基於shiro的改造集成真正支持restful請求
這個模塊分離至上上上一篇api權限管理系統與前後端分離實踐,感覺那樣太長了找不到重點,分離出來要好點。
首先說明設計的這個安全體系是是RBAC(基於角色的權限訪問控制)授權模型,即用戶--角色--資源
,用戶不直接和權限打交道,角色擁有資源,用戶擁有這個角色就有權使用角色所用戶的資源。所有這裏沒有權限一說,簽發jwt裏面也就只有用戶所擁有的角色而沒有權限。
爲啥說是真正的restful風格集成,雖說shiro對rest不友好但他本身是有支持rest集成的filter–HttpMethodPermissionFilter
,這個shiro rest的 風格攔截器,會自動根據請求方法構建權限字符串( GET=read,POST=create,PUT=update,DELETE=delete)
構建權限字符串;eg: /users=rest[user]
, 會 自動拼接出user:read,user:create,user:update,user:delete
”權限字符串進行權限匹配(所有都得匹配,isPermittedAll)。
但是這樣感覺不利於基於jwt的角色的權限控制,在細粒度上驗權url(即支持get,post,delete鑑別)就更沒法了(個人見解)。打個比方:我們對一個用戶簽發的jwt寫入角色列(role_admin,role_customer)。對不同request請求:url="api/resource/",httpMethod="GET"
,url="api/resource",httpMethod="POST"
,在基於角色-資源的授權模型中,這兩個url相同的請求對HttpMethodPermissionFilter是一種請求,用戶對應的角色擁有的資源url=”api/resource”,只要請求的url是”api/resource”,不論它的請求方式是什麼,都會判定通過這個請求,這在restful風格的api中肯定是不可取的,對同一資源有些角色可能只要查詢的權限而沒有修改增加的權限。
可能會說在jwt中再增加權限列就好了嘛,但是在基於用戶-資源的授權模型中,雖然能判別是不同的請求,但是太麻煩了,對每個資源我們都要設計對應的權限列然後再塞入到jwt中,對每個用戶都要單獨授權資源這也是不可取的。
對shiro的改造這裏自定義了一些規則:
shiro過濾器鏈的url=url+"=="+httpMethod
eg:對於url="api/resource/",httpMethod="GET"
的資源,其拼接出來的過濾器鏈匹配url=api/resource==GET
這樣對相同的url而不同的訪問方式,會判定爲不同的資源,即資源不再簡單是url,而是url和httpMethod的組合。基於角色的授權模型中,角色所擁有的資源形式爲url+"=="+httpMethod
。
這裏改變了過濾器的過濾匹配url規則,重寫PathMatchingFilterChainResolver的getChain方法,增加對上述規則的url的支持。
/* *
* @Author tomsun28
* @Description
* @Date 21:12 2018/4/20
*/
public class RestPathMatchingFilterChainResolver extends PathMatchingFilterChainResolver {
private static final Logger LOGGER = LoggerFactory.getLogger(RestPathMatchingFilterChainResolver.class);
public RestPathMatchingFilterChainResolver() {
super();
}
public RestPathMatchingFilterChainResolver(FilterConfig filterConfig) {
super(filterConfig);
}
/* *
* @Description 重寫filterChain匹配
* @Param [request, response, originalChain]
* @Return javax.servlet.FilterChain
*/
@Override
public FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {
FilterChainManager filterChainManager = this.getFilterChainManager();
if (!filterChainManager.hasChains()) {
return null;
} else {
String requestURI = this.getPathWithinApplication(request);
Iterator var6 = filterChainManager.getChainNames().iterator();
String pathPattern;
boolean flag = true;
String[] strings = null;
do {
if (!var6.hasNext()) {
return null;
}
pathPattern = (String)var6.next();
strings = pathPattern.split("==");
if (strings.length == 2) {
// 分割出url+httpMethod,判斷httpMethod和request請求的method是否一致,不一致直接false
if (WebUtils.toHttp(request).getMethod().toUpperCase().equals(strings[1].toUpperCase())) {
flag = false;
} else {
flag = true;
}
} else {
flag = false;
}
pathPattern = strings[0];
} while(!this.pathMatches(pathPattern, requestURI) || flag);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Matched path pattern [" + pathPattern + "] for requestURI [" + requestURI + "]. Utilizing corresponding filter chain...");
}
if (strings.length == 2) {
pathPattern = pathPattern.concat("==").concat(WebUtils.toHttp(request).getMethod().toUpperCase());
}
return filterChainManager.proxy(originalChain, pathPattern);
}
}
}
重寫PathMatchingFilter的路徑匹配方法pathsMatch(),加入httpMethod支持。
/* *
* @Author tomsun28
* @Description 重寫過濾鏈路徑匹配規則,增加REST風格post,get.delete,put..支持
* @Date 23:37 2018/4/19
*/
public abstract class BPathMatchingFilter extends PathMatchingFilter {
public BPathMatchingFilter() {
}
/* *
* @Description 重寫URL匹配 加入httpMethod支持
* @Param [path, request]
* @Return boolean
*/
@Override
protected boolean pathsMatch(String path, ServletRequest request) {
String requestURI = this.getPathWithinApplication(request);
// path: url==method eg: http://api/menu==GET 需要解析出path中的url和httpMethod
String[] strings = path.split("==");
if (strings.length <= 1) {
// 分割出來只有URL
return this.pathsMatch(strings[0], requestURI);
} else {
// 分割出url+httpMethod,判斷httpMethod和request請求的method是否一致,不一致直接false
