一個開源項目,實現了redis作為緩存 緩存用戶的權限 和 session信息,還有兩個功能沒有修改,一個是用戶并發登錄限制,一個是用戶密碼錯誤次數.本篇中幾個類 也是使用的開源項目中的類,只不過是拿出來了,redis單獨做的配置,方便進行優化。

原文：https://blog.csdn.net/qq_34021712/article/details/80791219 ? ? ?王賽超

有想法的文章：https://blog.csdn.net/qq_20954959/article/details/55260255

????????https://blog.csdn.net/why15732625998/article/details/78729254

https://www.cnblogs.com/Luke-Me/p/8941110.html

https://www.cnblogs.com/sunshine-2015/p/5686750.html

https://blog.csdn.net/qq_16055765/article/details/79298834

https://www.cnblogs.com/UncleWang001/articles/9779245.html

https://blog.csdn.net/u010514380/article/details/82185451

https://blog.csdn.net/xieliaowa9231/article/details/78995465

目錄：

1.整合Redis

序列化工具SerializeUtils.java繼承RedisSerializer

RedisConfig.java

RedisManager.java

2.使用Redis作為緩存需要shiro重寫cache、cacheManager緩存管理器、SessionDAO?

即：

RedisCache.java

RedisCacheManager.java

RedisSessionDAO.java

3.Shiro配置

ShiroConfig.java

ShiroRealm.java

KickoutSessionControlFilter.java(限制并發登錄人數)

RetryLimitHashedCredentialsMatcher.java(登錄錯誤次數限制)

ShiroSessionListener.java(session監聽)

上面的類中有一些依賴類,并沒有貼出來,該些類是為了解決Shiro整合Redis 頻繁獲取或更新 Session

整合具體流程：

1.首先是整合Redis

Redis客戶端使用的是RedisTemplate,自己寫了一個序列化工具SerializeUtils.java繼承RedisSerializer

SerializeUtils.java

package?com.springboot.test.shiro.global.utils; import?org.slf4j.Logger; import?org.slf4j.LoggerFactory; import?org.springframework.data.redis.serializer.RedisSerializer; import?org.springframework.data.redis.serializer.SerializationException; import?java.io.*; /***?@author:?wangsaichao*?@date:?2018/6/20*?@description:?redis的value序列化工具*/ public?class?SerializeUtils?implements?RedisSerializer?{private?static?Logger?logger?=?LoggerFactory.getLogger(SerializeUtils.class);public?static?boolean?isEmpty(byte[]?data)?{return?(data?==?null?||?data.length?==?0);}/***?序列化*?@param?object*?@return*?@throws?SerializationException*/@Overridepublic?byte[]?serialize(Object?object)?throws?SerializationException?{byte[]?result?=?null;if?(object?==?null)?{return?new?byte[0];}try?(ByteArrayOutputStream?byteStream?=?new?ByteArrayOutputStream(128);ObjectOutputStream?objectOutputStream?=?new?ObjectOutputStream(byteStream)){if?(!(object?instanceof?Serializable))?{throw?new?IllegalArgumentException(SerializeUtils.class.getSimpleName()?+?"?requires?a?Serializable?payload?"?+"but?received?an?object?of?type?["?+?object.getClass().getName()?+?"]");}objectOutputStream.writeObject(object);objectOutputStream.flush();result?=??byteStream.toByteArray();}?catch?(Exception?ex)?{logger.error("Failed?to?serialize",ex);}return?result;}/***?反序列化*?@param?bytes*?@return*?@throws?SerializationException*/@Overridepublic?Object?deserialize(byte[]?bytes)?throws?SerializationException?{Object?result?=?null;if?(isEmpty(bytes))?{return?null;}try?(ByteArrayInputStream?byteStream?=?new?ByteArrayInputStream(bytes);ObjectInputStream?objectInputStream?=?new?ObjectInputStream(byteStream)){result?=?objectInputStream.readObject();}?catch?(Exception?e)?{logger.error("Failed?to?deserialize",e);}return?result;} }

RedisConfig.java

package?com.springboot.test.shiro.config; import?com.springboot.test.shiro.global.utils.SerializeUtils; import?org.springframework.beans.factory.annotation.Value; import?org.springframework.context.annotation.Bean; import?org.springframework.context.annotation.Configuration; import?org.springframework.data.redis.connection.RedisConnectionFactory; import?org.springframework.data.redis.connection.jedis.JedisConnectionFactory; import?org.springframework.data.redis.core.RedisTemplate; import?org.springframework.data.redis.serializer.StringRedisSerializer; import?redis.clients.jedis.JedisPoolConfig; /***?@author:?wangsaichao*?@date:?2017/11/23*?@description:?redis配置*/ @Configuration public?class?RedisConfig?{/***?redis地址*/@Value("${spring.redis.host}")private?String?host;/***?redis端口號*/@Value("${spring.redis.port}")private?Integer?port;/***?redis密碼*/@Value("${spring.redis.password}")private?String?password;/***?JedisPoolConfig?連接池*?@return*/@Beanpublic?JedisPoolConfig?jedisPoolConfig(){JedisPoolConfig?jedisPoolConfig=new?JedisPoolConfig();//最大空閑數jedisPoolConfig.setMaxIdle(300);//連接池的最大數據庫連接數jedisPoolConfig.setMaxTotal(1000);//最大建立連接等待時間jedisPoolConfig.setMaxWaitMillis(1000);//逐出連接的最小空閑時間?默認1800000毫秒(30分鐘)jedisPoolConfig.setMinEvictableIdleTimeMillis(300000);//每次逐出檢查時?逐出的最大數目?如果為負數就是?:?1/abs(n),?默認3jedisPoolConfig.setNumTestsPerEvictionRun(10);//逐出掃描的時間間隔(毫秒)?如果為負數,則不運行逐出線程,?默認-1jedisPoolConfig.setTimeBetweenEvictionRunsMillis(30000);//是否在從池中取出連接前進行檢驗,如果檢驗失敗,則從池中去除連接并嘗試取出另一個jedisPoolConfig.setTestOnBorrow(true);//在空閑時檢查有效性,?默認falsejedisPoolConfig.setTestWhileIdle(true);return?jedisPoolConfig;}/***?配置工廠*?@param?jedisPoolConfig*?@return*/@Beanpublic?JedisConnectionFactory?jedisConnectionFactory(JedisPoolConfig?jedisPoolConfig){JedisConnectionFactory?jedisConnectionFactory=new?JedisConnectionFactory();//連接池jedisConnectionFactory.setPoolConfig(jedisPoolConfig);//IP地址jedisConnectionFactory.setHostName(host);//端口號jedisConnectionFactory.setPort(port);//如果Redis設置有密碼jedisConnectionFactory.setPassword(password);//客戶端超時時間單位是毫秒jedisConnectionFactory.setTimeout(5000);return?jedisConnectionFactory;}/***?shiro?redis緩存使用的模板*?實例化?RedisTemplate?對象*?@return*/@Bean("shiroRedisTemplate")public?RedisTemplate?shiroRedisTemplate(RedisConnectionFactory?redisConnectionFactory)?{RedisTemplate?redisTemplate?=?new?RedisTemplate();redisTemplate.setKeySerializer(new?StringRedisSerializer());redisTemplate.setHashKeySerializer(new?StringRedisSerializer());redisTemplate.setHashValueSerializer(new?SerializeUtils());redisTemplate.setValueSerializer(new?SerializeUtils());//開啟事務//stringRedisTemplate.setEnableTransactionSupport(true);redisTemplate.setConnectionFactory(redisConnectionFactory);return?redisTemplate;} }

