基于shiro的改造集成真正支持restful请求

这个模块分离至项目[api权限管理系统与前后端分离实践]api权限管理系统与前后端分离实践，感觉那样太长了找不到重点，分离出来要好点。

首先说明设计的这个安全体系是是RBAC(基于角色的权限访问控制)授权模型，即用户--角色--资源，用户不直接和权限打交道，角色拥有资源，用户拥有这个角色就有权使用角色所用户的资源。所有这里没有权限一说，签发jwt里面也就只有用户所拥有的角色而没有权限。

为啥说是真正的restful风格集成，虽说shiro对rest不友好但他本身是有支持rest集成的filter--HttpMethodPermissionFilter，这个shiro rest的 风格拦截器，会自动根据请求方法构建权限字符串( GET=read,POST=create,PUT=update,DELETE=delete)构建权限字符串;eg: /users=rest[user] , 会 自动拼接出user:read,user:create,user:update,user:delete”权限字符串进行权限匹配(所有都得匹配，isPermittedAll)。

但是这样感觉不利于基于jwt的角色的权限控制，在细粒度上验权url(即支持get,post,delete鉴别)就更没法了(个人见解)。打个比方：我们对一个用户签发的jwt写入角色列(role_admin,role_customer)。对不同request请求：url="api/resource/",httpMethod="GET"，url="api/resource",httpMethod="POST",在基于角色-资源的授权模型中，这两个url相同的请求对HttpMethodPermissionFilter是一种请求，用户对应的角色拥有的资源url="api/resource"，只要请求的url是"api/resource"，不论它的请求方式是什么，都会判定通过这个请求，这在restful风格的api中肯定是不可取的，对同一资源有些角色可能只要查询的权限而没有修改增加的权限。

可能会说在jwt中再增加权限列就好了嘛，但是在基于用户-资源的授权模型中，虽然能判别是不同的请求，但是太麻烦了，对每个资源我们都要设计对应的权限列然后再塞入到jwt中，对每个用户都要单独授权资源这也是不可取的。

对shiro的改造这里自定义了一些规则:
shiro过滤器链的url=url+"=="+httpMethod
eg:对于url="api/resource/",httpMethod="GET"的资源,其拼接出来的过滤器链匹配url=api/resource==GET
这样对相同的url而不同的访问方式，会判定为不同的资源，即资源不再简单是url，而是url和httpMethod的组合。基于角色的授权模型中，角色所拥有的资源形式为url+"=="+httpMethod。
这里改变了过滤器的过滤匹配url规则，重写PathMatchingFilterChainResolver的getChain方法，增加对上述规则的url的支持。

/* ** @Author tomsun28* @Description * @Date 21:12 2018/4/20*/
public class RestPathMatchingFilterChainResolver extends PathMatchingFilterChainResolver {private static final Logger LOGGER = LoggerFactory.getLogger(RestPathMatchingFilterChainResolver.class);public RestPathMatchingFilterChainResolver() {super();}public RestPathMatchingFilterChainResolver(FilterConfig filterConfig) {super(filterConfig);}/* ** @Description 重写filterChain匹配* @Param [request, response, originalChain]* @Return javax.servlet.FilterChain*/@Overridepublic FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {FilterChainManager filterChainManager = this.getFilterChainManager();if (!filterChainManager.hasChains()) {return null;} else {String requestURI = this.getPathWithinApplication(request);Iterator var6 = filterChainManager.getChainNames().iterator();String pathPattern;boolean flag = true;String[] strings = null;do {if (!var6.hasNext()) {return null;}pathPattern = (String)var6.next();strings = pathPattern.split("==");if (strings.length == 2) {// 分割出url+httpMethod,判断httpMethod和request请求的method是否一致,不一致直接falseif (WebUtils.toHttp(request).getMethod().toUpperCase().equals(strings[1].toUpperCase())) {flag = false;} else {flag = true;}} else {flag = false;}pathPattern = strings[0];} while(!this.pathMatches(pathPattern, requestURI) || flag);if (LOGGER.isTraceEnabled()) {LOGGER.trace("Matched path pattern [" + pathPattern + "] for requestURI [" + requestURI + "].  Utilizing corresponding filter chain...");}if (strings.length == 2) {pathPattern = pathPattern.concat("==").concat(WebUtils.toHttp(request).getMethod().toUpperCase());}return filterChainManager.proxy(originalChain, pathPattern);}}}

