtils.getParamFromCookie(cookies, ConstantApi.UID);
		if (StringUtils.isEmpty(uidStr)) {
			onLoginFail(response);
			return false;
		}
		Long uid = Long.parseLong(uidStr);
		// 用户token
		String token = CookieUtils.getParamFromCookie(cookies, ConstantApi.TOKEN);
		if (StringUtils.isEmpty(token)) {
			onLoginFail(response);
			return false;
		}
		// 用户所在平台
		String sid = CookieUtils.getParamFromCookie(cookies, ConstantApi.SID);
		if (StringUtils.isEmpty(sid)) {
			onLoginFail(response);
			return false;
		}
		// 客户端请求的参数列表
		Map<String, String[]> params = new HashMap<>(request.getParameterMap());
		StatelessToken statelessToken = new StatelessToken(uid, token, params);
		try {
			// 委托给Realm进行登录
			getSubject(request, response).login(statelessToken);
		} catch (Exception e) {
			logger.info("auth error->uid:{},sid:{},token:{},e:{}", uid, sid, token, e);
			// 登录失败
			onLoginFail(response);
			return false;
		}
		return true;
	}

	/**
	 * 登录失败时默认返回401状态码
	 */
	private void onLoginFail(ServletResponse response) throws IOException {
		HttpServletResponse httpResponse = (HttpServletResponse) response;
		httpResponse.setStatus(HttpServletResponse.SC_OK);
		httpResponse.setContentType("application/json;charset=UTF-8");
		httpResponse.getWriter().write("error");
	}

}

B、登录认证器和无状态Token认证器

package com.lemon.relam;

import com.lemon.entity.LoginInfoEntity;
import com.lemon.repository.LoginInfoRepository;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

import javax.annotation.Resource;
import java.util.HashSet;
import java.util.Set;

/**
 * 登陆和授权认证器
 *
 * @author sjp 2018/12/9
 */
public class LoginRelam extends AuthorizingRealm {

	@Resource
	private LoginInfoRepository	loginInfoRepository;

	private static final String	MONSTER	= "monster";

	/**
	 * 登陆
	 *
	 * @param authenticationToken token
	 * @return info
	 * @throws AuthenticationException exception
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
			throws AuthenticationException {
		UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
		LoginInfoEntity loginInfoEntity = loginInfoRepository.getByLoginName(usernamePasswordToken.getUsername());
		if (loginInfoEntity == null) {
			throw new UnknownAccountException("用户不存在！");
		}
		if (MONSTER.equals(loginInfoEntity.getLoginName())) {
			throw new LockedAccountException("用户被锁定");
		}
		// 盐值加密，确保凭证一样加密后字符串不一样
		ByteSource credentialsSalt = ByteSource.Util.bytes(loginInfoEntity.getLoginName());
		return new SimpleAuthenticationInfo(loginInfoEntity.getLoginName(), loginInfoEntity.getLoginPwd(),
				credentialsSalt, getName());
	}

	/**
	 * 授权
	 *
	 * @param principalCollection p
	 * @return a
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
		Object principal = principalCollection.getPrimaryPrincipal();
		Set<String> roles = new HashSet<>();
		roles.add("user");
         // 此处授权角色仅供测试
		if ("admin".equals(principal)) {
			roles.add("admin");
		}
		return new SimpleAuthorizationInfo(roles);
	}

}

package com.lemon.shiro.realm;

import com.lemon.shiro.token.StatelessToken;
import com.lemon.tools.RedissonTools;
import com.lemon.web.constant.base.ConstantCache;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.util.StringUtils;

import javax.annotation.Resource;
import java.util.HashSet;
import java.util.Set;

/**
 * 无状态认证器
 * 
 * @author sjp
 * @date 2019/4/30
 **/
public class StatelessRealm extends AuthorizingRealm {

	@Resource
	private RedissonTools redissonTools;

	@Override
	public boolean supports(AuthenticationToken token) {
		// 仅支持StatelessToken类型的Token
		return token instanceof StatelessToken;
	}

	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		Set<String> roles = new HashSet<>();
		// 此处可以来获取权限
		return new SimpleAuthorizationInfo(roles);
	}

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
			throws AuthenticationException {
		StatelessToken statelessToken = (StatelessToken) authenticationToken;
		Long uid = statelessToken.getUid();
         // 从Redis获取服务器存储的Token，用来和前端传入的Token对比 
		// String token = redissonTools.get(ConstantCache.KEY.LOGIN_TOKEN.key + uid);
         // 临时测试 可以设置常量
		String token = "testToken";
         token = StringUtils.isEmpty(token) ? "" : token;
		return new SimpleAuthenticationInfo(uid, token, getName());
	}

}

C、配置类

import com.lemon.relam.LoginRelam;
import com.lemon.shiro.factory.StatelessDefaultSubjectFactory;
import com.lemon.shiro.filter.StatelessAuthcFilter;
import com.lemon.shiro.realm.StatelessRealm;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.web.filter.DelegatingFilterProxy;

import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.Map;

