前言

  如果oauth原理还不清楚的地方,其参考这里。 

一、基本思路脑图

二、客户端shiro配置

  shiro配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"xmlns:util="http://www.springframework.org/schema/util"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"><!-- 缓存管理器 --><bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"><property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache.xml"/></bean><!-- Realm实现 --><bean id="oAuth2Realm" class="com.hjzgg.auth.client.shiro.OAuth2Realm"><property name="cachingEnabled" value="true"/><property name="authenticationCachingEnabled" value="true"/><property name="authenticationCacheName" value="authenticationCache"/><property name="authorizationCachingEnabled" value="true"/><property name="authorizationCacheName" value="authorizationCache"/><property name="clientId" value="c1ebe466-1cdc-4bd3-ab69-77c3561b9dee"/><property name="clientSecret" value="d8346ea2-6017-43ed-ad68-19c0f971738b"/><property name="accessTokenUrl" value="http://127.0.0.1:8080/auth-web/oauth/accessToken"/><property name="userInfoUrl" value="http://127.0.0.1:8080/auth-web/oauth/userInfo"/><property name="redirectUrl" value="http://127.0.0.1:8080/auth-client/login"/></bean><!-- 会话ID生成器 --><bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/><!-- 会话Cookie模板 --><bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie"><constructor-arg value="sid"/><property name="httpOnly" value="true"/><property name="maxAge" value="-1"/></bean><bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie"><constructor-arg value="rememberMe"/><property name="httpOnly" value="true"/><property name="maxAge" value="2592000"/><!-- 30天 --></bean><!-- rememberMe管理器 --><bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager"><!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)--><property name="cipherKey"value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/><property name="cookie" ref="rememberMeCookie"/></bean><!-- 会话DAO --><bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"><property name="activeSessionsCacheName" value="shiro-activeSessionCache"/><property name="sessionIdGenerator" ref="sessionIdGenerator"/></bean><!-- 会话管理器 --><bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"><property name="globalSessionTimeout" value="1800000"/><property name="deleteInvalidSessions" value="true"/><property name="sessionValidationSchedulerEnabled" value="true"/><property name="sessionDAO" ref="sessionDAO"/><property name="sessionIdCookieEnabled" value="true"/><property name="sessionIdCookie" ref="sessionIdCookie"/></bean><!-- 安全管理器 --><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"><property name="realm" ref="oAuth2Realm"/><property name="sessionManager" ref="sessionManager"/><property name="cacheManager" ref="cacheManager"/><property name="rememberMeManager" ref="rememberMeManager"/></bean><!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) --><bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"><property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/><property name="arguments" ref="securityManager"/></bean><!-- OAuth2身份验证过滤器 --><bean id="oAuth2AuthenticationFilter" class="com.hjzgg.auth.client.shiro.OAuth2AuthenticationFilter"><property name="authcCodeParam" value="code"/><property name="failureUrl" value="/oauth2Failure.jsp"/></bean><!-- Shiro的Web过滤器 --><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><property name="securityManager" ref="securityManager"/><property name="loginUrl" value="http://127.0.0.1:8080/auth-web/oauth/authorize?client_id=c1ebe466-1cdc-4bd3-ab69-77c3561b9dee&response_type=code&redirect_uri=http://127.0.0.1:8080/oauth-client/login"/><property name="successUrl" value="/index.jsp"/><property name="filters"><util:map><entry key="oauth2Authc" value-ref="oAuth2AuthenticationFilter"/></util:map></property><property name="filterChainDefinitions"><value>/oauth2Failure.jsp = anon/login = oauth2Authc/logout = logout/** = user</value></property></bean><!-- Shiro生命周期处理器--><bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/></beans>