RedisManager.java

package?com.springboot.test.shiro.config.shiro; import?org.springframework.beans.factory.annotation.Autowired; import?org.springframework.dao.DataAccessException; import?org.springframework.data.redis.connection.RedisConnection; import?org.springframework.data.redis.core.*; import?org.springframework.util.CollectionUtils; import?java.util.*; import?java.util.concurrent.TimeUnit; /****?@author?wangsaichao*?基于spring和redis的redisTemplate工具類*/ public?class?RedisManager?{@Autowiredprivate?RedisTemplate<String,?Object>?redisTemplate;//=============================common============================/***?指定緩存失效時間*?@param?key?鍵*?@param?time?時間(秒)*/public?void?expire(String?key,long?time){redisTemplate.expire(key,?time,?TimeUnit.SECONDS);}/***?判斷key是否存在*?@param?key?鍵*?@return?true?存在?false不存在*/public?Boolean?hasKey(String?key){return?redisTemplate.hasKey(key);}/***?刪除緩存*?@param?key?可以傳一個值?或多個*/@SuppressWarnings("unchecked")public?void?del(String?...?key){if(key!=null&&key.length>0){if(key.length==1){redisTemplate.delete(key[0]);}else{redisTemplate.delete(CollectionUtils.arrayToList(key));}}}/***?批量刪除key*?@param?keys*/public?void?del(Collection?keys){redisTemplate.delete(keys);}//============================String=============================/***?普通緩存獲取*?@param?key?鍵*?@return?值*/public?Object?get(String?key){return?redisTemplate.opsForValue().get(key);}/***?普通緩存放入*?@param?key?鍵*?@param?value?值*/public?void?set(String?key,Object?value)?{redisTemplate.opsForValue().set(key,?value);}/***?普通緩存放入并設置時間*?@param?key?鍵*?@param?value?值*?@param?time?時間(秒)?time要大于0?如果time小于等于0?將設置無限期*/public?void?set(String?key,Object?value,long?time){if(time>0){redisTemplate.opsForValue().set(key,?value,?time,?TimeUnit.SECONDS);}else{set(key,?value);}}/***?使用scan命令?查詢某些前綴的key*?@param?key*?@return*/public?Set<String>?scan(String?key){Set<String>?execute?=?this.redisTemplate.execute(new?RedisCallback<Set<String>>()?{@Overridepublic?Set<String>?doInRedis(RedisConnection?connection)?throws?DataAccessException?{Set<String>?binaryKeys?=?new?HashSet<>();Cursor<byte[]>?cursor?=?connection.scan(new?ScanOptions.ScanOptionsBuilder().match(key).count(1000).build());while?(cursor.hasNext())?{binaryKeys.add(new?String(cursor.next()));}return?binaryKeys;}});return?execute;}/***?使用scan命令?查詢某些前綴的key?有多少個*?用來獲取當前session數量,也就是在線用戶*?@param?key*?@return*/public?Long?scanSize(String?key){long?dbSize?=?this.redisTemplate.execute(new?RedisCallback<Long>()?{@Overridepublic?Long?doInRedis(RedisConnection?connection)?throws?DataAccessException?{long?count?=?0L;Cursor<byte[]>?cursor?=?connection.scan(ScanOptions.scanOptions().match(key).count(1000).build());while?(cursor.hasNext())?{cursor.next();count++;}return?count;}});return?dbSize;} }

2.使用Redis作為緩存需要shiro重寫cache、cacheManager、SessionDAO

RedisCache.java

package?com.springboot.test.shiro.config.shiro; import?com.springboot.test.shiro.global.exceptions.PrincipalIdNullException; import?com.springboot.test.shiro.global.exceptions.PrincipalInstanceException; import?org.apache.shiro.cache.Cache; import?org.apache.shiro.cache.CacheException; import?org.apache.shiro.subject.PrincipalCollection; import?org.apache.shiro.util.CollectionUtils; import?org.slf4j.Logger; import?org.slf4j.LoggerFactory; import?java.lang.reflect.InvocationTargetException; import?java.lang.reflect.Method; import?java.util.*; /***?@author:?wangsaichao*?@date:?2018/6/22*?@description:?參考?shiro-redis?開源項目?Git地址?https://github.com/alexxiyang/shiro-redis*/ public?class?RedisCache<K,?V>?implements?Cache<K,?V>?{private?static?Logger?logger?=?LoggerFactory.getLogger(RedisCache.class);private?RedisManager?redisManager;private?String?keyPrefix?=?"";private?int?expire?=?0;private?String?principalIdFieldName?=?RedisCacheManager.DEFAULT_PRINCIPAL_ID_FIELD_NAME;/***?Construction*?@param?redisManager*/public?RedisCache(RedisManager?redisManager,?String?prefix,?int?expire,?String?principalIdFieldName)?{if?(redisManager?==?null)?{throw?new?IllegalArgumentException("redisManager?cannot?be?null.");}this.redisManager?=?redisManager;if?(prefix?!=?null?&&?!"".equals(prefix))?{this.keyPrefix?=?prefix;}if?(expire?!=?-1)?{this.expire?=?expire;}if?(principalIdFieldName?!=?null?&&?!"".equals(principalIdFieldName))?{this.principalIdFieldName?=?principalIdFieldName;}}@Overridepublic?V?get(K?key)?throws?CacheException?{logger.debug("get?key?[{}]",key);if?(key?==?null)?{return?null;}try?{String?redisCacheKey?=?getRedisCacheKey(key);Object?rawValue?=?redisManager.get(redisCacheKey);if?(rawValue?==?null)?{return?null;}V?value?=?(V)?rawValue;return?value;}?catch?(Exception?e)?{throw?new?CacheException(e);}}@Overridepublic?V?put(K?key,?V?value)?throws?CacheException?{logger.debug("put?key?[{}]",key);if?(key?==?null)?{logger.warn("Saving?a?null?key?is?meaningless,?return?value?directly?without?call?Redis.");return?value;}try?{String?redisCacheKey?=?getRedisCacheKey(key);redisManager.set(redisCacheKey,?value?!=?null???value?:?null,?expire);return?value;}?catch?(Exception?e)?{throw?new?CacheException(e);}}@Overridepublic?V?remove(K?key)?throws?CacheException?{logger.debug("remove?key?[{}]",key);if?(key?==?null)?{return?null;}try?{String?redisCacheKey?=?getRedisCacheKey(key);Object?rawValue?=?redisManager.get(redisCacheKey);V?previous?=?(V)?rawValue;redisManager.del(redisCacheKey);return?previous;}?catch?(Exception?e)?{throw?new?CacheException(e);}}private?String?getRedisCacheKey(K?key)?{if?(key?==?null)?{return?null;}return?this.keyPrefix?+?getStringRedisKey(key);}private?String?getStringRedisKey(K?key)?{String?redisKey;if?(key?instanceof?PrincipalCollection)?{redisKey?=?getRedisKeyFromPrincipalIdField((PrincipalCollection)?key);}?else?{redisKey?=?key.toString();}return?redisKey;}private?String?getRedisKeyFromPrincipalIdField(PrincipalCollection?key)?{String?redisKey;Object?principalObject?=?key.getPrimaryPrincipal();Method?pincipalIdGetter?=?null;Method[]?methods?=?principalObject.getClass().getDeclaredMethods();for?(Method?m:methods)?{if?(RedisCacheManager.DEFAULT_PRINCIPAL_ID_FIELD_NAME.equals(this.principalIdFieldName)&&?("getAuthCacheKey".equals(m.getName())?||?"getId".equals(m.getName())))?{pincipalIdGetter?=?m;break;}if?(m.getName().equals("get"?+?this.principalIdFieldName.substring(0,?1).toUpperCase()?+?this.principalIdFieldName.substring(1)))?{pincipalIdGetter?=?m;break;}}if?(pincipalIdGetter?==?null)?{throw?new?PrincipalInstanceException(principalObject.getClass(),?this.principalIdFieldName);}try?{Object?idObj?=?pincipalIdGetter.invoke(principalObject);if?(idObj?==?null)?{throw?new?PrincipalIdNullException(principalObject.getClass(),?this.principalIdFieldName);}redisKey?=?idObj.toString();}?catch?(IllegalAccessException?e)?{throw?new?PrincipalInstanceException(principalObject.getClass(),?this.principalIdFieldName,?e);}?catch?(InvocationTargetException?e)?{throw?new?PrincipalInstanceException(principalObject.getClass(),?this.principalIdFieldName,?e);}return?redisKey;}@Overridepublic?void?clear()?throws?CacheException?{logger.debug("clear?cache");Set<String>?keys?=?null;try?{keys?=?redisManager.scan(this.keyPrefix?+?"*");}?catch?(Exception?e)?{logger.error("get?keys?error",?e);}if?(keys?==?null?||?keys.size()?==?0)?{return;}for?(String?key:?keys)?{redisManager.del(key);}}@Overridepublic?int?size()?{Long?longSize?=?0L;try?{longSize?=?new?Long(redisManager.scanSize(this.keyPrefix?+?"*"));}?catch?(Exception?e)?{logger.error("get?keys?error",?e);}return?longSize.intValue();}@SuppressWarnings("unchecked")@Overridepublic?Set<K>?keys()?{Set<String>?keys?=?null;try?{keys?=?redisManager.scan(this.keyPrefix?+?"*");}?catch?(Exception?e)?{logger.error("get?keys?error",?e);return?Collections.emptySet();}if?(CollectionUtils.isEmpty(keys))?{return?Collections.emptySet();}Set<K>?convertedKeys?=?new?HashSet<K>();for?(String?key:keys)?{try?{convertedKeys.add((K)?key);}?catch?(Exception?e)?{logger.error("deserialize?keys?error",?e);}}return?convertedKeys;}@Overridepublic?Collection<V>?values()?{Set<String>?keys?=?null;try?{keys?=?redisManager.scan(this.keyPrefix?+?"*");}?catch?(Exception?e)?{logger.error("get?values?error",?e);return?Collections.emptySet();}if?(CollectionUtils.isEmpty(keys))?{return?Collections.emptySet();}List<V>?values?=?new?ArrayList<V>(keys.size());for?(String?key?:?keys)?{V?value?=?null;try?{value?=?(V)?redisManager.get(key);}?catch?(Exception?e)?{logger.error("deserialize?values=?error",?e);}if?(value?!=?null)?{values.add(value);}}return?Collections.unmodifiableList(values);}public?String?getKeyPrefix()?{return?keyPrefix;}public?void?setKeyPrefix(String?keyPrefix)?{this.keyPrefix?=?keyPrefix;}public?String?getPrincipalIdFieldName()?{return?principalIdFieldName;}public?void?setPrincipalIdFieldName(String?principalIdFieldName)?{this.principalIdFieldName?=?principalIdFieldName;} }

