重构单点登陆模块，现适用于几乎所有前后分离场景。

重做缓存配置，优化shiro多次重复读取问题
添加shiro-redis配置(boot版)

build.gradle

@@ -25,7 +25,7 @@ buildscript {
         swagger_version = '2.7.0'
         fastjson_version = '1.2.44'
         pinyin4j_version = '2.5.1'
-        kisso_version = '3.6.13'
+//        kisso_version = '3.6.13'
         caffeine_version = '2.6.1'
         shiro_version = '1.4.0'
     }
@@ -72,10 +72,10 @@ subprojects {
         testCompile("junit:junit:$junit_version")
 
         // session
-        // compile('org.springframework.session:spring-session-data-redis')
+//        compile('org.springframework.session:spring-session-data-redis')
 
         // shiro
-        // compile('org.apache.shiro:shiro-spring:$shiro_version')
+        compile("org.apache.shiro:shiro-spring:$shiro_version")
 
         // commons
         compile("commons-io:commons-io:$commons_io_version")
@@ -120,7 +120,7 @@ subprojects {
         compile('com.github.shihyuho:jackson-dynamic-filter:1.0')
 
         // sso
-        compile("com.baomidou:kisso:$kisso_version")
+//        compile("com.baomidou:kisso:$kisso_version")
 
         // activiti
 //        compile("org.activiti:activiti-spring-boot-starter-basic:$activiti_starter_version")

zen-api/src/main/kotlin/com/gxzc/zen/umps/common/ZenShiroRealm.kt

@@ -0,0 +1,60 @@
+package com.gxzc.zen.umps.common
+
+import com.gxzc.zen.api.sys.service.ISysUserService
+import org.apache.shiro.authc.AuthenticationInfo
+import org.apache.shiro.authc.AuthenticationToken
+import org.apache.shiro.authc.SimpleAuthenticationInfo
+import org.apache.shiro.authc.UnknownAccountException
+import org.apache.shiro.authz.AuthorizationInfo
+import org.apache.shiro.authz.SimpleAuthorizationInfo
+import org.apache.shiro.realm.AuthorizingRealm
+import org.apache.shiro.subject.PrincipalCollection
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+class ZenShiroRealm : AuthorizingRealm() {
+    companion object {
+        private val logger = LoggerFactory.getLogger(ZenShiroRealm::class.java)
+    }
+
+    @Autowired
+    private lateinit var userService: ISysUserService
+
+    init {
+        this.name = "zenShiro"
+    }
+
+    /**
+     * 登陆验证
+     */
+    override fun doGetAuthenticationInfo(token: AuthenticationToken): AuthenticationInfo {
+        logger.debug("ZenShiroRealm doGetAuthenticationInfo [${token.principal}]")
+        val account = token.principal as String
+
+        // 获取用户信息
+        val user = userService.getUserByAccountCacheable(account) ?: throw UnknownAccountException()
+
+        // TODO 账号锁定判定
+
+        // TODO 获取权限信息
+
+
+        return SimpleAuthenticationInfo(user.account, user.password, ZenSimpleByteSource(user.account + user.salt), user.username)
+    }
+
+    /**
+     * 权限 角色 hasRoles hasPermission
+     */
+    override fun doGetAuthorizationInfo(principals: PrincipalCollection?): AuthorizationInfo {
+        logger.debug("ZenShiroRealm doGetAuthorizationInfo [$principals]")
+        return SimpleAuthorizationInfo().apply {
+            addRole("testRole")
+        }
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/common/ZenSimpleByteSource.kt

@@ -0,0 +1,106 @@
+package com.gxzc.zen.umps.common
+
+import org.apache.shiro.codec.Base64
+import org.apache.shiro.codec.CodecSupport
+import org.apache.shiro.codec.Hex
+import org.apache.shiro.util.ByteSource
+import java.io.File
+import java.io.InputStream
+import java.io.Serializable
+import java.util.*
+
+/**
+ * 实现序列化接口,否则 序列化 反序列化 凉凉
+ * @author NorthLan
+ * @date 2018/4/24
+ * @url https://noahlan.com
+ */
+class ZenSimpleByteSource : ByteSource, Serializable {
+    companion object {
+        private const val serialVersionUID = 5640224091610182940L
+    }
+
+    private var bytes: ByteArray? = null
+    private var cachedHex: String? = null
+    private var cachedBase64: String? = null
+
+    constructor()
+    constructor(bytes: ByteArray?) {
+        this.bytes = bytes
+    }
+
+    constructor(chars: CharArray?) {
+        this.bytes = CodecSupport.toBytes(chars)
+    }
+
+    constructor(string: String?) {
+        this.bytes = CodecSupport.toBytes(string)
+    }
+
+    constructor(source: ByteSource?) {
+        this.bytes = source?.bytes
+    }
+
+    constructor(file: File?) {
+        this.bytes = BytesHelper().getBytes(file)
+    }
+
+    constructor(stream: InputStream?) {
+        this.bytes = BytesHelper().getBytes(stream)
+    }
+
+    override fun toHex(): String? {
+        if (this.cachedHex == null) {
+            this.cachedHex = Hex.encodeToString(getBytes())
+        }
+        return this.cachedHex
+    }
+
+    override fun isEmpty(): Boolean {
+        return this.bytes == null || this.bytes!!.isEmpty()
+    }
+
+    override fun getBytes(): ByteArray? {
+        return this.bytes
+    }
+
+    override fun toBase64(): String {
+        if (this.cachedBase64 == null) {
+            this.cachedBase64 = Base64.encodeToString(getBytes())
+        }
+        return this.cachedBase64!!
+    }
+
+    override fun toString(): String {
+        return toBase64()
+    }
+
+    override fun hashCode(): Int {
+        return if (isEmpty) {
+            0
+        } else Arrays.hashCode(this.bytes)
+    }
+
+    override fun equals(other: Any?): Boolean {
+        if (other === this) {
+            return true
+        }
+        if (other is ByteSource) {
+            val bs = other as ByteSource?
+            return Arrays.equals(getBytes(), bs!!.bytes)
+        }
+        return false
+    }
+
+    private class BytesHelper : CodecSupport {
+        constructor()
+
+        fun getBytes(file: File?): ByteArray {
+            return toBytes(file)
+        }
+
+        fun getBytes(stream: InputStream?): ByteArray {
+            return toBytes(stream)
+        }
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/CORSFilter.kt

@@ -1,33 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import org.springframework.http.HttpMethod
-import org.springframework.stereotype.Component
-import org.springframework.web.filter.OncePerRequestFilter
-import javax.servlet.FilterChain
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
-
-/**
- *
- * @author NorthLan
- * @date 2018/3/1
- * @url https://noahlan.com
- */
-@Component
-class CORSFilter : OncePerRequestFilter() {
-    override fun doFilterInternal(request: HttpServletRequest, response: HttpServletResponse, filterChain: FilterChain) {
-        response.let {
-            it.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))//request.getHeader("Origin")
-            it.addHeader("Access-Control-Allow-Credentials", "true")
-            it.addHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH")
-            it.addHeader("Access-Control-Max-Age", "3600")
-            it.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept")
-            val method = HttpMethod.valueOf(request.method)
-            if (method == HttpMethod.POST || method == HttpMethod.PUT) {
-                it.addHeader("Access-Control-Expose-Headers", "Location")
-            }
-        }
-
-        filterChain.doFilter(request, response)
-    }
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/KissoAuthorization.kt

@@ -1,31 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import com.baomidou.kisso.SSOAuthorization
-import com.baomidou.kisso.Token
-import com.gxzc.zen.api.sys.service.ISysPermissionService
-import com.gxzc.zen.common.util.PlatformUtil
-import com.gxzc.zen.common.util.SpringContextHolder
-import com.gxzc.zen.umps.util.PermissionUtil
-import org.apache.commons.lang3.StringUtils
-
-/**
- * Kisso权限验证
- * 支持多级权限
- * 精确到按钮级别
- */
-class KissoAuthorization : SSOAuthorization {
-    override fun isPermitted(token: Token?, permission: String?): Boolean {
-        if (token == null) {
-            return false
-        }
-
-        if (!StringUtils.isNumeric(token.uid.toString())) {
-            return false
-        }
-        val realPerm = "${PlatformUtil.getPlatformId()}:$permission"
-        return PermissionUtil.isPermitted(realPerm, permissionService.getPermissionSetByUserId(token.uid.toLong()))
-    }
-
-    //    private val cacheManager = SpringContextHolder.getBean(CacheManager::class.java)
-    private val permissionService = SpringContextHolder.getBean(ISysPermissionService::class.java)
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/KissoConfig.kt

@@ -1,20 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import com.baomidou.kisso.web.WebKissoConfigurer
-import org.springframework.context.annotation.Bean
-import org.springframework.context.annotation.Configuration
-
-/**
- *
- * @author NorthLan
- * @date 2018/3/5
- * @url https://noahlan.com
- */
-@Configuration
-class KissoConfig {
-
-    @Bean
-    fun webKissoConfigurer(): WebKissoConfigurer {
-        return WebKissoConfigurer("properties/sso.properties").also { it.initKisso() }
-    }
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/KissoHandlerInterceptor.kt

@@ -1,21 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import com.baomidou.kisso.web.handler.KissoDefaultHandler
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
-
-/**
- * SSO拦截处理器
- * @author NorthLan
- * @date 2018/3/10
- * @url https://noahlan.com
- */
-class KissoHandlerInterceptor : KissoDefaultHandler() {
-
-    /**
-     * 由于前后分离,所以将非ajax返回处理为ajax返回 (401)
-     */
-    override fun preTokenIsNull(request: HttpServletRequest?, response: HttpServletResponse?): Boolean {
-        return super.preTokenIsNullAjax(request, response)
-    }
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/KissoPermissionInterceptor.kt

