Shiro权限框架深度解析
Apache Shiro 是 Java 领域最经典的安全框架之一,本文档深入剖析 Shiro 的认证、授权、Session管理、加密机制,以及与Spring Boot的深度集成方案。
一、Shiro核心概念
1.1 三大核心组件
Apache Shiro
Subject 主体
SecurityManager 安全管理器
Realm 域
当前用户身份信息
登录/登出操作
权限检查
认证器 Authenticator
授权器 Authorizer
会话管理器 SessionManager
加密组件 CryptoSupport
JdbcRealm 数据库认证
IniRealm INI配置认证
TextConfigurationRealm
自定义Realm
1.2 Shiro架构图
Subject
+login(AuthenticationToken)
+logout()
+hasRole(String)
+isPermitted(String)
+getPrincipal()
SecurityManager
+authenticate(AuthenticationToken)
+authorize(PrincipalCollection)
+getSession()
Authenticator
+authenticate(AuthenticationToken)
Authorizer
+checkRole(PrincipalCollection, String)
+checkPermission(PrincipalCollection, String)
+hasRole(PrincipalCollection, String)
+isPermitted(PrincipalCollection, String)
SessionManager
+getSession()
+createSession()
Realm
+getAuthenticationInfo(AuthenticationToken)
+getAuthorizationInfo(PrincipalCollection)
SubjectAdapter
+SecurityManager securityManager
1.3 Shiro 与 Spring Security 对比
| 特性 | Shiro | Spring Security |
|---|---|---|
| 学习曲线 | 平缓 | 陡峭 |
| 文档完整性 | 一般 | 完善 |
| 社区活跃度 | 一般 | 活跃 |
| OAuth2支持 | 需要扩展 | 原生支持 |
| Session管理 | 自带 | 需Spring Session |
| 缓存支持 | Shiro-Cache | Spring Cache |
| 过滤器链 | 简单 | 复杂但强大 |
| 适用场景 | 中小型项目 | 企业级项目 |
二、认证流程深度解析
2.1 认证流程图
Realm Authenticator SecurityManager Subject 客户端 Realm Authenticator SecurityManager Subject 客户端 alt [认证成功] [认证失败] login(username, password) authenticate(token) authenticate(token) getAuthenticationInfo(token) SimpleAuthenticationInfo AuthenticationInfo 认证成功,存储SubjectContext 创建Session 抛出AuthenticationException 异常穿透 抛出AuthenticationException 认证失败
2.2 认证核心接口
java
// org.apache.shiro.authc.AuthenticationToken
public interface AuthenticationToken extends Serializable {
/**
* 获取主体(用户名)
*/
PrincipalCollection getPrincipal();
/**
* 获取凭证(密码)
*/
Object getCredentials();
}
java
// org.apache.shiro.authc.AuthenticationInfo
public interface AuthenticationInfo extends Serializable {
/**
* 获取主身份集合
*/
PrincipalCollection getPrincipals();
/**
* 获取凭证(已加密)
*/
Object getCredentials();
/**
* 凭证是否匹配
*/
default boolean isCredentialsMatch(AuthenticationToken token) {
return getCredentials.equals(token.getCredentials());
}
}2.3 UsernamePasswordToken
java
// org.apache.shiro.authc.UsernamePasswordToken
public class UsernamePasswordToken implements HostAuthenticationToken {
private String username;
private char[] password;
private boolean rememberMe;
private String host;
public UsernamePasswordToken(String username, char[] password) {
this(username, password, false, null);
}
public UsernamePasswordToken(String username, String password,
boolean rememberMe, String host) {
this.username = username;
this.password = password != null ? password.toCharArray() : null;
this.rememberMe = rememberMe;
this.host = host;
}
// getters and setters
}2.4 认证流程源码解析
java
// org.apache.shiro.mgt.ExecutingSecurityManager
public interface Authenticator {
/**
* 执行认证
* @param token 认证令牌
* @return 认证信息
* @throws AuthenticationException 认证异常
*/
AuthenticationInfo authenticate(AuthenticationToken token)
throws AuthenticationException;
/**
* 是否支持该Token类型
*/
boolean supports(AuthenticationToken token);
}
java
// org.apache.shiro.mgt.ModularRealmAuthenticator 核心实现
public class ModularRealmAuthenticator extends AbstractAuthenticator {
private Collection<Realm> realms;
private AuthenticationStrategy authenticationStrategy;
@Override
protected AuthenticationInfo doAuthenticate(
AuthenticationToken token) throws AuthenticationException {
// 1. 确保只有一个Realm被调用(单Realm场景)