  注重看一下Realm的参数配置和 shiroFilter loginUrl的配置

  自定义Realm实现

package com.hjzgg.auth.client.shiro;import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthBearerClientRequest;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthAccessTokenResponse;
import org.apache.oltu.oauth2.client.response.OAuthResourceResponse;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;public class OAuth2Realm extends AuthorizingRealm {private String clientId;  private String clientSecret;  private String accessTokenUrl;  private String userInfoUrl;  private String redirectUrl;public String getClientId() {return clientId;}public void setClientId(String clientId) {this.clientId = clientId;}public String getClientSecret() {return clientSecret;}public void setClientSecret(String clientSecret) {this.clientSecret = clientSecret;}public String getAccessTokenUrl() {return accessTokenUrl;}public void setAccessTokenUrl(String accessTokenUrl) {this.accessTokenUrl = accessTokenUrl;}public String getUserInfoUrl() {return userInfoUrl;}public void setUserInfoUrl(String userInfoUrl) {this.userInfoUrl = userInfoUrl;}public String getRedirectUrl() {return redirectUrl;}public void setRedirectUrl(String redirectUrl) {this.redirectUrl = redirectUrl;}public boolean supports(AuthenticationToken token) {return token instanceof OAuth2Token; //表示此Realm只支持OAuth2Token类型
    }  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();return authorizationInfo;  }  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {OAuth2Token oAuth2Token = (OAuth2Token) token;  String code = oAuth2Token.getAuthCode(); //获取 auth code  String username = extractUsername(code); // 提取用户名  SimpleAuthenticationInfo authenticationInfo =new SimpleAuthenticationInfo(username, code, getName());  return authenticationInfo;  }  private String extractUsername(String code) {  try {  OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());OAuthClientRequest accessTokenRequest = OAuthClientRequest.tokenLocation(accessTokenUrl)  .setGrantType(GrantType.AUTHORIZATION_CODE).setClientId(clientId).setClientSecret(clientSecret)  .setCode(code).setRedirectURI(redirectUrl)  .buildQueryMessage();  //获取access token  OAuthAccessTokenResponse oAuthResponse =oAuthClient.accessToken(accessTokenRequest, OAuth.HttpMethod.POST);String accessToken = oAuthResponse.getAccessToken();  //获取user infoOAuthClientRequest userInfoRequest =   new OAuthBearerClientRequest(userInfoUrl).setAccessToken(accessToken).buildQueryMessage();  OAuthResourceResponse resourceResponse = oAuthClient.resource(userInfoRequest, OAuth.HttpMethod.GET, OAuthResourceResponse.class);String username = resourceResponse.getBody();  return username;  } catch (Exception e) {  throw new OAuth2AuthenticationException(e);  }  }
}

  注重看一下realm中如何获取 用户信息的

  自定义Filter实现

package com.hjzgg.auth.client.shiro;import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;public class OAuth2AuthenticationFilter extends AuthenticatingFilter {//oauth2 authc code参数名  private String authcCodeParam = "code";  //客户端id  private String clientId;  //服务器端登录成功/失败后重定向到的客户端地址  private String redirectUrl;  //oauth2服务器响应类型  private String responseType = "code";  private String failureUrl;public String getAuthcCodeParam() {return authcCodeParam;}public void setAuthcCodeParam(String authcCodeParam) {this.authcCodeParam = authcCodeParam;}public String getClientId() {return clientId;}public void setClientId(String clientId) {this.clientId = clientId;}public String getRedirectUrl() {return redirectUrl;}public void setRedirectUrl(String redirectUrl) {this.redirectUrl = redirectUrl;}public String getResponseType() {return responseType;}public void setResponseType(String responseType) {this.responseType = responseType;}public String getFailureUrl() {return failureUrl;}public void setFailureUrl(String failureUrl) {this.failureUrl = failureUrl;}protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {HttpServletRequest httpRequest = (HttpServletRequest) request;String code = httpRequest.getParameter(authcCodeParam);  return new OAuth2Token(code);  }  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {  return false;  }  protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {  String error = request.getParameter("error");  String errorDescription = request.getParameter("error_description");  if(!StringUtils.isEmpty(error)) {//如果服务端返回了错误WebUtils.issueRedirect(request, response, failureUrl + "?error=" + error + "error_description=" + errorDescription);return false;  }  Subject subject = getSubject(request, response);if(!subject.isAuthenticated()) {  if(StringUtils.isEmpty(request.getParameter(authcCodeParam))) {  //如果用户没有身份验证,且没有auth code,则重定向到服务端授权
                saveRequestAndRedirectToLogin(request, response);  return false;  }  }  //执行父类里的登录逻辑,调用Subject.login登录  return executeLogin(request, response);  }  //登录成功后的回调方法 重定向到成功页面  protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,  ServletResponse response) throws Exception {  issueSuccessRedirect(request, response);  return false;  }  //登录失败后的回调   protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException ae, ServletRequest request,ServletResponse response) {  Subject subject = getSubject(request, response);  if (subject.isAuthenticated() || subject.isRemembered()) {  try { //如果身份验证成功了 则也重定向到成功页面
                issueSuccessRedirect(request, response);  } catch (Exception e) {  e.printStackTrace();  }  } else {  try { //登录失败时重定向到失败页面
                WebUtils.issueRedirect(request, response, failureUrl);  } catch (IOException e) {e.printStackTrace();  }  }  return false;  }
}