@@ -1,61 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import com.baomidou.kisso.SSOConfig
-import com.baomidou.kisso.SSOToken
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Permission
-import com.baomidou.kisso.web.interceptor.SSOPermissionInterceptor
-import org.springframework.web.method.HandlerMethod
-import javax.servlet.http.HttpServletRequest
-
-
-/**
- * 自定义权限验证 修改
- * 当无 @Permission 注解时可配置的跳过权限验证
- * @author NorthLan
- * @date 2018/3/10
- * @url https://noahlan.com
- */
-class KissoPermissionInterceptor : SSOPermissionInterceptor() {
-    var nothingAnnotationPass = false
-
-    override fun isVerification(request: HttpServletRequest, handler: Any?, token: SSOToken?): Boolean {
-        /*
-         * URL 权限认证
-		 */
-        if (SSOConfig.getInstance().isPermissionUri) {
-            val uri = request.requestURI
-            if (uri == null || this.authorization.isPermitted(token, uri)) {
-                return true
-            }
-        }
-        /*
-		 * 注解权限认证
-		 */
-        val handlerMethod = handler as HandlerMethod
-        val method = handlerMethod.method
-        val pm = method.getAnnotation(Permission::class.java)
-        if (pm != null) {
-            if (pm.action === Action.Skip) {
-                /**
-                 * 忽略拦截
-                 */
-                return true
-            } else if ("" != pm.value && this.authorization.isPermitted(token, pm.value)) {
-                /**
-                 * 权限合法
-                 */
-                return true
-            }
-        } else if (this.nothingAnnotationPass) {
-            /**
-             * 无注解情况下，设置为true，不进行权限验证
-             */
-            return true
-        }
-        /*
-		 * 非法访问
-		 */
-        return false
-    }
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/KissoWebAppConfigurer.kt

@@ -1,45 +0,0 @@
-package com.gxzc.zen.umps.config
-
-import com.baomidou.kisso.web.interceptor.SSOSpringInterceptor
-import org.springframework.context.annotation.Configuration
-import org.springframework.web.bind.annotation.ControllerAdvice
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
-
-/**
- * kisso配置
- * 跳过 swagger-ui 验证
- */
-@ControllerAdvice
-@Configuration
-class KissoWebAppConfigurer : WebMvcConfigurerAdapter() {
-
-    override fun addInterceptors(registry: InterceptorRegistry) {
-        // 登录拦截
-        registry.addInterceptor(SSOSpringInterceptor().apply { handlerInterceptor = KissoHandlerInterceptor() })
-                .addPathPatterns("/**")
-                .excludePathPatterns(
-                        "/auth/login",
-                        "/swagger-ui.html",       // swagger-ui html
-                        "/v2/api-docs",           // swagger
-                        "/webjars/**",            // swagger-ui webjars
-                        "/swagger-resources/**",  // swagger-ui resources
-                        "/configuration/**"      // swagger configuration
-                )
-        // 权限拦截
-        registry.addInterceptor(KissoPermissionInterceptor().apply {
-            authorization = KissoAuthorization()
-            nothingAnnotationPass = true
-        })
-                .addPathPatterns("/**")
-                .excludePathPatterns(
-                        "/auth/login",
-                        "/swagger-ui.html",       // swagger-ui html
-                        "/v2/api-docs",           // swagger
-                        "/webjars/**",            // swagger-ui webjars
-                        "/swagger-resources/**",  // swagger-ui resources
-                        "/configuration/**"      // swagger configuration
-                )
-//        super.addInterceptors(registry)
-    }
-}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ShiroConfig.kt

@@ -0,0 +1,179 @@
+package com.gxzc.zen.umps.config
+
+import com.gxzc.zen.umps.common.ZenShiroRealm
+import com.gxzc.zen.umps.constant.ZenHttpSession
+import com.gxzc.zen.umps.filter.AjaxAuthorizationFilter
+import com.gxzc.zen.umps.filter.UrlPermissionsFilter
+import com.gxzc.zen.umps.filter.ZenCorsAnonymousFilter
+import com.gxzc.zen.umps.filter.ZenCorsPathMatchingFilter
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher
+import org.apache.shiro.spring.LifecycleBeanPostProcessor
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean
+import org.apache.shiro.web.filter.authc.AnonymousFilter
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager
+import org.apache.shiro.web.servlet.SimpleCookie
+import org.springframework.boot.context.properties.ConfigurationProperties
+import org.springframework.boot.web.servlet.FilterRegistrationBean
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.DependsOn
+import org.springframework.data.redis.connection.jedis.JedisConnectionFactory
+import org.springframework.data.redis.core.RedisTemplate
+import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer
+import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer
+import org.springframework.data.redis.serializer.StringRedisSerializer
+import org.springframework.web.filter.DelegatingFilterProxy
+import javax.servlet.DispatcherType
+import javax.servlet.Filter
+
+
+/**
+ * Shiro配置
+ * @author NorthLan
+ * @date 2018/4/21
+ * @url https://noahlan.com
+ */
+@Configuration
+class ShiroConfig {
+
+    @Bean
+    @ConfigurationProperties(prefix = "shiro.redis")
+    fun shiroRedisProperties(): ShiroRedisProperties {
+        return ShiroRedisProperties()
+    }
+
+    @Bean("shiroFilterRegistrationBean")
+    @DependsOn("shiroFilter")
+    fun filterRegistrationBean(): FilterRegistrationBean {
+        return FilterRegistrationBean().apply {
+            filter = DelegatingFilterProxy("shiroFilter")
+            isEnabled = true
+            addUrlPatterns("/*")
+            setDispatcherTypes(DispatcherType.REQUEST)
+        }
+    }
+
+    @Bean(name = ["shiroFilter"])
+    fun shiroFilter(): ShiroFilterFactoryBean {
+        return ShiroFilterFactoryBean().apply {
+            securityManager = securityManager()
+//            loginUrl = "/login"
+//            unauthorizedUrl = "/unauthor"
+
+            filters = hashMapOf<String, Filter>(
+                    "canon" to ZenCorsAnonymousFilter(),
+                    "cors" to ZenCorsPathMatchingFilter(),
+                    "perms" to UrlPermissionsFilter(),
+                    "authc" to AjaxAuthorizationFilter(),
+                    "anon" to AnonymousFilter()
+            )
+            /**
+             * anon（匿名）  org.apache.shiro.web.filter.authc.AnonymousFilter
+             * authc（身份验证）       org.apache.shiro.web.filter.authc.FormAuthenticationFilter
+             * authcBasic（http基本验证）    org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
+             * logout（退出）        org.apache.shiro.web.filter.authc.LogoutFilter
+             * noSessionCreation（不创建session） org.apache.shiro.web.filter.session.NoSessionCreationFilter
+             * perms(许可验证)  org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
+             * port（端口验证）   org.apache.shiro.web.filter.authz.PortFilter
+             * rest  (rest方面)  org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
+             * roles（权限验证）  org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
+             * ssl （ssl方面）   org.apache.shiro.web.filter.authz.SslFilter
+             * member （用户方面）  org.apache.shiro.web.filter.authc.UserFilter
+             * user  表示用户不一定已通过认证,只要曾被Shiro记住过登录状态的用户就可以正常发起请求,比如rememberMe
+             */
+            filterChainDefinitionMap = hashMapOf<String, String>(
+                    "/auth/login" to "canon", // 登陆
+                    "/auth/setcookie" to "canon", // 设置cookie
+                    "/auth/hello" to "canon", // 获取cookie
+                    "/auth/logout" to "logout", // 登出
+                    //
+                    "/base/**" to "canon",
+                    "/css/**" to "canon",
+                    "/layer/**" to "canon",
+                    "/**" to "cors,authc"
+            )
+        }
+    }
+
+    @Bean(name = ["securityManager"])
+    fun securityManager(): DefaultWebSecurityManager {
+        return DefaultWebSecurityManager().apply {
+            setRealm(userRealm())
+            cacheManager = redisCacheManager()
+            sessionManager = defaultWebSessionManager()
+        }
+    }
+
+    @Bean(name = ["sessionManager"])
+    fun defaultWebSessionManager(): ZenWebSessionManager {
+        return ZenWebSessionManager().apply {
+            setCacheManager(redisCacheManager())
+            globalSessionTimeout = 1800000
+            isDeleteInvalidSessions = true
+            isSessionValidationSchedulerEnabled = true
+            isDeleteInvalidSessions = true
+            sessionDAO = redisSessionDAO()
+            sessionIdCookie = SimpleCookie(ZenHttpSession.DEFAULT_SESSION_ID_NAME).apply {
+                isHttpOnly = true
+            }
+        }
+    }
+
+    @Bean
+    fun redisSessionDAO(): ShiroRedisSessionDAO {
+        return ShiroRedisSessionDAO(redisTemplate(), shiroRedisProperties())
+    }
+
+    @Bean
+    @DependsOn(value = ["shiroLifecycleBeanPostProcessor", "shrioRedisCacheManager"])
+    fun userRealm(): ZenShiroRealm {
+        return ZenShiroRealm().apply {
+            cacheManager = redisCacheManager()
+            isCachingEnabled = true
+            isAuthenticationCachingEnabled = true
+            isAuthorizationCachingEnabled = true
+
+            //TODO 以下 hash 验证,后期的重试 ban 可重写此类实现
+            credentialsMatcher = HashedCredentialsMatcher().also {
+                it.hashAlgorithmName = "md5"
+                it.hashIterations = 2 // 两次md5
+            }
+        }
+    }
+
+    @Bean(name = ["shrioRedisCacheManager"])
+    @DependsOn(value = ["shiroRedisTemplate"])
+    fun redisCacheManager(): ShiroRedisCacheManager {
+        return ShiroRedisCacheManager(redisTemplate(), shiroRedisProperties())
+    }
+
+    @Bean(name = ["shiroRedisTemplate"])
+    fun redisTemplate(): RedisTemplate<String, Any> {
+        return RedisTemplate<String, Any>().apply {
+            connectionFactory = connectionFactory()
+
+            val stringSerializer = StringRedisSerializer()
+            keySerializer = stringSerializer
+            valueSerializer = JdkSerializationRedisSerializer()
+            hashKeySerializer = stringSerializer
+            hashValueSerializer = Jackson2JsonRedisSerializer(Any::class.java)
+        }
+    }
+
+    @Bean("shiroRedisConnectionFactory")
+    fun connectionFactory(): JedisConnectionFactory {
+        val properties = shiroRedisProperties()
+        return JedisConnectionFactory().apply {
+            database = properties.database
+            hostName = properties.host
+            password = properties.password
+            port = properties.port
+            timeout = properties.timeout
+        }
+    }
+
+    @Bean("shiroLifecycleBeanPostProcessor")
+    fun lifecycleBeanPostProcessor(): LifecycleBeanPostProcessor {
+        return LifecycleBeanPostProcessor()
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ShiroRedisCache.kt