Collection<Realm> realms = getRealms();
if (realms.size() == 1) {
return doSingleRealmAuthenticate(token, realms.iterator().next());
}
// 2. 多Realm场景
return doMultiRealmAuthenticate(token, realms);
}
private AuthenticationInfo doSingleRealmAuthenticate(
AuthenticationToken token, Realm realm) {
if (!realm.supports(token)) {
throw new UnsupportedTokenException(
"Realm [" + realm + "] does not support authentication token [" +
token + "]");
}
// 调用Realm获取认证信息
AuthenticationInfo info = realm.getAuthenticationInfo(token);
return info;
}
private AuthenticationInfo doMultiRealmAuthenticate(
AuthenticationToken token, Collection<Realm> realms) {
AuthenticationStrategy strategy = getAuthenticationStrategy();
// 使用策略进行多Realm认证
AuthenticationInfo aggregate = strategy.beforeAllAttempts(
realms, token);
for (Realm realm : realms) {
aggregate = strategy.beforeAttempt(realm, token, aggregate);
if (realm.supports(token)) {
AuthenticationInfo info = realm.getAuthenticationInfo(token);
aggregate = strategy.afterAttempt(realm, token, info, aggregate);
}
}
return strategy.afterAllAttempts(token, aggregate);
}
}三、授权流程深度解析
3.1 授权核心接口
java
// org.apache.shiro.authz.Authorizer
public interface Authorizer {
/**
* 检查是否拥有指定角色
*/
boolean hasRole(PrincipalCollection principals, String roleIdentifier);
/**
* 检查是否拥有所有指定角色
*/
boolean hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers);
/**
* 检查是否拥有指定权限
*/
boolean isPermitted(PrincipalCollection principals, String permission);
/**
* 检查是否拥有所有指定权限
*/
boolean isPermittedAll(PrincipalCollection principals, String... permissions);
/**
* 权限检查,若无权限则抛出异常
*/
void checkPermission(PrincipalCollection principals, String permission)
throws AuthorizationException;
/**
* 角色检查,若无角色则抛出异常
*/
void checkRole(PrincipalCollection principals, String roleIdentifier)
throws AuthorizationException;
}3.2 授权流程图
权限缓存 Realm Authorizer SecurityManager Subject 权限缓存 Realm Authorizer SecurityManager Subject alt [缓存命中] [缓存未命中] hasRole/isPermitted 权限检查 获取AuthorizationInfo 直接返回权限 查询数据库 存入缓存 返回权限 true/false
3.3 ModularRealmAuthorizer 源码解析
java
// org.apache.shiro.mgt.ModularRealmAuthorizer
public class ModularRealmAuthorizer implements Authorizer,
ConfigurableSecurityManager {
private Collection<Realm> realms;
@Override
public boolean hasRole(PrincipalCollection principals, String role) {
assertRealmsConfigured();
for (Realm realm : realms) {
if (!(realm instanceof Authorizer)) {
continue;
}
Authorizer authorizer = (Authorizer) realm;
if (authorizer.hasRole(principals, role)) {
return true;
}
}
return false;
}
@Override
public boolean isPermitted(PrincipalCollection principals, String permission) {
assertRealmsConfigured();
for (Realm realm : realms) {
if (!(realm instanceof Authorizer)) {
continue;
}
Authorizer authorizer = (Authorizer) realm;
if (authorizer.isPermitted(principals, permission)) {
return true;
}
}
return false;
}
}四、Realm体系深度解析
4.1 Realm接口定义
java
// org.apache.shiro.realm.Realm
public interface Realm {
/**
* Realm的唯一标识
*/
String getName();
/**
* 是否支持该认证Token
*/
boolean supports(AuthenticationToken token);
/**
* 获取认证信息(密码验证)
*/
AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
throws AuthenticationException;
}
java
// org.apache.shiro.realm.AuthorizingRealm
public abstract class AuthorizingRealm extends AuthenticatingRealm
implements Authorizer {
/**
* 获取授权信息(角色和权限)
*/
protected abstract AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals);
/**
* 密码匹配器
*/
private CredentialsMatcher credentialsMatcher;