/**
 * Shiro配置
 * 
 * @author sjp
 */
@Configuration
public class ShiroConfig {

	/**
	 * 使用FilterRegistrationBean管理DelegatingFilterProxy的生命周期，代替spring项目中shiro在web.xml的配置
	 *
	 * @return FilterRegistrationBean<DelegatingFilterProxy>
	 */
	@Bean
	public FilterRegistrationBean<DelegatingFilterProxy> delegatingFilterProxy() {
		FilterRegistrationBean<DelegatingFilterProxy> filterRegistrationBean = new FilterRegistrationBean<>();
		DelegatingFilterProxy proxy = new DelegatingFilterProxy();
		filterRegistrationBean.setFilter(proxy);
		// 保留Filter原有的init，destroy方法的调用
		proxy.setTargetFilterLifecycle(true);
		proxy.setTargetBeanName("shiroFilter");
		return filterRegistrationBean;
	}

	/**
	 * 配置shiro filter
	 *
	 * @return ShiroFilterFactoryBean
	 */
	@Bean("shiroFilter")
	public ShiroFilterFactoryBean shirFilter() {
		ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
		shiroFilterFactoryBean.setSecurityManager(securityManager());
		Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
		filterChainDefinitionMap.put("/user/login", "anon");
		filterChainDefinitionMap.put("/user/register", "anon");
		filterChainDefinitionMap.put("/user/logout", "anon");
		filterChainDefinitionMap.put("/**", "statelessAuthcFilter");
		shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
		// 自定义拦截器
		Map<String, Filter> filtersMap = new LinkedHashMap<>();
		filtersMap.put("statelessAuthcFilter", new StatelessAuthcFilter());
		shiroFilterFactoryBean.setFilters(filtersMap);
		return shiroFilterFactoryBean;
	}

	/**
	 * 配置securityManager
	 *
	 * @return SecurityManager
	 */
	@Bean
	public SecurityManager securityManager() {
		DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
		// 设置不储存session
		((DefaultSessionStorageEvaluator) ((DefaultSubjectDAO) securityManager.getSubjectDAO())
				.getSessionStorageEvaluator()).setSessionStorageEnabled(false);
		// 设置会话管理器
		securityManager.setSessionManager(defaultSessionManager());
		// 设置无状态SubjectFactory
		securityManager.setSubjectFactory(statelessDefaultSubjectFactory());
		// 设置realm
		LinkedList<Realm> realms = new LinkedList<>();
		realms.add(loginRealm());
		realms.add(statelessRealm());
		securityManager.setRealms(realms);
		return securityManager;
	}

	/**
	 * 会话管理器
	 * 
	 * @return DefaultSessionManager
	 */
	@Bean
	public DefaultSessionManager defaultSessionManager() {
		DefaultSessionManager defaultSessionManager = new DefaultSessionManager();
		defaultSessionManager.setSessionValidationSchedulerEnabled(false);
		return defaultSessionManager;
	}

	/**
	 * 无状态SubjectFactory
	 *
	 * @return StatelessDefaultSubjectFactory
	 */
	@Bean
	public StatelessDefaultSubjectFactory statelessDefaultSubjectFactory() {
		return new StatelessDefaultSubjectFactory();
	}

	/**
	 * 配置shiroRelam并指定凭证匹配器
	 *
	 * @return LoginRealm
	 */
	@Bean
	public LoginRelam loginRealm() {
		LoginRelam loginRelam = new LoginRelam();
		loginRelam.setCredentialsMatcher(hashedCredentialsMatcher());
		return loginRelam;
	}

	/**
	 * 配置无状态登陆realm
	 *
	 * @return StatelessRealm
	 */
	@Bean
	public StatelessRealm statelessRealm() {
		StatelessRealm statelessRealm = new StatelessRealm();
		statelessRealm.setCachingEnabled(false);
		return statelessRealm;
	}

	/**
	 * 凭证匹配器
	 * 
	 * @return HashedCredentialsMatcher
	 */
	@Bean
	public HashedCredentialsMatcher hashedCredentialsMatcher() {
		HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
		hashedCredentialsMatcher.setHashAlgorithmName("md5");
		hashedCredentialsMatcher.setHashIterations(5);
		return hashedCredentialsMatcher;
	}

	/// @Bean
	// public ShiroDialect shiroDialect() {
	// return new ShiroDialect();
	// }

	/**
	 * 配置 LifecycleBeanPostProcessor. 可以自定的来调用配置在 Spring IOC 容器中 shiro bean 的生命周期方法.
	 *
	 * @return LifecycleBeanPostProcessor
	 */
	@Bean
	public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
		return new LifecycleBeanPostProcessor();
	}

	/**
	 * 启用 IOC 容器中使用 shiro 的注解. 但必须在配置了 LifecycleBeanPostProcessor 之后才可以使用
	 *
	 * @return DefaultAdvisorAutoProxyCreator
	 */
	@Bean
	@DependsOn("lifecycleBeanPostProcessor")
	public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
		DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
		// true 基于类方法代码，false 基于接口代理
		proxyCreator.setProxyTargetClass(true);
		return proxyCreator;
	}