@@ -0,0 +1,118 @@
+package com.gxzc.zen.umps.config
+
+import com.gxzc.zen.common.config.cache.redis.RedisKeyGenerator
+import com.gxzc.zen.umps.util.SerializeUtils
+import org.apache.shiro.cache.Cache
+import org.apache.shiro.cache.CacheException
+import org.apache.shiro.subject.PrincipalCollection
+import org.slf4j.LoggerFactory
+import org.springframework.data.redis.core.RedisTemplate
+import java.nio.charset.Charset
+import java.util.*
+import java.util.concurrent.TimeUnit
+
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+@Suppress("UNCHECKED_CAST")
+class ShiroRedisCache<V> : Cache<Any, V> {
+    companion object {
+        private val logger = LoggerFactory.getLogger(ShiroRedisCache::class.java)
+    }
+
+    private var redisTemplate: RedisTemplate<String, V>
+    private var prefix = "zen_shiro_redis:"
+    private var charset: Charset = Charsets.UTF_8
+    private val properties: ShiroRedisProperties
+
+    constructor(redisTemplate: RedisTemplate<String, V>, properties: ShiroRedisProperties) {
+        this.redisTemplate = redisTemplate
+        this.properties = properties
+    }
+
+    constructor(redisTemplate: RedisTemplate<String, V>, prefix: String, properties: ShiroRedisProperties, charset: Charset = Charsets.UTF_8) {
+        this.redisTemplate = redisTemplate
+        this.prefix = prefix
+        this.properties = properties
+        this.charset = charset
+    }
+
+    override fun values(): MutableCollection<V> {
+        val keys = keys()
+        val values = ArrayList<V>(keys.size)
+        for (k in keys) {
+            get(k)?.let {
+                values.add(it)
+            }
+        }
+        return values
+    }
+
+    override fun clear() {
+        redisTemplate.delete(keys())
+    }
+
+    override fun put(p0: Any?, p1: V?): V? {
+        logger.debug("Put/ Key: $p0, value: $p1")
+        if (p0 == null || p1 == null) {
+            return null
+        }
+        return try {
+            redisTemplate.boundValueOps(getByteKey(p0)).set(p1)
+//            vo.expire(properties.cacheTime, TimeUnit.SECONDS)
+            p1
+        } catch (e: Throwable) {
+            throw CacheException(e)
+        }
+    }
+
+    override fun remove(p0: Any?): V? {
+        logger.debug("Remove/ Key: $p0")
+        if (p0 == null) {
+            return null
+        }
+        return try {
+            val key = getByteKey(p0)
+            val v = redisTemplate.boundValueOps(key).get()
+            redisTemplate.delete(key)
+            v
+        } catch (e: Throwable) {
+            throw CacheException(e)
+        }
+    }
+
+    override fun size(): Int {
+        return keys().size
+    }
+
+    override fun get(p0: Any?): V? {
+        logger.debug("Get/ key: $p0")
+        if (p0 == null) {
+            return null
+        }
+        return try {
+            val vo = redisTemplate.boundValueOps(getByteKey(p0))
+            vo.expire(properties.cacheTime, TimeUnit.SECONDS)
+            vo.get()
+        } catch (e: Throwable) {
+            throw CacheException(e)
+        }
+    }
+
+    override fun keys(): MutableSet<String> {
+        logger.debug("Keys/ ")
+        return redisTemplate.keys(getByteKey("*"))
+    }
+
+    private fun getByteKey(key: Any): String? {
+        return when (key) {
+            is String -> "${this.prefix}${RedisKeyGenerator.SEPARATOR}$key"
+            is PrincipalCollection -> getByteKey(key.primaryPrincipal)
+            else -> SerializeUtils.serialize(key).toString()
+        }
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ShiroRedisCacheManager.kt

@@ -0,0 +1,27 @@
+package com.gxzc.zen.umps.config
+
+import org.apache.shiro.cache.AbstractCacheManager
+import org.apache.shiro.cache.Cache
+import org.springframework.data.redis.core.RedisTemplate
+
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+class ShiroRedisCacheManager : AbstractCacheManager {
+    private val redisTemplate: RedisTemplate<String, Any>
+
+    private val properties: ShiroRedisProperties
+
+    constructor(redisTemplate: RedisTemplate<String, Any>, properties: ShiroRedisProperties) {
+        this.redisTemplate = redisTemplate
+        this.properties = properties
+    }
+
+    override fun createCache(p0: String): Cache<*, *> {
+        return ShiroRedisCache(redisTemplate, p0, properties)
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ShiroRedisProperties.kt

@@ -0,0 +1,88 @@
+package com.gxzc.zen.umps.config
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/24
+ * @url https://noahlan.com
+ */
+class ShiroRedisProperties {
+    /**
+     * Database index used by the connection factory.
+     */
+    var database = 1
+
+    /**
+     * Redis url, which will overrule host, port and password if set.
+     */
+    var url: String? = null
+
+    /**
+     * Redis server host.
+     */
+    var host = "localhost"
+
+    /**
+     * Login password of the redis server.
+     */
+    var password: String? = null
+
+    /**
+     * Redis server port.
+     */
+    var port = 6379
+
+    /**
+     * Connection timeout in milliseconds.
+     */
+    var timeout: Int = 0
+
+    /**
+     * Session Prefix
+     */
+    var sessionPrefix: String? = null
+
+    /**
+     * Seconds
+     */
+    var sessionTime: Long = 0
+
+    /**
+     * Redis cache key prefix
+     */
+    var cachePrefix: String? = null
+
+    /**
+     * Redis cache expires (Seconds)
+     */
+    var cacheTime: Long = 0
+
+    var pool: Pool = Pool()
+
+    class Pool {
+        /**
+         * Max number of "idle" connections in the pool. Use a negative value to indicate
+         * an unlimited number of idle connections.
+         */
+        var maxIdle = 8
+
+        /**
+         * Target for the minimum number of idle connections to maintain in the pool. This
+         * setting only has an effect if it is positive.
+         */
+        var minIdle = 0
+
+        /**
+         * Max number of connections that can be allocated by the pool at a given time.
+         * Use a negative value for no limit.
+         */
+        var maxActive = 8
+
+        /**
+         * Maximum amount of time (in milliseconds) a connection allocation should block
+         * before throwing an exception when the pool is exhausted. Use a negative value
+         * to block indefinitely.
+         */
+        var maxWait = -1
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ShiroRedisSessionDAO.kt

@@ -0,0 +1,71 @@
+package com.gxzc.zen.umps.config
+
+import com.gxzc.zen.common.config.cache.redis.RedisKeyGenerator
+import org.apache.shiro.session.Session
+import org.apache.shiro.session.mgt.eis.AbstractSessionDAO
+import org.slf4j.LoggerFactory
+import org.springframework.data.redis.core.RedisTemplate
+import java.io.Serializable
+import java.nio.charset.Charset
+import java.util.concurrent.TimeUnit
+
+
+/**
+ * Shiro SessionDAO
+ * 若继承自 AbstractSessionDAO 则不会将Session缓存(shiro-activeSessioCache:xxx)
+ * 继承自 EnterpriseCacheSessionDAO 或 CachingSessionDAO 则自动将session缓存
+ * 由于本项目使用Redis作为缓存框架,所以不需要额外缓存开销
+ * @author NorthLan
+ * @date 2018/4/24
+ * @url https://noahlan.com
+ */
+class ShiroRedisSessionDAO : AbstractSessionDAO {
+    companion object {
+        private val logger = LoggerFactory.getLogger(ShiroRedisSessionDAO::class.java)
+    }
+
+    private val properties: ShiroRedisProperties
+    private val redisTemplate: RedisTemplate<String, Any>
+    private var charset: Charset = Charsets.UTF_8
+
+    constructor(redisTemplate: RedisTemplate<String, Any>, properties: ShiroRedisProperties, charset: Charset = Charsets.UTF_8) : super() {
+        this.redisTemplate = redisTemplate
+        this.properties = properties
+        this.charset = charset
+    }
+
+    private fun getKey(originalKey: String): String {
+        return "${properties.sessionPrefix}${RedisKeyGenerator.SEPARATOR}$originalKey"
+    }
+
+    override fun update(session: Session) {
+        logger.debug("Update Session: ${session.id}")
+        redisTemplate.opsForValue().set(getKey(session.id.toString()), session, properties.sessionTime, TimeUnit.SECONDS)
+    }
+
+    override fun getActiveSessions(): MutableCollection<Session> {
+        logger.debug("Get Active Sessions")
+        return mutableListOf()
+    }
+
+    override fun doReadSession(sessionId: Serializable): Session? {
+        logger.debug("Read Session: $sessionId")
+        return redisTemplate.opsForValue().get(getKey(sessionId.toString())) as? Session
+    }
+
+    /**
+     * 创建 session
+     */
+    override fun doCreate(session: Session): Serializable {
+        val sid = this.generateSessionId(session)
+        this.assignSessionId(session, sid)
+        logger.debug("Create Session: $sid")
+        redisTemplate.opsForValue().set(getKey(sid.toString()), session, properties.sessionTime, TimeUnit.SECONDS)
+        return sid
+    }
+
+    override fun delete(session: Session) {
+        logger.debug("Delete Session: ${session.id}")
+        redisTemplate.delete(getKey(session.id.toString()))
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/config/ZenWebSessionManager.kt

