Java-Shiro(九):Shiro集成Redis实现Session统一管理
声明:本证项目基于《Java-Shiro(六):Shiro Realm讲解(三)Realm的自定义及应用》构建项目为基础。
版本源码:《https://github.com/478632418/springmv_without_web_xml/tree/master/mybaits-test-dynamic-sql-03》
在实际应用中使用Redis管理Shiro默认的Session(SessionManager)是必要的,因为默认的SessionManager内部默认采用了内存方式存储Session相关信息();当配置了内部cacheManager时(默认配置采用EhCache--内存或磁盘缓存),会将已经登录的用户的Session信息存储到内存或磁盘。无论是采用纯内存方式或者EhCache(内存或磁盘)方式都不适合企业生产应用(特别并发认证用户较多的系统)。
阅读本章请带着这几个问题:
1)如何集成redis存储认证信息,实现分布式session一致?
2)如何统计在线用户数?
3)如何剔除用户?
4)如何实现一个用户最多允许登录几次(单点登录)?
5)当一个用户已经登录 或者 rememberMe,后台管理员修改了该用户的角色,或者调整了(增、删、改)角色与资源之间的关系,登录用户的角色、资源信息如何同步被修改?
6)修改(增、删、改)资源信息,资源信息的url如何动态添加到shiroFilter.filterChainDefinitions?
准备
1)新建maven项目pom.xml配置
<properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.target>1.8</maven.compiler.target> <org.springframework.version>5.2.0.RELEASE</org.springframework.version> <com.alibaba.version>1.1.21</com.alibaba.version> <mysql.version>8.0.11</mysql.version> <org.mybatis.version>3.4.6</org.mybatis.version> <org.mybatis.spring.version>2.0.3</org.mybatis.spring.version> <org.aspectj.version>1.9.4</org.aspectj.version> <jackson.version>2.10.1</jackson.version> <shiro.version>1.4.2</shiro.version> </properties> <dependencies> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-tx</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-core</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-beans</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-context-support</artifactId> <version>${org.springframework.version}</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-aop</artifactId> <version>${org.springframework.version}</version> </dependency> <!--AOP aspectjweaver 支持 --> <dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjweaver</artifactId> <version>${org.aspectj.version}</version> </dependency> <!-- https://mvnrepository.com/artifact/org.aspectj/aspectjrt --> <dependency> <groupId>org.aspectj</groupId> <artifactId>aspectjrt</artifactId> <version>${org.aspectj.version}</version> </dependency> <!-- https://mvnrepository.com/artifact/org.thymeleaf/thymeleaf --> <dependency> <groupId>org.thymeleaf</groupId> <artifactId>thymeleaf</artifactId> <version>3.0.9.RELEASE</version> </dependency> <!-- https://mvnrepository.com/artifact/org.thymeleaf/thymeleaf-spring5 --> <dependency> <groupId>org.thymeleaf</groupId> <artifactId>thymeleaf-spring5</artifactId> <version>3.0.9.RELEASE</version> </dependency> <!--访问RDBMS-MySQL依赖 --> <!--MyBatis --> <dependency> <groupId>org.mybatis</groupId> <artifactId>mybatis</artifactId> <version>${org.mybatis.version}</version> </dependency> <!-- Mybatis自身实现的Spring整合依赖 --> <dependency> <groupId>org.mybatis</groupId> <artifactId>mybatis-spring</artifactId> <version>${org.mybatis.spring.version}</version> </dependency> <!--MySql数据库驱动 --> <!-- https://mvnrepository.com/artifact/com.alibaba/druid --> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>${com.alibaba.version}</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>${mysql.version}</version> </dependency> <!--Rest Support支持 --> <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>${jackson.version}</version> </dependency> <dependency> <groupId>com.fasterxml.jackson.dataformat</groupId> <artifactId>jackson-dataformat-xml</artifactId> <version>${jackson.version}</version> </dependency> <dependency> <groupId>com.fasterxml.jackson.module</groupId> <artifactId>jackson-module-parameter-names</artifactId> <version>${jackson.version}</version> </dependency> <!