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
// 子类实现,从数据源获取认证信息
return null;
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
// 子类实现,从数据源获取授权信息
return null;
}
}4.2 自定义Realm实现
java
// 自定义用户Realm
public class CustomRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Autowired
private RoleService roleService;
@Autowired
private PermissionService permissionService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
// 1. 获取登录用户名
String username = principals.getPrimaryPrincipal().toString();
// 2. 查询用户信息
User user = userService.findByUsername(username);
if (user == null) {
throw new UnknownAccountException("User not found: " + username);
}
// 3. 查询角色和权限
Set<String> roles = roleService.findRoleNamesByUserId(user.getId());
Set<String> permissions = permissionService.findPermissionsByUserId(user.getId());
// 4. 构建AuthorizationInfo
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setRoles(roles);
info.setStringPermissions(permissions);
return info;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
// 1. 查询用户
User user = userService.findByUsername(upToken.getUsername());
if (user == null) {
throw new UnknownAccountException("User not found");
}
// 2. 检查账户状态
if (user.isLocked()) {
throw new LockedAccountException("Account is locked");
}
if (!user.isEnabled()) {
throw new DisabledAccountException("Account is disabled");
}
// 3. 返回认证信息(包含加密密码)
return new SimpleAuthenticationInfo(
user.getUsername(),
user.getPassword(),
ByteSource.Util.bytes(user.getSalt()),
getName()
);
}
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof UsernamePasswordToken;
}
}4.3 JdbcRealm数据库认证
java
// JdbcRealm配置示例
public class JdbcRealmConfig {
@Bean
public JdbcRealm jdbcRealm(DataSource dataSource) {
JdbcRealm realm = new JdbcRealm();
realm.setDataSource(dataSource);
realm.setPermissionsLookupEnabled(true);
// 认证查询
realm.setAuthenticationQuery(
"SELECT password, salt FROM sys_user WHERE username = ? AND enabled = 1");
// 角色查询
realm.setUserRolesQuery(
"SELECT r.role_name FROM sys_role r " +
"INNER JOIN sys_user_role ur ON r.id = ur.role_id " +
"INNER JOIN sys_user u ON u.id = ur.user_id " +
"WHERE u.username = ?");
// 权限查询
realm.setPermissionsQuery(
"SELECT p.permission FROM sys_permission p " +
"INNER JOIN sys_role_permission rp ON p.id = rp.permission_id " +
"INNER JOIN sys_role r ON r.id = rp.role_id " +
"INNER JOIN sys_user_role ur ON r.id = ur.role_id " +
"INNER JOIN sys_user u ON u.id = ur.user_id " +
"WHERE u.username = ?");
return realm;
}
}4.4 IniRealm配置认证
ini
[users]
# 用户名=密码,角色1,角色2
admin=admin123,admin,user
user1=user123,user
guest=guest123,guest
[roles]
# 角色名=权限1,权限2
admin=system:*,user:*,role:*
user=user:view,user:edit
guest=guest:view
[urls]
# URL路径=角色
/admin/**=authc,admin
/user/**=authc,user
/guest/**=authc
/public/**=anon五、权限标识WildcardPermission
5.1 权限格式
Shiro使用WildcardPermission支持通配符权限:
resource:action:instance| 示例 | 说明 |
|---|---|
| user:view | view权限,作用于所有user实例 |
| user:view:1 | view权限,作用于id=1的user |
| user:*:1 | 所有权限,作用于id=1的user |
| system:* | system模块的所有权限 |
| : | 全局所有权限 |
5.2 权限匹配规则
java
@Test
public void testWildcardPermission() {
// 精确匹配
Permission p1 = new WildcardPermission("user:view:1");
assertTrue(p1.implies(new WildcardPermission("user:view:1")));
// 通配符匹配
Permission p2 = new WildcardPermission("user:view:*");
assertTrue(p2.implies(new WildcardPermission("user:view:1")));
assertTrue(p2.implies(new WildcardPermission("user:view:2")));
// 角色权限验证
Permission adminPermission = new WildcardPermission("system:user:*,role:*");
// 验证:用户管理权限