String httpMethod = WebUtils.toHttp(request).getMethod().toUpperCase();
return httpMethod.equals(strings[1].toUpperCase()) && this.pathsMatch(strings[0], requestURI);
}
}
}
這樣增加httpMethod的改造就完成了,重寫ShiroFilterFactoryBean使其使用改造後的chainResolver:RestPathMatchingFilterChainResolver
/* *
* @Author tomsun28
* @Description rest支持的shiroFilterFactoryBean
* @Date 21:35 2018/4/20
*/
public class RestShiroFilterFactoryBean extends ShiroFilterFactoryBean {
private static final Logger LOGGER = LoggerFactory.getLogger(RestShiroFilterFactoryBean.class);
public RestShiroFilterFactoryBean() {
super();
}
@Override
protected AbstractShiroFilter createInstance() throws Exception {
LOGGER.debug("Creating Shiro Filter instance.");
SecurityManager securityManager = this.getSecurityManager();
String msg;
if (securityManager == null) {
msg = "SecurityManager property must be set.";
throw new BeanInitializationException(msg);
} else if (!(securityManager instanceof WebSecurityManager)) {
msg = "The security manager does not implement the WebSecurityManager interface.";
throw new BeanInitializationException(msg);
} else {
FilterChainManager manager = this.createFilterChainManager();
RestPathMatchingFilterChainResolver chainResolver = new RestPathMatchingFilterChainResolver();
chainResolver.setFilterChainManager(manager);
return new RestShiroFilterFactoryBean.SpringShiroFilter((WebSecurityManager)securityManager, chainResolver);
}
}
private static final class SpringShiroFilter extends AbstractShiroFilter {
protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
if (webSecurityManager == null) {
throw new IllegalArgumentException("WebSecurityManager property cannot be null.");
} else {
this.setSecurityManager(webSecurityManager);
if (resolver != null) {
this.setFilterChainResolver(resolver);
}
}
}
}
}
上面是一些核心的代碼片段,更多請看項目代碼。
對用戶賬戶登錄註冊的過濾filter:PasswordFilter
/* *
* @Author tomsun28
* @Description 基於 用戶名密碼 的認證過濾器
* @Date 20:18 2018/2/10
*/
public class PasswordFilter extends AccessControlFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(PasswordFilter.class);
private StringRedisTemplate redisTemplate;
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
Subject subject = getSubject(request,response);
// 如果其已經登錄,再此發送登錄請求
if(null != subject && subject.isAuthenticated()){
return true;
}
// 拒絕,統一交給 onAccessDenied 處理
return false;
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
// 判斷若爲獲取登錄註冊加密動態祕鑰請求
if (isPasswordTokenGet(request)) {
//動態生成祕鑰,redis存儲祕鑰供之後祕鑰驗證使用,設置有效期5秒用完即丟棄
String tokenKey = CommonUtil.getRandomString(16);
try {
redisTemplate.opsForValue().set("PASSWORD_TOKEN_KEY_"+request.getRemoteAddr().toUpperCase(),tokenKey,5, TimeUnit.SECONDS);
// 動態祕鑰response返回給前端
Message message = new Message();
message.ok(1000,"issued tokenKey success")
.addData("tokenKey",tokenKey);
RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);
}catch (Exception e) {
LOGGER.warn(e.getMessage(),e);
// 動態祕鑰response返回給前端
Message message = new Message();
message.ok(1000,"issued tokenKey fail");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);
}
return false;
}
// 判斷是否是登錄請求
if(isPasswordLoginPost(request)){
AuthenticationToken authenticationToken = createPasswordToken(request);
Subject subject = getSubject(request,response);
try {
subject.login(authenticationToken);
//登錄認證成功,進入請求派發json web token url資源內
return true;
}catch (AuthenticationException e) {
LOGGER.warn(authenticationToken.getPrincipal()+"::"+e.getMessage(),e);
// 返回response告訴客戶端認證失敗
Message message = new Message().error(1002,"login fail");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);
return false;
}catch (Exception e) {
LOGGER.error(e.getMessage(),e);
// 返回response告訴客戶端認證失敗
Message message = new Message().error(1002,"login fail");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);
return false;
}
}
// 判斷是否爲註冊請求,若是通過過濾鏈進入controller註冊