	/**
	 * 开启shiro aop注解支持. 使用代理方式;所以需要开启代码支持;
	 * 
	 * @return AuthorizationAttributeSourceAdvisor
	 */
	@Bean
	public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
		AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
		advisor.setSecurityManager(securityManager());
		return advisor;
	}

	// @Bean
	// public SessionManager configWebSessionManager(){
	// DefaultWebSessionManager manager = new DefaultWebSessionManager();
	// // 加入缓存管理器
	// //manager.setCacheManager(cacheManager);
	// //manager.setSessionDAO(sessionDao);
	// // 删除过期的session
	// manager.setDeleteInvalidSessions(true);
	// // 设置全局session超时时间
	// manager.setGlobalSessionTimeout(1800000);
	// // 是否定时检查session
	// manager.setSessionValidationSchedulerEnabled(true);
	// manager.setSessionIdCookie(simpleCookie());
	// return manager;
	// }

	// /**
	// * 注入cookie模板
	// * @return
	// */
	// @Bean
	// public SimpleCookie simpleCookie(){
	// SimpleCookie simpleCookie = new SimpleCookie("sid-shrio");
	// simpleCookie.setMaxAge(-1);
	// simpleCookie.setHttpOnly(true);
	// return simpleCookie;
	// }
}

D、工具类

ConstantApi

/**
 * API接口公用返回提示code定义
 * 
 * @author sjp
 * @date 2019/4/15
 **/
public interface ConstantApi {

    String	TOKEN	= "token";
    String	UID		= "uid";
    String	SID		= "sid";

}

cookieUtils

import org.springframework.util.CollectionUtils;

import javax.servlet.http.Cookie;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/**
 * CookieUtils
 *
 * @author sjp
 * @date 2019/5/3
 */
public class CookieUtils {

	/**
	 * 从cookie中获取名称的值
	 * 
	 * @param cookies cookies
	 * @param name cookie值名称
	 * @return value cookie值
	 */
	public static String getParamFromCookie(Cookie[] cookies, String name) {
		if (cookies == null || cookies.length == 0) {
			return "";
		}
		List<Cookie> cookieList = Arrays.stream(cookies).filter(item -> name.equals(item.getName()))
				.collect(Collectors.toList());
		if (CollectionUtils.isEmpty(cookieList)) {
			return "";
		}
		return cookieList.get(0).getValue();
	}

}

RedissonTools

import org.redisson.api.RBucket;
import org.redisson.api.RLock;
import org.redisson.api.RMap;
import org.redisson.api.RedissonClient;
import org.springframework.stereotype.Service;

import javax.annotation.Resource;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * redisson工具
 * 
 * @author sjp
 * @date 2019/1/16
 **/
@Service
public class RedissonTools {

	@Resource
	private RedissonClient	redissonClient;

	public <T> T get(String name) {
		RBucket<T> r = redissonClient.getBucket(name);
		return r.get();
	}

	public <T> void set(String name, T value) {
		RBucket<T> r = redissonClient.getBucket(name);
		r.setAsync(value);
	}

	public <T> T set(String name, T value, int expiredSeconds) {
		RBucket<T> r = redissonClient.getBucket(name);
		r.setAsync(value, expiredSeconds, TimeUnit.SECONDS);
		return r.get();
	}
}

import org.apache.commons.codec.digest.DigestUtils;

/**
 * Token生成器
 * 
 * @author sjp
 * @date 2019/2/25
 **/
public class TokenGenerate {

	/**
	 * 统一加密Key
	 */
	private static final String KEY = "LEMON_API";

	/**
	 * 生成token
	 *
	 * @param uid 用户的id
	 * @param sid 用户所在平台
	 * @return String token
	 */
	public static String getToken(Long uid, String sid) {
		String sb = uid + sid + System.currentTimeMillis() + KEY;
		return DigestUtils.md5Hex(sb).toUpperCase();
	}

}

有了以上的配置，我们就可以正常测试了，大家都知道Shiro的认证器可以多个，策略可以配置成：只要有一个通过即可。这样当用户首次登录的时候，我们希望他通过LoginRelam认证通过，在登录成功后，拿着服务器给的Token请求其他接口。StatelessRealm认证器就会通过认证放行。

为了确保用户的Token可以识别出用户身份，所以加密的时候选择将用户的UID加密进去，待下次请求使用同样的参数进行Md5对比，来确保用户信息安全。

三、心得

1、传统的Session如何做到绑定状态的？

通过JSESSIONID绑定当前登陆用户，如下图所示，浏览器的JsessionId对应着服务器内存中的某一个Session，而服务器的Session保存了代码中设置的信息，常用的 session.setAttribute("userInfo",userInfo) 设置用户的信息到Session中。如果清除掉JSESSIONID，则服务器认为该浏览器未登录，用户将会变为未登录状态。