重写PathMatchingFilter的路径匹配方法pathsMatch()，加入httpMethod支持。

/* ** @Author tomsun28* @Description 重写过滤链路径匹配规则，增加REST风格post,get.delete,put..支持* @Date 23:37 2018/4/19*/
public abstract class BPathMatchingFilter extends PathMatchingFilter {public BPathMatchingFilter() {}/* ** @Description 重写URL匹配  加入httpMethod支持* @Param [path, request]* @Return boolean*/@Overrideprotected boolean pathsMatch(String path, ServletRequest request) {String requestURI = this.getPathWithinApplication(request);// path: url==method eg: http://api/menu==GET   需要解析出path中的url和httpMethodString[] strings = path.split("==");if (strings.length <= 1) {// 分割出来只有URLreturn this.pathsMatch(strings[0], requestURI);} else {// 分割出url+httpMethod,判断httpMethod和request请求的method是否一致,不一致直接falseString httpMethod = WebUtils.toHttp(request).getMethod().toUpperCase();return httpMethod.equals(strings[1].toUpperCase()) && this.pathsMatch(strings[0], requestURI);}}
}

这样增加httpMethod的改造就完成了，重写ShiroFilterFactoryBean使其使用改造后的chainResolver：RestPathMatchingFilterChainResolver

/* ** @Author tomsun28* @Description rest支持的shiroFilterFactoryBean* @Date 21:35 2018/4/20*/
public class RestShiroFilterFactoryBean extends ShiroFilterFactoryBean {private static final Logger LOGGER = LoggerFactory.getLogger(RestShiroFilterFactoryBean.class);public RestShiroFilterFactoryBean() {super();}@Overrideprotected AbstractShiroFilter createInstance() throws Exception {LOGGER.debug("Creating Shiro Filter instance.");SecurityManager securityManager = this.getSecurityManager();String msg;if (securityManager == null) {msg = "SecurityManager property must be set.";throw new BeanInitializationException(msg);} else if (!(securityManager instanceof WebSecurityManager)) {msg = "The security manager does not implement the WebSecurityManager interface.";throw new BeanInitializationException(msg);} else {FilterChainManager manager = this.createFilterChainManager();RestPathMatchingFilterChainResolver chainResolver = new RestPathMatchingFilterChainResolver();chainResolver.setFilterChainManager(manager);return new RestShiroFilterFactoryBean.SpringShiroFilter((WebSecurityManager)securityManager, chainResolver);}}private static final class SpringShiroFilter extends AbstractShiroFilter {protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {if (webSecurityManager == null) {throw new IllegalArgumentException("WebSecurityManager property cannot be null.");} else {this.setSecurityManager(webSecurityManager);if (resolver != null) {this.setFilterChainResolver(resolver);}}}}
}

