关键词:
CAS 5.3.1系列之自定义Shiro认证策略(四)
CAS官方文档是介绍基于配置实现shiro认证的,可以参考官方文档,不过我们也可以通过自定义认证策略的方式实现jdbc认证,pom先加入相关jar
<!-- Custom Authentication -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-authentication-api</artifactId>
<version>$cas.version</version>
</dependency>
<!-- Custom Configuration -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-configuration-api</artifactId>
<version>$cas.version</version>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-generic</artifactId>
<version>$cas.version</version>
</dependency>
如果要用公网提供的基于配置实现的,需要加入:
<!-- Shiro Authentication -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-shiro-authentication</artifactId>
<version>$cas.version</version>
</dependency>
要自定义shiroRealm的,加入shiro相关jar:
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
实现一个Shiro Realm类,仅供参考:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.muses.jeeplatform.cas.user.model.User;
import org.muses.jeeplatform.cas.user.service.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.jdbc.core.BeanPropertyRowMapper;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
/**
* <pre>
*
* </pre>
*
* <pre>
* @author mazq
* 修改记录
* 修改后版本: 修改人: 修改日期: 2020/04/26 11:33 修改内容:
* </pre>
*/
public class ShiroAuthorizingRealm extends AuthorizingRealm
Logger LOG = LoggerFactory.getLogger(ShiroAuthorizingRealm.class);
/**注解引入业务类**/
//@Autowired
//UserService userService;
/**
* 登录信息和用户验证信息验证(non-Javadoc)
* @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(AuthenticationToken)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException
String username = (String)token.getPrincipal(); //得到用户名
String password = new String((char[])token.getCredentials()); //得到密码
LOG.info("Shiro doGetAuthenticationInfo>> username:,password:",username,password);
//User user = userService.findByUsername(username);
// JDBC模板依赖于连接池来获得数据的连接,所以必须先要构造连接池
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName("com.mysql.jdbc.Driver");
dataSource.setUrl("jdbc:mysql://192.168.0.152:33306/jeeplatform");
dataSource.setUsername("root");
dataSource.setPassword("minstone");
// 创建JDBC模板
JdbcTemplate jdbcTemplate = new JdbcTemplate();
jdbcTemplate.setDataSource(dataSource);
String sql = "SELECT * FROM sys_user WHERE username = ?";
User user = (User) jdbcTemplate.queryForObject(sql, new Object[]username, new BeanPropertyRowMapper(User.class));
Subject subject = getCurrentExecutingSubject();
//获取Shiro管理的Session
Session session = getShiroSession(subject);
//Shiro添加会话
session.setAttribute("username", username);
session.setAttribute(ShiroConsts.SESSION_USER, user);
/**检测是否有此用户 **/
if(user == null)
throw new UnknownAccountException();//没有找到账号异常
/**检验账号是否被锁定 **/
if(Boolean.TRUE.equals(user.getLocked()))
throw new LockedAccountException();//抛出账号锁定异常
/**AuthenticatingRealm使用CredentialsMatcher进行密码匹配**/
if(null != username && null != password)
return new SimpleAuthenticationInfo(username, password, getName());
else
return null;
/**
* 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用,负责在应用程序中决定用户的访问控制的方法(non-Javadoc)
* @see AuthorizingRealm#doGetAuthorizationInfo(PrincipalCollection)
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc)
String username = (String)pc.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
// authorizationInfo.setRoles(userService.getRoles(username));
// authorizationInfo.setStringPermissions(userService.getPermissions(username));
System.out.println("Shiro授权");
return authorizationInfo;
@Override
public void clearCachedAuthorizationInfo(PrincipalCollection principals)
super.clearCachedAuthorizationInfo(principals);
@Override
public void clearCachedAuthenticationInfo(PrincipalCollection principals)