if (isAccountRegisterPost(request)) {
return true;
}
// 之後添加對賬戶的找回等
// response 告知無效請求
Message message = new Message().error(1111,"error request");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),response);
return false;
}
private boolean isPasswordTokenGet(ServletRequest request) {
// String tokenKey = request.getParameter("tokenKey");
String tokenKey = RequestResponseUtil.getParameter(request,"tokenKey");
return (request instanceof HttpServletRequest)
&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("GET")
&& null != tokenKey && "get".equals(tokenKey);
}
private boolean isPasswordLoginPost(ServletRequest request) {
// String password = request.getParameter("password");
// String timestamp = request.getParameter("timestamp");
// String methodName = request.getParameter("methodName");
// String appId = request.getParameter("appId");
Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);
String password = map.get("password");
String timestamp = map.get("timestamp");
String methodName = map.get("methodName");
String appId = map.get("appId");
return (request instanceof HttpServletRequest)
&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("POST")
&& null != password
&& null != timestamp
&& null != methodName
&& null != appId
&& methodName.equals("login");
}
private boolean isAccountRegisterPost(ServletRequest request) {
// String uid = request.getParameter("uid");
// String methodName = request.getParameter("methodName");
// String username = request.getParameter("username");
// String password = request.getParameter("password");
Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);
String uid = map.get("uid");
String username = map.get("username");
String methodName = map.get("methodName");
String password = map.get("password");
return (request instanceof HttpServletRequest)
&& ((HttpServletRequest) request).getMethod().toUpperCase().equals("POST")
&& null != username
&& null != password
&& null != methodName
&& null != uid
&& methodName.equals("register");
}
private AuthenticationToken createPasswordToken(ServletRequest request) {
// String appId = request.getParameter("appId");
// String password = request.getParameter("password");
// String timestamp = request.getParameter("timestamp");
Map<String ,String> map = RequestResponseUtil.getRequestParameters(request);
String appId = map.get("appId");
String timestamp = map.get("timestamp");
String password = map.get("password");
String host = request.getRemoteAddr();
String tokenKey = redisTemplate.opsForValue().get("PASSWORD_TOKEN_KEY_"+host.toUpperCase());
return new PasswordToken(appId,password,timestamp,host,tokenKey);
}
public void setRedisTemplate(StringRedisTemplate redisTemplate) {
this.redisTemplate = redisTemplate;
}
}
支持restful風格的jwt鑑權filter:BJwtFilter
/* *
* @Author tomsun28
* @Description 支持restful url 的過濾鏈 JWT json web token 過濾器,無狀態驗證
* @Date 0:04 2018/4/20
*/
public class BJwtFilter extends BPathMatchingFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(BJwtFilter.class);
private StringRedisTemplate redisTemplate;
private AccountService accountService;
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
Subject subject = getSubject(servletRequest,servletResponse);
// 判斷是否爲JWT認證請求
if ((null == subject || !subject.isAuthenticated()) && isJwtSubmission(servletRequest)) {
AuthenticationToken token = createJwtToken(servletRequest);
try {
subject.login(token);
// return this.checkRoles(subject,mappedValue) && this.checkPerms(subject,mappedValue);
return this.checkRoles(subject,mappedValue);
}catch (AuthenticationException e) {
LOGGER.info(e.getMessage(),e);
// 如果是JWT過期
if (e.getMessage().equals("expiredJwt")) {
// 這裏初始方案先拋出令牌過期,之後設計爲在Redis中查詢當前appId對應令牌,其設置的過期時間是JWT的兩倍,此作爲JWT的refresh時間
// 當JWT的有效時間過期後,查詢其refresh時間,refresh時間有效即重新派發新的JWT給客戶端,
// refresh也過期則告知客戶端JWT時間過期重新認證