@@ -0,0 +1,309 @@
+package com.gxzc.zen.umps.config
+
+import org.apache.shiro.session.ExpiredSessionException
+import org.apache.shiro.session.InvalidSessionException
+import org.apache.shiro.session.Session
+import org.apache.shiro.session.UnknownSessionException
+import org.apache.shiro.session.mgt.DefaultSessionManager
+import org.apache.shiro.session.mgt.DelegatingSession
+import org.apache.shiro.session.mgt.SessionContext
+import org.apache.shiro.session.mgt.SessionKey
+import org.apache.shiro.web.servlet.Cookie
+import org.apache.shiro.web.servlet.ShiroHttpServletRequest
+import org.apache.shiro.web.servlet.ShiroHttpSession
+import org.apache.shiro.web.servlet.SimpleCookie
+import org.apache.shiro.web.session.mgt.WebSessionKey
+import org.apache.shiro.web.util.WebUtils
+import org.slf4j.LoggerFactory
+import java.io.Serializable
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+
+/**
+ * Copied form @link DefaultWebSessionManager
+ * 解决一次登陆多次直接读取缓存的问题
+ * 在读取前先读取本地缓存(目前存放于spring-session 中 attribute)
+ * @author NorthLan
+ * @date 2018/4/25
+ * @url https://noahlan.com
+ */
+@Suppress("unused")
+class ZenWebSessionManager : DefaultSessionManager {
+    companion object {
+        private val log = LoggerFactory.getLogger(ZenWebSessionManager::class.java)
+    }
+
+    var sessionIdCookie: Cookie? = null
+    var sessionIdCookieEnabled: Boolean = false
+    var sessionIdUrlRewritingEnabled: Boolean = false
+
+    constructor() {
+        val cookie = SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)
+        cookie.isHttpOnly = true //more secure, protects against XSS attacks
+        this.sessionIdCookie = cookie
+        this.sessionIdCookieEnabled = true
+        this.sessionIdUrlRewritingEnabled = true
+    }
+
+    private fun storeSessionId(currentId: Serializable?, request: HttpServletRequest, response: HttpServletResponse) {
+        if (currentId == null) {
+            val msg = "sessionId cannot be null when persisting for subsequent requests."
+            throw IllegalArgumentException(msg)
+        }
+        val template = sessionIdCookie
+        val cookie = SimpleCookie(template)
+        val idString = currentId.toString()
+        cookie.value = idString
+        cookie.saveTo(request, response)
+        log.trace("Set session ID cookie for session with id {}", idString)
+    }
+
+    private fun removeSessionIdCookie(request: HttpServletRequest, response: HttpServletResponse) {
+        sessionIdCookie?.removeFrom(request, response)
+    }
+
+    private fun getSessionIdCookieValue(request: ServletRequest, response: ServletResponse): String? {
+        if (!sessionIdCookieEnabled) {
+            log.debug("Session ID cookie is disabled - session id will not be acquired from a request cookie.")
+            return null
+        }
+        if (request !is HttpServletRequest) {
+            log.debug("Current request is not an HttpServletRequest - cannot get session ID cookie.  Returning null.")
+            return null
+        }
+        return sessionIdCookie?.readValue(request, WebUtils.toHttp(response))
+    }
+
+    private fun getReferencedSessionId(request: ServletRequest, response: ServletResponse): Serializable? {
+
+        var id = getSessionIdCookieValue(request, response)
+        if (id != null) {
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
+                    ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE)
+        } else {
+            //not in a cookie, or cookie is disabled - try the request URI as a fallback (i.e. due to URL rewriting):
+
+            //try the URI path segment parameters first:
+            id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME)
+
+            if (id == null) {
+                //not a URI path segment parameter, try the query parameters:
+                val name = getSessionIdName()
+                id = request.getParameter(name)
+                if (id == null) {
+                    //try lowercase:
+                    id = request.getParameter(name.toLowerCase())
+                }
+            }
+            if (id != null) {
+                request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
+                        ShiroHttpServletRequest.URL_SESSION_ID_SOURCE)
+            }
+        }
+        if (id != null) {
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id)
+            //automatically mark it valid here.  If it is invalid, the
+            //onUnknownSession method below will be invoked and we'll remove the attribute at that time.
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, java.lang.Boolean.TRUE)
+        }
+
+        // always set rewrite flag - SHIRO-361
+        request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, sessionIdUrlRewritingEnabled)
+
+        return id
+    }
+
+    //SHIRO-351
+    //also see http://cdivilly.wordpress.com/2011/04/22/java-servlets-uri-parameters/
+    //since 1.2.2
+    private fun getUriPathSegmentParamValue(servletRequest: ServletRequest, paramName: String): String? {
+
+        if (servletRequest !is HttpServletRequest) {
+            return null
+        }
+        var uri: String? = servletRequest.requestURI ?: return null
+
+        val queryStartIndex = uri!!.indexOf('?')
+        if (queryStartIndex >= 0) { //get rid of the query string
+            uri = uri.substring(0, queryStartIndex)
+        }
+
+        var index = uri.indexOf(';') //now check for path segment parameters:
+        if (index < 0) {
+            //no path segment params - return:
+            return null
+        }
+
+        //there are path segment params, let's get the last one that may exist:
+
+        val token = "$paramName="
+
+        uri = uri.substring(index + 1) //uri now contains only the path segment params
+
+        //we only care about the last JSESSIONID param:
+        index = uri.lastIndexOf(token)
+        if (index < 0) {
+            //no segment param:
+            return null
+        }
+
+        uri = uri.substring(index + token.length)
+
+        index = uri.indexOf(';') //strip off any remaining segment params:
+        if (index >= 0) {
+            uri = uri.substring(0, index)
+        }
+
+        return uri //what remains is the value
+    }
+
+    override fun retrieveSession(sessionKey: SessionKey): Session? {
+        val sessionId = getSessionId(sessionKey)
+        if (sessionId == null) {
+            log.debug("Unable to resolve session ID from SessionKey [{}].  Returning null to indicate a " + "session could not be found.", sessionKey)
+            return null
+        }
+        ////////////////////////Add by noahlan//////////////////////////////////
+        var request: ServletRequest? = null
+        if (sessionKey is WebSessionKey) {
+            request = sessionKey.servletRequest
+        }
+        if (request != null) {
+            val s = request.getAttribute(sessionId.toString())
+            if (s != null) {
+                return s as Session
+            }
+        }
+        ////////////////////////////////////////////////////////////////////////
+        val s = retrieveSessionFromDataSource(sessionId)
+        if (s == null) {
+            //session ID was provided, meaning one is expected to be found, but we couldn't find one:
+            val msg = "Could not find session with ID [$sessionId]"
+            throw UnknownSessionException(msg)
+        }
+
+        ////////////////////////Add by noahlan//////////////////////////////////
+        if (request != null) {
+            request.setAttribute(sessionId.toString(), s)
+        }
+        ///////////////////////////////////////////////////////////////////////
+        return s
+    }
+
+    //since 1.2.1
+    private fun getSessionIdName(): String {
+        var name: String? = this.sessionIdCookie?.name
+        if (name == null) {
+            name = ShiroHttpSession.DEFAULT_SESSION_ID_NAME
+        }
+        return name
+    }
+
+    override fun createExposedSession(session: Session, context: SessionContext?): Session {
+        if (!WebUtils.isWeb(context)) {
+            return super.createExposedSession(session, context)
+        }
+        val request = WebUtils.getRequest(context)
+        val response = WebUtils.getResponse(context)
+        val key = WebSessionKey(session.id, request, response)
+        return DelegatingSession(this, key)
+    }
+
+    override fun createExposedSession(session: Session, key: SessionKey?): Session {
+        if (!WebUtils.isWeb(key)) {
+            return super.createExposedSession(session, key)
+        }
+
+        val request = WebUtils.getRequest(key)
+        val response = WebUtils.getResponse(key)
+        val sessionKey = WebSessionKey(session.id, request, response)
+        return DelegatingSession(this, sessionKey)
+    }
+
+    /**
+     * Stores the Session's ID, usually as a Cookie, to associate with future requests.
+     *
+     * @param session the session that was just [created][.createSession].
+     */
+    override fun onStart(session: Session, context: SessionContext?) {
+        super.onStart(session, context)
+
+        if (!WebUtils.isHttp(context)) {
+            log.debug("SessionContext argument is not HTTP compatible or does not have an HTTP request/response " + "pair. No session ID cookie will be set.")
+            return
+
+        }
+        val request = WebUtils.getHttpRequest(context)
+        val response = WebUtils.getHttpResponse(context)
+
+        if (sessionIdCookieEnabled) {
+            val sessionId = session.id
+            storeSessionId(sessionId, request, response)
+        } else {
+            log.debug("Session ID cookie is disabled.  No cookie has been set for new session with id {}", session!!.id)
+        }
+
+        request.removeAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE)
+        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_IS_NEW, java.lang.Boolean.TRUE)
+    }
+
+    public override fun getSessionId(key: SessionKey): Serializable? {
+        var id: Serializable? = super.getSessionId(key)
+        if (id == null && WebUtils.isWeb(key)) {
+            val request = WebUtils.getRequest(key)
+            val response = WebUtils.getResponse(key)
+            id = getSessionId(request, response)
+        }
+        return id
+    }
+
+    protected fun getSessionId(request: ServletRequest, response: ServletResponse): Serializable? {
+        return getReferencedSessionId(request, response)
+    }
+
+    override fun onExpiration(s: Session, ese: ExpiredSessionException?, key: SessionKey?) {
+        super.onExpiration(s, ese, key)
+        onInvalidation(key)
+    }
+
+    override fun onInvalidation(session: Session, ise: InvalidSessionException, key: SessionKey) {
+        super.onInvalidation(session, ise, key)
+        onInvalidation(key)
+    }
+
+    private fun onInvalidation(key: SessionKey?) {
+        val request = WebUtils.getRequest(key)
+        request?.removeAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID)
+        if (WebUtils.isHttp(key)) {
+            log.debug("Referenced session was invalid.  Removing session ID cookie.")
+            removeSessionIdCookie(WebUtils.getHttpRequest(key), WebUtils.getHttpResponse(key))
+        } else {
+            log.debug("SessionKey argument is not HTTP compatible or does not have an HTTP request/response " + "pair. Session ID cookie will not be removed due to invalidated session.")
+        }
+    }
+
+    override fun onStop(session: Session, key: SessionKey?) {
+        super.onStop(session, key)
+        if (WebUtils.isHttp(key)) {
+            val request = WebUtils.getHttpRequest(key)
+            val response = WebUtils.getHttpResponse(key)
+            log.debug("Session has been stopped (subject logout or explicit stop).  Removing session ID cookie.")
+            removeSessionIdCookie(request, response)
+        } else {
+            log.debug("SessionKey argument is not HTTP compatible or does not have an HTTP request/response " + "pair. Session ID cookie will not be removed due to stopped session.")
+        }
+    }
+
+    /**
+     * This is a native session manager implementation, so this method returns `false` always.
+     *
+     * @return `false` always
+     * @since 1.2
+     */
+    fun isServletContainerSessions(): Boolean {
+        return false
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/constant/ZenHttpSession.kt