  注重看一下 如何构造的 AuthToken

三、服务端配置

  shiro配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"xmlns:util="http://www.springframework.org/schema/util"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"><!-- 缓存管理器 --><bean id="cacheManager" class="com.hjzgg.auth.util.SpringCacheManagerWrapper"><property name="cacheManager" ref="springCacheManager"/></bean><bean id="springCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager"><property name="cacheManager" ref="ehcacheManager"/></bean><!--ehcache--><bean id="ehcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"><property name="configLocation" value="classpath:ehcache/ehcache.xml"/></bean><!-- 凭证匹配器 --><bean id="credentialsMatcher" class="com.hjzgg.auth.shiro.RetryLimitHashedCredentialsMatcher"><constructor-arg ref="cacheManager"/><property name="hashAlgorithmName" value="md5"/><property name="hashIterations" value="2"/><property name="storedCredentialsHexEncoded" value="true"/></bean><!-- Realm实现 --><bean id="userRealm" class="com.hjzgg.auth.shiro.UserRealm"><!--<property name="credentialsMatcher" ref="credentialsMatcher"/>--><property name="cachingEnabled" value="false"/><!--<property name="authenticationCachingEnabled" value="true"/>--><!--<property name="authenticationCacheName" value="authenticationCache"/>--><!--<property name="authorizationCachingEnabled" value="true"/>--><!--<property name="authorizationCacheName" value="authorizationCache"/>--></bean><!-- 会话ID生成器 --><bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/><!-- 会话Cookie模板 --><bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie"><constructor-arg value="sid"/><property name="httpOnly" value="true"/><property name="maxAge" value="-1"/></bean><bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie"><constructor-arg value="rememberMe"/><property name="httpOnly" value="true"/><property name="maxAge" value="2592000"/><!-- 30天 --></bean><!-- rememberMe管理器 --><bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager"><!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)--><property name="cipherKey"value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/><property name="cookie" ref="rememberMeCookie"/></bean><!-- 会话DAO --><bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"><property name="activeSessionsCacheName" value="shiro-activeSessionCache"/><property name="sessionIdGenerator" ref="sessionIdGenerator"/></bean><!-- 会话管理器 --><bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"><property name="globalSessionTimeout" value="1800000"/><property name="deleteInvalidSessions" value="true"/><property name="sessionValidationSchedulerEnabled" value="true"/><property name="sessionDAO" ref="sessionDAO"/><property name="sessionIdCookieEnabled" value="true"/><property name="sessionIdCookie" ref="sessionIdCookie"/></bean><!-- 安全管理器 --><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"><property name="realm" ref="userRealm"/><property name="sessionManager" ref="sessionManager"/><property name="cacheManager" ref="cacheManager"/><property name="rememberMeManager" ref="rememberMeManager"/></bean><!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) --><bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"><property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/><property name="arguments" ref="securityManager"/></bean><bean name="formAuthenticationFilter" class="com.hjzgg.auth.shiro.FormAuthenticationFilter"/><!-- Shiro的Web过滤器 --><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><property name="securityManager" ref="securityManager"/><property name="filters"><util:map><entry key="authc" value-ref="formAuthenticationFilter"/></util:map></property><property name="loginUrl" value="/login.jsp"/><property name="successUrl" value="/index.jsp"/><property name="filterChainDefinitions"><value>/logout = logout/login.jsp = authc/oauth/authorize=anon/oauth/accessToken=anon/oauth/userInfo=anon/** = roles[admin]</value></property></bean><!-- Shiro生命周期处理器--><bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/></beans>

