Shiro提供了完整的企業級會話管理功能，不依賴于底層容器Tomcat等,即直接使用Shiro的會話管理可以直接替換如Web容器的會話管理.

會話

所謂會話，即用戶訪問應用時保持的連接關系，在多次交互中應用能夠識別出當前訪問的用戶是誰，且可以在多次交互中保存一些數據。如訪問一些網站時登錄成功后，網站可以記住用戶，且在退出之前都可以識別當前用戶是誰。

Shiro是基于Session管理權限,應用單體項目可以,但是前后端分離的項目需要增加單點登錄功能不可能使用?session?的方式進行鑒權，所以 JWT 就被派上了用場，可以通過一個加密token來進行前后端的鑒權。

1?增加pom.xml

<dependency> <groupId>com.auth0groupId> <artifactId>java-jwtartifactId>dependency>

2?增加狀態碼定義

/** * 定義的靜態編碼 */public final class AppCode { public static final String SUCESS = "200"; public static final String UNAUTHENTICATED = "401"; public static final String UNAUTHORIZED = "403"; public static final String NOT_FOUND = "404"; public static final String ERROR = "500";}

3?增加JwtUtils.java工具類

package com.wei.utils.jwt;import com.auth0.jwt.JWT;import com.auth0.jwt.JWTVerifier;import com.auth0.jwt.algorithms.Algorithm;import com.auth0.jwt.exceptions.JWTDecodeException;import com.auth0.jwt.exceptions.JWTVerificationException;import com.auth0.jwt.interfaces.DecodedJWT;import java.util.Date;public class JwtUtils { private static final long EXPIRE_TIME = 1 * 60 * 1000; private static final String CLAIM_NAME = "username"; public static String createToken(String username, String password) { Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME); //加密處理密碼 Algorithm algorithm = Algorithm.HMAC256(password); return JWT.create() .withClaim(CLAIM_NAME, username) .withExpiresAt(date) .sign(algorithm); } public static boolean verify(String username, String dbPwd, String token) { Algorithm algorithm = Algorithm.HMAC256(dbPwd); JWTVerifier jwtVerifier = JWT.require(algorithm) .withClaim(CLAIM_NAME, username).build(); try { jwtVerifier.verify(token); } catch (JWTVerificationException e) { return false; } return true; } public static String getUserName(String token) { try { DecodedJWT jwt = JWT.decode(token); return jwt.getClaim(CLAIM_NAME).asString(); } catch (JWTDecodeException e) { return null; } }}

4?增加JwtToken包裝類

package com.wei.web.shiro.jwt;import org.apache.shiro.authc.HostAuthenticationToken;public class JwtToken implements HostAuthenticationToken { private String username; private char[] password; private String host; private String token; public JwtToken(String token) { this.token = token; } public JwtToken(String username, char[] password) { this(username, password, (String) null); } public JwtToken(String username, String password) { this(username, (char[]) (null != password ? password.toCharArray() : null), (String) null); } public JwtToken(String username, char[] password, String host) { this.username = username; this.password = password; this.host = host; } @Override public String getHost() { return host; } @Override public Object getPrincipal() { return this.getToken(); } @Override public Object getCredentials() { return this.getToken(); } public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } public char[] getPassword() { return password; } public void setPassword(char[] password) { this.password = password; } public void setHost(String host) { this.host = host; } public String getToken() { return token; } public void setToken(String token) { this.token = token; }}