--form 设置为enctype="multipart/form-data",多文件上传,在applicationContext.xml中配置了bean multipartResolver时,需要依赖该包。 --> <dependency> <groupId>commons-fileupload</groupId> <artifactId>commons-fileupload</artifactId> <version>1.4</version> </dependency> <dependency> <groupId>commons-io</groupId> <artifactId>commons-io</artifactId> <version>2.5</version> </dependency> <!-- 编译依赖 --> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> </dependency> <dependency> <groupId>jstl</groupId> <artifactId>jstl</artifactId> <version>1.2</version> </dependency> <!--日志支持 --> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> <version>1.7.26</version> </dependency> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> <version>1.7.26</version> </dependency> <dependency> <groupId>log4j</groupId> <artifactId>log4j</artifactId> <version>1.2.17</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-cas</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>${shiro.version}</version> </dependency> <!--thymeleaf-shiro-extras--> <dependency> <groupId>com.github.theborakompanioni</groupId> <artifactId>thymeleaf-extras-shiro</artifactId> <version>2.0.0</version> </dependency> <!-- redis依赖包 --> <dependency> <groupId>redis.clients</groupId> <artifactId>jedis</artifactId> <version>3.1.0</version> </dependency> <!-- https://mvnrepository.com/artifact/org.springframework.data/spring-data-redis --> <dependency> <groupId>org.springframework.data</groupId> <artifactId>spring-data-redis</artifactId> <version>2.2.3.RELEASE</version> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> <version>1.2.13</version> </dependency> <!-- https://mvnrepository.com/artifact/commons-lang/commons-lang --> <dependency> <groupId>commons-lang</groupId> <artifactId>commons-lang</artifactId> <version>2.6</version> </dependency> <!-- https://mvnrepository.com/artifact/junit/junit --> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.12</version> <!-- <scope>test</scope> --> </dependency> </dependencies> <repositories> <repository> <id>aliyun_maven</id> <name>aliyun maven</name> <url>http://maven.aliyun.com/nexus/content/groups/public</url> <releases> <enabled>false</enabled> </releases> <snapshots> <enabled>true</enabled> </snapshots> </repository> </repositories>
2)web.xml配置
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1"> <display-name>ssms</display-name> <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> <welcome-file>default.html</welcome-file> <welcome-file>default.htm</welcome-file> <welcome-file>default.jsp</welcome-file> <welcome-file>/index</welcome-file> </welcome-file-list> <!-- 加载spring容器 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> classpath:appplcationContext-base.xml, classpath:applicationContext-redis.xml, classpath:applicationContext-shiro.xml, classpath:applicationContext-mybatis.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- Shiro Filter is defined in the spring application context: --> <!-- 1. 配置 Shiro 的 shiroFilter. <br> 2. DelegatingFilterProxy 实际上是 Filter 的一个代理对象. 默认情况下, Spring 会到 IOC 容器中查找和 <filter-name> 对应的 filter bean. 也可以通过 targetBeanName 的初始化参数来配置 filter bean 的 id. --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 文件上传与下载过滤器:form表单中存在文件时,该过滤器可以处理http请求中的文件,被该过滤器过滤后会用post方法提交, form表单需设为enctype="multipart/form-data" --> <!