上面是一些核心的代码片段，更多请看项目代码。

对用户账户登录注册的过滤filter：PasswordFilter

/* ** @Author tomsun28* @Description 基于 用户名密码 的认证过滤器* @Date 20:18 2018/2/10*/
public class PasswordFilter extends AccessControlFilter {private static final Logger LOGGER = LoggerFactory.getLogger(PasswordFilter.class);private StringRedisTemplate redisTemplate;@Overrideprotected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {Subject subject = getSubject(request,response);// 如果其已经登录，再此发送登录请求if(null != subject && subject.isAuthenticated()){return true;}//  拒绝，统一交给 onAccessDenied 处理return false;}@Overrideprotected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {// 判断若为获取登录注册加密动态秘钥请求if (isPasswordTokenGet(request)) {//动态生成秘钥，redis存储秘钥供之后秘钥验证使用，设置有效期5秒用完即丢弃String tokenKey = CommonUtil.getRandomString(16);try {redisTemplate.opsForValue().set("PASSWORD_TOKEN_KEY_"+request.getRemoteAddr().toUpperCase(),tokenKey,5, TimeUnit.SECONDS);// 动态秘钥response返回给前端Message message = new Message();message.ok(1000,"issued tokenKey success").addData("tokenKey",tokenKey);RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);}catch (Exception e) {LOGGER.warn(e.getMessage(),e);// 动态秘钥response返回给前端Message message = new Message();message.ok(1000,"issued tokenKey fail");RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);}return false;}// 判断是否是登录请求if(isPasswordLoginPost(request)){AuthenticationToken authenticationToken = createPasswordToken(request);Subject subject = getSubject(request,response);try {subject.login(authenticationToken);//登录认证成功,进入请求派发json web token url资源内return true;}catch (AuthenticationException e) {LOGGER.warn(authenticationToken.getPrincipal()+"::"+e.getMessage(),e);// 返回response告诉客户端认证失败Message message = new Message().error(1002,"login fail");RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);return false;}catch (Exception e) {LOGGER.error(e.getMessage(),e);// 返回response告诉客户端认证失败Message message = new Message().error(1002,"login fail");RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);return false;}}// 判断是否为注册请求,若是通过过滤链进入controller注册if (isAccountRegisterPost(request)) {return true;}// 之后添加对账户的找回等// response 告知无效请求Message message = new Message().error(1111,"error request");RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);return false;}private boolean isPasswordTokenGet(ServletRequest request) {
//        String tokenKey = request.getParameter("tokenKey");String tokenKey = RequestResponseUtil.getParameter(request,"tokenKey");return (request instanceof HttpServletRequest)&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("GET")&& null != tokenKey && "get".equals(tokenKey);}private boolean isPasswordLoginPost(ServletRequest request) {
//        String password = request.getParameter("password");
//        String timestamp = request.getParameter("timestamp");
//        String methodName = request.getParameter("methodName");
//        String appId = request.getParameter("appId");Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);String password = map.get("password");String timestamp = map.get("timestamp");String methodName = map.get("methodName");String appId = map.get("appId");return (request instanceof HttpServletRequest)&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("POST")&& null != password&& null != timestamp&& null != methodName&& null != appId&& methodName.equals("login");}private boolean isAccountRegisterPost(ServletRequest request) {
//        String uid = request.getParameter("uid");
//        String methodName = request.getParameter("methodName");
//        String username = request.getParameter("username");
//        String password = request.getParameter("password");Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);String uid = map.get("uid");String username = map.get("username");String methodName = map.get("methodName");String password = map.get("password");return (request instanceof HttpServletRequest)&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("POST")&& null != username&& null != password&& null != methodName&& null != uid&& methodName.equals("register");}private AuthenticationToken createPasswordToken(ServletRequest request) {//        String appId = request.getParameter("appId");
//        String password = request.getParameter("password");
//        String timestamp = request.getParameter("timestamp");Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);String appId = map.get("appId");String timestamp = map.get("timestamp");String password = map.get("password");String host = request.getRemoteAddr();String tokenKey = redisTemplate.opsForValue().get("PASSWORD_TOKEN_KEY_"+host.toUpperCase());return new PasswordToken(appId,password,timestamp,host,tokenKey);}public void setRedisTemplate(StringRedisTemplate redisTemplate) {this.redisTemplate = redisTemplate;}}

