SpringBoot Shiro多realm实现免密登录

avatar 2019年01月24日19:44:14 8 13986 views
博主分享免费Java教学视频,B站账号:Java刘哥 ,长期提供技术问题解决、项目定制:本站商品点此
 

上一篇文章介绍了

SpringBoot整合Shiro,通过用户、角色、权限三者关联实现权限管理


本篇文章主要介绍 Shiro 多 realm,根据不同的登录类型指定不同的 realm。

所谓免密登录,就是区别正常的密码登录。比如,我现在要实现第三方登录,当验证了是张三,现在要让他通过 shiro 的 subject.login(),但是不知道他的密码(密码加密了),我们不能拿数据库里的密码去登录,除非重新写 Realm。

所以需要多个 Realm,一个是密码登录(shiro会根据用户的输入的密码和加密方法加密后比较);一个免密登录(允许使用数据库密码登录,shiro不进行任何加密)。

实现的过程简单说下:

重写 UsernamePasswordToken,加一个 loginType 属性,subject.login() 的时候传入 loginType; 重写 ModularRealmAuthenticator 中的 doAuthenticate() 方法,根据传进来的 loginType 来指定使用哪个 Realm。

一、Shiro 配置


1.两个 Realm

NormalRealm.java  密码登录的 Realm
  1. package com.liuyanzhao.sens.config;
  3. import cn.hutool.core.date.DateUnit;
  4. import cn.hutool.core.date.DateUtil;
  5. import cn.hutool.core.lang.Validator;
  6. import cn.hutool.core.util.ObjectUtil;
  7. import cn.hutool.extra.servlet.ServletUtil;
  8. import cn.hutool.http.HtmlUtil;
  9. import com.liuyanzhao.sens.entity.Permission;
  10. import com.liuyanzhao.sens.entity.Role;
  11. import com.liuyanzhao.sens.entity.User;
  12. import com.liuyanzhao.sens.model.dto.JsonResult;
  13. import com.liuyanzhao.sens.model.dto.LogsRecord;
  14. import com.liuyanzhao.sens.model.enums.CommonParamsEnum;
  15. import com.liuyanzhao.sens.model.enums.ResultCodeEnum;
  16. import com.liuyanzhao.sens.model.enums.TrueFalseEnum;
  17. import com.liuyanzhao.sens.service.PermissionService;
  18. import com.liuyanzhao.sens.service.RoleService;
  19. import com.liuyanzhao.sens.service.UserService;
  20. import com.liuyanzhao.sens.utils.LocaleMessageUtil;
  21. import com.liuyanzhao.sens.utils.Md5Util;
  22. import lombok.extern.slf4j.Slf4j;
  23. import org.apache.commons.lang3.StringUtils;
  24. import org.apache.shiro.authc.*;
  25. import org.apache.shiro.authz.AuthorizationInfo;
  26. import org.apache.shiro.authz.SimpleAuthorizationInfo;
  27. import org.apache.shiro.realm.AuthorizingRealm;
  28. import org.apache.shiro.subject.PrincipalCollection;
  29. import org.apache.shiro.util.ByteSource;
  30. import org.springframework.beans.factory.annotation.Autowired;
  32. import java.util.Date;
  33. import java.util.List;
  35. /**
  36.  * 默认的realm
  37.  *
  38.  * @author 言曌
  39.  * @date 2018/9/1 上午10:47
  40.  */
  41. @Slf4j
  42. public class NormalRealm extends AuthorizingRealm {
  44.     @Autowired
  45.     private UserService userService;
  47.     @Autowired
  48.     private RoleService roleService;
  50.     @Autowired
  51.     private PermissionService permissionService;
  53.     @Autowired
  54.     private LocaleMessageUtil localeMessageUtil;
  56.     /**
  57.      * 认证信息(身份验证) Authentication 是用来验证用户身份
  58.      */
  59.     @Override
  60.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  61.         log.info("认证-->MyShiroRealm.doGetAuthenticationInfo()");
  62.         //1.验证用户名
  63.         User user = null;
  64.         String loginName = (String) token.getPrincipal();
  65.         if (Validator.isEmail(loginName)) {
  66.             user = userService.findByEmail(loginName);
  67.         } else {
  68.             user = userService.findByUserName(loginName);
  69.         }
  70.         if (user == null) {
  71.             //用户不存在
  72.             log.info("用户不存在! 登录名:{}, 密码:{}", loginName, token.getCredentials());
  73.             return null;
  74.         }
  76.         //2.首先判断是否已经被禁用已经是否已经过了10分钟
  77.         Date loginLast = DateUtil.date();
  78.         if (null != user.getLoginLast()) {
  79.             loginLast = user.getLoginLast();
  80.         }
  81.         Long between = DateUtil.between(loginLast, DateUtil.date(), DateUnit.MINUTE);
  82.         if (StringUtils.equals(user.getLoginEnable(), TrueFalseEnum.FALSE.getDesc()) && (between < CommonParamsEnum.TEN.getValue())) {
  83.             log.info("账号已锁定! 登录名:{}, 密码:{}", loginName, token.getCredentials());
  84.             throw new LockedAccountException(localeMessageUtil.getMessage("code.admin.login.disabled"));
  85.         }
  86.         userService.updateUserLoginLast(user, DateUtil.date());
  88.         //3.封装authenticationInfo,准备验证密码
  89.         SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
  90.                 user, // 用户名
  91.                 user.getUserPass(), // 密码
  92.                 ByteSource.Util.bytes("sens"), // 盐
  93.                 getName() // realm name
  94.         );
  95.         System.out.println("realName:" + getName());
  96.         return authenticationInfo;
  97.     }
  100.     @Override
  101.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  102.         log.info("授权-->MyShiroRealm.doGetAuthorizationInfo()");
  104.         SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
  105.         User user = (User) principals.getPrimaryPrincipal();
  107.         List<Role> roles = roleService.listRolesByUserId(user.getUserId());
  108.         for (Role role : roles) {
  109.             authorizationInfo.addRole(role.getRole());
  110.             List<Permission> permissions = permissionService.listPermissionsByRoleId(role.getId());
  111.             for (Permission p : permissions) {
  112.                 authorizationInfo.addStringPermission(p.getPermission());
  113.             }
  114.         }
  115.         return authorizationInfo;
  116.     }
  117. }