5?增加JwtFilter繼承BasicHttpAuthenticationFilter

public?class?JwtFilter?extends?BasicHttpAuthenticationFilter?{????private?static?final?Logger?LOGGER?=?LoggerFactory.getLogger(JwtFilter.class); private static final String AUTHZ_HEADER = "token";????private?static?final?String?CHARSET?=?"UTF-8"; /** * 處理未經驗證的請求 */ @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { boolean loggedIn = false; if (this.isLoginAttempt(request, response)) { loggedIn = this.executeLogin(request, response);????????} if (!loggedIn) { this.sendChallenge(request, response);????????} return loggedIn;????} /** * 請求是否已經登錄(攜帶token) */ @Override protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) { String authzHeader = WebUtils.toHttp(request).getHeader(AUTHZ_HEADER); return authzHeader != null;????} /** * 執行登錄方法(由自定義realm判斷,吃掉異常返回false) */ @Override protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception { String token = WebUtils.toHttp(request).getHeader(AUTHZ_HEADER); if (null == token) { String msg = "executeLogin method token must not be null"; throw new IllegalStateException(msg); } //交給realm判斷是否有權限,沒權限返回false交給onAccessDenied JwtToken jwtToken = new JwtToken(token); try { this.getSubject(request, response).login(jwtToken); return true; } catch (AuthenticationException e) { return false; }????} /** * 構建未授權的請求返回,filter層的異常不受exceptionAdvice控制,這里返回401,把返回的json丟到response中 */ @Override protected boolean sendChallenge(ServletRequest request, ServletResponse response) { HttpServletResponse httpResponse = WebUtils.toHttp(response); String contentType = "application/json;charset=" + CHARSET; httpResponse.setStatus(Integer.parseInt(AppCode.UNAUTHENTICATED)); httpResponse.setContentType(contentType); try { String msg = "對不起,您無權限進行操作!"; ResultVo resultVo = new ResultVo(AppCode.UNAUTHENTICATED,msg,""); JsonMapper mapper = new JsonMapper(); PrintWriter printWriter = httpResponse.getWriter(); printWriter.append(mapper.writeValueAsString(resultVo));// byte[] data = unauthentication.toString().getBytes(CHARSET);// OutputStream outputStream = httpResponse.getOutputStream();// outputStream.write(data); } catch (IOException e) { LOGGER.error("sendChallenge error,can not resolve httpServletResponse"); } return false; } /** * 請求前處理,處理跨域 */ @Override protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletResponse httpServletResponse = (HttpServletResponse) response; httpServletResponse .setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin")); httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET,POST,OPTIONS,PUT,DELETE"); httpServletResponse.setHeader("Access-Control-Allow-Headers", httpServletRequest.getHeader("Access-Control-Request-Headers")); // 跨域時,option請求直接返回正常狀態 if (httpServletRequest.getMethod().equals(RequestMethod.OPTIONS.name())) { httpServletResponse.setStatus(HttpStatus.OK.value()); return false; } return super.preHandle(request, response); }}

6?修改ShiroRealm對象,修改認證與鑒權方法,并增加supports方法

/** * 設置realm支持的authenticationToken類型 */@Overridepublic boolean supports(AuthenticationToken token){ return null != token && token instanceof JwtToken;}//JWT授權@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) throws AuthenticationException{ String token = principalCollection.toString(); //根據token獲取權限授權 String code = JwtUtils.getUserName(token); //可以根據獲取的人員信息賦值權限 Employee employee = employeeService.getEmployeeByCode(code); SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); authorizationInfo.addRole(AppPermission.ADMIN); //authorizationInfo.setRoles(employee.getRoles()); //authorizationInfo.setStringPermissions(employee.getPermissions()); return authorizationInfo;}/** * 登陸認證 * * @param authenticationToken jwtFilter傳入的token * @return 登陸信息 * @throws AuthenticationException 未登陸拋出異常 */@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { //getCredentials getPrincipal getToken 都是返回jwt生成的token串 String token = (String) authenticationToken.getCredentials(); String code = JwtUtils.getUserName(token); if (code == null) { return null; } Employee employee = employeeService.getEmployeeByCode(code); if(employee==null){ return null; } if (!JwtUtils.verify(code, employee.getPassword(), token)) { return null; } return new SimpleAuthenticationInfo(token, token, getName());}

6?修改ShiroConfig對象,只需要在設置ShiroFilterFactoryBean對象將JWTFilter對象加入到shiroFilterFactoryBean中即可

filters.put("authc", new JwtFilter());

7?修改登錄/登出的方法

@Overridepublic String login(String code, String password){ AssertUtils.notEmpty(code,"用戶名不能為空!"); AssertUtils.notEmpty(password,"密碼不能為空!"); Employee employee = getEmployeeByCode(code); if(employee==null){ return ""; } if(password.equals(employee.getPassword())){ return JwtUtils.createToken(code,password); } return "";}@Overridepublic boolean logout() { Subject subject = SecurityUtils.getSubject(); subject.logout(); return true;} 與50位技術專家面對面20年技術見證，附贈技術全景圖

總結

以上是生活随笔為你收集整理的shiro 字段不是username 和password_Shiro整合JWT的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。