super.clearCachedAuthenticationInfo(principals);
@Override
public void clearCache(PrincipalCollection principals)
super.clearCache(principals);
protected Subject getCurrentExecutingSubject()
return SecurityUtils.getSubject();
protected Session getShiroSession(Subject subject)
return subject.getSession();
自定义授权handler类实现AbstractUsernamePasswordAuthenticationHandler抽象类:
package org.muses.jeeplatform.cas.authentication.handler;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apereo.cas.authentication.*;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.services.ServicesManager;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import java.security.GeneralSecurityException;
/**
* <pre>
*
* </pre>
*
* <pre>
* @author mazq
* 修改记录
* 修改后版本: 修改人: 修改日期: 2020/04/26 11:03 修改内容:
* </pre>
*/
public class ShiroAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler
public ShiroAuthenticationHandler(String name, ServicesManager servicesManager, PrincipalFactory principalFactory, Integer order)
super(name, servicesManager, principalFactory, order);
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential credential, String originalPassword) throws GeneralSecurityException, PreventedException
try
UsernamePasswordToken token = new UsernamePasswordToken(credential.getUsername(), credential.getPassword());
if (credential instanceof RememberMeUsernamePasswordCredential)
token.setRememberMe(RememberMeUsernamePasswordCredential.class.cast(credential).isRememberMe());
Subject subject = getCurrentExecutingSubject();
subject.login(token);
//获取Shiro管理的Session
//Session session = getShiroSession(subject);
final String username = subject.getPrincipal().toString();
return createHandlerResult(credential, this.principalFactory.createPrincipal(username));
catch (final UnknownAccountException uae)
throw new AccountNotFoundException(uae.getMessage());
catch (final IncorrectCredentialsException ice)
throw new FailedLoginException(ice.getMessage());
catch (final LockedAccountException | ExcessiveAttemptsException lae)
throw new AccountLockedException(lae.getMessage());
catch (final ExpiredCredentialsException eae)
throw new CredentialExpiredException(eae.getMessage());
catch (final DisabledAccountException eae)
throw new AccountDisabledException(eae.getMessage());
catch (final AuthenticationException e)
throw new FailedLoginException(e.getMessage());
protected Subject getCurrentExecutingSubject()
return SecurityUtils.getSubject();
protected Session getShiroSession(Subject subject)
return subject.getSession();
@Override
public boolean supports(Credential credential)
return false;
同理实现一个Shiro配置类:
package org.muses.jeeplatform.cas.authentication.config;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.PrePostAuthenticationHandler;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.muses.jeeplatform.cas.authentication.handler.ShiroAuthenticationHandler;
import org.muses.jeeplatform.cas.authentication.handler.UsernamePasswordAuthenticationHandler;
import org.muses.jeeplatform.cas.authentication.shiro.ShiroAuthorizingRealm;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* <pre>
*
* </pre>
*
* <pre>
* @author mazq
* 修改记录
* 修改后版本: 修改人: 修改日期: 2020/04/26 16:35 修改内容:
* </pre>
*/
@Configuration("ShiroAuthenticationConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class ShiroAuthenticationConfiguration implements AuthenticationEventExecutionPlanConfigurer
@Autowired
private CasConfigurationProperties casProperties;
@Autowired
@Qualifier("servicesManager")
private ServicesManager servicesManager;
//@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager)
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
//拦截器.