// 當存儲在redis的JWT沒有過期,即refresh time 沒有過期
String appId = WebUtils.toHttp(servletRequest).getHeader("appId");
String jwt = WebUtils.toHttp(servletRequest).getHeader("authorization");
String refreshJwt = redisTemplate.opsForValue().get("JWT-SESSION-"+appId);
if (null != refreshJwt && refreshJwt.equals(jwt)) {
// 重新申請新的JWT
// 根據appId獲取其對應所擁有的角色(這裏設計爲角色對應資源,沒有權限對應資源)
String roles = accountService.loadAccountRole(appId);
long refreshPeriodTime = 36000L; //seconds爲單位,10 hours
String newJwt = JsonWebTokenUtil.issueJWT(UUID.randomUUID().toString(),appId,
"token-server",refreshPeriodTime >> 2,roles,null, SignatureAlgorithm.HS512);
// 將簽發的JWT存儲到Redis: {JWT-SESSION-{appID} , jwt}
redisTemplate.opsForValue().set("JWT-SESSION-"+appId,newJwt,refreshPeriodTime, TimeUnit.SECONDS);
Message message = new Message().ok(1005,"new jwt").addData("jwt",newJwt);
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
return false;
}else {
// jwt時間失效過期,jwt refresh time失效 返回jwt過期客戶端重新登錄
Message message = new Message().error(1006,"expired jwt");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
return false;
}
}
// 其他的判斷爲JWT錯誤無效
Message message = new Message().error(1007,"error Jwt");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
return false;
}catch (Exception e) {
// 其他錯誤
LOGGER.warn(servletRequest.getRemoteAddr()+"JWT認證"+e.getMessage(),e);
// 告知客戶端JWT錯誤1005,需重新登錄申請jwt
Message message = new Message().error(1007,"error jwt");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
return false;
}
}else {
// 請求未攜帶jwt 判斷爲無效請求
Message message = new Message().error(1111,"error request");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
return false;
}
}
protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
Subject subject = getSubject(servletRequest,servletResponse);
// 未認證的情況
if (null == subject || !subject.isAuthenticated()) {
// 告知客戶端JWT認證失敗需跳轉到登錄頁面
Message message = new Message().error(1006,"error jwt");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
}else {
// 已經認證但未授權的情況
// 告知客戶端JWT沒有權限訪問此資源
Message message = new Message().error(1008,"no permission");
RequestResponseUtil.responseWrite(JSON.toJSONString(message),servletResponse);
}
// 過濾鏈終止
return false;
}
private boolean isJwtSubmission(ServletRequest request) {
String jwt = RequestResponseUtil.getHeader(request,"authorization");
String appId = RequestResponseUtil.getHeader(request,"appId");
return (request instanceof HttpServletRequest)
&& !StringUtils.isEmpty(jwt)
&& !StringUtils.isEmpty(appId);
}
private AuthenticationToken createJwtToken(ServletRequest request) {
Map<String,String> maps = RequestResponseUtil.getRequestHeaders(request);
String appId = maps.get("appId");
String ipHost = request.getRemoteAddr();
String jwt = maps.get("authorization");
String deviceInfo = maps.get("deviceInfo");
return new JwtToken(ipHost,deviceInfo,jwt,appId);
}
// 驗證當前用戶是否屬於mappedValue任意一個角色
private boolean checkRoles(Subject subject, Object mappedValue){
String[] rolesArray = (String[]) mappedValue;
return rolesArray == null || rolesArray.length == 0 || Stream.of(rolesArray).anyMatch(role -> subject.hasRole(role.trim()));
}
// 驗證當前用戶是否擁有mappedValue任意一個權限
private boolean checkPerms(Subject subject, Object mappedValue){
String[] perms = (String[]) mappedValue;
boolean isPermitted = true;
if (perms != null && perms.length > 0) {
if (perms.length == 1) {
if (!subject.isPermitted(perms[0])) {
isPermitted = false;
}
} else {
if (!subject.isPermittedAll(perms)) {
isPermitted = false;
}
}
}
return isPermitted;
}
public void setRedisTemplate(StringRedisTemplate redisTemplate) {
this.redisTemplate = redisTemplate;
}
public void setAccountService(AccountService accountService) {
this.accountService = accountService;
}
}
realm數據源,數據提供service,匹配matchs,自定義token,spring集成shiro配置等其他詳見項目代碼。
最後項目實現了基於jwt的動態restful api權限認證。
效果展示
持續更新。。。。。。
分享一波阿里雲代金券快速上雲
轉載請註明 from tomsun28