assertTrue(adminPermission.implies(
new WildcardPermission("system:user:create")));
assertTrue(adminPermission.implies(
new WildcardPermission("system:user:delete:5")));
// 验证:角色管理权限
assertTrue(adminPermission.implies(
new WildcardPermission("system:role:assign")));
// 验证:不匹配的权限
assertFalse(adminPermission.implies(
new WildcardPermission("system:config:update")));
}5.3 多级权限配置
java
@Configuration
public class ShiroConfig {
@Bean
public Realm customRealm() {
CustomRealm realm = new CustomRealm();
// 设置权限匹配器
realm.setPermissionResolver(new WildcardPermissionResolver());
// 设置角色匹配器
realm.setRolePermissionResolver(new ChainablePermissionResolver(
new WildcardPermissionResolver(),
new SimplePermissionResolver()));
// 启用缓存
realm.setCachingEnabled(true);
realm.setAuthorizationCachingEnabled(true);
return realm;
}
}六、Session管理
6.1 Session接口
java
// org.apache.shiro.session.Session
public interface Session {
/**
* 获取会话ID
*/
Serializable getId();
/**
* 获取会话开始时间
*/
Date getStartTimestamp();
/**
* 获取最后访问时间
*/
Date getLastAccessTime();
/**
* 超时时间(毫秒)
*/
long getTimeout();
/**
* 设置超时时间
*/
void setTimeout(long maxIdleTimeInMillis);
/**
* 停止会话
*/
void stop();
/**
* 获取属性
*/
Object getAttribute(Object key);
/**
* 设置属性
*/
void setAttribute(Object key, Object value);
/**
* 删除属性
*/
Object removeAttribute(Object key);
}6.2 SessionManager体系
<<interface>>
SessionManager
+start()
+getSession()
<<abstract>>
ValidatingSessionManager
+start()
+getSession()
ServletContainerSessionManager
// 使用Servlet容器的Session
DefaultSessionManager
// 默认的Session管理
EnterpriseCacheSessionManager
// 企业缓存Session管理
6.3 Shiro与Spring Session集成
java
@Configuration
public class ShiroSessionConfig {
@Autowired
private RedisConnectionFactory connectionFactory;
@Bean
public SessionDAO sessionDAO() {
// RedisSessionDAO使用Redis存储Session
RedisSessionDAO sessionDAO = new RedisSessionDAO();
sessionDAO.setRedisManager(redisManager());
sessionDAO.setSessionIdGenerator(new JavaUuidSessionIdGenerator());
// 设置过期时间
sessionDAO.setExpireSeconds(1800); // 30分钟
return sessionDAO;
}
@Bean
public RedisManager redisManager() {
RedisManager manager = new RedisManager();
manager.setHost("localhost:6379");
manager.setTimeout(3000);
manager.setPassword("redis-password");
return manager;
}
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionDAO(sessionDAO());
// Session验证间隔
sessionManager.setSessionValidationScheduler(
new ExecutorServiceSessionValidationScheduler(sessionManager));
sessionManager.setSessionValidationInterval(3600000); // 1小时
// 全局Session超时
sessionManager.setGlobalSessionTimeout(1800000); // 30分钟
// 删除无效Session
sessionManager.setDeleteInvalidSessions(true);
return sessionManager;
}
}七、加密机制
7.1 Hash算法
java
// 常用Hash加密
@Test
public void testHashAlgorithm() {
String password = "admin123";
String salt = "random-salt";
// MD5加密(已不推荐)
Md5Hash md5Hash = new Md5Hash(password, salt, 2);
System.out.println("MD5: " + md5Hash.toHex());
// SHA-256加密
Sha256Hash sha256Hash = new Sha256Hash(password, salt, 1024);
System.out.println("SHA-256: " + sha256Hash.toHex());
// SHA-512加密
Sha512Hash sha512Hash = new Sha512Hash(password, salt, 4096);
System.out.println("SHA-512: " + sha512Hash.toHex());
// 通用Hash请求
Hash hash = new SimpleHash("SHA-256", password, salt, 1024);
System.out.println("Generic: " + hash.toHex());
}7.2 密码加密服务
java
@Service
public class PasswordHashService {
private final HashService hashService;
@PostConstruct
public void init() {
// 配置Hash服务
DefaultHashService hashService = new DefaultHashService();