??getRedisKeyFromPrincipalIdField()是獲取緩存的用戶身份信息 和用戶權限信息。 里面有一個屬性principalIdFieldName 在RedisCacheManager也有這個屬性,設置其中一個就可以.是為了給緩存用戶身份和權限信息在Redis中的key唯一,登錄用戶名可能是username 或者 phoneNum? 或者是Email中的一個,如 我的User實體類中? 有一個 usernane字段,也是登錄時候使用的用戶名,在redis中緩存的權限信息key 如下, 這個admin 就是 通過getUsername獲得的。?

讀取用戶權限信息時,還用到兩個異常類，如下：

PrincipalInstanceException.java

package?com.springboot.test.shiro.global.exceptions; /***?@author:?wangsaichao*?@date:?2018/6/21*?@description:*/ public?class?PrincipalInstanceException?extends?RuntimeException??{private?static?final?String?MESSAGE?=?"We?need?a?field?to?identify?this?Cache?Object?in?Redis.?"+?"So?you?need?to?defined?an?id?field?which?you?can?get?unique?id?to?identify?this?principal.?"+?"For?example,?if?you?use?UserInfo?as?Principal?class,?the?id?field?maybe?userId,?userName,?email,?etc.?"+?"For?example,?getUserId(),?getUserName(),?getEmail(),?etc.\n"+?"Default?value?is?authCacheKey?or?id,?that?means?your?principal?object?has?a?method?called?\"getAuthCacheKey()\"?or?\"getId()\"";public?PrincipalInstanceException(Class?clazz,?String?idMethodName)?{super(clazz?+?"?must?has?getter?for?field:?"?+??idMethodName?+?"\n"?+?MESSAGE);}public?PrincipalInstanceException(Class?clazz,?String?idMethodName,?Exception?e)?{super(clazz?+?"?must?has?getter?for?field:?"?+??idMethodName?+?"\n"?+?MESSAGE,?e);} }

PrincipalIdNullException.java

package?com.springboot.test.shiro.global.exceptions; /***?@author:?wangsaichao*?@date:?2018/6/21*?@description:*/ public?class?PrincipalIdNullException?extends?RuntimeException??{private?static?final?String?MESSAGE?=?"Principal?Id?shouldn't?be?null!";public?PrincipalIdNullException(Class?clazz,?String?idMethodName)?{super(clazz?+?"?id?field:?"?+??idMethodName?+?",?value?is?null\n"?+?MESSAGE);} }

RedisCacheManager.java

package?com.springboot.test.shiro.config.shiro; import?org.apache.shiro.cache.Cache; import?org.apache.shiro.cache.CacheException; import?org.apache.shiro.cache.CacheManager; import?org.slf4j.Logger; import?org.slf4j.LoggerFactory; import?java.util.concurrent.ConcurrentHashMap; import?java.util.concurrent.ConcurrentMap; /***?@author:?wangsaichao*?@date:?2018/6/22*?@description:?參考?shiro-redis?開源項目?Git地址?https://github.com/alexxiyang/shiro-redis*/ public?class?RedisCacheManager?implements?CacheManager?{private?final?Logger?logger?=?LoggerFactory.getLogger(RedisCacheManager.class);/***?fast?lookup?by?name?map*/private?final?ConcurrentMap<String,?Cache>?caches?=?new?ConcurrentHashMap<String,?Cache>();private?RedisManager?redisManager;/***?expire?time?in?seconds*/private?static?final?int?DEFAULT_EXPIRE?=?1800;private?int?expire?=?DEFAULT_EXPIRE;/***?The?Redis?key?prefix?for?caches*/public?static?final?String?DEFAULT_CACHE_KEY_PREFIX?=?"shiro:cache:";private?String?keyPrefix?=?DEFAULT_CACHE_KEY_PREFIX;public?static?final?String?DEFAULT_PRINCIPAL_ID_FIELD_NAME?=?"authCacheKey?or?id";private?String?principalIdFieldName?=?DEFAULT_PRINCIPAL_ID_FIELD_NAME;@Overridepublic?<K,?V>?Cache<K,?V>?getCache(String?name)?throws?CacheException?{logger.debug("get?cache,?name={}",name);Cache?cache?=?caches.get(name);if?(cache?==?null)?{cache?=?new?RedisCache<K,?V>(redisManager,keyPrefix?+?name?+?":",?expire,?principalIdFieldName);caches.put(name,?cache);}return?cache;}public?RedisManager?getRedisManager()?{return?redisManager;}public?void?setRedisManager(RedisManager?redisManager)?{this.redisManager?=?redisManager;}public?String?getKeyPrefix()?{return?keyPrefix;}public?void?setKeyPrefix(String?keyPrefix)?{this.keyPrefix?=?keyPrefix;}public?int?getExpire()?{return?expire;}public?void?setExpire(int?expire)?{this.expire?=?expire;}public?String?getPrincipalIdFieldName()?{return?principalIdFieldName;}public?void?setPrincipalIdFieldName(String?principalIdFieldName)?{this.principalIdFieldName?=?principalIdFieldName;} }