FreeRealm.java  密码不加密的 Realm
  1. package com.liuyanzhao.sens.config;
  3. import cn.hutool.core.date.DateUnit;
  4. import cn.hutool.core.date.DateUtil;
  5. import cn.hutool.core.lang.Validator;
  6. import com.liuyanzhao.sens.entity.Permission;
  7. import com.liuyanzhao.sens.entity.Role;
  8. import com.liuyanzhao.sens.entity.User;
  9. import com.liuyanzhao.sens.model.enums.CommonParamsEnum;
  10. import com.liuyanzhao.sens.model.enums.TrueFalseEnum;
  11. import com.liuyanzhao.sens.service.PermissionService;
  12. import com.liuyanzhao.sens.service.RoleService;
  13. import com.liuyanzhao.sens.service.UserService;
  14. import com.liuyanzhao.sens.utils.LocaleMessageUtil;
  15. import lombok.extern.slf4j.Slf4j;
  16. import org.apache.commons.lang3.StringUtils;
  17. import org.apache.shiro.authc.*;
  18. import org.apache.shiro.authz.AuthorizationInfo;
  19. import org.apache.shiro.authz.SimpleAuthorizationInfo;
  20. import org.apache.shiro.realm.AuthorizingRealm;
  21. import org.apache.shiro.subject.PrincipalCollection;
  22. import org.apache.shiro.util.ByteSource;
  23. import org.springframework.beans.factory.annotation.Autowired;
  25. import java.util.Date;
  26. import java.util.List;
  28. /**
  29.  * 免密登录,输入的密码和原密码一致
  30.  *
  31.  * @author 言曌
  32.  * @date 2018/9/1 上午10:47
  33.  */
  34. @Slf4j
  35. public class FreeRealm extends AuthorizingRealm {
  37.     @Autowired
  38.     private UserService userService;
  40.     @Autowired
  41.     private RoleService roleService;
  43.     @Autowired
  44.     private PermissionService permissionService;
  46.     @Autowired
  47.     private LocaleMessageUtil localeMessageUtil;
  49.     /**
  50.      * 认证信息(身份验证) Authentication 是用来验证用户身份
  51.      */
  52.     @Override
  53.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  54.         //1.验证用户名
  55.         User user = null;
  56.         String loginName = (String) token.getPrincipal();
  57.         if (Validator.isEmail(loginName)) {
  58.             user = userService.findByEmail(loginName);
  59.         } else {
  60.             user = userService.findByUserName(loginName);
  61.         }
  62.         if (user == null) {
  63.             //用户不存在
  64.             log.info("第三方登录,用户不存在! 登录名:{}, 密码:{}", loginName,token.getCredentials());
  65.             return null;
  66.         }
  68.         //3.封装authenticationInfo,准备验证密码
  69.         SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
  70.                 user, // 用户名
  71.                 user.getUserPass(), // 密码
  72.                 null,
  73.                 getName() // realm name
  74.         );
  75.         return authenticationInfo;
  76.     }
  79.     @Override
  80.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  81.         System.out.println("权限配置-->MyShiroRealm.doGetAuthorizationInfo()");
  83.         SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
  84.         User user = (User) principals.getPrimaryPrincipal();
  86.         List<Role> roles = roleService.listRolesByUserId(user.getUserId());
  87.         for (Role role : roles) {
  88.             authorizationInfo.addRole(role.getRole());
  89.             List<Permission> permissions = permissionService.listPermissionsByRoleId(role.getId());
  90.             for (Permission p : permissions) {
  91.                 authorizationInfo.addStringPermission(p.getPermission());
  92.             }
  93.         }
  94.         return authorizationInfo;
  95.     }
  96. }



