最近在给公司搭建一个权限系统,在原有的测试管理平台上集成shiro框架,提供一个登录和权限控制功能。
之前是使用用户表,管理员直接创建用户,现在要使用员工的工号登录,公司员工是使用LDAP存储,
刚好shiro也提供LDAP的支持,调试了几天,总算调通了
使用通用的表设计,先看下权限系统的表设计
权限编码需要自己去实现,下面看下shiro的配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.1.xsd"
default-lazy-init="true">
<!-- 用户授权信息Cache, 采用EhCache -->
<!-- <bean id="ehcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
</bean> -->
<!-- cache 单机实现 -->
<!--<import resource="classpath:shiro/shiro-ehcache.xml" />-->
<!-- 自定义的Realm -->
<bean id="authShiroRealm" class="com.xn.manage.shiro.WebAuthorizingRealm">
<!--<property name="credentialsMatcher" ref="credentialsMatcher" />-->
<property name="cachingEnabled" value="false" />
<property name="authorizationCachingEnabled" value="false"/>
</bean>
<!-- 基于Form表单的身份验证过滤器 -->
<bean id="formAuthenticationFilter"
class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
<property name="usernameParam" value="username"/>
<property name="passwordParam" value="password" />
<property name="rememberMeParam" value="rememberMe" />
<property name="loginUrl" value="/login"/>
</bean>
<!-- 会话ID生成器 -->
<bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator" />
<!-- 指定本系统SESSIONID, 默认为: JSESSIONID 问题: 与SERVLET容器名冲突, 如JETTY, TOMCAT 等默认JSESSIONID,
当跳出SHIRO SERVLET时如ERROR-PAGE容器会为JSESSIONID重新分配值导致登录会话丢失! -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<property name="httpOnly" value="true" />
<property name="maxAge" value="-1" />
<property name="name" value="sid" />
</bean>
<!--多个realm 的认证策略 -->
<bean id="authenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
<property name="authenticationStrategy">
<bean class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy " />
</property>
</bean>
<!-- Shiro's main business-tier object for web-enabled applications -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--<property name="realm" ref="authShiroRealm" />-->
<!--<property name="realm" ref="ldapAuthorizingRealm" />-->
<property name="authenticator" ref="authenticator"></property>
<property name="realms">
<list>
<ref bean="ldapAuthorizingRealm" />
<!--<ref bean="authShiroRealm" />-->
</list>
</property>
<!--<property name="cacheManager" ref="cacheManager" />-->
<property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- session管理 -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<!-- session超时时间设置为8小时 -->
<property name="globalSessionTimeout" value="28800000"></property>
<property name="sessionIdCookie" ref="sessionIdCookie" />
<property name="sessionIdCookieEnabled" value="true" />
</bean>
<!-- 重写ldap认证 这里的rootDN是搜索公司的员工的根目录-->
<bean id="ldapAuthorizingRealm" class="com.xn.manage.shiro.LdapAuthorizingRealm">
<property name="rootDN" value="OU=xxx公司,DC=xxx域,DC=com"/>
<property name="userDnTemplate" value="{0}"/>
<property name="contextFactory" ref="contextFactory"/>
</bean>
<!-- 配置ldap路径及配置一个默认的用户和密码 -->
<bean id="contextFactory" class="org.apache.shiro.realm.ldap.JndiLdapContextFactory">
<property name="url" value="ldap://LDAP的地址:端口"/>
<property name="systemUsername" value="CN=xxx系统用户,OU=xxx公司,DC=xxx域,DC=com"/>
<property name="systemPassword" value="密码123456"/>
</bean>
<!-- Shiro Filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl" value="/index" />
<property name="unauthorizedUrl" value="/403"/>
<property name="filters">
<util:map>
<entry key="authc">
<bean class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter"/>
</entry>
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
/login = anon
/sure_login = anon
/logout = logout
/picture/** = anon
/vendor/** = anon
/js/** = anon
/css/** = anon
/decorators/** = anon
/common/** = anon
/dist/** = anon
/** = user
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
</beans>
LDAP有很多名词,DN、CN、OU、DC请自行百度
再看看LDAP的reaml
public class LdapAuthorizingRealm extends JndiLdapRealm {
private static final Logger logger = LoggerFactory.getLogger(LdapAuthorizingRealm.class);
private String rootDN;
public String getRootDN() {
return rootDN;
}
public void setRootDN(String rootDN) {
this.rootDN = rootDN;
}
/**
* 登录时调用
*
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
AuthenticationInfo info;
try {
info = queryForAuthenticationInfo(token, getContextFactory());
getAuthorizationInfo(((UsernamePasswordToken) token).getUsername());
} catch (AuthenticationNotSupportedException e) {
String msg = "Unsupported configured authentication mechanism";
throw new UnsupportedAuthenticationMechanismException(msg, e);
} catch (javax.naming.AuthenticationException e) {
String msg = "LDAP authentication failed.";
throw new AuthenticationException(msg, e);
} catch (NamingException e) {
String msg = "LDAP naming error while attempting to authenticate user.";
throw new AuthenticationException(msg, e);