  注重看一下filterChainDefinitions的配置

  自定义Filter实现

package com.hjzgg.auth.shiro;import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;import org.apache.commons.lang3.StringUtils;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;public class FormAuthenticationFilter extends AuthenticatingFilter {public static final String DEFAULT_ERROR_KEY_ATTRIBUTE_NAME = "shiroLoginFailure";public static final String DEFAULT_USERNAME_PARAM = "username";public static final String DEFAULT_PASSWORD_PARAM = "password";public static final String DEFAULT_REMEMBER_ME_PARAM = "rememberMe";private static final Logger log = LoggerFactory.getLogger(FormAuthenticationFilter.class);private String usernameParam = "username";private String passwordParam = "password";private String rememberMeParam = "rememberMe";private String failureKeyAttribute = "shiroLoginFailure";public FormAuthenticationFilter() {this.setLoginUrl("/login.jsp");}public void setLoginUrl(String loginUrl) {String previous = this.getLoginUrl();if(previous != null) {this.appliedPaths.remove(previous);}super.setLoginUrl(loginUrl);if(log.isTraceEnabled()) {log.trace("Adding login url to applied paths.");}this.appliedPaths.put(this.getLoginUrl(), (Object)null);}public String getUsernameParam() {return this.usernameParam;}public void setUsernameParam(String usernameParam) {this.usernameParam = usernameParam;}public String getPasswordParam() {return this.passwordParam;}public void setPasswordParam(String passwordParam) {this.passwordParam = passwordParam;}public String getRememberMeParam() {return this.rememberMeParam;}public void setRememberMeParam(String rememberMeParam) {this.rememberMeParam = rememberMeParam;}public String getFailureKeyAttribute() {return this.failureKeyAttribute;}public void setFailureKeyAttribute(String failureKeyAttribute) {this.failureKeyAttribute = failureKeyAttribute;}protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {if(this.isLoginRequest(request, response)) {if(this.isLoginSubmission(request, response)) {if(log.isTraceEnabled()) {log.trace("Login submission detected.  Attempting to execute login.");}return this.executeLogin(request, response);} else {if(log.isTraceEnabled()) {log.trace("Login page view.");}return true;}} else {if(log.isTraceEnabled()) {log.trace("Attempting to access a path which requires authentication.  Forwarding to the Authentication url [" + this.getLoginUrl() + "]");}this.saveRequestAndRedirectToLogin(request, response);return false;}}protected boolean isLoginSubmission(ServletRequest request, ServletResponse response) {return request instanceof HttpServletRequest && WebUtils.toHttp(request).getMethod().equalsIgnoreCase("POST");}protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {String username = this.getUsername(request);String password = this.getPassword(request);return this.createToken(username, password, request, response);}protected boolean isRememberMe(ServletRequest request) {return WebUtils.isTrue(request, this.getRememberMeParam());}protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {if(StringUtils.isNotEmpty(this.getResponseType(request)) && StringUtils.isNotEmpty(this.getRedirectURI(request))) {String authorizeURI = "/oauth/authorize?";this.setSuccessUrl(authorizeURI + ((HttpServletRequest)request).getQueryString());}this.issueSuccessRedirect(request, response);return false;}protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {if(log.isDebugEnabled()) {log.debug("Authentication exception", e);}this.setFailureAttribute(request, e);return true;}protected void setFailureAttribute(ServletRequest request, AuthenticationException ae) {String className = ae.getClass().getName();request.setAttribute(this.getFailureKeyAttribute(), className);}protected String getUsername(ServletRequest request) {return WebUtils.getCleanParam(request, this.getUsernameParam());}protected String getPassword(ServletRequest request) {return WebUtils.getCleanParam(request, this.getPasswordParam());}private String getRedirectURI(ServletRequest request) {return WebUtils.getCleanParam(request, OAuth.OAUTH_REDIRECT_URI);}private String getResponseType(ServletRequest request) {return WebUtils.getCleanParam(request, OAuth.OAUTH_RESPONSE_TYPE);}
}