2.ShiroConfig

主要关注65-86行
  1. package com.liuyanzhao.sens.config;
  3. import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
  4. import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
  5. import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
  6. import org.apache.shiro.mgt.SecurityManager;
  7. import org.apache.shiro.realm.Realm;
  8. import org.apache.shiro.spring.LifecycleBeanPostProcessor;
  9. import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
  10. import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
  11. import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
  12. import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
  13. import org.springframework.context.annotation.Bean;
  14. import org.springframework.context.annotation.Configuration;
  15. import org.springframework.context.annotation.DependsOn;
  17. import java.util.ArrayList;
  18. import java.util.LinkedHashMap;
  19. import java.util.List;
  20. import java.util.Map;
  22. /**
  23.  * @author 言曌
  24.  * @date 2018/8/20 上午6:19
  25.  */
  27. @Configuration
  28. public class ShiroConfig {
  30.     @Bean
  31.     public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
  32.         System.out.println("ShiroConfiguration.shirFilter()");
  33.         ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
  34.         shiroFilterFactoryBean.setSecurityManager(securityManager);
  35.         //拦截器.
  36.         Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>();
  37.         // 配置不会被拦截的链接 顺序判断
  38.         filterChainDefinitionMap.put("/static/**""anon");
  39.         filterChainDefinitionMap.put("/upload/**""anon");
  40.         filterChainDefinitionMap.put("/favicon.ico""anon");
  41.         filterChainDefinitionMap.put("/favicon.ico""anon");
  42.         filterChainDefinitionMap.put("/admin/login""anon");
  43.         filterChainDefinitionMap.put("/admin/getLogin""anon");
  44.         //配置退出 过滤器,其中的具体的退出代码Shiro已经替我们实现了
  45.         filterChainDefinitionMap.put("/logout""logout");
  46.         //<!-- 过滤链定义,从上向下顺序执行,一般将/**放在最为下边 -->:这是一个坑呢,一不小心代码就不好使了;
  47.         //<!-- authc:所有url都必须认证通过才可以访问; anon:所有url都都可以匿名访问-->
  48.         filterChainDefinitionMap.put("/admin/**""authc");
  49.         filterChainDefinitionMap.put("/backup/**""authc");
  50.         filterChainDefinitionMap.put("/**""anon");
  51.         shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
  53.         // 如果不设置默认会自动寻找Web工程根目录下的"/login"页面
  54.         shiroFilterFactoryBean.setLoginUrl("/admin/login");
  55.         // 登录成功后要跳转的链接
  56.         shiroFilterFactoryBean.setSuccessUrl("/");
  57.         //未授权界面;
  58.         shiroFilterFactoryBean.setUnauthorizedUrl("/403");
  60.         return shiroFilterFactoryBean;
  62.     }
  64.     @Bean
  65.     public SecurityManager securityManager() {
  66.         DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
  67.         securityManager.setAuthenticator(modularRealmAuthenticator());
  68.         List<Realm> realms = new ArrayList<>();
  69.         //密码登录realm
  70.         realms.add(normalRealm());
  71.         //免密登录realm
  72.         realms.add(freeRealm());
  73.         securityManager.setRealms(realms);
  74.         return securityManager;
  75.     }
  77.     /**
  78.      * 系统自带的Realm管理,主要针对多realm
  79.      * */
  80.     @Bean
  81.     public ModularRealmAuthenticator modularRealmAuthenticator(){
  82.         //自己重写的ModularRealmAuthenticator
  83.         UserModularRealmAuthenticator modularRealmAuthenticator = new UserModularRealmAuthenticator();
  84.         modularRealmAuthenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
  85.         return modularRealmAuthenticator;
  86.     }
  88.     /**
  89.      * 需要密码登录的realm
  90.      *
  91.      * @return MyShiroRealm
  92.      */
  93.     @Bean
  94.     public NormalRealm normalRealm() {
  95.         NormalRealm normalRealm = new NormalRealm();
  96.         normalRealm.setCredentialsMatcher(hashedCredentialsMatcher());
  97.         return normalRealm;
  98.     }
  101.     /**
  102.      * 免密登录realm
  103.      *
  104.      * @return MyShiroRealm
  105.      */
  106.     @Bean
  107.     public FreeRealm freeRealm() {
  108.         FreeRealm realm = new FreeRealm();
  109.         //不需要加密,直接用数据库密码进行登录
  110.         return realm;
  111.     }
  113.     /**
  114.      * 凭证匹配器
  115.      * (由于我们的密码校验交给Shiro的SimpleAuthenticationInfo进行处理了
  116.      *  所以我们需要修改下doGetAuthenticationInfo中的代码;
  117.      * )
  118.      * @return
  119.      */
  120.     @Bean
  121.     public HashedCredentialsMatcher hashedCredentialsMatcher(){
  122.         HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
  123.         hashedCredentialsMatcher.setHashAlgorithmName("md5");//散列算法:这里使用MD5算法;
  124.         hashedCredentialsMatcher.setHashIterations(10);//散列的次数,md5("")
  125.         return hashedCredentialsMatcher;
  126.     }
  129.     /**
  130.      *  开启shiro aop注解支持.
  131.      *  使用代理方式;所以需要开启代码支持;
  132.      * @param securityManager
  133.      * @return
  134.      */
  135.     /** * Shiro生命周期处理器 * @return */
  136.     @Bean
  137.     public LifecycleBeanPostProcessor lifecycleBeanPostProcessor(){
  138.         return new LifecycleBeanPostProcessor();
  139.     }
  141.     @Bean
  142.     @DependsOn({"lifecycleBeanPostProcessor"})
  143.     public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){
  144.         DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
  145.         advisorAutoProxyCreator.setProxyTargetClass(true);
  146.         return advisorAutoProxyCreator;
  147.     }
  148.     @Bean
  149.     public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(){
  150.         AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
  151.         authorizationAttributeSourceAdvisor.setSecurityManager(securityManager());
  152.         return authorizationAttributeSourceAdvisor;
  153.     }
  154. }

