User authentication and authorization with a separated front end and back end (4): back-end authentication and authorization based on Shiro #5

ZhuXS opened this issue Oct 16, 2017 · 0 comments

Every request that reaches the back-end server must be authenticated and authorized:

  • Authentication: is the current user logged in, and is it a legitimate user of the system?
  • Authorization: does the current user have the permission required to call the requested endpoint?

A user logging in to the system is first authenticated and then granted authorizations:

  • Verify the identity using the username and password the user submitted
  • Look up the Roles and Permissions that belong to this user and assign them to the current user
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.session.Session;
    import org.apache.shiro.subject.PrincipalCollection;

    public class MyRealm extends AuthorizingRealm {

        // Injected DAO; User, UserDto, RoleDto, PermissionDto and convertToDto() are the project's own types and helpers
        private UserDao userDao;

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            // Get the current user (stored in the session during authentication)
            UserDto user = (UserDto) SecurityUtils.getSubject().getSession().getAttribute("user");

            // Put the principals in the session: key = userId, value = principals
            SecurityUtils.getSubject().getSession().setAttribute(String.valueOf(user.getId()), SecurityUtils.getSubject().getPrincipals());

            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Grant roles
            for (RoleDto role : user.getRoles()) {
                info.addRole(role.getName());
            }
            // Grant permissions
            for (PermissionDto permission : user.getPermissions()) {
                info.addStringPermission(permission.getName());
            }
            return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
            String userName = token.getUsername();
            User user = userDao.findUserByUsername(userName);
            if (user == null) {
                throw new UnknownAccountException();
            }
            // Convert only after the null check, otherwise an unknown username would cause a NullPointerException
            UserDto userDto = convertToDto(user);
            // Keep the user in the session so doGetAuthorizationInfo can read it.
            // Note: this runs before Shiro's CredentialsMatcher compares the password,
            // so the attribute is set even if the password turns out to be wrong.
            Session session = SecurityUtils.getSubject().getSession();
            session.setAttribute("user", userDto);
            return new SimpleAuthenticationInfo(
                    userName,           // principal
                    user.getPassword(), // stored credential, compared by the realm's CredentialsMatcher
                    getName()           // realm name
            );
        }
    }
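The realm above hands `user.getPassword()` to Shiro as the stored credential, and Shiro's default `SimpleCredentialsMatcher` compares it with the submitted password by plain equality, which only works when the database holds plaintext passwords. The following is an added example, not code from the original post or its project, showing the same `doGetAuthenticationInfo` contract with a salted, iterated SHA-256 hash verified by Shiro's `HashedCredentialsMatcher`. It also resolves the user for authorization from the principal Shiro passes in instead of from a session attribute. `UserDao`, the `User` entity with `getUsername()`, `getPasswordHash()`, `getSalt()`, `getRoles()`, `getPermissions()`, and the `Role` and `Permission` entity types are assumptions.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Added example realm; the entity/DAO types it uses are assumptions, not the project's own
public class HashedPasswordRealm extends AuthorizingRealm {

    private static final int ITERATIONS = 1024;

    private final UserDao userDao; // assumed DAO, same role as userDao on the page

    public HashedPasswordRealm(UserDao userDao) {
        this.userDao = userDao;
        // The matcher re-hashes the submitted password with the salt and iteration
        // count from the AuthenticationInfo and compares it with the stored hex hash
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    // Used at registration or password change: returns {hexHash, hexSalt} to persist
    public static String[] hashForStorage(String plaintext) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hash = new Sha256Hash(plaintext, salt, ITERATIONS).toHex();
        return new String[] { hash, salt.toHex() };
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        User user = userDao.findUserByUsername(token.getUsername());
        if (user == null) {
            throw new UnknownAccountException();
        }
        // Nothing is written to the session here: the password has not been verified yet
        return new SimpleAuthenticationInfo(
                user.getUsername(),                              // principal
                user.getPasswordHash(),                          // stored hex hash
                ByteSource.Util.bytes(Hex.decode(user.getSalt())), // per-user salt
                getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Resolve the user from the principal Shiro supplies, not from a session
        // attribute, so the authorization cache and the session cannot disagree
        String userName = (String) principals.getPrimaryPrincipal();
        User user = userDao.findUserByUsername(userName);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user != null) {
            for (Role role : user.getRoles()) {
                info.addRole(role.getName());
            }
            for (Permission permission : user.getPermissions()) {
                info.addStringPermission(permission.getName());
            }
        }
        return info;
    }
}
```

Because the salt and iteration count travel with the `SimpleAuthenticationInfo`, changing `ITERATIONS` later only affects newly stored hashes if the iteration count is also persisted per user; for a single fixed value, as here, all stored hashes must be created with the same count.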

The server must configure a filter chain that performs authentication and authorization and restricts user access, redirects and so on:

  • Where to redirect when authentication fails and when authorization fails
  • Which endpoints require which permissions and roles
    import java.util.LinkedHashMap;
    import java.util.Map;
    import javax.servlet.Filter;
    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.apache.shiro.web.filter.authc.LogoutFilter;
    import org.springframework.context.annotation.Bean;

    // Inside the @Configuration class that also defines the securityManager() bean
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager());

        // Custom filter instances. The logout filter must be registered under the name
        // used in the chain definitions ("logout"); otherwise Shiro's default instance
        // is used and the redirect URL configured here is ignored
        Map<String, Filter> filters = new LinkedHashMap<String, Filter>();
        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setRedirectUrl("/login");
        filters.put("logout", logoutFilter);
        shiroFilterFactoryBean.setFilters(filters);
        // Where the authc filter sends requests that are not authenticated
        shiroFilterFactoryBean.setLoginUrl("/notAuthc");

        // Chain definitions are matched in insertion order: the first matching pattern wins
        Map<String, String> filterChainDefinitionManager = new LinkedHashMap<String, String>();
        filterChainDefinitionManager.put("/logout", "logout");
        filterChainDefinitionManager.put("/userInfo", "authc");
        filterChainDefinitionManager.put("/jobs/**", "perms[WORDCOUNT:CREATE]");
        filterChainDefinitionManager.put("/admin/**", "roles[Admin]");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager);

        shiroFilterFactoryBean.setSuccessUrl("/");
        // Where the perms/roles filters send authenticated but unauthorized requests
        shiroFilterFactoryBean.setUnauthorizedUrl("/notAuthz");
        return shiroFilterFactoryBean;
    }
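Shiro resolves the chain for a request by walking the definition map in insertion order and taking the first pattern that matches, and any path that matches no pattern gets no filter at all, so with the map above every endpoint that is not listed is reachable without a login. The following is an added example, not code from the original post, that keeps the page's rules and adds the public entries the chain itself needs (`/login` is an assumed name for the login endpoint) plus a catch-all `/**` default-deny rule at the end. `resolve()` mirrors Shiro's first-match resolution using Shiro's own `AntPathMatcher` so the effect of the ordering can be checked without starting the application.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

// Added example; /login is an assumed endpoint name, the other paths come from the post
public final class FilterChainPolicy {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    private FilterChainPolicy() {}

    public static Map<String, String> definitions() {
        Map<String, String> chain = new LinkedHashMap<>();
        // Public entries first: the login endpoint and the two redirect targets must be
        // reachable without a session, otherwise the authc redirect loops back on itself
        chain.put("/login", "anon");
        chain.put("/notAuthc", "anon");
        chain.put("/notAuthz", "anon");
        chain.put("/logout", "logout");
        // Rules from the original configuration
        chain.put("/userInfo", "authc");
        chain.put("/jobs/**", "perms[WORDCOUNT:CREATE]");
        chain.put("/admin/**", "roles[Admin]");
        // Default deny: everything not matched above requires a login.
        // Without this line unlisted endpoints have no filter and are effectively anonymous.
        chain.put("/**", "authc");
        return chain;
    }

    // First matching pattern wins, exactly as Shiro's PathMatchingFilterChainResolver does
    public static String resolve(String requestPath) {
        for (Map.Entry<String, String> entry : definitions().entrySet()) {
            if (MATCHER.matches(entry.getKey(), requestPath)) {
                return entry.getValue();
            }
        }
        return null; // unreachable while the "/**" entry is present
    }

    public static void main(String[] args) {
        // resolve("/jobs/42") -> "perms[WORDCOUNT:CREATE]"; resolve("/reports") -> "authc"
        System.out.println(resolve("/jobs/42"));
        System.out.println(resolve("/reports"));
        System.out.println(resolve("/login"));
    }
}
```

If `/**` were placed first, every request including `/login` would hit `authc` and the more specific rules would never be reached; the order of `put()` calls is part of the access policy, which is why the page uses a `LinkedHashMap`.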

The complete process of a user calling a back-end endpoint:

  • Login request
  • Authentication
  • Authorization (roles and permissions are granted)
  • Call an endpoint
  • Authentication and authorization checks
    • On success, the call is allowed
    • On failure, the request is redirected to the corresponding URL
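The flow above, as an added example that is not part of the original post: a login endpoint whose `subject.login()` call is what triggers the realm's `doGetAuthenticationInfo`, and the two endpoints the filter chain redirects to (`/notAuthc` from `setLoginUrl`, `/notAuthz` from `setUnauthorizedUrl`). Since the front end is separate, those targets return JSON with 401/403 status codes rather than HTML pages. The controller class name, the `LoginRequest` body shape and the `/login` path are assumptions.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example controller; names and request shape are assumptions
@RestController
public class AuthController {

    // Assumed JSON body: {"username": "...", "password": "..."}
    public static class LoginRequest {
        public String username;
        public String password;
    }

    // Step 1-3: the login request. subject.login() runs the realm's
    // doGetAuthenticationInfo and the CredentialsMatcher; roles and permissions
    // are loaded lazily by doGetAuthorizationInfo on the first perms/roles check.
    @PostMapping("/login")
    public ResponseEntity<Map<String, String>> login(@RequestBody LoginRequest req) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(req.username, req.password);
        try {
            subject.login(token);
            return ResponseEntity.ok(Collections.singletonMap("status", "ok"));
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Same response for both so the reply does not reveal whether the account exists
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Collections.singletonMap("error", "invalid credentials"));
        } catch (LockedAccountException e) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .body(Collections.singletonMap("error", "account locked"));
        } catch (AuthenticationException e) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Collections.singletonMap("error", "authentication failed"));
        }
    }

    // Step 5, authentication failed: target of setLoginUrl("/notAuthc").
    // The authc filter redirects here with GET; answer 401 JSON so the front end can show its login view.
    @GetMapping("/notAuthc")
    public ResponseEntity<Map<String, String>> notAuthenticated() {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                .body(Collections.singletonMap("error", "not authenticated"));
    }

    // Step 5, authorization failed: target of setUnauthorizedUrl("/notAuthz").
    // The perms[...] and roles[...] filters redirect authenticated but unauthorized requests here.
    @GetMapping("/notAuthz")
    public ResponseEntity<Map<String, String>> notAuthorized() {
        return ResponseEntity.status(HttpStatus.FORBIDDEN)
                .body(Collections.singletonMap("error", "not authorized"));
    }

    // Step 4, a protected endpoint (mapped to "authc" in the chain): only reached once the filter passes
    @GetMapping("/userInfo")
    public Map<String, Object> userInfo() {
        Subject subject = SecurityUtils.getSubject();
        return Collections.singletonMap("principal", subject.getPrincipal());
    }
}
```

The `/login`, `/notAuthc` and `/notAuthz` paths must be mapped to `anon` in the filter chain, otherwise the `authc` filter intercepts the login request itself and the redirect targets, and the flow never reaches the realm.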