@@ -0,0 +1,12 @@
+package com.gxzc.zen.umps.constant
+
+/**
+ * 静态枚举
+ * @author NorthLan
+ * @date 2018/4/25
+ * @url https://noahlan.com
+ */
+object ZenHttpSession {
+    const val DEFAULT_SESSION_ID_NAME = "ZENJSID"
+    const val DEFAULT_SESSION_USERINFO = "USERINFO"
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/filter/AjaxAuthorizationFilter.kt

@@ -0,0 +1,40 @@
+package com.gxzc.zen.umps.filter
+
+import org.apache.shiro.web.filter.authc.FormAuthenticationFilter
+import org.springframework.http.HttpMethod
+import org.springframework.http.HttpStatus
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+
+/**
+ * 对没有登录的请求进行拦截, 全部返回json信息. 覆盖掉shiro原本的跳转login.jsp的拦截方式
+ *
+ * 拦截状态码修改为401-UNAUTHORIZED
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+class AjaxAuthorizationFilter : FormAuthenticationFilter() {
+
+    override fun isAccessAllowed(request: ServletRequest, response: ServletResponse, mappedValue: Any?): Boolean {
+        if (request is HttpServletRequest) {
+            if (HttpMethod.valueOf(request.method) == HttpMethod.OPTIONS) {
+                return true
+            }
+        }
+        return super.isAccessAllowed(request, response, mappedValue)
+    }
+
+    override fun onAccessDenied(request: ServletRequest, response: ServletResponse): Boolean {
+        response as HttpServletResponse
+        response.apply {
+            characterEncoding = "UTF-8"
+            contentType = "application/json"
+            sendError(HttpStatus.UNAUTHORIZED.value(), "you need login first...") // 401
+        }
+        return false
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/filter/UrlPermissionsFilter.kt

@@ -0,0 +1,24 @@
+package com.gxzc.zen.umps.filter
+
+import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
+import org.springframework.http.HttpMethod
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+import javax.servlet.http.HttpServletRequest
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/25
+ * @url https://noahlan.com
+ */
+class UrlPermissionsFilter : PermissionsAuthorizationFilter() {
+    override fun isAccessAllowed(request: ServletRequest, response: ServletResponse, mappedValue: Any?): Boolean {
+        if (request is HttpServletRequest) {
+            if (HttpMethod.valueOf(request.method) == HttpMethod.OPTIONS) {
+                return true
+            }
+        }
+        return super.isAccessAllowed(request, response, mappedValue)
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/filter/ZenCorsAnonymousFilter.kt

@@ -0,0 +1,40 @@
+package com.gxzc.zen.umps.filter
+
+import org.apache.shiro.web.filter.PathMatchingFilter
+import org.apache.shiro.web.util.WebUtils
+import org.springframework.http.HttpMethod
+import org.springframework.http.HttpStatus
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+
+/**
+ * Cors 的 canon 过滤器
+ * @author NorthLan
+ * @date 2018/4/25
+ * @url https://noahlan.com
+ */
+class ZenCorsAnonymousFilter : PathMatchingFilter() {
+
+    /**
+     * Always returns <code>true</code> allowing unchecked access to the underlying path or resource.
+     *
+     * @return <code>true</code> always, allowing unchecked access to the underlying path or resource.
+     */
+    override fun onPreHandle(request: ServletRequest?, response: ServletResponse?, mappedValue: Any?): Boolean {
+        val httpRequest = WebUtils.toHttp(request)
+        val httpResponse = WebUtils.toHttp(response)
+        httpResponse.apply {
+            setHeader("Access-control-Allow-Origin", httpRequest.getHeader("Origin"))
+            setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH")
+            addHeader("Access-Control-Allow-Credentials", "true")
+            setHeader("Access-Control-Allow-Headers", httpRequest.getHeader("Access-Control-Request-Headers"))
+            val method = HttpMethod.valueOf(httpRequest.method)
+            if (method == HttpMethod.POST || method == HttpMethod.PUT) {
+                addHeader("Access-Control-Expose-Headers", "Location")
+            } else if (method == HttpMethod.OPTIONS) {
+                status = HttpStatus.OK.value()
+            }
+        }
+        return true
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/filter/ZenCorsPathMatchingFilter.kt

@@ -0,0 +1,35 @@
+package com.gxzc.zen.umps.filter
+
+import org.apache.shiro.web.filter.PathMatchingFilter
+import org.apache.shiro.web.util.WebUtils
+import org.springframework.http.HttpMethod
+import org.springframework.http.HttpStatus
+import javax.servlet.ServletRequest
+import javax.servlet.ServletResponse
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/25
+ * @url https://noahlan.com
+ */
+class ZenCorsPathMatchingFilter : PathMatchingFilter() {
+
+    override fun onPreHandle(request: ServletRequest?, response: ServletResponse?, mappedValue: Any?): Boolean {
+        val httpRequest = WebUtils.toHttp(request)
+        val httpResponse = WebUtils.toHttp(response)
+        httpResponse.apply {
+            setHeader("Access-control-Allow-Origin", httpRequest.getHeader("Origin"))
+            setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH")
+            addHeader("Access-Control-Allow-Credentials", "true")
+            setHeader("Access-Control-Allow-Headers", httpRequest.getHeader("Access-Control-Request-Headers"))
+            val method = HttpMethod.valueOf(httpRequest.method)
+            if (method == HttpMethod.POST || method == HttpMethod.PUT) {
+                addHeader("Access-Control-Expose-Headers", "Location")
+            } else if (method == HttpMethod.OPTIONS) {
+                status = HttpStatus.OK.value()
+            }
+        }
+        return super.onPreHandle(request, response, mappedValue)
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/util/Byte2Hex.kt

@@ -0,0 +1,50 @@
+package com.gxzc.zen.umps.util
+
+import java.util.*
+
+/**
+ * 字节 16进制字串转换工具类
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+object Byte2Hex {
+
+    /**
+     *
+     * 字节转换为 16 进制字符串
+     *
+     * @param b
+     * 字节
+     * @return
+     */
+    fun byte2Hex(b: Byte): String {
+        var hex = Integer.toHexString(b.toInt())
+        if (hex.length > 2) {
+            hex = hex.substring(hex.length - 2)
+        }
+        while (hex.length < 2) {
+            hex = "0$hex"
+        }
+        return hex
+    }
+
+
+    /**
+     *
+     * 字节数组转换为 16 进制字符串
+     *
+     * @param bytes
+     * 字节数组
+     * @return
+     */
+    fun byte2Hex(bytes: ByteArray): String {
+        val formatter = Formatter()
+        for (b in bytes) {
+            formatter.format("%02x", b)
+        }
+        val hash = formatter.toString()
+        formatter.close()
+        return hash
+    }
+}

zen-api/src/main/kotlin/com/gxzc/zen/umps/util/MD5Salt.kt

@@ -1,13 +1,7 @@
 package com.gxzc.zen.umps.util
 
-import com.baomidou.kisso.common.encrypt.MD5
 import org.slf4j.LoggerFactory
-import com.baomidou.kisso.SSOConfig
-import com.baomidou.kisso.common.encrypt.Byte2Hex
-import com.sun.xml.internal.fastinfoset.algorithm.BuiltInEncodingAlgorithmFactory.getAlgorithm
 import java.security.MessageDigest
-import com.baomidou.kisso.SSOConfig.CUT_SYMBOL
-import java.nio.charset.Charset
 
 
 /**
@@ -19,6 +13,8 @@ import java.nio.charset.Charset
 class MD5Salt {
     companion object {
         private val logger = LoggerFactory.getLogger(MD5Salt::class.java)
+        private const val ALGORITHM = "MD5"
+        private const val CUT_SYMBOL = "#"
 
         /**
          * md5 盐值加密字符串
@@ -29,7 +25,7 @@ class MD5Salt {
          * @return
          */
         fun md5SaltEncode(salt: String, rawText: String): String? {
-            return MD5Salt(salt, MD5.ALGORITHM).encode(rawText)
+            return MD5Salt(salt, ALGORITHM).encode(rawText)
         }
 
         /**
@@ -43,7 +39,7 @@ class MD5Salt {
          * @return
          */
         fun md5SaltValid(salt: String, encodeText: String, rawText: String): Boolean {
-            return MD5Salt(salt, MD5.ALGORITHM).isValid(encodeText, rawText)
+            return MD5Salt(salt, ALGORITHM).isValid(encodeText, rawText)
         }
     }
 
@@ -67,7 +63,7 @@ class MD5Salt {
         try {
             val md = MessageDigest.getInstance(this.algorithm)
             //加密后的字符串
-            return Byte2Hex.byte2Hex(md.digest(mergeRawTextAndSalt(rawText).toByteArray(Charset.forName(SSOConfig.getSSOEncoding()))))
+            return Byte2Hex.byte2Hex(md.digest(mergeRawTextAndSalt(rawText).toByteArray()))
         } catch (e: Exception) {
             logger.error(" MD5Salt encode exception.")
             e.printStackTrace()
@@ -114,7 +110,7 @@ class MD5Salt {
         } else {
             val mt = StringBuffer()
             mt.append(tmp)
-            mt.append(SSOConfig.CUT_SYMBOL)
+            mt.append(CUT_SYMBOL)
             mt.append(this.salt)
             mt.toString()
         }

zen-api/src/main/kotlin/com/gxzc/zen/umps/util/SSOUtil.kt

@@ -1,7 +1,5 @@
 package com.gxzc.zen.umps.util
 
-import com.baomidou.kisso.SSOHelper
-import com.baomidou.kisso.SSOToken
 import com.gxzc.zen.api.sys.model.SysUser
 import com.gxzc.zen.common.util.HttpUtil
 import javax.servlet.http.HttpServletRequest
@@ -21,15 +19,18 @@ object SSOUtil {
     }
 
