Shiro 实现免密登陆

原创

gblfy 2022-09-06 19:34:26 ©著作权

文章标签 免密登录自定义 ide apache 文章分类 云平台云计算

©著作权归作者所有：来自51CTO博客作者gblfy的原创作品，请联系作者获取转载授权，否则将追究法律责任

需求：对接第三方登陆，实现绕过原有Shiro认证登陆。

文章目录

一、实现思路

1. 现状分析
2. 用户来源
3. 所属范围

二、实现方案

2.1. 自定义登录认证规则
2.2. Shiro认证枚举
2.3. 密码和非密码登录
2.4. 规则配置
2.5. 自定义Realm
2.6. 案例使用

一、实现思路

1. 现状分析

系统权框架默认使用Shiro 认证授权机制

2. 用户来源

从统一认证平台登录跳转过来的用户

3. 所属范围

登录限制由统一认证平台去做，但是，跳转过来的用户仍然走您本系统的登录流程，只是走本系统的登录流程时，想跳过Shiro 对用户密码的校验，校验所属范围为Shiro 认证机制，其他功能照旧；

二、实现方案

2.1. 自定义登录认证规则

package com.gblfy.config.skipshiro;

import com.gblfy.config.skipshiro.enums.ShiroApproveLoginType;
import org.apache.shiro.authc.UsernamePasswordToken;

/**
 * 自定义token 实现免密和密码登录
 * <p>
 * 1.账号密码登陆（password）
 * 2.免密登陆（nopassword）
 * </p>
 *
 * @author gblfy
 * @date 2021-10-22
 */
public class EasyUsernameToken extends UsernamePasswordToken {
    private static final long serialVersionUID = -2564928913725078138L;

    private ShiroApproveLoginType type;

    public EasyUsernameToken() {
        super();
    }

    /**
     * 免密登录
     */
    public EasyUsernameToken(String username) {
        super(username, "", false, null);
        this.type = ShiroApproveLoginType.NOPASSWD;
    }

    /**
     * 账号密码登录
     */
    public EasyUsernameToken(String username, String password, boolean rememberMe) {
        super(username, password, rememberMe, null);
        this.type = ShiroApproveLoginType.PASSWORD;
    }

    public ShiroApproveLoginType getType() {
        return type;
    }

    public void setType(ShiroApproveLoginType type) {
        this.type = type;
    }

}

2.2. Shiro认证枚举

package com.gblfy.config.skipshiro.enums;

/**
 * Shiro认证枚举
 * @author gblfy
 * @date 2021-10-22
 */
public enum ShiroApproveLoginType {
    /** 密码登录 */
    PASSWORD("PASSWORD"),
    /** 密码登录 */
    NOPASSWD("NOPASSWORD");
    /** 状态值 */
    private String code;
    private ShiroApproveLoginType(String code) {
        this.code = code;
    }

    public String getCode() {
        return code;
    }
}

2.3. 密码和非密码登录

package com.gblfy.config.skipshiro;

import com.gblfy.config.skipshiro.enums.ShiroApproveLoginType;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;

/**
 * 自定义登录认证方案
 * <p>
 * 1.免密登录，不加密
 * 2.密码登录，md5加密
 * </p>
 *
 * @author gblfy
 * @date 2021-10-22
 */
public class EasyCredentialsMatch extends HashedCredentialsMatcher {

    /**
     * 重写方法
     * 区分 密码和非密码登录
     * 此次无需记录登录次数 详情看SysPasswordService
     */
    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        EasyUsernameToken easyUsernameToken = (EasyUsernameToken) token;

        //免密登录,不验证密码
        if (ShiroApproveLoginType.NOPASSWD.equals(easyUsernameToken.getType())) {
            return true;
        }

        //密码登录
        Object tokenHashedCredentials = hashProvidedCredentials(token, info);
        Object accountCredentials = getCredentials(info);
        return equals(tokenHashedCredentials, accountCredentials);
    }
}

2.4. 规则配置

customCredentialsMatch() {
        EasyCredentialsMatch customCredentialsMatch = new EasyCredentialsMatch();
        customCredentialsMatch.setHashAlgorithmName("md5");
        customCredentialsMatch.setHashIterations(3);
        customCredentialsMatch.setStoredCredentialsHexEncoded(true);
        return customCredentialsMatch;
    }

2.5. 自定义Realm

权限认证保持默认，修改登录认证

public class UserRealm extends AuthorizingRealm {

    /**
     * 权限认证  
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
      //权限认证  代码省略
    }

   /**
     * 登录认证
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        EasyUsernameToken upToken = (EasyUsernameToken) token;
        String username = upToken.getUsername();

        SysUser user = null;
        // 密码登录
        if (upToken.getType().getCode().equals(LoginType.PASSWORD.getCode())) {
            String password;
            if (upToken.getPassword() != null) {
                password = new String(upToken.getPassword());
                try {
                    user = loginService.login(username, password);
                } 
                catch (Exception e) {
                    log.info("对用户[" + username + "]进行登录验证..验证未通过{}", e.getMessage());
                    throw new AuthenticationException(e.getMessage(), e);
                }
            }
        } else if (upToken.getType().getCode().equals(LoginType.NOPASSWD.getCode())) {
            // 第三方登录 TODO
         
        }

        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, upToken.getPassword(), getName());
        return info;
    }
}

2.6. 案例使用

(String username, String password, Boolean rememberMe) {
        EasyUsernameToken token = new EasyUsernameToken(username, password, rememberMe);
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
            return success();
        } catch (AuthenticationException e) {
            String msg = "用户或密码错误";
            if (StringUtils.isNotEmpty(e.getMessage())) {
                msg = e.getMessage();
            }
            return error(msg);
        }
    }