} catch (UnknownAccountException e) {
String msg = "账号不存在!";
throw new UnknownAccountException(msg, e);
} catch (IncorrectCredentialsException e) {
String msg = "IncorrectCredentialsException";
throw new IncorrectCredentialsException(msg, e);
}
return info;
}
/**
* 授权
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// 因为非正常退出,即没有显式调用 SecurityUtils.getSubject().logout()
// (可能是关闭浏览器,或超时),但此时缓存依旧存在(principals),所以会自己跑到授权方法里。
if (!SecurityUtils.getSubject().isAuthenticated()) {
doClearCache(principalCollection);
SecurityUtils.getSubject().logout();
return null;
}
// 获取当前登录的用户名
String username = (String) principalCollection.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
Session session = SecurityUtils.getSubject().getSession();
authorizationInfo.setStringPermissions((Set<String>) session.getAttribute("permissions"));
return authorizationInfo;
}
/**
* 连接LDAP查询用户信息是否存在
* <p>
* 1. 从页面得到登陆名和密码。注意这里的登陆名和密码一开始并没有被用到。
* 2. 先匿名绑定到LDAP服务器,如果LDAP服务器没有启用匿名绑定,一般会提供一个默认的用户,用这个用户进行绑定即可。
* 3. 之前输入的登陆名在这里就有用了,当上一步绑定成功以后,需要执行一个搜索,而filter就是用登陆名来构造,形如: "CN=*(xn607659)" 。
* 搜索执行完毕后,需要对结果进行判断,如果只返回一个entry,这个就是包含了该用户信息的entry,可以得到该 entry的DN,后面使用。
* 如果返回不止一个或者没有返回,说明用户名输入有误,应该退出验证并返回错误信息。
* 4. 如果能进行到这一步,说明用相应的用户,而上一步执行时得到了用户信息所在的entry的DN,这里就需要用这个DN和第一步中得到的password重新绑定LDAP服务器。
* 5. 执行完上一步,验证的主要过程就结束了,如果能成功绑定,那么就说明验证成功,如果不行,则应该返回密码错误的信息。
* 这5大步就是基于LDAP的一个 “两次绑定” 验证方法
*
* @param token
* @param ldapContextFactory
* @return
* @throws NamingException
*/
@Override
protected AuthenticationInfo queryForAuthenticationInfo(
AuthenticationToken token, LdapContextFactory ldapContextFactory)
throws NamingException {
Object principal = token.getPrincipal();//输入的用户名
Object credentials = token.getCredentials();//输入的密码
String userName = principal.toString();
String password = new String((char[]) credentials);
LdapContext systemCtx = null;
LdapContext ctx = null;
try {
//使用系统配置的用户连接LDAP
systemCtx = ldapContextFactory.getSystemLdapContext();
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);//搜索范围是包括子树
// String returnedAtts[] = { "uid","displayName","cn","company","department","mailNickname"};
// constraints.setReturningAttributes(returnedAtts);
NamingEnumeration results = systemCtx.search(rootDN, "UID=" + principal , constraints);
if (results != null && !results.hasMore()) {
throw new UnknownAccountException();
} else {
while (results.hasMore()) {
SearchResult si = (SearchResult) results.next();
principal = si.getName() + "," + rootDN;
logger.debug(si.getAttributes().get("company").toString());
logger.debug(si.getAttributes().get("department").toString());
}
logger.info("DN=[" + principal + "]");
try {
//根据查询到的用户与输入的密码连接LDAP,用户密码正确才能连接
ctx = ldapContextFactory.getLdapContext(principal, credentials);
dealUser(userName, password);
} catch (NamingException e) {
throw new IncorrectCredentialsException();
}
return new SimpleAuthenticationInfo(userName, MD5Util.MD5(userName + password).toLowerCase(), getName());
}
} finally {
//关闭连接
LdapUtils.closeContext(systemCtx);
LdapUtils.closeContext(ctx);
}
}
/**
* 将LDAP查询到的用户保存到sys_user表
*
* @param userName
*/
private void dealUser(String userName, String password) {
if (StringUtil.isEmpty(userName)) {
return;
}
//TO DO...
}
/**
* 获取权限码
*
* @param username
* @return
*/
private Map<String, Set<String>> getAuthorizationInfo(String username) {
Map<String, Set<String>> authorizationMap = new HashMap<String, Set<String>>();
Set<String> codeSet = new HashSet<String>();
Session session = SecurityUtils.getSubject().getSession();
//查询数据库的用户权限
//......
authorizationMap.put("permissions", codeSet);
session.setAttribute("permissions", codeSet);
logger.debug("当前登录账户:{}的权限集合:{}", username, codeSet);
return authorizationMap;
}
/**
* 设定Password校验的Hash算法与迭代次数.这里使用了自定义的加密算法
*/
@PostConstruct
public void initCredentialsMatcher() {
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("MD5") {
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
Object credentials = token.getCredentials();
UsernamePasswordToken token1 = (UsernamePasswordToken) token;
if (credentials == null) {
String msg = "Argument for byte conversion cannot be null.";
throw new IllegalArgumentException(msg);
}
byte[] bytes = null;
if (credentials instanceof char[]) {
bytes = CodecSupport.toBytes(new String((char[]) credentials), PREFERRED_ENCODING);
} else {
bytes = objectToBytes(credentials);
}
String tokenHashedCredentials = MD5Util.MD5(token1.getUsername() + new String(bytes)).toLowerCase();
String accountCredentials = getCredentials(info).toString();
return tokenHashedCredentials.equals(accountCredentials);
}
};
matcher.setHashIterations(1);
setCredentialsMatcher(matcher);
}
}
这里涉及公司具体业务的代码出于保密没有写出来,大概就是这个样子