多 Realm 模式需要重写 ModularRealmAuthenticator



3.重写ModularRealmAuthenticator

UserModularRealmAuthenticator.java
  1. package com.liuyanzhao.sens.config;
  3. import com.liuyanzhao.sens.model.dto.UserToken;
  4. import org.apache.shiro.authc.AuthenticationException;
  5. import org.apache.shiro.authc.AuthenticationInfo;
  6. import org.apache.shiro.authc.AuthenticationToken;
  7. import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
  8. import org.apache.shiro.realm.Realm;
  10. import java.util.ArrayList;
  11. import java.util.Collection;
  12. import java.util.List;
  14. /**
  15.  * @author 言曌
  16.  * @date 2019/1/24 下午4:19
  17.  */
  19. public class UserModularRealmAuthenticator extends ModularRealmAuthenticator {
  21.     @Override
  22.     protected AuthenticationInfo doAuthenticate(AuthenticationToken authenticationToken)
  23.             throws AuthenticationException {
  24.         System.out.println("UserModularRealmAuthenticator:method doAuthenticate() execute ");
  25.         // 判断getRealms()是否返回为空
  26.         assertRealmsConfigured();
  27.         // 强制转换回自定义的CustomizedToken
  28.         UserToken userToken = (UserToken) authenticationToken;
  29.         // 登录类型
  30.         String loginType = userToken.getLoginType();
  31.         // 所有Realm
  32.         Collection<Realm> realms = getRealms();
  33.         // 登录类型对应的所有Realm
  34.         List<Realm> typeRealms = new ArrayList<>();
  35.         for (Realm realm : realms) {
  36.             if (realm.getName().contains(loginType)) {
  37.                 typeRealms.add(realm);
  38.             }
  39.         }
  41.         // 判断是单Realm还是多Realm
  42.         if (typeRealms.size() == 1){
  43.             System.out.println("doSingleRealmAuthentication() execute ");
  44.             return doSingleRealmAuthentication(typeRealms.get(0), userToken);
  45.         }
  46.         else{
  47.             System.out.println("doMultiRealmAuthentication() execute ");
  48.             return doMultiRealmAuthentication(typeRealms, userToken);
  49.         }
  50.     }
  51. }