-- 注意:必须放在HiddenHttpMethodFilter过滤器之前 --> <filter> <filter-name>multipartFilter</filter-name> <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class> <init-param> <param-name>multipartResolverBeanName</param-name> <!--spring中配置的id为multipartResolver的解析器 --> <param-value>multipartResolver</param-value> </init-param> </filter> <filter-mapping> <filter-name>multipartFilter</filter-name> <!--<servlet-name>springmvc</servlet-name> --> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 注意:HiddenHttpMethodFilter必须作用于dispatcher前 请求method支持 put 和 delete 必须添加该过滤器 作用:可以过滤所有请求,并可以分为四种 使用该过滤器需要在前端页面加隐藏表单域 <input type="hidden" name="_method" value="请求方式(put/delete)"> post会寻找_method中的请求式是不是put 或者 delete,如果不是 则默认post请求 --> <filter> <filter-name>hiddenHttpMethodFilter</filter-name> <filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class> <!--可以通过配置覆盖默认'_method'值 --> <init-param> <param-name>methodParam</param-name> <param-value>_method</param-value> </init-param> </filter> <filter-mapping> <filter-name>hiddenHttpMethodFilter</filter-name> <!--servlet为springMvc的servlet名 --> <servlet-name>springmvc</servlet-name> <!--<url-pattern>/*</url-pattern> --> </filter-mapping> <!-- 后端数据输出到前端乱码问题 --> <filter> <filter-name>characterEncodingFilter</filter-name> <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> <init-param> <param-name>forceEncoding</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>characterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- springmvc前端控制器 --> <servlet> <servlet-name>springmvc</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:springmvc-servlet.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>springmvc</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> </web-app>
注意:
1)在web.xml中引入shiroFilter、multipartFilter、hiddenHttpMethodFilter、characterEncodingFilter;
2)ContextLoaderListener需要加载applicationContext-base.xml、applicaitonContext-mybatis.xml、applicationContext-shiro.xml、applicationContext-redis.xml 4个配置文件;
3)DispatcherServlet需要加载springmvc-servlet.xml配置文件。
3)springmvc-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd "> <!-- 开启controller注解支持 --> <!-- 注意事项请参考:http://jinnianshilongnian.iteye.com/blog/1762632 --> <context:component-scan base-package="com.dx.test.controller" use-default-filters="false"> <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/> <context:include-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/> </context:component-scan> <!--使用mvc:annotation-driven代替上边注解映射器和注解适配器 配置 如果使用mvc:annotation-driven就不用配置上面的 RequestMappingHandlerMapping和RequestMappingHandlerAdapter--> <!-- 使用注解驱动:自动配置处理器映射器与处理器适配器 --> <!-- <mvc:annotation-driven /> --> <mvc:annotation-driven></mvc:annotation-driven> <!-- 开启aop,对类代理 --> <aop:config proxy-target-class="true"></aop:config> <!-- 单独使用jsp视图解析器时,可以取消掉注释,同时注释掉:下边的‘配置多个视图解析’配置--> <!-- <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/view/"/> <property name="suffix" value=".jsp"/> </bean> --> <!-- 使用thymeleaf解析 --> <bean id="templateResolver" class="org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver"> <property name="prefix" value="/WEB-INF/templates/"/> <!--<property name="suffix" value=".html" />--> <property name="templateMode" value="HTML"/> <property name="characterEncoding" value="UTF-8"/> <property name="cacheable" value="false"/> </bean> <bean id="templateEngine" class="org.thymeleaf.spring5.SpringTemplateEngine"> <property name="templateResolver" ref="templateResolver"/> <property name="additionalDialects"> <set> <bean class="at.pollux.thymeleaf.shiro.dialect.ShiroDialect"/> </set> </property> </bean> <!