RedisSessionDAO.java

package?com.springboot.test.shiro.config.shiro; import?org.apache.shiro.session.Session; import?org.apache.shiro.session.UnknownSessionException; import?org.apache.shiro.session.mgt.ValidatingSession; import?org.apache.shiro.session.mgt.eis.AbstractSessionDAO; import?org.slf4j.Logger; import?org.slf4j.LoggerFactory; import?java.io.Serializable; import?java.util.*; /***?@author:?wangsaichao*?@date:?2018/6/22*?@description:?參考?shiro-redis?開源項目?Git地址?https://github.com/alexxiyang/shiro-redis*/ public?class?RedisSessionDAO?extends?AbstractSessionDAO?{private?static?Logger?logger?=?LoggerFactory.getLogger(RedisSessionDAO.class);private?static?final?String?DEFAULT_SESSION_KEY_PREFIX?=?"shiro:session:";private?String?keyPrefix?=?DEFAULT_SESSION_KEY_PREFIX;private?static?final?long?DEFAULT_SESSION_IN_MEMORY_TIMEOUT?=?1000L;/***?doReadSession?be?called?about?10?times?when?login.*?Save?Session?in?ThreadLocal?to?resolve?this?problem.?sessionInMemoryTimeout?is?expiration?of?Session?in?ThreadLocal.*?The?default?value?is?1000?milliseconds?(1s).*?Most?of?time,?you?don't?need?to?change?it.*/private?long?sessionInMemoryTimeout?=?DEFAULT_SESSION_IN_MEMORY_TIMEOUT;/***?expire?time?in?seconds*/private?static?final?int?DEFAULT_EXPIRE?=?-2;private?static?final?int?NO_EXPIRE?=?-1;/***?Please?make?sure?expire?is?longer?than?sesion.getTimeout()*/private?int?expire?=?DEFAULT_EXPIRE;private?static?final?int?MILLISECONDS_IN_A_SECOND?=?1000;private?RedisManager?redisManager;private?static?ThreadLocal?sessionsInThread?=?new?ThreadLocal();@Overridepublic?void?update(Session?session)?throws?UnknownSessionException?{//如果會話過期/停止?沒必要再更新了try?{if?(session?instanceof?ValidatingSession?&&?!((ValidatingSession)?session).isValid())?{return;}if?(session?instanceof?ShiroSession)?{//?如果沒有主要字段(除lastAccessTime以外其他字段)發生改變ShiroSession?ss?=?(ShiroSession)?session;if?(!ss.isChanged())?{return;}//如果沒有返回?證明有調用?setAttribute往redis?放的時候永遠設置為falsess.setChanged(false);}this.saveSession(session);}?catch?(Exception?e)?{logger.warn("update?Session?is?failed",?e);}}/***?save?session*?@param?session*?@throws?UnknownSessionException*/private?void?saveSession(Session?session)?throws?UnknownSessionException?{if?(session?==?null?||?session.getId()?==?null)?{logger.error("session?or?session?id?is?null");throw?new?UnknownSessionException("session?or?session?id?is?null");}String?key?=?getRedisSessionKey(session.getId());if?(expire?==?DEFAULT_EXPIRE)?{this.redisManager.set(key,?session,?(int)?(session.getTimeout()?/?MILLISECONDS_IN_A_SECOND));return;}if?(expire?!=?NO_EXPIRE?&&?expire?*?MILLISECONDS_IN_A_SECOND?<?session.getTimeout())?{logger.warn("Redis?session?expire?time:?"+?(expire?*?MILLISECONDS_IN_A_SECOND)+?"?is?less?than?Session?timeout:?"+?session.getTimeout()+?"?.?It?may?cause?some?problems.");}this.redisManager.set(key,?session,?expire);}@Overridepublic?void?delete(Session?session)?{if?(session?==?null?||?session.getId()?==?null)?{logger.error("session?or?session?id?is?null");return;}try?{redisManager.del(getRedisSessionKey(session.getId()));}?catch?(Exception?e)?{logger.error("delete?session?error.?session?id=?{}",session.getId());}}@Overridepublic?Collection<Session>?getActiveSessions()?{Set<Session>?sessions?=?new?HashSet<Session>();try?{Set<String>?keys?=?redisManager.scan(this.keyPrefix?+?"*");if?(keys?!=?null?&&?keys.size()?>?0)?{for?(String?key:keys)?{Session?s?=?(Session)?redisManager.get(key);sessions.add(s);}}}?catch?(Exception?e)?{logger.error("get?active?sessions?error.");}return?sessions;}public?Long?getActiveSessionsSize()?{Long?size?=?0L;try?{size?=?redisManager.scanSize(this.keyPrefix?+?"*");}?catch?(Exception?e)?{logger.error("get?active?sessions?error.");}return?size;}@Overrideprotected?Serializable?doCreate(Session?session)?{if?(session?==?null)?{logger.error("session?is?null");throw?new?UnknownSessionException("session?is?null");}Serializable?sessionId?=?this.generateSessionId(session);this.assignSessionId(session,?sessionId);this.saveSession(session);return?sessionId;}@Overrideprotected?Session?doReadSession(Serializable?sessionId)?{if?(sessionId?==?null)?{logger.warn("session?id?is?null");return?null;}Session?s?=?getSessionFromThreadLocal(sessionId);if?(s?!=?null)?{return?s;}logger.debug("read?session?from?redis");try?{s?=?(Session)?redisManager.get(getRedisSessionKey(sessionId));setSessionToThreadLocal(sessionId,?s);}?catch?(Exception?e)?{logger.error("read?session?error.?settionId=?{}",sessionId);}return?s;}private?void?setSessionToThreadLocal(Serializable?sessionId,?Session?s)?{Map<Serializable,?SessionInMemory>?sessionMap?=?(Map<Serializable,?SessionInMemory>)?sessionsInThread.get();if?(sessionMap?==?null)?{sessionMap?=?new?HashMap<Serializable,?SessionInMemory>();sessionsInThread.set(sessionMap);}SessionInMemory?sessionInMemory?=?new?SessionInMemory();sessionInMemory.setCreateTime(new?Date());sessionInMemory.setSession(s);sessionMap.put(sessionId,?sessionInMemory);}private?Session?getSessionFromThreadLocal(Serializable?sessionId)?{Session?s?=?null;if?(sessionsInThread.get()?==?null)?{return?null;}Map<Serializable,?SessionInMemory>?sessionMap?=?(Map<Serializable,?SessionInMemory>)?sessionsInThread.get();SessionInMemory?sessionInMemory?=?sessionMap.get(sessionId);if?(sessionInMemory?==?null)?{return?null;}Date?now?=?new?Date();long?duration?=?now.getTime()?-?sessionInMemory.getCreateTime().getTime();if?(duration?<?sessionInMemoryTimeout)?{s?=?sessionInMemory.getSession();logger.debug("read?session?from?memory");}?else?{sessionMap.remove(sessionId);}return?s;}private?String?getRedisSessionKey(Serializable?sessionId)?{return?this.keyPrefix?+?sessionId;}public?RedisManager?getRedisManager()?{return?redisManager;}public?void?setRedisManager(RedisManager?redisManager)?{this.redisManager?=?redisManager;}public?String?getKeyPrefix()?{return?keyPrefix;}public?void?setKeyPrefix(String?keyPrefix)?{this.keyPrefix?=?keyPrefix;}public?long?getSessionInMemoryTimeout()?{return?sessionInMemoryTimeout;}public?void?setSessionInMemoryTimeout(long?sessionInMemoryTimeout)?{this.sessionInMemoryTimeout?=?sessionInMemoryTimeout;}public?int?getExpire()?{return?expire;}public?void?setExpire(int?expire)?{this.expire?=?expire;} }