  注重看一下onLoginSuccess函数的逻辑

  自定义Realm实现

package com.hjzgg.auth.shiro;import com.hjzgg.auth.domain.dto.LightUserResult;
import com.hjzgg.auth.service.UserApiImpl;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;import javax.annotation.Resource;
import java.util.Arrays;
import java.util.HashSet;/*** <p>Version: 1.0*/
public class UserRealm extends AuthorizingRealm {@Resourceprivate UserApiImpl userApi;@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {String username = (String)principals.getPrimaryPrincipal();LightUserResult user = userApi.queryUserByName(username);SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();authorizationInfo.setRoles(new HashSet<>(Arrays.asList(user.getRole())));//暂时不加权限return authorizationInfo;}@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {String username = (String)token.getPrincipal();LightUserResult user = userApi.queryUserByName(username);if(user == null) {throw new UnknownAccountException();//没找到帐号
        }//交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以自定义实现SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user.getUserName(), //用户名user.getPassword(), //密码//ByteSource.Util.bytes(user.getPassword()),//salt=username+saltgetName()  //realm name
        );return authenticationInfo;}@Overridepublic void clearCachedAuthorizationInfo(PrincipalCollection principals) {super.clearCachedAuthorizationInfo(principals);}@Overridepublic void clearCachedAuthenticationInfo(PrincipalCollection principals) {super.clearCachedAuthenticationInfo(principals);}@Overridepublic void clearCache(PrincipalCollection principals) {super.clearCache(principals);}public void clearAllCachedAuthorizationInfo() {getAuthorizationCache().clear();}public void clearAllCachedAuthenticationInfo() {getAuthenticationCache().clear();}public void clearAllCache() {clearAllCachedAuthenticationInfo();clearAllCachedAuthorizationInfo();}
}