hashService.setHashAlgorithmName("SHA-256");
hashService.setPrivateSalt(Bytes.random(16)); // 私盐
hashService.setGeneratePublicSalt(true); // 生成公盐
hashService.setHashIterations(1024);
this.hashService = hashService;
}
/**
* 加密密码
*/
public String hashPassword(String plaintext) {
HashRequest request = new HashRequest.Builder()
.setSource(plaintext)
.build();
return hashService.computeHash(request).toHex();
}
/**
* 验证密码
*/
public boolean verifyPassword(String plaintext, String hashed) {
HashRequest request = new HashRequest.Builder()
.setSource(plaintext)
.setHash(hashed)
.build();
HashResponse response = hashService.computeHash(request);
return response.isHashValid();
}
}7.3 CredentialsMatcher
java
// 自定义凭证匹配器
public class CustomCredentialsMatcher extends HashMatcher {
public CustomCredentialsMatcher() {
super();
}
@Override
public boolean doCredentialsMatch(AuthenticationToken token,
AuthenticationInfo info) {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
SimpleAuthenticationInfo simpleInfo = (SimpleAuthenticationInfo) info;
// 1. 获取提交的密码
String submittedPassword = new String(upToken.getPassword());
// 2. 获取存储的密码
String storedPassword = simpleInfo.getCredentials().toString();
// 3. 使用BCrypt验证
return BCrypt.checkpw(submittedPassword, storedPassword);
}
}八、Spring Boot集成
8.1 依赖配置
xml
<!-- pom.xml -->
<dependencies>
<!-- Shiro核心 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.13.0</version>
</dependency>
<!-- Shiro Spring集成 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.13.0</version>
</dependency>
<!-- Shiro Web支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.13.0</version>
</dependency>
<!-- Shiro Cache -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cache</artifactId>
<version>1.13.0</version>
</dependency>
<!-- Shiro Session Redis -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-redis</artifactId>
<version>4.5.3</version>
</dependency>
<!-- ehcache缓存 -->
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
<version>2.6.11</version>
</dependency>
</dependencies>8.2 ShiroConfig配置类
java
@Configuration
public class ShiroConfig {
@Bean
public SecurityManager securityManager(
Realm customRealm,
SessionManager sessionManager,
CacheManager cacheManager) {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(customRealm);
manager.setSessionManager(sessionManager);
manager.setCacheManager(cacheManager);
// 设置SubjectDAO
SubjectDAO subjectDAO = new DefaultSubjectDAO();
subjectDAO.setSessionStorageEvaluator(sessionStorageEvaluator());
manager.setSubjectDAO(subjectDAO);
return manager;
}
@Bean
public DefaultWebSessionStorageEvaluator sessionStorageEvaluator() {
DefaultWebSessionStorageEvaluator evaluator =
new DefaultWebSessionStorageEvaluator();
evaluator.setSessionStorageEnabled(false); // 禁用Session存储
return evaluator;
}
@Bean
public Realm customRealm(CredentialsMatcher credentialsMatcher) {
CustomRealm realm = new CustomRealm();
realm.setName("customRealm");
realm.setCachingEnabled(true);
realm.setAuthorizationCachingEnabled(true);
realm.setCredentialsMatcher(credentialsMatcher);
return realm;
}
@Bean
public CredentialsMatcher credentialsMatcher() {
// 使用Hash凭证匹配器
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
matcher.setHashAlgorithmName("SHA-256");
matcher.setHashIterations(1024);
matcher.setStoredCredentialsHexEncoded(false);
return matcher;
}
}8.3 ShiroFilter配置
java
@Configuration
public class ShiroFilterConfig {
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition definition =
new DefaultShiroFilterChainDefinition();