     /**
+     * TODO 改改改
      * 从token中获取当前用户id
      */
     fun getCurUserIdByToken(request: HttpServletRequest): Long? {
         val token = try {
-            SSOHelper.attrToken<SSOToken>(request) ?: SSOHelper.getToken(request)
+//            SSOHelper.attrToken<SSOToken>(request) ?: SSOHelper.getToken(request)
+            1L
         } catch (e: Throwable) {
             null
         }
-        return token?.uid?.toLong()
+        return 1L
+//        return token?.uid?.toLong()
     }
 
     /**

zen-api/src/main/kotlin/com/gxzc/zen/umps/util/SerializeUtils.kt

@@ -0,0 +1,82 @@
+package com.gxzc.zen.umps.util
+
+import org.slf4j.LoggerFactory
+import java.io.*
+
+
+/**
+ * 序列化工具
+ * @author NorthLan
+ * @date 2018/4/23
+ * @url https://noahlan.com
+ */
+object SerializeUtils {
+    val logger = LoggerFactory.getLogger(SerializeUtils::class.java)
+
+    /**
+     * deserialize
+     * @param bytes
+     * @return
+     */
+    fun deserialize(bytes: ByteArray): Any? {
+        var result: Any? = null
+        if (isEmpty(bytes)) {
+            return null
+        }
+
+        try {
+            val byteStream = ByteArrayInputStream(bytes)
+            try {
+                val objectInputStream = ObjectInputStream(byteStream)
+                try {
+                    result = objectInputStream.readObject()
+                } catch (ex: ClassNotFoundException) {
+                    throw Exception("Failed to deserialize object type", ex)
+                }
+
+            } catch (ex: Throwable) {
+                throw Exception("Failed to deserialize", ex)
+            }
+
+        } catch (e: Exception) {
+            logger.error("Failed to deserialize", e)
+        }
+        return result
+    }
+
+    fun isEmpty(data: ByteArray?): Boolean {
+        return data == null || data.isEmpty()
+    }
+
+    /**
+     * serialize
+     * @param object
+     * @return
+     */
+    fun serialize(`object`: Any?): ByteArray? {
+        var result: ByteArray? = null
+        if (`object` == null) {
+            return ByteArray(0)
+        }
+        try {
+            val byteStream = ByteArrayOutputStream(128)
+            try {
+                if (`object` !is Serializable) {
+                    throw IllegalArgumentException(
+                            SerializeUtils::class.java.simpleName + " requires a Serializable payload "
+                                    + "but received an object of type [" + `object`.javaClass.name + "]")
+                }
+                val objectOutputStream = ObjectOutputStream(byteStream)
+                objectOutputStream.writeObject(`object`)
+                objectOutputStream.flush()
+                result = byteStream.toByteArray()
+            } catch (ex: Throwable) {
+                throw Exception("Failed to serialize", ex)
+            }
+        } catch (ex: Exception) {
+            logger.error("Failed to serialize", ex)
+        }
+
+        return result
+    }
+}

zen-api/src/test/kotlin/com.gxzc.zen.umps.security/PasswordGen.kt

@@ -0,0 +1,17 @@
+package com.gxzc.zen.umps.security
+
+import org.apache.shiro.crypto.hash.SimpleHash
+import org.junit.Test
+
+/**
+ *
+ * @author NorthLan
+ * @date 2018/4/24
+ * @url https://noahlan.com
+ */
+class PasswordGen {
+    @Test
+    fun genPassword() {
+        println(SimpleHash("md5", "123456", "admin" + "kidntkdij", 2))
+    }
+}

zen-core/src/main/kotlin/com/gxzc/zen/common/config/cache/caffeine/CaffeineConfig.kt

@@ -19,13 +19,12 @@ import java.util.concurrent.TimeUnit
 @Configuration
 @EnableCaching
 @ConfigurationProperties(prefix = "cache.caffeine")
-@ConditionalOnProperty(prefix = "spring.cache", name = ["type"], havingValue = "caffeine")
+@ConditionalOnProperty(prefix = "cache.caffeine", name = ["enable"], havingValue = "true")
 class CaffeineConfig {
 
     var cacheSpecs: Map<String, CacheSpec>? = null
 
-    @Bean
-    @Primary
+    @Bean("caffeineCacheManager")
     fun caffeineCacheManager(): CacheManager {
         return SimpleCacheManager().also {
             it.setCaches(buildCache())

zen-core/src/main/kotlin/com/gxzc/zen/common/config/cache/redis/RedisConfig.kt

@@ -1,16 +1,34 @@
 package com.gxzc.zen.common.config.cache.redis
 
-import com.fasterxml.jackson.databind.DeserializationFeature
-import com.fasterxml.jackson.databind.ObjectMapper
+import org.apache.commons.pool2.impl.GenericObjectPool
+import org.springframework.beans.factory.ObjectProvider
+import org.springframework.beans.factory.annotation.Qualifier
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
+import org.springframework.boot.autoconfigure.data.redis.RedisProperties
+import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.cache.CacheManager
 import org.springframework.cache.annotation.EnableCaching
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Primary
 import org.springframework.data.redis.cache.RedisCacheManager
+import org.springframework.data.redis.connection.RedisClusterConfiguration
+import org.springframework.data.redis.connection.RedisConnectionFactory
+import org.springframework.data.redis.connection.RedisNode
+import org.springframework.data.redis.connection.RedisSentinelConfiguration
+import org.springframework.data.redis.connection.jedis.JedisConnectionFactory
 import org.springframework.data.redis.core.RedisTemplate
+import org.springframework.data.redis.core.StringRedisTemplate
 import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer
 import org.springframework.data.redis.serializer.StringRedisSerializer
+import org.springframework.util.Assert
+import org.springframework.util.StringUtils
+import redis.clients.jedis.JedisPoolConfig
+import java.net.URI
+import java.net.URISyntaxException
+import java.util.*
 
 /**
  * Redis 缓存配置
@@ -22,10 +40,12 @@ import org.springframework.data.redis.serializer.StringRedisSerializer
 @Configuration
 @EnableCaching
 @ConditionalOnProperty(prefix = "spring.cache", name = ["type"], havingValue = "redis")
+@EnableConfigurationProperties(RedisProperties::class)
 class RedisConfig {
 
-    @Bean
-    fun cacheManager(redisTemplate: RedisTemplate<Any, Any>): CacheManager {
+    @Bean("redisCacheManager")
+    @Primary
+    fun cacheManager(@Qualifier("redisTemplate") redisTemplate: RedisTemplate<Any, Any>): CacheManager {
         return RedisCacheManager(redisTemplate.apply {
             val stringRedisSerializer = StringRedisSerializer()
             keySerializer = stringRedisSerializer
@@ -33,4 +53,171 @@ class RedisConfig {
             valueSerializer = GenericJackson2JsonRedisSerializer()
         })
     }
+
+    /**
+     * Redis connection configuration.
+     */
+    @Configuration
+    @ConditionalOnClass(GenericObjectPool::class)
+    protected class RedisConnectionConfiguration(private val properties: RedisProperties,
+                                                 sentinelConfiguration: ObjectProvider<RedisSentinelConfiguration>,
+                                                 clusterConfiguration: ObjectProvider<RedisClusterConfiguration>) {
+
+        private val sentinelConfiguration: RedisSentinelConfiguration? = sentinelConfiguration.ifAvailable
+
+        private val clusterConfiguration: RedisClusterConfiguration? = clusterConfiguration.ifAvailable
+
+        protected val sentinelConfig: RedisSentinelConfiguration?
+            get() {
+                if (this.sentinelConfiguration != null) {
+                    return this.sentinelConfiguration
+                }
+                val sentinelProperties = this.properties.sentinel
+                if (sentinelProperties != null) {
+                    val config = RedisSentinelConfiguration()
+                    config.master(sentinelProperties.master)
+                    config.setSentinels(createSentinels(sentinelProperties))
+                    return config
+                }
+                return null
+            }
+
+        @Bean("redisConnectionFactory")
+        @Primary
+//        @ConditionalOnMissingBean(RedisConnectionFactory::class)
+        fun redisConnectionFactory(): JedisConnectionFactory {
+            return applyProperties(createJedisConnectionFactory())
+        }
+
+        protected fun applyProperties(
+                factory: JedisConnectionFactory): JedisConnectionFactory {
+            configureConnection(factory)
+            if (this.properties.isSsl) {
+                factory.isUseSsl = true
+            }
+            factory.database = this.properties.database
+            if (this.properties.timeout > 0) {
+                factory.timeout = this.properties.timeout
+            }
+            return factory
+        }
+
+        private fun configureConnection(factory: JedisConnectionFactory) {
+            if (StringUtils.hasText(this.properties.url)) {
+                configureConnectionFromUrl(factory)
+            } else {
+                factory.hostName = this.properties.host
+                factory.port = this.properties.port
+                if (this.properties.password != null) {
+                    factory.password = this.properties.password
+                }
+            }
+        }
+
+        private fun configureConnectionFromUrl(factory: JedisConnectionFactory) {
+            val url = this.properties.url
+            if (url.startsWith("rediss://")) {
+                factory.isUseSsl = true
+            }
+            try {
+                val uri = URI(url)
+                factory.hostName = uri.host
+                factory.port = uri.port
+                if (uri.userInfo != null) {
+                    var password = uri.userInfo
+                    val index = password.indexOf(":")
+                    if (index >= 0) {
+                        password = password.substring(index + 1)
+                    }
+                    factory.password = password
+                }
+            } catch (ex: URISyntaxException) {
+                throw IllegalArgumentException("Malformed 'spring.redis.url' $url",
+                        ex)
+            }
+
+        }
+
+        /**
+         * Create a [RedisClusterConfiguration] if necessary.
+         * @return null if no cluster settings are set.
+         */
+        protected fun getClusterConfiguration(): RedisClusterConfiguration? {
+            if (this.clusterConfiguration != null) {
+                return this.clusterConfiguration
+            }
+            if (this.properties.cluster == null) {
+                return null
+            }
+            val clusterProperties = this.properties.cluster
+            val config = RedisClusterConfiguration(
+                    clusterProperties.nodes)
+
+            if (clusterProperties.maxRedirects != null) {
+                config.maxRedirects = clusterProperties.maxRedirects!!
+            }
+            return config
+        }
+
+        private fun createSentinels(sentinel: RedisProperties.Sentinel): List<RedisNode> {
+            val nodes = ArrayList<RedisNode>()
+            for (node in StringUtils
+                    .commaDelimitedListToStringArray(sentinel.nodes)) {
+                try {
+                    val parts = StringUtils.split(node, ":")
+                    Assert.state(parts.size == 2, "Must be defined as 'host:port'")
+                    nodes.add(RedisNode(parts[0], Integer.valueOf(parts[1])))
+                } catch (ex: RuntimeException) {
+                    throw IllegalStateException(
+                            "Invalid redis sentinel property '$node'", ex)
+                }
+
+            }
+            return nodes
+        }
+
+        private fun createJedisConnectionFactory(): JedisConnectionFactory {
+            val poolConfig = if (this.properties.pool != null)
+                jedisPoolConfig()
+            else
+                JedisPoolConfig()
+
+            if (sentinelConfig != null) {
+                return JedisConnectionFactory(sentinelConfig, poolConfig)
+            }
+            return if (getClusterConfiguration() != null) {
+                JedisConnectionFactory(getClusterConfiguration(), poolConfig)
+            } else JedisConnectionFactory(poolConfig)
+        }
+
+        private fun jedisPoolConfig(): JedisPoolConfig {
+            val config = JedisPoolConfig()
+            val props = this.properties.pool
+            config.maxTotal = props.maxActive
+            config.maxIdle = props.maxIdle
+            config.minIdle = props.minIdle
+            config.maxWaitMillis = props.maxWait.toLong()
+            return config
+        }
+
+    }
+
+    @Configuration
+    class RedisConfiguration {
+        @Bean
+        @ConditionalOnMissingBean(name = ["redisTemplate"])
+        fun redisTemplate(@Qualifier("redisConnectionFactory") redisConnectionFactory: RedisConnectionFactory): RedisTemplate<Any, Any> {
+            val template = RedisTemplate<Any, Any>()
+            template.connectionFactory = redisConnectionFactory
+            return template
+        }
+
+        @Bean
+        @ConditionalOnMissingBean(StringRedisTemplate::class)
+        fun stringRedisTemplate(@Qualifier("redisConnectionFactory") redisConnectionFactory: RedisConnectionFactory): StringRedisTemplate {
+            val template = StringRedisTemplate()
+            template.connectionFactory = redisConnectionFactory
+            return template
+        }
+    }
 }