3.Shiro配置

ShiroConfig.java

package?com.springboot.test.shiro.config; import?at.pollux.thymeleaf.shiro.dialect.ShiroDialect; import?com.springboot.test.shiro.config.shiro.*; import?org.apache.shiro.codec.Base64; import?org.apache.shiro.session.SessionListener; import?org.apache.shiro.session.mgt.SessionManager; import?org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator; import?org.apache.shiro.session.mgt.eis.SessionDAO; import?org.apache.shiro.session.mgt.eis.SessionIdGenerator; import?org.apache.shiro.spring.LifecycleBeanPostProcessor; import?org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import?org.apache.shiro.spring.web.ShiroFilterFactoryBean; import?org.apache.shiro.mgt.SecurityManager; import?org.apache.shiro.web.filter.authc.FormAuthenticationFilter; import?org.apache.shiro.web.mgt.CookieRememberMeManager; import?org.apache.shiro.web.mgt.DefaultWebSecurityManager; import?org.apache.shiro.web.servlet.SimpleCookie; import?org.apache.shiro.web.session.mgt.DefaultWebSessionManager; import?org.springframework.beans.factory.annotation.Qualifier; import?org.springframework.beans.factory.config.MethodInvokingFactoryBean; import?org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer; import?org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer; import?org.springframework.boot.web.servlet.ErrorPage; import?org.springframework.context.annotation.Bean; import?org.springframework.context.annotation.Configuration; import?org.springframework.http.HttpStatus; import?org.springframework.web.servlet.handler.SimpleMappingExceptionResolver; import?javax.servlet.Filter; import?java.util.ArrayList; import?java.util.Collection; import?java.util.LinkedHashMap; import?java.util.Properties; /***?@author:?wangsaichao*?@date:?2018/5/10*?@description:?Shiro配置*/ @Configuration public?class?ShiroConfig?{/***?ShiroFilterFactoryBean?處理攔截資源文件問題。*?注意：初始化ShiroFilterFactoryBean的時候需要注入：SecurityManager*?Web應用中,Shiro可控制的Web請求必須經過Shiro主過濾器的攔截*?@param?securityManager*?@return*/@Bean(name?=?"shirFilter")public?ShiroFilterFactoryBean?shiroFilter(@Qualifier("securityManager")?SecurityManager?securityManager)?{ShiroFilterFactoryBean?shiroFilterFactoryBean?=?new?ShiroFilterFactoryBean();//必須設置?SecurityManager,Shiro的核心安全接口shiroFilterFactoryBean.setSecurityManager(securityManager);//這里的/login是后臺的接口名,非頁面，如果不設置默認會自動尋找Web工程根目錄下的"/login.jsp"頁面shiroFilterFactoryBean.setLoginUrl("/");//這里的/index是后臺的接口名,非頁面,登錄成功后要跳轉的鏈接shiroFilterFactoryBean.setSuccessUrl("/index");//未授權界面,該配置無效，并不會進行頁面跳轉shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");//自定義攔截器限制并發人數,參考博客：LinkedHashMap<String,?Filter>?filtersMap?=?new?LinkedHashMap<>();//限制同一帳號同時在線的個數filtersMap.put("kickout",?kickoutSessionControlFilter());//統計登錄人數shiroFilterFactoryBean.setFilters(filtersMap);//?配置訪問權限?必須是LinkedHashMap，因為它必須保證有序//?過濾鏈定義，從上向下順序執行，一般將?/**放在最為下邊?-->?:?這是一個坑，一不小心代碼就不好使了LinkedHashMap<String,?String>?filterChainDefinitionMap?=?new?LinkedHashMap<>();//配置不登錄可以訪問的資源，anon?表示資源都可以匿名訪問//配置記住我或認證通過可以訪問的地址filterChainDefinitionMap.put("/login",?"anon");filterChainDefinitionMap.put("/",?"anon");filterChainDefinitionMap.put("/css/**",?"anon");filterChainDefinitionMap.put("/js/**",?"anon");filterChainDefinitionMap.put("/img/**",?"anon");filterChainDefinitionMap.put("/druid/**",?"anon");//解鎖用戶專用?測試用的filterChainDefinitionMap.put("/unlockAccount","anon");filterChainDefinitionMap.put("/Captcha.jpg","anon");//logout是shiro提供的過濾器filterChainDefinitionMap.put("/logout",?"logout");//此時訪問/user/delete需要delete權限,在自定義Realm中為用戶授權。//filterChainDefinitionMap.put("/user/delete",?"perms[\"user:delete\"]");//其他資源都需要認證??authc?表示需要認證才能進行訪問?user表示配置記住我或認證通過可以訪問的地址//如果開啟限制同一賬號登錄,改為?.put("/**",?"kickout,user");filterChainDefinitionMap.put("/**",?"kickout,user");shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);return?shiroFilterFactoryBean;}/***?配置核心安全事務管理器*?@return*/@Bean(name="securityManager")public?SecurityManager?securityManager()?{DefaultWebSecurityManager?securityManager?=??new?DefaultWebSecurityManager();//設置自定義realm.securityManager.setRealm(shiroRealm());//配置記住我securityManager.setRememberMeManager(rememberMeManager());//配置redis緩存securityManager.setCacheManager(cacheManager());//配置自定義session管理，使用redissecurityManager.setSessionManager(sessionManager());return?securityManager;}/***?配置Shiro生命周期處理器*?@return*/@Bean(name?=?"lifecycleBeanPostProcessor")public?LifecycleBeanPostProcessor?lifecycleBeanPostProcessor()?{return?new?LifecycleBeanPostProcessor();}/***??身份認證realm;?(這個需要自己寫，賬號密碼校驗；權限等)*?@return*/@Beanpublic?ShiroRealm?shiroRealm(){ShiroRealm?shiroRealm?=?new?ShiroRealm();shiroRealm.setCachingEnabled(true);//啟用身份驗證緩存，即緩存AuthenticationInfo信息，默認falseshiroRealm.setAuthenticationCachingEnabled(true);//緩存AuthenticationInfo信息的緩存名稱?在ehcache-shiro.xml中有對應緩存的配置shiroRealm.setAuthenticationCacheName("authenticationCache");//啟用授權緩存，即緩存AuthorizationInfo信息，默認falseshiroRealm.setAuthorizationCachingEnabled(true);//緩存AuthorizationInfo信息的緩存名稱??在ehcache-shiro.xml中有對應緩存的配置shiroRealm.setAuthorizationCacheName("authorizationCache");//配置自定義密碼比較器shiroRealm.setCredentialsMatcher(retryLimitHashedCredentialsMatcher());return?shiroRealm;}/***?必須（thymeleaf頁面使用shiro標簽控制按鈕是否顯示）*?未引入thymeleaf包，Caused?by:?java.lang.ClassNotFoundException:?org.thymeleaf.dialect.AbstractProcessorDialect*?@return*/@Beanpublic?ShiroDialect?shiroDialect()?{return?new?ShiroDialect();}/***?開啟shiro?注解模式*?可以在controller中的方法前加上注解*?如?@RequiresPermissions("userInfo:add")*?@param?securityManager*?@return*/@Beanpublic?AuthorizationAttributeSourceAdvisor?authorizationAttributeSourceAdvisor(@Qualifier("securityManager")?SecurityManager?securityManager){AuthorizationAttributeSourceAdvisor?authorizationAttributeSourceAdvisor?=?new?AuthorizationAttributeSourceAdvisor();authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);return?authorizationAttributeSourceAdvisor;}/***?解決：?無權限頁面不跳轉?shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized")?無效*?shiro的源代碼ShiroFilterFactoryBean.Java定義的filter必須滿足filter?instanceof?AuthorizationFilter，*?只有perms，roles，ssl，rest，port才是屬于AuthorizationFilter，而anon，authcBasic，auchc，user是AuthenticationFilter，*?所以unauthorizedUrl設置后頁面不跳轉?Shiro注解模式下，登錄失敗與沒有權限都是通過拋出異常。*?并且默認并沒有去處理或者捕獲這些異常。在SpringMVC下需要配置捕獲相應異常來通知用戶信息*?@return*/@Beanpublic?SimpleMappingExceptionResolver?simpleMappingExceptionResolver()?{SimpleMappingExceptionResolver?simpleMappingExceptionResolver=new?SimpleMappingExceptionResolver();Properties?properties=new?Properties();//這里的?/unauthorized?