--单独使用thymeleaf视图引擎时,可以取消掉注释,同时注释掉:下边的‘配置多个视图解析’配置 --> <!-- <bean class="org.thymeleaf.spring5.view.ThymeleafViewResolver"> <property name="templateEngine" ref="templateEngine" /> <property name="characterEncoding" value="UTF-8"/> </bean> --> <!-- 配置多个视图解析 参考:https://blog.csdn.net/qq_19408473/article/details/71214972--> <bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver"> <property name="viewResolvers"> <!-- 此时, 返回视图:return "abc.jsp" ,将使用jsp视图解析器,jsp的视图模板文件在/WEB-INF/views/下; 返回视图:return "abc.html",将使用 thymeleaf视图解析器,thymeleaf的视图模板文件在/WEB-INF/templates/下。 --> <list> <!--used thymeleaf --> <bean class="org.thymeleaf.spring5.view.ThymeleafViewResolver"> <property name="characterEncoding" value="UTF-8"/> <property name="templateEngine" ref="templateEngine"/> <property name="viewNames" value="*.html"/> <property name="order" value="2"/> </bean> <!-- used jsp --> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/views/"/> <!--<property name="suffix" value=".jsp"/>--> <property name="viewNames" value="*.jsp"/> <property name="order" value="1"/> </bean> </list> </property> </bean> </beans>
注意:
1)配置文件中配置了两个视图引擎:jsp、thymeleaf。
返回视图:return "abc.jsp" ,将使用jsp视图解析器,jsp的视图模板文件在/WEB-INF/views/下;
返回视图:return "abc.html",将使用 thymeleaf视图解析器,thymeleaf的视图模板文件在/WEB-INF/templates/下。2)开启aop,对类代理<aop:config proxy-target-class="true"></aop:config>
3)开启controller注解支持<context:component-scan base-package="com.dx.test.controller" use-default-filters="false">...</context:component-scan>
4)使用注解驱动:自动配置处理器映射器与处理器适配器 <mvc:annotation-driven></mvc:annotation-driven>
5)关于thymeleaf视图引擎需要注意:引入了解析thymeleaf *.html中shiro标签处理,在templateEngine bean下设置了additionalDialects属性。具体处理请参考《Java-Shiro(八):Shiro集成SpringMvc、Themeleaf,如何实现Themeleaf视图引擎下解析*.html中shiro权限验证》
4)applicaitonContext-base.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd"> <!-- 扫描Service、Dao里面的注解,这里没有定义service --> <context:component-scan base-package="com.dx.test.dao"/> <!-- 扫描@Controller注解类 --> <context:component-scan base-package="com.dx.test.controller"/> <!-- 加载Listener component --> <context:component-scan base-package="com.dx.test.listener"/> <!-- 扫描shrio相关类(包含了@Service ShiroService组件) --> <context:component-scan base-package="com.dx.test.shiro"/> <!-- 文件上传注意id --> <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver"> <!-- 配置默认编码 --> <property name="defaultEncoding" value="utf-8"></property> <!-- 配置文件上传的大小 --> <property name="maxUploadSize" value="1048576"></property> </bean> </beans>
注解:该配置文件主要用来指定系统需要扫描哪几个包下类:
1)扫描包含@Service注解的包(dao/service相关类);
2)扫描包含@Controller注解的包;
3)扫描shiro定义的组件先关包(shiro包下定了@Service修饰的ShiroService);
4)扫描listener下的包(@Component修饰的ApplicationListener目的实现项目启动后执行业务操作);
5)定义上传组件bean。
