package cn.gygxzc.envir.config.shiro import cn.gygxzc.envir.config.shiro.cache.RedisConfiguration import cn.gygxzc.envir.config.shiro.filter.AjaxAuthorizationFilter import cn.gygxzc.envir.config.shiro.filter.UrlPermissionsFilter import cn.gygxzc.envir.config.shiro.filter.ZenCorsAnonymousFilter import cn.gygxzc.envir.config.shiro.filter.ZenCorsPathMatchingFilter import cn.gygxzc.envir.config.shiro.realm.ZenShiroRealm import org.apache.shiro.authc.credential.HashedCredentialsMatcher import org.apache.shiro.cache.CacheManager import org.apache.shiro.mgt.SecurityManager import org.apache.shiro.realm.AuthorizingRealm import org.apache.shiro.spring.LifecycleBeanPostProcessor import org.apache.shiro.spring.web.ShiroFilterFactoryBean import org.apache.shiro.web.filter.authc.AnonymousFilter import org.apache.shiro.web.mgt.DefaultWebSecurityManager import org.apache.shiro.web.session.mgt.ServletContainerSessionManager import org.springframework.boot.autoconfigure.condition.ConditionalOnClass import org.springframework.boot.web.servlet.FilterRegistrationBean import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import org.springframework.context.annotation.DependsOn import org.springframework.core.annotation.Order import org.springframework.web.filter.DelegatingFilterProxy import javax.servlet.DispatcherType import javax.servlet.Filter /** * Shiro配置 * @author NorthLan * @date 2018/4/21 * @url https://noahlan.com */ @Configuration @ConditionalOnClass(value = [RedisConfiguration::class]) class ShiroConfig { @Bean("shiroLifecycleBeanPostProcessor") fun lifecycleBeanPostProcessor(): LifecycleBeanPostProcessor { return LifecycleBeanPostProcessor() } @Bean @DependsOn(value = ["shiroLifecycleBeanPostProcessor", "shrioRedisCacheManager"]) fun userRealm(cacheManager: CacheManager): ZenShiroRealm { val shiroRealm = ZenShiroRealm() .apply { isCachingEnabled = true isAuthenticationCachingEnabled = true isAuthorizationCachingEnabled = true //加密验证方法 credentialsMatcher = HashedCredentialsMatcher().also { it.hashAlgorithmName = "md5" it.hashIterations = 2 // 两次md5 } } shiroRealm.cacheManager = cacheManager return shiroRealm } @Bean(name = ["securityManager"]) fun securityManager(userRealm: AuthorizingRealm, redisCacheManager: CacheManager): DefaultWebSecurityManager { return DefaultWebSecurityManager().apply { setRealm(userRealm) cacheManager = redisCacheManager sessionManager = ServletContainerSessionManager() } } @Bean("shiroFilterRegistrationBean") @DependsOn("shiroFilter") fun filterRegistrationBean(): FilterRegistrationBean { return FilterRegistrationBean().apply { filter = DelegatingFilterProxy("shiroFilter") isEnabled = true addUrlPatterns("/*") setDispatcherTypes(DispatcherType.REQUEST) } } @Bean(name = ["shiroFilter"]) @Order(2) fun shiroFilter(securityManager: SecurityManager): ShiroFilterFactoryBean { return ShiroFilterFactoryBean().apply { setSecurityManager(securityManager) filters = hashMapOf( "canon" to ZenCorsAnonymousFilter(), "cors" to ZenCorsPathMatchingFilter(), "perms" to UrlPermissionsFilter(), "authc" to AjaxAuthorizationFilter(), "anon" to AnonymousFilter() ) /** * anon(匿名) org.apache.shiro.web.filter.authc.AnonymousFilter * authc(身份验证) org.apache.shiro.web.filter.authc.FormAuthenticationFilter * authcBasic(http基本验证) org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter * logout(退出) org.apache.shiro.web.filter.authc.LogoutFilter * noSessionCreation(不创建session) org.apache.shiro.web.filter.session.NoSessionCreationFilter * perms(许可验证) org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter * port(端口验证) org.apache.shiro.web.filter.authz.PortFilter * rest (rest方面) org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter * roles(权限验证) org.apache.shiro.web.filter.authz.RolesAuthorizationFilter * ssl (ssl方面) org.apache.shiro.web.filter.authz.SslFilter * member (用户方面) org.apache.shiro.web.filter.authc.UserFilter * user 表示用户不一定已通过认证,只要曾被Shiro记住过登录状态的用户就可以正常发起请求,比如rememberMe */ filterChainDefinitionMap = linkedMapOf( // BUG 此处一定要使用 linkedHashMap 否则顺序有问题 "/auth/setcookie" to "canon", // 设置cookie "/auth/check" to "canon", // 检查登录状态 "/auth/logout" to "canon", // 登出 "/test/**" to "canon", // 测试 免登录 "/upload/**" to "canon", // 上传免登录 "/fdfsupload/**" to "canon", // 上传免登录 "/api/**" to "canon", // api 免登陆 "/ws/**" to "canon", // websocket 免登陆 "/" to "canon", "/v1/login/**" to "canon", ////////////////////// 静态资源 ///////////////////// "/v2/api-docs" to "canon", "/swagger-resources/**" to "anon", "/swagger-ui.html" to "anon", "/webjars*" to "anon", "/webjars/**" to "anon", "/druid/**" to "anon", "/druid/sql.json" to "anon", "/**/favicon.*" to "anon", "/eureka*" to "anon", "/eureka/**" to "anon", "/v1/sys" to "anon", ////////////////////// 静态资源 ///////////////////// "/**" to "cors,authc" // 对于其他未配置的所有url 先设置cors头 再进行登陆判定 最后判定权限 ) } } }