是頁面，不是訪問的路徑properties.setProperty("org.apache.shiro.authz.UnauthorizedException","/unauthorized");properties.setProperty("org.apache.shiro.authz.UnauthenticatedException","/unauthorized");simpleMappingExceptionResolver.setExceptionMappings(properties);return?simpleMappingExceptionResolver;}/***?解決spring-boot?Whitelabel?Error?Page*?@return*/@Beanpublic?EmbeddedServletContainerCustomizer?containerCustomizer()?{return?new?EmbeddedServletContainerCustomizer()?{@Overridepublic?void?customize(ConfigurableEmbeddedServletContainer?container)?{ErrorPage?error401Page?=?new?ErrorPage(HttpStatus.UNAUTHORIZED,?"/unauthorized.html");ErrorPage?error404Page?=?new?ErrorPage(HttpStatus.NOT_FOUND,?"/404.html");ErrorPage?error500Page?=?new?ErrorPage(HttpStatus.INTERNAL_SERVER_ERROR,?"/500.html");container.addErrorPages(error401Page,?error404Page,?error500Page);}};}/***?cookie對象;會話Cookie模板?,默認為:?JSESSIONID?問題:?與SERVLET容器名沖突,重新定義為sid或rememberMe，自定義*?@return*/@Beanpublic?SimpleCookie?rememberMeCookie(){//這個參數是cookie的名稱，對應前端的checkbox的name?=?rememberMeSimpleCookie?simpleCookie?=?new?SimpleCookie("rememberMe");//setcookie的httponly屬性如果設為true的話，會增加對xss防護的安全系數。它有以下特點：//setcookie()的第七個參數//設為true后，只能通過http訪問，javascript無法訪問//防止xss讀取cookiesimpleCookie.setHttpOnly(true);simpleCookie.setPath("/");//<!--?記住我cookie生效時間30天?,單位秒;-->simpleCookie.setMaxAge(2592000);return?simpleCookie;}/***?cookie管理對象;記住我功能,rememberMe管理器*?@return*/@Beanpublic?CookieRememberMeManager?rememberMeManager(){CookieRememberMeManager?cookieRememberMeManager?=?new?CookieRememberMeManager();cookieRememberMeManager.setCookie(rememberMeCookie());//rememberMe?cookie加密的密鑰?建議每個項目都不一樣?默認AES算法?密鑰長度(128?256?512?位)cookieRememberMeManager.setCipherKey(Base64.decode("4AvVhmFLUs0KTA3Kprsdag=="));return?cookieRememberMeManager;}/***?FormAuthenticationFilter?過濾器?過濾記住我*?@return*/@Beanpublic?FormAuthenticationFilter?formAuthenticationFilter(){FormAuthenticationFilter?formAuthenticationFilter?=?new?FormAuthenticationFilter();//對應前端的checkbox的name?=?rememberMeformAuthenticationFilter.setRememberMeParam("rememberMe");return?formAuthenticationFilter;}/***?shiro緩存管理器;*?需要添加到securityManager中*?@return*/@Beanpublic?RedisCacheManager?cacheManager(){RedisCacheManager?redisCacheManager?=?new?RedisCacheManager();redisCacheManager.setRedisManager(redisManager());//redis中針對不同用戶緩存redisCacheManager.setPrincipalIdFieldName("username");//用戶權限信息緩存時間redisCacheManager.setExpire(200000);return?redisCacheManager;}/***?讓某個實例的某個方法的返回值注入為Bean的實例*?Spring靜態注入*?@return*/@Beanpublic?MethodInvokingFactoryBean?getMethodInvokingFactoryBean(){MethodInvokingFactoryBean?factoryBean?=?new?MethodInvokingFactoryBean();factoryBean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");factoryBean.setArguments(new?Object[]{securityManager()});return?factoryBean;}/***?配置session監聽*?@return*/@Bean("sessionListener")public?ShiroSessionListener?sessionListener(){ShiroSessionListener?sessionListener?=?new?ShiroSessionListener();return?sessionListener;}/***?配置會話ID生成器*?@return*/@Beanpublic?SessionIdGenerator?sessionIdGenerator()?{return?new?JavaUuidSessionIdGenerator();}@Beanpublic?RedisManager?redisManager(){RedisManager?redisManager?=?new?RedisManager();return?redisManager;}@Bean("sessionFactory")public?ShiroSessionFactory?sessionFactory(){ShiroSessionFactory?sessionFactory?=?new?ShiroSessionFactory();return?sessionFactory;}/***?SessionDAO的作用是為Session提供CRUD并進行持久化的一個shiro組件*?MemorySessionDAO?直接在內存中進行會話維護*?EnterpriseCacheSessionDAO??提供了緩存功能的會話維護，默認情況下使用MapCache實現，內部使用ConcurrentHashMap保存緩存的會話。*?@return*/@Beanpublic?SessionDAO?sessionDAO()?{RedisSessionDAO?redisSessionDAO?=?new?RedisSessionDAO();redisSessionDAO.setRedisManager(redisManager());//session在redis中的保存時間,最好大于session會話超時時間redisSessionDAO.setExpire(12000);return?redisSessionDAO;}/***?配置保存sessionId的cookie*?注意：這里的cookie?不是上面的記住我?cookie?記住我需要一個cookie?session管理?也需要自己的cookie*?默認為:?JSESSIONID?問題:?與SERVLET容器名沖突,重新定義為sid*?@return*/@Bean("sessionIdCookie")public?SimpleCookie?sessionIdCookie(){//這個參數是cookie的名稱SimpleCookie?simpleCookie?=?new?SimpleCookie("sid");//setcookie的httponly屬性如果設為true的話，會增加對xss防護的安全系數。它有以下特點：//setcookie()的第七個參數//設為true后，只能通過http訪問，javascript無法訪問//防止xss讀取cookiesimpleCookie.setHttpOnly(true);simpleCookie.setPath("/");//maxAge=-1表示瀏覽器關閉時失效此CookiesimpleCookie.setMaxAge(-1);return?simpleCookie;}/***?配置會話管理器，設定會話超時及保存*?@return*/@Bean("sessionManager")public?SessionManager?sessionManager()?{ShiroSessionManager?sessionManager?=?new?ShiroSessionManager();Collection<SessionListener>?listeners?=?new?ArrayList<SessionListener>();//配置監聽listeners.add(sessionListener());sessionManager.setSessionListeners(listeners);sessionManager.setSessionIdCookie(sessionIdCookie());sessionManager.setSessionDAO(sessionDAO());sessionManager.setCacheManager(cacheManager());sessionManager.setSessionFactory(sessionFactory());//全局會話超時時間（單位毫秒），默認30分鐘??暫時設置為10秒鐘?用來測試sessionManager.setGlobalSessionTimeout(1800000);//是否開啟刪除無效的session對象??默認為truesessionManager.setDeleteInvalidSessions(true);//是否開啟定時調度器進行檢測過期session?默認為truesessionManager.setSessionValidationSchedulerEnabled(true);//設置session失效的掃描時間,?清理用戶直接關閉瀏覽器造成的孤立會話?默認為?1個小時//設置該屬性?就不需要設置?ExecutorServiceSessionValidationScheduler?底層也是默認自動調用ExecutorServiceSessionValidationScheduler//暫時設置為?5秒?用來測試sessionManager.setSessionValidationInterval(3600000);//取消url?后面的?JSESSIONIDsessionManager.setSessionIdUrlRewritingEnabled(false);return?sessionManager;}/***?并發登錄控制*?@return*/@Beanpublic?KickoutSessionControlFilter?kickoutSessionControlFilter(){KickoutSessionControlFilter?kickoutSessionControlFilter?=?new?KickoutSessionControlFilter();//用于根據會話ID，獲取會話進行踢出操作的；kickoutSessionControlFilter.setSessionManager(sessionManager());//使用cacheManager獲取相應的cache來緩存用戶登錄的會話；用于保存用戶—會話之間的關系的；kickoutSessionControlFilter.setRedisManager(redisManager());//是否踢出后來登錄的，默認是false；即后者登錄的用戶踢出前者登錄的用戶；kickoutSessionControlFilter.setKickoutAfter(false);//同一個用戶最大的會話數，默認1；比如2的意思是同一個用戶允許最多同時兩個人登錄；kickoutSessionControlFilter.setMaxSession(1);//被踢出后重定向到的地址；kickoutSessionControlFilter.setKickoutUrl("/login?kickout=1");return?kickoutSessionControlFilter;}/***?配置密碼比較器*?@return*/@Bean("credentialsMatcher")public?RetryLimitHashedCredentialsMatcher?retryLimitHashedCredentialsMatcher(){RetryLimitHashedCredentialsMatcher?retryLimitHashedCredentialsMatcher?=?new?RetryLimitHashedCredentialsMatcher();retryLimitHashedCredentialsMatcher.setRedisManager(redisManager());//如果密碼加密,可以打開下面配置//加密算法的名稱//retryLimitHashedCredentialsMatcher.setHashAlgorithmName("MD5");//配置加密的次數//retryLimitHashedCredentialsMatcher.setHashIterations(1024);//是否存儲為16進制//retryLimitHashedCredentialsMatcher.setStoredCredentialsHexEncoded(true);return?retryLimitHashedCredentialsMatcher;} }