  注重看下认证信息和权限信息的获取

  oauth相关接口的实现

package com.hjzgg.auth.controller;import com.alibaba.fastjson.JSONObject;
import com.hjzgg.auth.domain.dto.LightUserResult;
import com.hjzgg.auth.service.UserApiImpl;
import com.hjzgg.auth.util.OAuthValidate;
import com.hjzgg.auth.util.RedisUtil;
import org.apache.commons.lang3.StringUtils;
import org.apache.oltu.oauth2.as.issuer.MD5Generator;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
import org.apache.oltu.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.oltu.oauth2.as.request.OAuthAuthzRequest;
import org.apache.oltu.oauth2.as.request.OAuthTokenRequest;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.OAuth;
import org.apache.oltu.oauth2.common.error.OAuthError;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.message.types.ParameterStyle;
import org.apache.oltu.oauth2.common.message.types.ResponseType;
import org.apache.oltu.oauth2.common.utils.OAuthUtils;
import org.apache.oltu.oauth2.rs.request.OAuthAccessResourceRequest;
import org.apache.oltu.oauth2.rs.response.OAuthRSResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.URI;
import java.net.URISyntaxException;/*** Created by hujunzheng on 2017/5/23.*/
@Controller
@RequestMapping(value = "oauth")
public class OAuthController {@Resourceprivate UserApiImpl userApi;@Value(value = "#{config['expiresIn']}")private String expiresIn;/*** 获取授权码-服务端** @param request* @return* @throws OAuthProblemException* @throws OAuthSystemException*/@RequestMapping(value = "/authorize", method = RequestMethod.GET)@ResponseBodypublic Object authorize(HttpServletRequest request) throws URISyntaxException, OAuthProblemException, OAuthSystemException {try {// 构建OAuth授权请求OAuthAuthzRequest oauthRequest = new OAuthAuthzRequest(request);//得到到客户端重定向地址String responseType = oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);String redirectURI = oauthRequest.getParam(OAuth.OAUTH_REDIRECT_URI);// 1.获取OAuth客户端idString clientId = oauthRequest.getClientId();// 校验客户端id是否正确LightUserResult lightUserResult = userApi.queryUserByClientId(clientId);if (null == lightUserResult) {OAuthResponse response =OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST).setError(OAuthError.TokenResponse.INVALID_CLIENT).setErrorDescription("无效的客户端ID").buildJSONMessage();return new ResponseEntity(response.getBody(), HttpStatus.valueOf(response.getResponseStatus()));}Subject subject = SecurityUtils.getSubject();//如果用户没有登录,跳转到登陆页面if (!subject.isAuthenticated()) {if (!login(subject, request)) {//登录失败时跳转到登陆页面HttpHeaders headers = new HttpHeaders();headers.setLocation(new URI(request.getContextPath() + "/login.jsp?"+ OAuth.OAUTH_REDIRECT_URI + "=" + redirectURI+ "&" + OAuth.OAUTH_RESPONSE_TYPE + "=" + responseType+ "&" + OAuth.OAUTH_CLIENT_ID + "=" + clientId));return new ResponseEntity(headers, HttpStatus.TEMPORARY_REDIRECT);}}// 2.生成授权码String authCode = null;// ResponseType仅支持CODE和TOKENif (responseType.equals(ResponseType.CODE.toString())) {OAuthIssuerImpl oAuthIssuer = new OAuthIssuerImpl(new MD5Generator());authCode = oAuthIssuer.authorizationCode();// 存入缓存中authCode-username
                RedisUtil.getRedis().set(authCode, lightUserResult.getUserName());}//进行OAuth响应构建OAuthASResponse.OAuthAuthorizationResponseBuilder builder =OAuthASResponse.authorizationResponse(request,HttpServletResponse.SC_FOUND);//设置授权码
            builder.setCode(authCode);//构建响应final OAuthResponse response = builder.location(redirectURI).buildQueryMessage();//根据OAuthResponse返回ResponseEntity响应HttpHeaders headers = new HttpHeaders();headers.setLocation(new URI(response.getLocationUri()));return new ResponseEntity(headers, HttpStatus.valueOf(response.getResponseStatus()));} catch (OAuthProblemException e) {//出错处理String redirectUri = e.getRedirectUri();if (OAuthUtils.isEmpty(redirectUri)) {//告诉客户端没有传入redirectUri直接报错return new ResponseEntity("OAuth callback url needs to be provided by client!!!", HttpStatus.NOT_FOUND);}//返回错误消息(如?error=)final OAuthResponse response =OAuthASResponse.errorResponse(HttpServletResponse.SC_FOUND).error(e).location(redirectUri).buildQueryMessage();HttpHeaders headers = new HttpHeaders();headers.setLocation(new URI(response.getLocationUri()));return new ResponseEntity(headers, HttpStatus.valueOf(response.getResponseStatus()));} catch (Exception e) {return new ResponseEntity("内部错误", HttpStatus.valueOf(HttpServletResponse.SC_INTERNAL_SERVER_ERROR));}}private boolean login(Subject subject, HttpServletRequest request) {if ("get".equalsIgnoreCase(request.getMethod())) {return false;}String username = request.getParameter("username");String password = request.getParameter("password");if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {return false;}UsernamePasswordToken token = new UsernamePasswordToken(username, password);try {subject.login(token);return true;} catch (Exception e) {request.setAttribute("error", "登录失败:" + e.getClass().getName());return false;}}/*** 获取访问令牌** @param request* @return* @throws OAuthProblemException* @throws OAuthSystemException*/@RequestMapping(value = "accessToken", method = RequestMethod.POST)@ResponseBodypublic Object accessToken(HttpServletRequest request) throws OAuthProblemException, OAuthSystemException {try {// 构建OAuth请求OAuthTokenRequest tokenRequest = new OAuthTokenRequest(request);// 1.