Map<String,String> filterChainDefinitionMap = new LinkedHashMap<>();
// 配置不会被拦截的链接 顺序判断
filterChainDefinitionMap.put("/static/**", "anon");
filterChainDefinitionMap.put("/upload/**", "anon");
filterChainDefinitionMap.put("/plugins/**", "anon");
filterChainDefinitionMap.put("/code", "anon");
filterChainDefinitionMap.put("/login", "anon");
filterChainDefinitionMap.put("/logincheck", "anon");
filterChainDefinitionMap.put("/**", "authc");
shiroFilterFactoryBean.setLoginUrl("/login");
shiroFilterFactoryBean.setSuccessUrl("/index");
shiroFilterFactoryBean.setUnauthorizedUrl("/login");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
@Bean
public ShiroAuthorizingRealm shiroAuthorizingRealm()
ShiroAuthorizingRealm myShiroRealm = new ShiroAuthorizingRealm();
//myShiroRealm.setCachingEnabled(false);
//启用身份验证缓存,即缓存AuthenticationInfo信息,默认false
myShiroRealm.setAuthenticationCachingEnabled(false);
//启用授权缓存,即缓存AuthorizationInfo信息,默认false
myShiroRealm.setAuthorizationCachingEnabled(false);
return myShiroRealm;
@Bean
public SecurityManager securityManager()
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroAuthorizingRealm());
return securityManager;
/**
* Spring静态注入
* @return
*/
@Bean
public MethodInvokingFactoryBean getMethodInvokingFactoryBean()
MethodInvokingFactoryBean factoryBean = new MethodInvokingFactoryBean();
factoryBean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");
factoryBean.setArguments(new Object[]securityManager());
return factoryBean;
@Bean
public AuthenticationHandler myAuthenticationHandler()
return new ShiroAuthenticationHandler(ShiroAuthenticationHandler.class.getName(),
servicesManager, new DefaultPrincipalFactory(), 1);
@Override
public void configureAuthenticationExecutionPlan(AuthenticationEventExecutionPlan plan)
plan.registerAuthenticationHandler(myAuthenticationHandler());
在META-INF文件夹,新增一个命名为spring.factories的文件
org.springframework.boot.autoconfigure.EnableAutoConfiguration=org.muses.jeeplatform.cas.authentication.config.ShiroAuthenticationConfiguration
为什么要这样做?因为这样做才能将配置类加载到spring容器,详情需要跟下源码,可以参考我博客:SpringBoot源码学习系列之自动配置原理简介
代码例子参考:github下载链接
详情可以参考官方文档:https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html
优质参考博客:
https://www.cnblogs.com/jpeanut/tag/CAS/
https://blog.csdn.net/anumbrella/category_7765386.html
cas5.3.1系列之客户端对接(代码片段)
CAS5.3.1系列之客户端对接(五)我们要接入客户端可以常用第三方的库cas-client-autoconfig-support来对接,比较快捷,迅速实现,或者可以用cas-client-support-springboot集成到boot项目pom配置:<!--CAS依赖包--><dependency><groupId>net.... 查看详情
shiro之自定义realm之继承authorizingrealm(代码片段)
一.Realm基本架构为了快速上手,我们需要知道的是,Shiro将数据库中的数据,存放到Realm这种对象中。而Shiro提供的Realm体系较为复杂,一般我们为了使用Shiro的基本目的就是:认证、授权。所以,一般在真... 查看详情
关于shiro的认证策略
在ModularRealmAuthenticator认证器中,Shiro在认证过程中会调用认证策略,在认证器的是有策略成员变量的,所以我们可以自定的设置策略方式即可以在applicationContext.xml中在配置securityManager时引用认证器时,在认证器中配置... 查看详情