zen-core/src/main/kotlin/com/gxzc/zen/common/config/cache/redis/RedisKeyGenerator.kt

@@ -7,7 +7,7 @@ package com.gxzc.zen.common.config.cache.redis
  * @url https://noahlan.com
  */
 object RedisKeyGenerator {
-    private const val SEPARATOR = ":"
+    const val SEPARATOR = ":"
 
     /**
      * 根据传入的keys组合key

zen-core/src/main/kotlin/com/gxzc/zen/common/util/RedisCacheUtil.kt

@@ -10,9 +10,9 @@ import kotlin.reflect.KClass
  * @author NorthLan at 2018/2/8
  */
 object RedisCacheUtil {
-    private val cacheManager = SpringContextHolder.getBean(CacheManager::class.java)
+    private val cacheManager = SpringContextHolder.getBean<CacheManager>("redisCacheManager")
 
-    fun getCahce(key: String): Cache? {
+    private fun getCahce(key: String): Cache? {
         return cacheManager.getCache(key)
     }
 

zen-web/src/main/kotlin/com/gxzc/zen/MainApplication.kt

@@ -2,11 +2,13 @@ package com.gxzc.zen
 
 import org.springframework.boot.SpringApplication
 import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.data.redis.RedisAutoConfiguration
 import org.springframework.boot.builder.SpringApplicationBuilder
 import org.springframework.boot.web.support.SpringBootServletInitializer
 
 
-@SpringBootApplication//(exclude = [])
+@SpringBootApplication(exclude = [RedisAutoConfiguration::class])
+//@ImportResource(locations = ["classpath:application-shiro.xml"])
 //@EnableRedisHttpSession
 class MainApplication : SpringBootServletInitializer() {
     override fun configure(builder: SpringApplicationBuilder?): SpringApplicationBuilder? {

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/AuthController.kt

@@ -1,21 +1,21 @@
 package com.gxzc.zen.web.sys.controller
 
-import com.baomidou.kisso.SSOConfig
-import com.baomidou.kisso.SSOHelper
-import com.baomidou.kisso.SSOToken
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
-import com.gxzc.zen.api.sys.service.ISysUserService
 import com.gxzc.zen.common.base.BaseController
 import com.gxzc.zen.common.dto.RequestDto
 import com.gxzc.zen.common.dto.ResponseDto
 import com.gxzc.zen.common.exception.ZenException
 import com.gxzc.zen.common.exception.ZenExceptionEnum
-import com.gxzc.zen.umps.util.MD5Salt
+import com.gxzc.zen.common.util.HttpUtil
+import com.gxzc.zen.umps.constant.ZenHttpSession
 import io.swagger.annotations.ApiOperation
-import org.springframework.beans.factory.annotation.Autowired
+import org.apache.shiro.SecurityUtils
+import org.apache.shiro.authc.AuthenticationException
+import org.apache.shiro.authc.UnknownAccountException
+import org.apache.shiro.authc.UsernamePasswordToken
+import org.slf4j.LoggerFactory
 import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.*
+import javax.servlet.http.Cookie
 
 /**
  * 身份验证相关控制器
@@ -26,51 +26,75 @@ import org.springframework.web.bind.annotation.*
 @RestController
 @RequestMapping("auth")
 class AuthController : BaseController() {
-    @Autowired
-    private lateinit var userService: ISysUserService
+    companion object {
+        private val logger = LoggerFactory.getLogger(AuthController::class.java)
+    }
+
+//    @Autowired
+//    private lateinit var userService: ISysUserService
 
-    @Login(action = Action.Skip)
     @ApiOperation(value = "登录")
     @PostMapping("/login")
     fun login(@RequestBody data: RequestDto): ResponseEntity<*> {
+//        val a = System.currentTimeMillis()
         // 验证输入合法性
         val account = data["account"]?.toString()?.trim()
         val password = data["password"]?.toString()
-        val rememberMe = data["rememberMe"]?.let { it as Boolean }
+        val rememberMe = data["rememberMe"] as? Boolean ?: false
 
         if (account.isNullOrEmpty() || password.isNullOrEmpty()) {
             throw ZenException(ZenExceptionEnum.REQUEST_NULL)
         }
-        // 验证账号密码
-        val user = userService.getUserByAccountCacheable(account!!)
-                ?: throw ZenException(ZenExceptionEnum.AUTH_ACCOUNT_NOT_EXISTS)
 
-        // 对密码进行盐值处理比对
-        if (!MD5Salt.md5SaltValid(user.salt!!, user.password!!, password!!)) {
+        try {
+            SecurityUtils.getSubject().login(UsernamePasswordToken(account, password, rememberMe, getRequest().remoteHost))
+        } catch (e: AuthenticationException) {
+            logger.warn("login error,", e)
             throw ZenException(ZenExceptionEnum.AUTH_PASSWORD_ERROR)
+        } catch (e: UnknownAccountException) {
+//            logger.warn("login error,", e)
+            throw ZenException(ZenExceptionEnum.AUTH_ACCOUNT_NOT_EXISTS)
         }
+        return ResponseEntity.ok(ResponseDto())
+    }
 
-        // 生成登陆 token->cookie
-        if (rememberMe != null && rememberMe) {
-            SSOConfig.getInstance().cookieMaxage = 604800 // 7天
-        } else {
-            val attrMaxAge = getRequest().getAttribute(SSOConfig.SSO_COOKIE_MAXAGE)?.let {
-                it as Int
+    @ApiOperation("设置cookie")
+    @PostMapping("/setcookie")
+    fun token(@RequestBody cookies: List<RequestDto>): ResponseEntity<*> {
+        cookies.forEach {
+            getResponse().addCookie(Cookie(it["name"]?.toString(), it["value"]?.toString()).apply {
+                path = "/"
+//                secure = it["secure"] as Boolean
+//                isHttpOnly = it["httpOnly"] as Boolean
+            })
+        }
+        return ResponseEntity.ok(ResponseDto())
+    }
+
+    @ApiOperation("获取cookie")
+    @GetMapping("/hello")
+    fun hello(): ResponseEntity<*> {
+        // 用户是否已经登陆
+        return if (SecurityUtils.getSubject().isAuthenticated) {
+            val cks = HttpUtil.getRequest().cookies
+            val ck = cks?.find {
+                it.name == ZenHttpSession.DEFAULT_SESSION_ID_NAME
             }
-            if (attrMaxAge != null) {
-                getRequest().removeAttribute(SSOConfig.SSO_COOKIE_MAXAGE)
+            if (ck == null) {
+                ResponseEntity.ok(null)
+            } else {
+                ResponseEntity.ok(cks)
             }
+        } else {
+            ResponseEntity.ok(null)
         }
-        SSOHelper.setSSOCookie(getRequest(), getResponse(), SSOToken().also {
-            it.uid = user.id.toString()
-        }, true)
-        return ResponseEntity.ok(ResponseDto())
     }
 
     @ApiOperation(value = "登出")
     @DeleteMapping("/logout")
     fun logout(): ResponseEntity<*> {
-        SSOHelper.clearLogin(getRequest(), getResponse())
+        SecurityUtils.getSubject().logout()
+//        SSOHelper.clearLogin(getRequest(), getResponse())
         return ResponseEntity.ok(ResponseDto())
     }
 }

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/JsonpTest.kt

@@ -1,31 +0,0 @@
-package com.gxzc.zen.web.sys.controller
-
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
-import com.gxzc.zen.common.util.HttpUtil
-import lombok.extern.slf4j.Slf4j
-import org.springframework.http.ResponseEntity
-import org.springframework.web.bind.annotation.ControllerAdvice
-import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.bind.annotation.RequestMapping
-import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice
-import javax.servlet.http.Cookie
-
-/**
- *
- * @author NorthLan
- * @date 2018/4/20
- * @url https://noahlan.com
- */
-@ControllerAdvice
-@RequestMapping("/jsonp")
-@Slf4j
-class JsonpTest : AbstractJsonpResponseBodyAdvice("callback") {
-
-    @GetMapping("getCookie")
-    @Login(action = Action.Skip)
-    fun getCookie(): ResponseEntity<*> {
-
-        return ResponseEntity.ok(HttpUtil.getRequest().cookies)
-    }
-}