获取OAuth客户端idString clientId = tokenRequest.getClientId();// 校验客户端id是否正确LightUserResult lightUserResult = userApi.queryUserByClientId(clientId);if (null == lightUserResult) {OAuthResponse oAuthResponse = OAuthResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST).setError(OAuthError.TokenResponse.INVALID_CLIENT).setErrorDescription("无效的客户端ID").buildJSONMessage();return new ResponseEntity(oAuthResponse.getBody(), HttpStatus.valueOf(oAuthResponse.getResponseStatus()));}// 2.检查客户端安全key是否正确if (!lightUserResult.getClientSecret().equals(tokenRequest.getClientSecret())) {OAuthResponse oAuthResponse = OAuthResponse.errorResponse(HttpServletResponse.SC_UNAUTHORIZED).setError(OAuthError.TokenResponse.UNAUTHORIZED_CLIENT).setErrorDescription("客户端安全key认证不通过").buildJSONMessage();return new ResponseEntity<>(oAuthResponse.getBody(), HttpStatus.valueOf(oAuthResponse.getResponseStatus()));}// 3.检查授权码是否正确String authCode = tokenRequest.getParam(OAuth.OAUTH_CODE);// 检查验证类型,此处只检查AUTHORIZATION_CODE类型,其他的还有password或REFRESH_TOKENif (!tokenRequest.getParam(OAuth.OAUTH_GRANT_TYPE).equals(GrantType.AUTHORIZATION_CODE.toString())) {if (null == RedisUtil.getRedis().get(authCode)) {OAuthResponse response = OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST).setError(OAuthError.TokenResponse.INVALID_GRANT).setErrorDescription("授权码错误").buildJSONMessage();return new ResponseEntity(response.getBody(), HttpStatus.valueOf(response.getResponseStatus()));}}// 4.生成访问令牌Access TokenOAuthIssuer oAuthIssuer = new OAuthIssuerImpl(new MD5Generator());final String accessToken = oAuthIssuer.accessToken();// 将访问令牌加入缓存:accessToken-username
            RedisUtil.getRedis().set(accessToken, lightUserResult.getUserName());// 5.生成OAuth响应OAuthResponse response = OAuthASResponse.tokenResponse(HttpServletResponse.SC_OK).setAccessToken(accessToken).setExpiresIn(expiresIn).buildJSONMessage();return new ResponseEntity(response.getBody(), HttpStatus.valueOf(response.getResponseStatus()));} catch (Exception e) {e.printStackTrace();return new ResponseEntity("内部错误", HttpStatus.valueOf(HttpServletResponse.SC_INTERNAL_SERVER_ERROR));}}@RequestMapping("validate")@ResponseBodypublic JSONObject oauthValidate(HttpServletRequest request) throws OAuthSystemException, OAuthProblemException {ResponseEntity responseEntity = OAuthValidate.oauthValidate(request);JSONObject result = new JSONObject();result.put("msg", responseEntity.getBody());result.put("code", responseEntity.getStatusCode().value());return result;}@RequestMapping(value = "userInfo", method = RequestMethod.GET)@ResponseBodypublic Object userInfo(HttpServletRequest request) throws OAuthSystemException, OAuthProblemException {try {//构建OAuth资源请求OAuthAccessResourceRequest oauthRequest =new OAuthAccessResourceRequest(request, ParameterStyle.QUERY);//获取Access TokenString accessToken = oauthRequest.getAccessToken();//验证Access TokenResponseEntity responseEntity = OAuthValidate.oauthValidate(request);if (responseEntity.getStatusCode() != HttpStatus.OK) {// 如果不存在/过期了,返回未验证错误,需重新验证OAuthResponse oauthResponse = OAuthRSResponse.errorResponse(HttpServletResponse.SC_UNAUTHORIZED).setRealm("auth-web").setError(OAuthError.ResourceResponse.INVALID_TOKEN).buildHeaderMessage();HttpHeaders headers = new HttpHeaders();headers.add(OAuth.HeaderType.WWW_AUTHENTICATE,oauthResponse.getHeader(OAuth.HeaderType.WWW_AUTHENTICATE));return new ResponseEntity(headers, HttpStatus.UNAUTHORIZED);}//返回用户名String username = RedisUtil.getRedis().get(accessToken);return new ResponseEntity(username, HttpStatus.OK);} catch (OAuthProblemException e) {//检查是否设置了错误码String errorCode = e.getError();if (OAuthUtils.isEmpty(errorCode)) {OAuthResponse oauthResponse = OAuthRSResponse.errorResponse(HttpServletResponse.SC_UNAUTHORIZED).setRealm("auth-web").buildHeaderMessage();HttpHeaders headers = new HttpHeaders();headers.add(OAuth.HeaderType.WWW_AUTHENTICATE,oauthResponse.getHeader(OAuth.HeaderType.WWW_AUTHENTICATE));return new ResponseEntity(headers, HttpStatus.UNAUTHORIZED);}OAuthResponse oauthResponse = OAuthRSResponse.errorResponse(HttpServletResponse.SC_UNAUTHORIZED).setRealm("auth-web").setError(e.getError()).setErrorDescription(e.getDescription()).setErrorUri(e.getUri()).buildHeaderMessage();HttpHeaders headers = new HttpHeaders();headers.add(OAuth.HeaderType.WWW_AUTHENTICATE,oauthResponse.getHeader(OAuth.HeaderType.WWW_AUTHENTICATE));return new ResponseEntity(HttpStatus.BAD_REQUEST);}}
}