支持restful风格的jwt鉴权filter：BJwtFilter

/* ** @Author tomsun28* @Description 支持restful url 的过滤链  JWT json web token 过滤器，无状态验证* @Date 0:04 2018/4/20*/
public class BJwtFilter extends BPathMatchingFilter {private static final Logger LOGGER = LoggerFactory.getLogger(BJwtFilter.class);private StringRedisTemplate redisTemplate;private AccountService accountService;protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {Subject subject = getSubject(servletRequest,servletResponse);// 判断是否为JWT认证请求if ((null == subject || !subject.isAuthenticated()) && isJwtSubmission(servletRequest)) {AuthenticationToken token = createJwtToken(servletRequest);try {subject.login(token);
//                return this.checkRoles(subject,mappedValue) && this.checkPerms(subject,mappedValue);return this.checkRoles(subject,mappedValue);}catch (AuthenticationException e) {LOGGER.info(e.getMessage(),e);// 如果是JWT过期if (e.getMessage().equals("expiredJwt")) {// 这里初始方案先抛出令牌过期，之后设计为在Redis中查询当前appId对应令牌，其设置的过期时间是JWT的两倍，此作为JWT的refresh时间// 当JWT的有效时间过期后，查询其refresh时间，refresh时间有效即重新派发新的JWT给客户端，// refresh也过期则告知客户端JWT时间过期重新认证// 当存储在redis的JWT没有过期，即refresh time 没有过期String appId = WebUtils.toHttp(servletRequest).getHeader("appId");String jwt = WebUtils.toHttp(servletRequest).getHeader("authorization");String refreshJwt = redisTemplate.opsForValue().get("JWT-SESSION-"+appId);if (null != refreshJwt && refreshJwt.equals(jwt)) {// 重新申请新的JWT// 根据appId获取其对应所拥有的角色(这里设计为角色对应资源，没有权限对应资源)String roles = accountService.loadAccountRole(appId);long refreshPeriodTime = 36000L;  //seconds为单位,10 hoursString newJwt = JsonWebTokenUtil.issueJWT(UUID.randomUUID().toString(),appId,"token-server",refreshPeriodTime >> 2,roles,null, SignatureAlgorithm.HS512);// 将签发的JWT存储到Redis： {JWT-SESSION-{appID} , jwt}redisTemplate.opsForValue().set("JWT-SESSION-"+appId,newJwt,refreshPeriodTime, TimeUnit.SECONDS);Message message = new Message().ok(1005,"new jwt").addData("jwt",newJwt);RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);return false;}else {// jwt时间失效过期,jwt refresh time失效 返回jwt过期客户端重新登录Message message = new Message().error(1006,"expired jwt");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);return false;}}// 其他的判断为JWT错误无效Message message = new Message().error(1007,"error Jwt");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);return false;}catch (Exception e) {// 其他错误LOGGER.warn(servletRequest.getRemoteAddr()+"JWT认证"+e.getMessage(),e);// 告知客户端JWT错误1005,需重新登录申请jwtMessage message = new Message().error(1007,"error jwt");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);return false;}}else {// 请求未携带jwt 判断为无效请求Message message = new Message().error(1111,"error request");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);return false;}}protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {Subject subject = getSubject(servletRequest,servletResponse);// 未认证的情况if (null == subject || !subject.isAuthenticated()) {// 告知客户端JWT认证失败需跳转到登录页面Message message = new Message().error(1006,"error jwt");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);}else {//  已经认证但未授权的情况// 告知客户端JWT没有权限访问此资源Message message = new Message().error(1008,"no permission");RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);}// 过滤链终止return false;}private boolean isJwtSubmission(ServletRequest request) {String jwt = RequestResponseUtil.getHeader(request,"authorization");String appId = RequestResponseUtil.getHeader(request,"appId");return (request instanceof HttpServletRequest)&& !StringUtils.isEmpty(jwt)&& !StringUtils.isEmpty(appId);}private AuthenticationToken createJwtToken(ServletRequest request) {Map<String,String> maps = RequestResponseUtil.getRequestHeaders(request);String appId = maps.get("appId");String ipHost = request.getRemoteAddr();String jwt = maps.get("authorization");String deviceInfo = maps.get("deviceInfo");return new JwtToken(ipHost,deviceInfo,jwt,appId);}// 验证当前用户是否属于mappedValue任意一个角色private boolean checkRoles(Subject subject, Object mappedValue){String[] rolesArray = (String[]) mappedValue;return rolesArray == null || rolesArray.length == 0 || Stream.of(rolesArray).anyMatch(role -> subject.hasRole(role.trim()));}// 验证当前用户是否拥有mappedValue任意一个权限private boolean checkPerms(Subject subject, Object mappedValue){String[] perms = (String[]) mappedValue;boolean isPermitted = true;if (perms != null && perms.length > 0) {if (perms.length == 1) {if (!subject.isPermitted(perms[0])) {isPermitted = false;}} else {if (!subject.isPermittedAll(perms)) {isPermitted = false;}}}return isPermitted;}public void setRedisTemplate(StringRedisTemplate redisTemplate) {this.redisTemplate = redisTemplate;}public void setAccountService(AccountService accountService) {this.accountService = accountService;}
}

realm数据源，数据提供service，匹配matchs，自定义token，spring集成shiro配置等其他详见项目代码。
最后项目实现了基于jwt的动态restful api权限认证。

效果展示

github:
bootshiro
usthe

码云:
bootshiro
usthe

分享一波阿里云代金券快速上云

转载请注明 from tomsun28