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/SysDicController.kt

@@ -1,7 +1,5 @@
 package com.gxzc.zen.web.sys.controller
 
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
 import com.gxzc.zen.api.sys.model.SysDic
 import com.gxzc.zen.api.sys.service.ISysDicService
 import com.gxzc.zen.common.base.BaseController
@@ -31,7 +29,6 @@ class SysDicController : BaseController() {
     private lateinit var sysDicService: ISysDicService
 
     @GetMapping("/list")
-    @Login(action = Action.Skip)
     @ZenResponseFilter(type = SysDic::class, filter = ["createBy", "updateBy", "createTime", "updateTime"])
     fun getList(@RequestParam(required = false) keyword: String?,
                 @RequestParam(required = false) searchOption: Int?): ResponseEntity<*> {

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/SysParamController.kt

@@ -1,7 +1,5 @@
 package com.gxzc.zen.web.sys.controller
 
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
 import com.gxzc.zen.api.sys.model.SysParam
 import com.gxzc.zen.api.sys.service.ISysParamService
 import com.gxzc.zen.common.base.BaseController
@@ -31,7 +29,6 @@ class SysParamController : BaseController() {
     private lateinit var sysParamService: ISysParamService
 
     @GetMapping("/list")
-    @Login(action = Action.Skip)
     @ZenResponseFilter(type = SysParam::class, filter = ["createBy", "updateBy", "createTime", "updateTime"])
     fun getList(@RequestParam(required = false) keyword: String?,
                 @RequestParam(required = false) searchOption: Int?,

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/TestController.kt

@@ -1,8 +1,5 @@
 package com.gxzc.zen.web.sys.controller
 
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
-import com.baomidou.kisso.annotation.Permission
 import com.baomidou.mybatisplus.mapper.EntityWrapper
 import com.gxzc.zen.api.shared.service.TestSharedService
 import com.gxzc.zen.api.sys.mapper.SysDicMapper
@@ -19,6 +16,8 @@ import com.gxzc.zen.common.dto.RequestDto
 import com.gxzc.zen.orm.annotation.ZenTransactional
 import com.xxl.job.core.biz.AdminBiz
 import com.xxl.job.core.rpc.netcom.NetComClientProxy
+import org.apache.shiro.SecurityUtils
+import org.apache.shiro.authc.UsernamePasswordToken
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.core.io.InputStreamResource
 import org.springframework.core.io.Resource
@@ -51,13 +50,11 @@ class TestController : BaseController() {
     private lateinit var testSharedService: TestSharedService
 
     @GetMapping("logicDel")
-    @Login(action = Action.Skip)
     fun testLogicDelete() {
         sysDicService.deleteById(4L)
     }
 
     @PutMapping("metaObject")
-    @Login(action = Action.Skip)
     fun testCustomMetaObjectHandler() {
         sysDicService.updateById(SysDic().apply {
             id = 4
@@ -66,7 +63,6 @@ class TestController : BaseController() {
     }
 
     @GetMapping("logicSelect")
-    @Login(action = Action.Skip)
     fun testLogicSelect() {
         val cookies = getRequest().cookies
         println(cookies)
@@ -74,7 +70,6 @@ class TestController : BaseController() {
     }
 
     @PostMapping("testInput")
-    @Login(action = Action.Skip)
     @ZenRequestTypes(
             KVType("dataA", SysDic::class),
             KVType("dataB", SysUser::class))
@@ -88,7 +83,6 @@ class TestController : BaseController() {
     private lateinit var sysDicMapper: SysDicMapper
 
     @PostMapping("")
-    @Login(action = Action.Skip)
     fun test() {
         val result = sysDicMapper.selectWOLogic(EntityWrapper<SysDic>().eq("id", 1))
         var a = 0
@@ -96,7 +90,6 @@ class TestController : BaseController() {
     }
 
     @GetMapping("/download")
-    @Login(action = Action.Skip)
     fun download(param: String): ResponseEntity<Resource> {
 
         // ...
@@ -118,7 +111,6 @@ class TestController : BaseController() {
     }
 
     @PostMapping("request")
-    @Login(action = Action.Skip)
     @ZenRequestTypes(KVType("data", SysRole::class, KVTypeEnum.LIST))
     fun request(@RequestBody data: RequestDto): ResponseEntity<*> {
         val b = data["data"] as List<SysRole>
@@ -126,7 +118,6 @@ class TestController : BaseController() {
     }
 
     @GetMapping("tran")
-    @Login(action = Action.Skip)
     @ZenTransactional
     fun tran() {
         sysDicService.selectList(null)
@@ -135,24 +126,20 @@ class TestController : BaseController() {
     }
 
     @GetMapping("/testpermission")
-    @Permission("backup:crud")
     fun testpermission() {
 
     }
 
     @GetMapping("/testpermission1")
-    @Permission("backup:c")
     fun testpermission1() {
 
     }
 
     @GetMapping("/testpermission2")
-    @Permission("backup2:c")
     fun testpermission2() {
     }
 
     @GetMapping("job")
-    @Login(action = Action.Skip)
     fun job() {
         val biz = NetComClientProxy(AdminBiz::class.java, "http://127.0.0.1:8090${AdminBiz.MAPPING}", null).`object` as AdminBiz
         val result = biz.triggerJob(1)
@@ -162,19 +149,16 @@ class TestController : BaseController() {
     }
 
     @GetMapping("jobInsert")
-    @Login(action = Action.Skip)
     fun jobInsert() {
         testSharedService.insert()
     }
 
     @GetMapping("jobSelect")
-    @Login(action = Action.Skip)
     fun jobSelect() {
         testSharedService.select()
     }
 
     @GetMapping("testRedirect")
-    @Login(action = Action.Skip)
     fun testRedirect() {
 //        println(getRequest().requestURI)
 //        println(getRequest().requestURL)
@@ -192,23 +176,34 @@ class TestController : BaseController() {
 //        })
 //        getResponse().sendRedirect("http://192.168.1.213:8082/test/testpermission1")
 //        getRequest().session.setAttribute("test", "test")
-        getRequest().session.getAttribute("test")
+        val ret = getRequest().session.getAttribute("tests")
+        val ret2 = SecurityUtils.getSubject().session.getAttribute("aaa")
+        var a = 1
+        a = 2
     }
 
     @GetMapping("getCookie")
-    @Login(action = Action.Skip)
     fun getCookie(): ResponseEntity<*> {
-        val cookies = getRequest().cookies
-        var ret = Cookie("default", "1")
-        if (cookies.isNotEmpty()) {
-            ret = cookies[0]
-            println(ret.toString())
-        }
-        return ResponseEntity.ok(ret)
+        getRequest().session.setAttribute("tests", "hahaha")
+        SecurityUtils.getSubject().session.setAttribute("aaa", "aaa")
+//        val cookies = getRequest().cookies
+//        var ret = Cookie("default", "1")
+//        if (cookies.isNotEmpty()) {
+//            ret = cookies[0]
+//            println(ret.toString())
+//        }
+        return ResponseEntity.ok(null)
+    }
+
+    @GetMapping("testLogin")
+    fun testLogin(): ResponseEntity<*> {
+        val token = UsernamePasswordToken("test", "123")
+        SecurityUtils.getSubject().login(token)
+        SecurityUtils.getSubject().session.setAttribute("aaa", "aaa")
+        return ResponseEntity.ok(null)
     }
 
     @GetMapping("setCookie")
-    @Login(action = Action.Skip)
     fun setCookie() {
         getResponse().addCookie(Cookie("set", "aaaaaa").apply {
             domain = "test.com"

zen-web/src/main/kotlin/com/gxzc/zen/web/sys/controller/UploadController.kt

@@ -1,7 +1,5 @@
 package com.gxzc.zen.web.sys.controller
 
-import com.baomidou.kisso.annotation.Action
-import com.baomidou.kisso.annotation.Login
 import com.gxzc.zen.common.base.BaseController
 import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.PostMapping
@@ -19,7 +17,6 @@ import java.io.File
 class UploadController : BaseController() {
 
     @PostMapping("tmp")
-    @Login(action = Action.Skip)
     fun uploadTempFile(file: MultipartFile, haha: MultipartFile): ResponseEntity<*> {
 
 

zen-web/src/main/resources/application-cache.yml

@@ -33,6 +33,7 @@ cache:
   # weakValues: false # 该key对应的values是否为弱引用 与softValues冲突
   # softValues: false # 该key对应的values是否为软引用
   #################################################################################
+    enable: false
     cache-specs: # see also {CaffeineSpec}
       user: # cache name
         initialCapacity: -1 # 初始化容量 默认-1

zen-web/src/main/resources/application-umps.yml

@@ -11,4 +11,20 @@
 #  secretkey: C691d971EJ3H376G81 # 对称加密使用
 #  cookie:
 #    name: ks
-#    domain: .zen.com
+#    domain: .zen.com
+shiro:
+  redis:
+    database: 1 # redis数据库索引
+    host: 192.168.1.10
+    port: 6379
+    password:
+    timeout: 5000 # 连接超时时间（毫秒）
+    sessionPrefix: zen_s #
+    sessionTime: 1800 # 秒
+    cachePrefix: zen_c
+    cacheTime: 1800 # s
+    pool:
+      min-idle: 1 # 连接池中的最小空闲连接
+      max-idle: 20 # 连接池中的最大空闲连接
+      max-active: 20 # 连接池最大连接数（使用负值表示没有限制）
+      max-wait: -1 # 连接池最大阻塞等待时间（使用负值表示没有限制）

zen-web/src/main/resources/application.yml

@@ -34,7 +34,9 @@ spring:
 logging:
   level:
     root: info
-    com.gxzc.zen: debug
+    com.gxzc:
+      zen: debug
+      zen.umps.config: warn
     com.xxl.job.core: warn
     com.atomikos: warn
   path: logs/