// 匿名访问路径
definition.addPathDefinition("/public/**", "anon");
definition.addPathDefinition("/login", "anon");
definition.addPathDefinition("/api/auth/**", "anon");
// 需要认证的路径
definition.addPathDefinition("/user/**", "authc");
definition.addPathDefinition("/admin/**", "authc,roles[admin]");
// 登出
definition.addPathDefinition("/logout", "logout");
// 默认跳转
definition.addPathDefinition("/**", "authc");
return definition;
}
}8.4 Controller登录实现
java
@RestController
@RequestMapping("/auth")
public class AuthController {
@Autowired
private SecurityManager securityManager;
@PostMapping("/login")
public Result login(@RequestBody LoginRequest request) {
// 1. 创建Token
UsernamePasswordToken token = new UsernamePasswordToken(
request.getUsername(),
request.getPassword().toCharArray()
);
token.setRememberMe(request.isRememberMe());
token.setHost(request.getIp());
// 2. 获取Subject
Subject subject = SecurityUtils.getSubject();
try {
// 3. 执行登录
subject.login(token);
// 4. 返回结果
return Result.success(Map.of(
"username", subject.getPrincipal(),
"sessionId", subject.getSession().getId()
));
} catch (UnknownAccountException e) {
return Result.fail("用户名不存在");
} catch (IncorrectCredentialsException e) {
return Result.fail("密码错误");
} catch (LockedAccountException e) {
return Result.fail("账户已被锁定");
} catch (AuthenticationException e) {
return Result.fail("认证失败: " + e.getMessage());
}
}
@PostMapping("/logout")
public Result logout() {
Subject subject = SecurityUtils.getSubject();
subject.logout();
return Result.success("已退出登录");
}
}8.5 注解式权限控制
java
@Configuration
@EnableAspectJAutoProxy
public class AopAnnotationsConfig {
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor =
new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
@Service
public class UserService {
/**
* 需要admin角色
*/
@RequiresRoles("admin")
public void deleteUser(Long userId) {
userRepository.deleteById(userId);
}
/**
* 需要user:view权限
*/
@RequiresPermissions("user:view")
public User getUser(Long userId) {
return userRepository.findById(userId)
.orElseThrow(() -> new UserNotFoundException(userId));
}
/**
* 需要admin和user角色
*/
@RequiresRoles(value = {"admin", "user"}, logical = Logical.AND)
public void updateUser(Long userId, UserUpdateRequest request) {
// 更新逻辑
}
/**
* 需要通过权限检查
*/
@RequiresAuthentication
public UserProfile getProfile() {
Subject subject = SecurityUtils.getSubject();
String username = subject.getPrincipal().toString();
return userService.findByUsername(username);
}
}8.6 全局异常处理
java
@RestControllerAdvice
public class ShiroExceptionHandler {
@ExceptionHandler(UnknownAccountException.class)
public Result handleUnknownAccount(UnknownAccountException e) {
return Result.fail("账户不存在");
}
@ExceptionHandler(IncorrectCredentialsException.class)
public Result handleIncorrectCredentials(IncorrectCredentialsException e) {
return Result.fail("密码错误");
}
@ExceptionHandler(LockedAccountException.class)
public Result handleLockedAccount(LockedAccountException e) {
return Result.fail("账户已被锁定");
}
@ExceptionHandler(UnauthorizedException.class)
public Result handleUnauthorized(UnauthorizedException e) {
return Result.fail("无权限访问");
}
@ExceptionHandler(AuthorizationException.class)
public Result handleAuthorization(AuthorizationException e) {
return Result.fail("权限不足");
}
}九、缓存配置
9.1 Ehcache配置
java
@Configuration
public class ShiroCacheConfig {
@Bean
public CacheManager cacheManager() {
// 使用Ehcache
EhCacheManager cacheManager = new EhCacheManager();
cacheManager.setCacheManagerConfigFilePath("classpath:ehcache.xml");