ShiroRealm.java

package?com.springboot.test.shiro.config.shiro; import?com.springboot.test.shiro.modules.user.dao.PermissionMapper; import?com.springboot.test.shiro.modules.user.dao.RoleMapper; import?com.springboot.test.shiro.modules.user.dao.entity.Permission; import?com.springboot.test.shiro.modules.user.dao.entity.Role; import?com.springboot.test.shiro.modules.user.dao.UserMapper; import?com.springboot.test.shiro.modules.user.dao.entity.User; import?org.apache.shiro.SecurityUtils; import?org.apache.shiro.authc.*; import?org.apache.shiro.authz.AuthorizationInfo; import?org.apache.shiro.authz.SimpleAuthorizationInfo; import?org.apache.shiro.realm.AuthorizingRealm; import?org.apache.shiro.subject.PrincipalCollection; import?org.springframework.beans.factory.annotation.Autowired; import?java.util.Set; import?java.util.concurrent.ConcurrentHashMap; /***?@author:?wangsaichao*?@date:?2018/5/10*?@description:?在Shiro中，最終是通過Realm來獲取應用程序中的用戶、角色及權限信息的*?在Realm中會直接從我們的數據源中獲取Shiro需要的驗證信息。可以說，Realm是專用于安全框架的DAO.*/ public?class?ShiroRealm?extends?AuthorizingRealm?{@Autowiredprivate?UserMapper?userMapper;@Autowiredprivate?RoleMapper?roleMapper;@Autowiredprivate?PermissionMapper?permissionMapper;/***?驗證用戶身份*?@param?authenticationToken*?@return*?@throws?AuthenticationException*/@Overrideprotected?AuthenticationInfo?doGetAuthenticationInfo(AuthenticationToken?authenticationToken)?throws?AuthenticationException?{//獲取用戶名密碼?第一種方式//String?username?=?(String)?authenticationToken.getPrincipal();//String?password?=?new?String((char[])?authenticationToken.getCredentials());//獲取用戶名?密碼?第二種方式UsernamePasswordToken?usernamePasswordToken?=?(UsernamePasswordToken)?authenticationToken;String?username?=?usernamePasswordToken.getUsername();String?password?=?new?String(usernamePasswordToken.getPassword());//從數據庫查詢用戶信息User?user?=?this.userMapper.findByUserName(username);//可以在這里直接對用戶名校驗,或者調用?CredentialsMatcher?校驗if?(user?==?null)?{throw?new?UnknownAccountException("用戶名或密碼錯誤！");}//這里將?密碼對比?注銷掉,否則?無法鎖定??要將密碼對比?交給?密碼比較器//if?(!password.equals(user.getPassword()))?{//????throw?new?IncorrectCredentialsException("用戶名或密碼錯誤！");//}if?("1".equals(user.getState()))?{throw?new?LockedAccountException("賬號已被鎖定,請聯系管理員！");}//調用?CredentialsMatcher?校驗?還需要創建一個類?繼承CredentialsMatcher??如果在上面校驗了,這個就不需要了//配置自定義權限登錄器?參考博客：SimpleAuthenticationInfo?info?=?new?SimpleAuthenticationInfo(user,?user.getPassword(),?getName());return?info;}/***?授權用戶權限*?授權的方法是在碰到<shiro:hasPermission?name=''></shiro:hasPermission>標簽的時候調用的*?它會去檢測shiro框架中的權限(這里的permissions)是否包含有該標簽的name值,如果有,里面的內容顯示*?如果沒有,里面的內容不予顯示(這就完成了對于權限的認證.)**?shiro的權限授權是通過繼承AuthorizingRealm抽象類，重載doGetAuthorizationInfo();*?當訪問到頁面的時候，鏈接配置了相應的權限或者shiro標簽才會執行此方法否則不會執行*?所以如果只是簡單的身份認證沒有權限的控制的話，那么這個方法可以不進行實現，直接返回null即可。**?在這個方法中主要是使用類：SimpleAuthorizationInfo?進行角色的添加和權限的添加。*?authorizationInfo.addRole(role.getRole());?authorizationInfo.addStringPermission(p.getPermission());**?當然也可以添加set集合：roles是從數據庫查詢的當前用戶的角色，stringPermissions是從數據庫查詢的當前用戶對應的權限*?authorizationInfo.setRoles(roles);?authorizationInfo.setStringPermissions(stringPermissions);**?就是說如果在shiro配置文件中添加了filterChainDefinitionMap.put("/add",?"perms[權限添加]");*?就說明訪問/add這個鏈接必須要有“權限添加”這個權限才可以訪問**?如果在shiro配置文件中添加了filterChainDefinitionMap.put("/add",?"roles[100002]，perms[權限添加]");*?就說明訪問/add這個鏈接必須要有?"權限添加"?這個權限和具有?"100002"?這個角色才可以訪問*?@param?principalCollection*?@return*/@Overrideprotected?AuthorizationInfo?doGetAuthorizationInfo(PrincipalCollection?principalCollection)?{System.out.println("查詢權限方法調用了！！！");//獲取用戶User?user?=?(User)?SecurityUtils.getSubject().getPrincipal();//獲取用戶角色Set<Role>?roles?=this.roleMapper.findRolesByUserId(user.getUid());//添加角色SimpleAuthorizationInfo?authorizationInfo?=??new?SimpleAuthorizationInfo();for?(Role?role?:?roles)?{authorizationInfo.addRole(role.getRole());}//獲取用戶權限Set<Permission>?permissions?=?this.permissionMapper.findPermissionsByRoleId(roles);//添加權限for?(Permission?permission:permissions)?{authorizationInfo.addStringPermission(permission.getPermission());}return?authorizationInfo;}/***?重寫方法,清除當前用戶的的?授權緩存*?@param?principals*/@Overridepublic?void?clearCachedAuthorizationInfo(PrincipalCollection?principals)?{super.clearCachedAuthorizationInfo(principals);}/***?重寫方法，清除當前用戶的?認證緩存*?@param?principals*/@Overridepublic?void?clearCachedAuthenticationInfo(PrincipalCollection?principals)?{super.clearCachedAuthenticationInfo(principals);}@Overridepublic?void?clearCache(PrincipalCollection?principals)?{super.clearCache(principals);}/***?自定義方法：清除所有?授權緩存*/public?void?clearAllCachedAuthorizationInfo()?{getAuthorizationCache().clear();}/***?自定義方法：清除所有?認證緩存*/public?void?clearAllCachedAuthenticationInfo()?{getAuthenticationCache().clear();}/***?自定義方法：清除所有的??認證緩存??和?授權緩存*/public?void?clearAllCache()?{clearAllCachedAuthenticationInfo();clearAllCachedAuthorizationInfo();} }

KickoutSessionControlFilter.java(限制并發登錄人數)