cas5.3.1系列之使用casoverlay搭建服务端(代码片段)
一、CAS服务端搭建1.1CAS支持Http登录配置CAS默认是要https的链接才能登录的,不过学习的话是可以先去掉https限制,本博客介绍的是基于Cas5.3.1的,之前改过4.0,4.2.7的,详情见https://blog.csdn.net/u014427391/category_72662... 查看详情
细说shiro之自定义filter
写在前面我们知道,shiro框架在JavaWeb应用中使用时,本质上是通过filter方式集成的。也就是说,它是遵循过滤器链规则的:filter的执行顺序与在web.xml中定义的顺序一致,如下所示:<filter><filter-name>securityFilter</filter-nam... 查看详情
spring集成shiro之自定义过滤器
在web.xml中加入<!--Shiro配置--><filter><filter-name>shiroFilter</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><init-par 查看详情
每天学点shiro-认证策略
1.认证策略(AuthenticationStrategy)主要分为三种, 1.1FirstSuccessfulStrategy:只要有一个成功则认证成功,返回第一个成功结果 1.2AtLeastOneSuccessfulStrategy: 只要有一个成功则认证成功,返回所有成功结果,默认的策略&nb... 查看详情
cas5.3.1系列之使用casoverlay搭建服务端(代码片段)
一、CAS服务端搭建1.1CAS支持Http登录配置CAS默认是要https的链接才能登录的,不过学习的话是可以先去掉https限制,本博客介绍的是基于Cas5.3.1的,之前改过4.0,4.2.7的,详情见https://blog.csdn.net/u014427391/category_7266258.htmlCAS5.3.1是基于S... 查看详情
springcloud系列之自定义gatewayfilterfactory(代码片段)
SpringCloud系列之自定义GatewayFilterFactory学习目的:知道创建一个网关sample知道网关的基本配置知道自定义GatewayFilterFactory类环境准备:JDK1.8SpringBoot2.2.3SpringCloud(Hoxton.SR7)Maven3.2+开发工具IntelliJIDEAsmartGit新增SpringBootInitializer项目:N 查看详情
shiro教程-基于url权限管理
shiro教程系列shiro教程(2)shiro教程(3)shiro教程(4)一、权限管理1.1 什么是权限管理基本上涉及到用户参与的系统都要进行权限管理,权限管理属于系统安全的范畴,权限管理实现对用户访问系统的控制,按照安全规则或... 查看详情
springboot整合springsecurity之自定义认证(代码片段)
一自定义认证页面1.1说明1.如果用户没有自定义登录页面,springsecurity默认会启动自身内部的登录页面,尽管自动生成的登录页面很方便快速启动和运行,但大多数应用程序都希望定义自己的登录页面。1.2自定义登录... 查看详情
(转)shiro多realm验证和认证策略(代码片段)
...算法,而Oracle使用SHA1加密算法。这就需要有多个Realm以及认证策略的问题。 通过查看源码可以看到 ModularRealmAuthenticator.class中的 doAuthenticateprotectedAuthe 查看详情
一篇适合小白的shiro教程(代码片段)
...tPrincipalcredential认证的实现Shiro认证的源码分析Shiro使用自定义Relam实现认证CustomerRealmCustomerRealmAuthenticatorTest测试Shiro的加密和随机盐Shiro中密码的加密策略Shiro中的加密方式Shiro中自定义加密RealmCustomerMD5RealmCustomerMD5AuthenticatorTest测... 查看详情
saltstack学习系列之自定义grains
Master端打开存放自定义grains的目录vim/etc/salt/masterfile_roots:base:-/srv/salt/建立自定义模块cd/srv/saltmkdir_grainscd_grains编写自定义grainscatdisk.pyimportosdefdisk():grains={}disk=os.popen(‘fdisk-l|grep‘Disk‘|grep-v‘ 查看详情
springboot系列之自定义枚举类的数据校验注解
SpringBoot系列之自定义枚举类的数据校验注解业务场景:数据校验,需要对枚举类型的数据传参,进行数据校验,不能随便传参。拓展,支持多个参数的枚举数据校验在网上找到很多参考资料,所以本博客基于这些博客进行拓展... 查看详情
shiro系列之shiro+mysql实现用户认证(authentication)(代码片段)
网上大多数介绍ApacheShiro的资料都是使用ini文件的简单配置为例,很少用讲到如何配合数据库来实现用户认证的。我也是刚刚开始接触Shiro,在这里介绍一个入门级别的Shiro+Mysql的配置方法,这个方法仅仅是个开始&#... 查看详情
shiro自定义密码匹配认证
项目集成shiro的时候,有写某个自定义类然后继承自AuthorizingRealm并且重写实现了他的2个方法:1、其中一个:认证回调验证账户密码的doGetAuthenticationInfo2、另外一个:授权查询验证权限的doGetAuthorizationInfook,上面没什么用,只是... 查看详情
springboot技术专题「实战开发系列」带你一同探索shiro整合jwt授权和认证实战开发(代码片段)
本章介绍一下常用的认证框架Shiro结合springboot以及集合jwt快速带您开发完成一个认证框架机制。Maven配置依赖<dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.3.2 查看详情