return cacheManager;
}
}
xml
<!-- ehcache.xml -->
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="ehcache.xsd"
updateCheck="false">
<!-- 认证缓存 -->
<cache name="authenticationCache"
maxEntriesLocalHeap="2000"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="0"
overflowToDisk="false"/>
<!-- 授权缓存 -->
<cache name="authorizationCache"
maxEntriesLocalHeap="2000"
eternal="false"
timeToIdleSeconds="3600"
timeToLiveSeconds="0"
overflowToDisk="false"/>
<!-- Session缓存 -->
<cache name="shiro-activeSessionCache"
maxEntriesLocalHeap="10000"
eternal="false"
timeToIdleSeconds="1800"
timeToLiveSeconds="0"
overflowToDisk="false"/>
</ehcache>9.2 Redis缓存配置
java
@Configuration
public class ShiroRedisCacheConfig {
@Bean
public CacheManager shiroRedisCacheManager(
RedisTemplate<String, Object> redisTemplate) {
RedisCacheManager cacheManager = new RedisCacheManager();
cacheManager.setRedisManager(redisManager());
// 缓存过期时间
cacheManager.setExpire(1800); // 30分钟
// 缓存键前缀
cacheManager.setKeyPrefix("shiro:cache:");
return cacheManager;
}
@Bean
public RedisManager redisManager() {
RedisManager manager = new RedisManager();
manager.setHost("localhost:6379");
manager.setTimeout(3000);
return manager;
}
}十、过滤器链
10.1 常用过滤器
| 过滤器 | 说明 | 用法 |
|---|---|---|
| anon | 匿名访问 | anon |
| authc | 需要认证 | authc |
| authcBasic | HTTP Basic认证 | authcBasic |
| user | 认证或记住我 | user |
| logout | 登出 | logout |
| perms | 权限检查 | perms[user:view] |
| roles | 角色检查 | roles[admin,user] |
| ssl | 需要HTTPS | ssl |
| port | 端口检查 | port[8080] |
10.2 自定义过滤器
java
// JWT认证过滤器
public class JwtAuthFilter extends AuthenticatingFilter {
@Override
protected AuthenticationToken createToken(
HttpServletRequest request,
HttpServletResponse response) throws Exception {
String token = getToken(request);
if (token == null || token.isEmpty()) {
return null;
}
// 解析JWT获取用户信息
Claims claims = jwtService.parseToken(token);
return new JwtToken(
claims.getSubject(),
token,
claims.getIssuedAt().getTime()
);
}
@Override
protected boolean onAccessDenied(
HttpServletRequest request,
HttpServletResponse response) throws Exception {
String token = getToken(request);
if (token == null) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
// 尝试登录
return executeLogin(request, response);
}
private String getToken(HttpServletRequest request) {
String header = request.getHeader("Authorization");
if (header != null && header.startsWith("Bearer ")) {
return header.substring(7);
}
return null;
}
}10.3 过滤器配置
java
@Configuration
public class ShiroFilterConfig {
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition definition =
new DefaultShiroFilterChainDefinition();
// API路径 - JWT认证
definition.addPathDefinition("/api/**", "jwtAuth,noSessionCreation,authc");
// 静态资源 - 匿名访问
definition.addPathDefinition("/static/**", "anon");
definition.addPathDefinition("/public/**", "anon");
// 登录相关 - 匿名访问
definition.addPathDefinition("/login", "anon");
definition.addPathDefinition("/auth/login", "anon");
// 登出
definition.addPathDefinition("/logout", "logout");
// 管理后台 - 角色控制
definition.addPathDefinition("/admin/**", "authc,roles[admin]");
// 其他 - 需认证
definition.addPathDefinition("/**", "authc");
return definition;
}
@Bean
public JwtAuthFilter jwtAuthFilter() {
return new JwtAuthFilter();
}
}十一、RememberMe功能
11.1 RememberMe配置
java
@Configuration
public class ShiroConfig {
@Bean
public SecurityManager securityManager(..., RememberMeManager rememberMeManager) {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
// ...