package?com.springboot.test.shiro.config.shiro; import?java.io.Serializable; import?java.util.Deque; import?java.util.LinkedList; import?javax.servlet.ServletRequest; import?javax.servlet.ServletResponse; import?javax.servlet.http.HttpServletRequest; import?com.springboot.test.shiro.modules.user.dao.entity.User; import?org.apache.shiro.session.Session; import?org.apache.shiro.session.mgt.DefaultSessionKey; import?org.apache.shiro.session.mgt.SessionManager; import?org.apache.shiro.subject.Subject; import?org.apache.shiro.web.filter.AccessControlFilter; import?org.apache.shiro.web.util.WebUtils; import?org.springframework.beans.factory.annotation.Autowired; import?org.springframework.web.servlet.resource.ResourceUrlProvider; /***?@author:?WangSaiChao*?@date:?2018/5/23*?@description:?shiro?自定義filter?實現?并發登錄控制*/ public?class?KickoutSessionControlFilter??extends?AccessControlFilter{@Autowiredprivate?ResourceUrlProvider?resourceUrlProvider;/**?踢出后到的地址?*/private?String?kickoutUrl;/**??踢出之前登錄的/之后登錄的用戶?默認踢出之前登錄的用戶?*/private?boolean?kickoutAfter?=?false;/**??同一個帳號最大會話數?默認1?*/private?int?maxSession?=?1;private?SessionManager?sessionManager;private?RedisManager?redisManager;public?static?final?String?DEFAULT_KICKOUT_CACHE_KEY_PREFIX?=?"shiro:cache:kickout:";private?String?keyPrefix?=?DEFAULT_KICKOUT_CACHE_KEY_PREFIX;public?void?setKickoutUrl(String?kickoutUrl)?{this.kickoutUrl?=?kickoutUrl;}public?void?setKickoutAfter(boolean?kickoutAfter)?{this.kickoutAfter?=?kickoutAfter;}public?void?setMaxSession(int?maxSession)?{this.maxSession?=?maxSession;}public?void?setSessionManager(SessionManager?sessionManager)?{this.sessionManager?=?sessionManager;}public?void?setRedisManager(RedisManager?redisManager)?{this.redisManager?=?redisManager;}public?String?getKeyPrefix()?{return?keyPrefix;}public?void?setKeyPrefix(String?keyPrefix)?{this.keyPrefix?=?keyPrefix;}private?String?getRedisKickoutKey(String?username)?{return?this.keyPrefix?+?username;}/***?是否允許訪問，返回true表示允許*/@Overrideprotected?boolean?isAccessAllowed(ServletRequest?request,?ServletResponse?response,?Object?mappedValue)?throws?Exception?{return?false;}/***?表示訪問拒絕時是否自己處理，如果返回true表示自己不處理且繼續攔截器鏈執行，返回false表示自己已經處理了（比如重定向到另一個頁面）。*/@Overrideprotected?boolean?onAccessDenied(ServletRequest?request,?ServletResponse?response)?throws?Exception?{Subject?subject?=?getSubject(request,?response);if(!subject.isAuthenticated()?&&?!subject.isRemembered())?{//如果沒有登錄，直接進行之后的流程return?true;}//如果有登錄,判斷是否訪問的為靜態資源，如果是游客允許訪問的靜態資源,直接返回trueHttpServletRequest?httpServletRequest?=?(HttpServletRequest)request;String?path?=?httpServletRequest.getServletPath();//?如果是靜態文件，則返回trueif?(isStaticFile(path)){return?true;}Session?session?=?subject.getSession();//這里獲取的User是實體?因為我在?自定義ShiroRealm中的doGetAuthenticationInfo方法中//new?SimpleAuthenticationInfo(user,?password,?getName());?傳的是?User實體?所以這里拿到的也是實體,如果傳的是userName?這里拿到的就是userNameString?username?=?((User)?subject.getPrincipal()).getUsername();Serializable?sessionId?=?session.getId();//?初始化用戶的隊列放到緩存里Deque<Serializable>?deque?=?(Deque<Serializable>)?redisManager.get(getRedisKickoutKey(username));if(deque?==?null?||?deque.size()==0)?{deque?=?new?LinkedList<Serializable>();}//如果隊列里沒有此sessionId，且用戶沒有被踢出；放入隊列if(!deque.contains(sessionId)?&&?session.getAttribute("kickout")?==?null)?{deque.push(sessionId);}//如果隊列里的sessionId數超出最大會話數，開始踢人while(deque.size()?>?maxSession)?{Serializable?kickoutSessionId?=?null;if(kickoutAfter)?{?//如果踢出后者kickoutSessionId=deque.getFirst();kickoutSessionId?=?deque.removeFirst();}?else?{?//否則踢出前者kickoutSessionId?=?deque.removeLast();}try?{Session?kickoutSession?=?sessionManager.getSession(new?DefaultSessionKey(kickoutSessionId));if(kickoutSession?!=?null)?{//設置會話的kickout屬性表示踢出了kickoutSession.setAttribute("kickout",?true);}}?catch?(Exception?e)?{//ignore?exceptione.printStackTrace();}}redisManager.set(getRedisKickoutKey(username),?deque);//如果被踢出了，直接退出，重定向到踢出后的地址if?(session.getAttribute("kickout")?!=?null)?{//會話被踢出了try?{subject.logout();}?catch?(Exception?e)?{}WebUtils.issueRedirect(request,?response,?kickoutUrl);return?false;}return?true;}private?boolean?isStaticFile(String?path)?{String?staticUri?=?resourceUrlProvider.getForLookupPath(path);return?staticUri?!=?null;} }

RetryLimitHashedCredentialsMatcher.java(登錄錯誤次數限制)

package?com.springboot.test.shiro.config.shiro; import?java.util.concurrent.atomic.AtomicInteger; import?com.springboot.test.shiro.modules.user.dao.UserMapper; import?com.springboot.test.shiro.modules.user.dao.entity.User; import?org.apache.log4j.Logger; import?org.apache.shiro.authc.AuthenticationInfo; import?org.apache.shiro.authc.AuthenticationToken; import?org.apache.shiro.authc.LockedAccountException; import?org.apache.shiro.authc.credential.SimpleCredentialsMatcher; import?org.apache.shiro.cache.Cache; import?org.apache.shiro.cache.CacheManager; import?org.springframework.beans.factory.annotation.Autowired;/***?@author:?WangSaiChao*?@date:?2018/5/25*?@description:?登陸次數限制*/ public?class?RetryLimitHashedCredentialsMatcher?extends?SimpleCredentialsMatcher?{private?static?final?Logger?logger?=?Logger.getLogger(RetryLimitHashedCredentialsMatcher.class);public?static?final?String?DEFAULT_RETRYLIMIT_CACHE_KEY_PREFIX?=?"shiro:cache:retrylimit:";private?String?keyPrefix?=?DEFAULT_RETRYLIMIT_CACHE_KEY_PREFIX;@Autowiredprivate?UserMapper?userMapper;private?RedisManager?redisManager;public?void?setRedisManager(RedisManager?redisManager)?{this.redisManager?=?redisManager;}private?String?getRedisKickoutKey(String?username)?{return?this.keyPrefix?+?username;}@Overridepublic?boolean?doCredentialsMatch(AuthenticationToken?token,?AuthenticationInfo?info)?{//獲取用戶名String?username?=?(String)token.getPrincipal();//獲取用戶登錄次數AtomicInteger?retryCount?=?(AtomicInteger)redisManager.get(getRedisKickoutKey(username));if?(retryCount?==?null)?{//如果用戶沒有登陸過,登陸次數加1?并放入緩存retryCount?=?new?AtomicInteger(0);}if?(retryCount.incrementAndGet()?>?5)?{//如果用戶登陸失敗次數大于5次?拋出鎖定用戶異常??并修改數據庫字段User?user?=?userMapper.findByUserName(username);if?(user?!=?null?&&?"0".equals(user.getState())){//數據庫字段?默認為?0??就是正常狀態?所以?要改為1//修改數據庫的狀態字段為鎖定user.setState("1");userMapper.update(user);}logger.info("鎖定用戶"?+?user.getUsername());//拋出用戶鎖定異常throw?new?LockedAccountException();}//判斷用戶賬號和密碼是否正確boolean?matches?=?super.doCredentialsMatch(token,?info);if?(matches)?{//如果正確,從緩存中將用戶登錄計數?清除redisManager.del(getRedisKickoutKey(username));}{redisManager.set(getRedisKickoutKey(username),?retryCount);}return?matches;}/***?根據用戶名?解鎖用戶*?@param?username*?@return*/public?void?unlockAccount(String?username){User?user?=?userMapper.findByUserName(username);if?(user?!=?null){//修改數據庫的狀態字段為鎖定user.setState("0");userMapper.update(user);redisManager.del(getRedisKickoutKey(username));}} }

ShiroSessionListener.java(session監聽)

package?com.springboot.test.shiro.config.shiro; import?com.springboot.test.shiro.Application; import?com.springboot.test.shiro.modules.user.dao.entity.User; import?org.apache.shiro.SecurityUtils; import?org.apache.shiro.session.Session; import?org.apache.shiro.session.SessionListener; import?org.springframework.beans.factory.annotation.Autowired; import?javax.servlet.ServletContextEvent; import?javax.servlet.ServletContextListener; import?javax.servlet.http.HttpSessionAttributeListener; import?javax.servlet.http.HttpSessionBindingEvent; import?java.util.concurrent.ConcurrentHashMap; import?java.util.concurrent.atomic.AtomicInteger; /***?@author:?wangsaichao*?@date:?2018/5/15*?@description:?配置session監聽器,*/ public?class?ShiroSessionListener?implements?SessionListener{/***?統計在線人數*?juc包下線程安全自增*/private?final?AtomicInteger?sessionCount?=?new?AtomicInteger(0);/***?會話創建時觸發*?@param?session*/@Overridepublic?void?onStart(Session?session)?{//會話創建，在線人數加一sessionCount.incrementAndGet();}/***?退出會話時觸發*?@param?session*/@Overridepublic?void?onStop(Session?session)?{//會話退出,在線人數減一sessionCount.decrementAndGet();}/***?會話過期時觸發*?@param?session*/@Overridepublic?void?onExpiration(Session?session)?{//會話過期,在線人數減一sessionCount.decrementAndGet();}/***?獲取在線人數使用*?@return*/public?AtomicInteger?getSessionCount()?{return?sessionCount;} }

轉載于:https://blog.51cto.com/14150615/2356855

總結

以上是生活随笔為你收集整理的Shiro使用redis作为缓存(解决shiro频繁访问Redis)的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。