4.枚举类 LoginType

LoginType.java
  1. package com.liuyanzhao.sens.model.enums;
  3. /**
  4.  * @author 言曌
  5.  * @date 2019/1/24 下午5:08
  6.  */
  8. public enum LoginType {
  10.     /**
  11.      * 密码登录
  12.      */
  13.     NORMAL("Normal"),
  15.     /**
  16.      * 免密码登录
  17.      */
  18.     FREE("Free");
  21.     private String desc;
  23.     LoginType(String desc) {
  24.         this.desc = desc;
  25.     }
  27.     public String getDesc() {
  28.         return desc;
  29.     }
  30. }



5.自定义UsernamePasswordToken

UserToken.java
  1. package com.liuyanzhao.sens.model.dto;
  3. import lombok.Data;
  4. import org.apache.shiro.authc.UsernamePasswordToken;
  6. /**
  7.  *
  8.  * 自定义UsernamePasswordToken
  9.  * 必须传loginType
  10.  *
  11.  * @author 言曌
  12.  * @date 2019/1/24 下午4:20
  13.  */
  14. @Data
  15. public class UserToken extends UsernamePasswordToken {
  16.     private String loginType;
  18.     public UserToken() {
  19.     }
  21.     public UserToken(final String username, final String password,
  22.                      final String loginType) {
  23.         super(username, password);
  24.         this.loginType = loginType;
  25.     }
  27. }




二、登录


1.正常的密码登录
  1. @PostMapping(value = "/getLogin")
  2. @ResponseBody
  3. public JsonResult getLogin(@ModelAttribute("loginName") String loginName, @ModelAttribute("loginPwd") String loginPwd) {
  4.         Subject subject = SecurityUtils.getSubject();
  5.         UserToken token = new UserToken(loginName, loginPwd, LoginType.FREE.getDesc());
  6.         try {
  7.             subject.login(token);
  8.             if (subject.isAuthenticated()) {
  9.                 //登录成功,修改登录错误次数为0
  10.                 User user = (User) subject.getPrincipal();
  11.                 userService.updateUserLoginNormal(user);
  12.                 return new JsonResult(ResultCodeEnum.SUCCESS.getCode(),"登录成功");
  13.             }
  14.         } catch (UnknownAccountException e) {
  15.             ...
  16.         }
  17.        ...
  18.     }