  注重看一下authorize授权方法的逻辑

四、流程图

  

五、优化

  服务端获取登录前url可以利用shiro的一个工具类WebUtils

  

  客户端向服务端发起授权请求时,如果服务端没有登录则先将对应的URL存储起来并重定向到服务端的登录页,待服务端登录成功之后,FormAuthenticationFilter会调用onLoginSuccess方法。

  

  再看看issueSuccessRedirect方法的源码,一看就不言而喻了。

  

六、源码下载

  更多详细信息,请参考源码哦!

shiro整合oauth相关推荐

  1. SpringBoot基于Shiro整合OAuth统一认证

    修改配置文件application.yml

  2. SpringBoot与Shiro整合-概述

    主要讲解如何使用Spring Boot与Shiro进行整合使用,实现强大的用户权限管理,其中涉及如何完成用户认证(即用户登录),用户授权,thymeleaf页面整合shiro权限标签等知识点 Spri ...

  3. springboot 与shiro整合

    shiro~ shiro快速入门 springboot 整合shiro 核心目标 清爽pom 用户认证授权认证,与数据库交互 shiro configuration 核心controller 获取sh ...

  4. Shiro 整合 SpringBoot

    Shiro 整合 SpringBoot shiro主要有三大功能模块 Subject:主体,一般指用户. SecurityManager:安全管理器,管理所有Subject,可以配合内部安全组件.(类 ...

  5. shiro整合mybatis数据库

    使用shiro实现用户拦截和登录验证之后,整合mybatis数据库 1.导入依赖 <dependencies><dependency><groupId>mysql& ...

  6. java shiro jwt_Springboot实现Shiro整合JWT的示例代码

    写在前面 之前想尝试把JWT和Shiro结合到一起,但是在网上查了些博客,也没太有看懂,所以就自己重新研究了一下Shiro的工作机制,然后自己想了个(傻逼)办法把JWT和Shiro整合到一起了 另外接 ...

  7. Shiro 整合SpringMVC 并实现权限管理,登录和注销

    Shiro 整合SpringMVC 并且实现权限管理,登录和注销 Apache Shiro是Java的一个安全框架.目前,使用Apache Shiro的人越来越多,因为它相当简单,对比Spring S ...

  8. Springboot -Shiro整合JWT(注解形式)

    Springboot -Shiro整合JWT(注解形式) 在这里只展示核心代码,具体的请访问github 参考timo 依赖导入 <dependencies><dependency& ...

  9. 《SpringBoot与Shiro整合-权限管理实战---从构建到模拟数据库登入》

    <SpringBoot与Shiro整合-权限管理实战> ---- 从构建到模拟数据库登入 ---- 点击下载源码 ---- 或者查看? 文章目录 <SpringBoot与Shiro整 ...

最新文章

  1. [GRYZ2015]快排练习
  2. Android 再谈handler
  3. js经典试题之数据类型
  4. html5播放视频只有声音不出现画面?
  5. mysql 日期和时间函数_介绍一下mysql的日期和时间函数
  6. Chrome保存mht网页文件的方法 – 无需任何插件,完美!
  7. win 10 1709安装linux,小编详解win10 1709安装教程
  8. 用 3 只“鸽子”,告诉你闪电网络如何改变加密消息传递方式!
  9. VB 创建快捷方式函数(可带参数)
  10. 他是第一个到达学校的人英语_孩子学英语效果慢?那是因为孩子还没学会掌握“自然拼读”...
  11. 【车辆计数】基于matlab形态学停车场车辆计数【含Matlab源码 628期】
  12. Linux考试题(带答案)
  13. stm32_电容触摸按键
  14. 未来已来 云上安全SaaS化势不可挡
  15. 用蒲公英进行内测更新
  16. Win10安装Kali子系统
  17. excel切片器显示错误_带切片器的Excel弹出选择器工具
  18. java入门基础(四)
  19. TouchGFX- 1 - 简介与安装
  20. 深入理解Java虚拟机(周志明第三版)- 第十二章:Java内存模型与线程

热门文章

  1. C# 写Windows服务
  2. html内通过parentNode来得到上级对象,与此对应的,还有childNodes[x]得到下级对象...
  3. Spring4实战学习笔记
  4. 度量,跟踪和日志记录
  5. Linux 文件系统剖析
  6. php连接Mysql
  7. int、bigint、smallint 和 tinyint
  8. Asp.net支持的最大上传文件大小
  9. posix_memalign
  10. linux下使用NetBeans调试libevent库