manager.setRememberMeManager(rememberMeManager);
return manager;
}
@Bean
public RememberMeManager rememberMeManager() {
CookieRememberMeManager manager = new CookieRememberMeManager();
SimpleCookie cookie = new SimpleCookie("rememberMe");
cookie.setMaxAge(86400 * 7); // 7天
cookie.setHttpOnly(true);
cookie.setSameSite("Strict");
manager.setCookie(cookie);
// 设置加密密钥
manager.setCipherKey(Base64.decode(
"shiroRememberMeCipherKey=="));
return manager;
}
}11.2 使用RememberMe
java
// 登录时启用RememberMe
@PostMapping("/login")
public Result login(@RequestBody LoginRequest request) {
UsernamePasswordToken token = new UsernamePasswordToken(
request.getUsername(),
request.getPassword().toCharArray()
);
// 启用RememberMe
token.setRememberMe(true);
Subject subject = SecurityUtils.getSubject();
subject.login(token);
return Result.success();
}
// 检查是否RememberMe登录
Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated() || subject.isRemembered()) {
// 已登录或RememberMe登录
}十二、多Realm认证
12.1 多Realm配置
java
@Configuration
public class ShiroConfig {
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
// 配置多个Realm
List<Realm> realms = new ArrayList<>();
realms.add(jdbcRealm());
realms.add(oauth2Realm());
realms.add(ldapRealm());
// 使用认证策略
ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
authenticator.setRealms(realms);
// 认证策略:第一个成功的优先
authenticator.setAuthenticationStrategy(
new FirstSuccessfulAuthenticationStrategy());
// 或者:至少一个成功
// authenticator.setAuthenticationStrategy(
// new AtLeastOneSuccessfulAuthenticationStrategy());
// 或者:全部成功
// authenticator.setAuthenticationStrategy(
// new AllSuccessfulAuthenticationStrategy());
manager.setAuthenticator(authenticator);
return manager;
}
}12.2 认证策略对比
| 策略 | 说明 | 使用场景 |
|---|---|---|
| FirstSuccessfulAuthenticationStrategy | 第一个成功即返回 | 单一数据源 |
| AtLeastOneSuccessfulAuthenticationStrategy | 至少一个成功 | 多数据源,任一可认证 |
| AllSuccessfulAuthenticationStrategy | 全部成功 | 高安全要求 |
十三、总结
13.1 核心流程
anon
authc
用户名密码
OAuth
JWT
成功
失败
命中
未命中
请求到达
路径匹配
匿名访问
创建Subject
认证Token
JdbcRealm / 自定义Realm
OAuth2Realm
JwtRealm
密码匹配
获取AuthorizationInfo
抛出异常
权限缓存
返回缓存
查询数据库
权限验证
返回错误
通过/拒绝
13.2 配置检查清单
| 检查项 | 说明 |
|---|---|
| Realm配置 | 确保实现正确的Realm |
| CredentialsMatcher | 密码加密算法配置 |
| SessionManager | 分布式Session配置 |
| CacheManager | 权限缓存配置 |
| FilterChain | 路径过滤规则 |
| RememberMe | Cookie安全配置 |
13.3 常见问题
| 问题 | 解决方案 |
|---|---|
| 认证失败无响应 | 检查Realm的supports()方法 |
| 权限缓存无效 | 检查CacheManager配置 |
| Session丢失 | 检查SessionManager配置 |
| RememberMe不生效 | 检查Cookie的HttpOnly配置 |
Shiro 作为轻量级安全框架,以其简洁的API和灵活的配置,成为中小型项目安全认证的首选。掌握其核心组件和配置方法,能够快速构建可靠的安全体系。