2.第三方登录,授权成功后,免密登录
  1. package com.liuyanzhao.sens.web.controller.front;
  3. import cn.hutool.core.date.DateUtil;
  4. import cn.hutool.extra.servlet.ServletUtil;
  5. import com.liuyanzhao.sens.entity.Log;
  6. import com.liuyanzhao.sens.entity.ThirdAppBind;
  7. import com.liuyanzhao.sens.entity.User;
  8. import com.liuyanzhao.sens.model.dto.LogsRecord;
  9. import com.liuyanzhao.sens.model.dto.UserToken;
  10. import com.liuyanzhao.sens.model.enums.BindTypeEnum;
  11. import com.liuyanzhao.sens.model.enums.LoginType;
  12. import com.liuyanzhao.sens.service.*;
  13. import com.liuyanzhao.sens.utils.Response;
  14. import lombok.extern.slf4j.Slf4j;
  15. import org.apache.shiro.SecurityUtils;
  16. import org.apache.shiro.subject.Subject;
  17. import org.springframework.beans.factory.annotation.Autowired;
  18. import org.springframework.stereotype.Controller;
  19. import org.springframework.web.bind.annotation.GetMapping;
  20. import org.springframework.web.bind.annotation.RequestParam;
  22. import javax.servlet.http.HttpServletRequest;
  25. /**
  26.  * @author 言曌
  27.  * @date 2018/5/9 下午2:59
  28.  */
  29. @Controller
  30. @Slf4j
  31. public class AuthController {
  33.     @Autowired
  34.     private QQAuthService qqAuthService;
  36.     @Autowired
  37.     private UserService userService;
  39.     @Autowired
  40.     private ThirdAppBindService thirdAppBindService;
  42.     @Autowired
  43.     private LogService logService;
  45.     /**
  46.      * 第三方授权后会回调此方法,并将code传过来
  47.      *
  48.      * @param code code
  49.      * @return
  50.      */
  51.     @GetMapping("/oauth/qq/callback")
  52.     public String oauthByQQ(@RequestParam(value = "code") String code, HttpServletRequest request) {
  53.         Response<String> tokenResponse = qqAuthService.getAccessToken(code);
  54.         if (tokenResponse.isSuccess()) {
  55.             Response<String> openidResponse = qqAuthService.getOpenId(tokenResponse.getData());
  56.             if (openidResponse.isSuccess()) {
  57.                 //根据openId去找关联的用户
  58.                 ThirdAppBind bind = thirdAppBindService.findByAppTypeAndOpenId(BindTypeEnum.QQ.getValue(), openidResponse.getData());
  59.                 if (bind != null && bind.getUserId() != null) {
  60.                     //执行Login操作
  61.                     User user = userService.findByUserId(bind.getUserId());
  62.                     if (user != null) {
  63.                         Subject subject = SecurityUtils.getSubject();
  64.                         UserToken userToken = new UserToken(user.getUserName(), user.getUserPass(), LoginType.FREE.getDesc());  
  65.                         try {
  66.                             subject.login(userToken);
  67.                         } catch (Exception e) {
  68.                             e.printStackTrace();
  69.                             log.error("第三方登录(QQ)免密码登录失败, cause:{}", e);
  70.                             return "redirect:/admin/login";
  71.                         }
  72.                         logService.saveByLog(new Log(LogsRecord.LOGIN, LogsRecord.LOGIN_SUCCESS + "(QQ登录)", ServletUtil.getClientIP(request), DateUtil.date()));
  73.                         log.info("用户[{}]登录成功(QQ登录)。", user.getUserDisplayName());
  74.                         return "redirect:/admin";
  75.                     }
  76.                 }
  77.             }
  78.         }
  79.         return "redirect:/admin/login";
  80.     }
  84. }

主要关注61-71行

历史上的今天
一月
24日
  • 微信
  • 交流学习,资料分享
  • weinxin
  • 个人淘宝
  • 店铺名:言曌博客咨询部

  • (部分商品未及时上架淘宝)
avatar

发表评论

avatar 登录者:匿名
匿名评论,评论回复后会有邮件通知

  

已通过评论:2   待审核评论数:0
  1. avatar yukiloh
    回复 2019年12月09日 12:00:37

    问题我自己解决了 你的UserModularRealmAuthenticatorif (realm.getName().contains(loginType)) { 这句代码会出现bug,此时获取的realm.getName有大小写 2个解决方案 1. if (realm.getName().toLowerCase().contains(loginType)) { 转为小写,不然即是永远找不到对应的realm! 2.强制命名realm的name 在shiro的config配置类中 @Bean public DefaultUserRealm getDefaultUserRealm() { DefaultUserRealm defaultUserRealm = new DefaultUserRealm(); defaultUserRealm.setName(LoginType.DEFAULT.getDesc()); //此处设定shiro的Name! return defaultUserRealm; } 希望通过审查,给更多人看到

  2. avatar yukiloh
    回复 2019年12月06日 15:19:18

    这对我有用,这个问题几乎困扰了我1天 但是有一个问题 你的案例中重写的ModularRealmAuthenticator中, 对于realm的判断是根据传入的 new UserToken(loginCode, password, LoginType.FREE.getDesc()); 中的LoginType.FREE.getDesc()来决定的吗? 我的案例中虽然没有采用你的realm名称, 但在类似的登录情景中,在修改了LoginType后实行subject.login()登陆时 new UserToken(loginCode, password, LoginType.NORMAL.getDesc()); 和 new UserToken(loginCode, password, LoginType.FREE.getDesc()); 依然还是遍历在查找realm,而不是去指定的realm中进行登录匹配 最后导致错误的账号和密码会返回 AuthenticationException: Authentication token of type [class xyz.murasakichigo.demo.shiro.UserToken] could not be authenticated by any configured realms. Please ensure that at least one realm can authenticate these tokens. 无法抓取UnknownAccountException和IncorrectCredentialsException这两个异常 虽然说问题并不大...但是比较好奇。 总结一下,怎么指定subject.login(token)时去指定的realm进行登录匹配,而不是挨个realm遍历 最后,正常密码登录的示例中 UserToken token = new UserToken(loginName, loginPwd, LoginType.FREE.getDesc()); 此处的枚举应该是NORMAL吧?