SpringCloudBase/zen-api/src/main/kotlin/cn/gygxzc/envir/config/shiro/ShiroConfig.kt

package cn.gygxzc.envir.config.shiro

import cn.gygxzc.envir.config.shiro.cache.RedisConfiguration
import cn.gygxzc.envir.config.shiro.filter.AjaxAuthorizationFilter
import cn.gygxzc.envir.config.shiro.filter.UrlPermissionsFilter
import cn.gygxzc.envir.config.shiro.filter.ZenCorsAnonymousFilter
import cn.gygxzc.envir.config.shiro.filter.ZenCorsPathMatchingFilter
import cn.gygxzc.envir.config.shiro.realm.ZenShiroRealm
import org.apache.shiro.authc.credential.HashedCredentialsMatcher
import org.apache.shiro.cache.CacheManager
import org.apache.shiro.mgt.SecurityManager
import org.apache.shiro.realm.AuthorizingRealm
import org.apache.shiro.spring.LifecycleBeanPostProcessor
import org.apache.shiro.spring.web.ShiroFilterFactoryBean
import org.apache.shiro.web.filter.authc.AnonymousFilter
import org.apache.shiro.web.mgt.DefaultWebSecurityManager
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass
import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.DependsOn
import org.springframework.core.annotation.Order
import org.springframework.web.filter.DelegatingFilterProxy
import javax.servlet.DispatcherType
import javax.servlet.Filter


/**
 * Shiro配置
 * @author NorthLan
 * @date 2018/4/21
 * @url https://noahlan.com
 */
@Configuration
@ConditionalOnClass(value = [RedisConfiguration::class])
class ShiroConfig {

    @Bean("shiroLifecycleBeanPostProcessor")
    fun lifecycleBeanPostProcessor(): LifecycleBeanPostProcessor {
        return LifecycleBeanPostProcessor()
    }

    @Bean
    @DependsOn(value = ["shiroLifecycleBeanPostProcessor", "shrioRedisCacheManager"])
    fun userRealm(cacheManager: CacheManager): ZenShiroRealm {
        val shiroRealm = ZenShiroRealm()
                .apply {
                    isCachingEnabled = true
                    isAuthenticationCachingEnabled = true
                    isAuthorizationCachingEnabled = true
                    //加密验证方法
                    credentialsMatcher = HashedCredentialsMatcher().also {
                        it.hashAlgorithmName = "md5"
                        it.hashIterations = 2 // 两次md5
                    }
                }
        shiroRealm.cacheManager = cacheManager
        return shiroRealm
    }

    @Bean(name = ["securityManager"])
    fun securityManager(userRealm: AuthorizingRealm,
                        redisCacheManager: CacheManager): DefaultWebSecurityManager {
        return DefaultWebSecurityManager().apply {
            setRealm(userRealm)
            cacheManager = redisCacheManager
            sessionManager = ServletContainerSessionManager()
        }
    }

    @Bean("shiroFilterRegistrationBean")
    @DependsOn("shiroFilter")
    fun filterRegistrationBean(): FilterRegistrationBean<DelegatingFilterProxy> {
        return FilterRegistrationBean<DelegatingFilterProxy>().apply {
            filter = DelegatingFilterProxy("shiroFilter")
            isEnabled = true
            addUrlPatterns("/*")
            setDispatcherTypes(DispatcherType.REQUEST)
        }
    }

    @Bean(name = ["shiroFilter"])
    @Order(2)
    fun shiroFilter(securityManager: SecurityManager): ShiroFilterFactoryBean {
        return ShiroFilterFactoryBean().apply {
            setSecurityManager(securityManager)

            filters = hashMapOf<String, Filter>(
                    "canon" to ZenCorsAnonymousFilter(),
                    "cors" to ZenCorsPathMatchingFilter(),
                    "perms" to UrlPermissionsFilter(),
                    "authc" to AjaxAuthorizationFilter(),
                    "anon" to AnonymousFilter()
            )
            /**
             * anon（匿名）  org.apache.shiro.web.filter.authc.AnonymousFilter
             * authc（身份验证）       org.apache.shiro.web.filter.authc.FormAuthenticationFilter
             * authcBasic（http基本验证）    org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
             * logout（退出）        org.apache.shiro.web.filter.authc.LogoutFilter
             * noSessionCreation（不创建session） org.apache.shiro.web.filter.session.NoSessionCreationFilter
             * perms(许可验证)  org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
             * port（端口验证）   org.apache.shiro.web.filter.authz.PortFilter
             * rest  (rest方面)  org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
             * roles（权限验证）  org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
             * ssl （ssl方面）   org.apache.shiro.web.filter.authz.SslFilter
             * member （用户方面）  org.apache.shiro.web.filter.authc.UserFilter
             * user  表示用户不一定已通过认证,只要曾被Shiro记住过登录状态的用户就可以正常发起请求,比如rememberMe
             */
            filterChainDefinitionMap = linkedMapOf<String, String>( // BUG 此处一定要使用 linkedHashMap 否则顺序有问题
                    "/auth/setcookie" to "canon", // 设置cookie
                    "/auth/check" to "canon", // 检查登录状态
                    "/auth/logout" to "canon", // 登出
                    "/test/**" to "canon", // 测试 免登录
                    "/upload/**" to "canon", // 上传免登录
                    "/fdfsupload/**" to "canon", // 上传免登录
                    "/api/**" to "canon", // api 免登陆
                    "/ws/**" to "canon", // websocket 免登陆
                    "/" to "canon",
                    "/v1/login/**" to "canon",
                    ////////////////////// 静态资源 /////////////////////
                    "/v2/api-docs" to "canon",
                    "/swagger-resources/**" to "anon",
                    "/swagger-ui.html" to "anon",
                    "/webjars*" to "anon",
                    "/webjars/**" to "anon",
                    "/druid/**" to "anon",
                    "/druid/sql.json" to "anon",
                    "/**/favicon.*" to "anon",
                    "/eureka*" to "anon",
                    "/eureka/**" to "anon",
                    "/v1/sys" to "anon",
                    ////////////////////// 静态资源 /////////////////////
                    "/**" to "cors,authc" // 对于其他未配置的所有url 先设置cors头 再进行登陆判定 最后判定权限
            )
        }
    }


}