4)applicaitonContext-mybatis.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd "> <!-- 数据库连接池配置文件Dao层 --> <!-- 加载配置文件 --> <context:property-placeholder location="classpath:jdbc.properties" ignore-unresolvable="true" /> <!-- 数据库连接池,使用dbcp --> <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource" init-method="init" destroy-method="close"> <property name="driverClassName" value="${jdbc.driver}" /> <property name="url" value="${jdbc.url}"/> <property name="username" value="${jdbc.username}"/> <property name="password" value="${jdbc.password}"/> <property name="maxActive" value="10"/> <property name="maxIdle" value="5"/> </bean> <!-- sqlSessionFactory配置 --> <bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean"> <property name="dataSource" ref="dataSource" /> <!-- 配置MyBaties全局配置文件:mybatis-config.xml --> <property name="configLocation" value="classpath:mybatisConfig.xml" /> <!-- 扫描entity包 使用别名 --> <!-- <property name="typeAliasesPackage" value="com.dx.test.model" /> --> <!-- 扫描sql配置文件:mapper需要的xml文件 --> <property name="mapperLocations" value="classpath:*dao/*.xml" /> </bean> <!-- 4.配置扫描Dao接口包,动态实现Dao接口,注入到spring容器中 --> <bean class="org.mybatis.spring.mapper.MapperScannerConfigurer"> <!-- 注入sqlSessionFactory --> <property name="sqlSessionFactoryBeanName" value="sqlSessionFactory" /> <!-- 给出需要扫描Dao接口包 --> <property name="basePackage" value="com.dx.test.dao" /> </bean> <!-- 事务管理器--> <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager"> <property name="dataSource" ref="dataSource"/> </bean> </beans>
其中配置中依赖了jdbc.properties
jdbc.driver=com.mysql.cj.jdbc.Driver jdbc.url=jdbc:mysql://localhost:3306/mydb?useUnicode=true&characterEncoding=utf8&serverTimezone=GMT%2B8&useSSL=false jdbc.username=root jdbc.password=123456
备注:
2)配置文件中主要配置了mybatis依赖的dataSource bean,以及sqlSessionFactory bean,MapperScannerConfigurer扫描@Mapper定义或者*mapper.xml
3)配置事务管理器 transactionManager。
5)applicationContext-redis.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd"> <!-- 加载配置文件 --> <context:property-placeholder location="classpath:jedis.properties" ignore-unresolvable="true" /> <!-- 连接池配置 --> <bean id="jedisPoolConfig" class="redis.clients.jedis.JedisPoolConfig"> <!-- 最大连接数 --> <property name="maxTotal" value="${redis.maxTotal}" /> <!-- 最大空闲连接数 --> <property name="maxIdle" value="${redis.maxIdle}" /> <!-- 每次释放连接的最大数目 --> <property name="numTestsPerEvictionRun" value="${redis.numTestsPerEvictionRun}" /> <!-- 释放连接的扫描间隔(毫秒) --> <property name="timeBetweenEvictionRunsMillis" value="${redis.timeBetweenEvictionRunsMillis}" /> <!-- 连接最小空闲时间 --> <property name="minEvictableIdleTimeMillis" value="${redis.minEvictableIdleTimeMillis}" /> <!-- 连接空闲多久后释放, 当空闲时间>该值 且 空闲连接>最大空闲连接数 时直接释放 --> <property name="softMinEvictableIdleTimeMillis" value="${redis.softMinEvictableIdleTimeMillis}" /> <!-- 获取连接时的最大等待毫秒数,小于零:阻塞不确定的时间,默认-1 --> <property name="maxWaitMillis" value="${redis.maxWaitMillis}" /> <!-- 在获取连接的时候检查有效性, 默认false --> <property name="testOnBorrow" value="${redis.testOnBorrow}" /> <!-- 在空闲时检查有效性, 默认false --> <property name="testWhileIdle" value="${redis.testWhileIdle}" /> <!-- 连接耗尽时是否阻塞, false报异常,ture阻塞直到超时, 默认true --> <property name="blockWhenExhausted" value="${redis.blockWhenExhausted}" /> </bean> <bean id="jedisPool" class="redis.clients.jedis.JedisPool"> <constructor-arg name="host" value="${redis.host}"></constructor-arg> <constructor-arg name="port" value="${redis.port}"></constructor-arg> <constructor-arg name="poolConfig" ref="jedisPoolConfig"></constructor-arg> </bean> <!-- 需要密码 --> <bean id="connectionFactory" class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory" p:host-name="${redis.host}" p:port="${redis.port}" p:password="${redis.pass}" p:pool-config-ref="jedisPoolConfig"/> <bean id="redisTemplate" class="org.springframework.data.redis.core.StringRedisTemplate"> <property name="connectionFactory" ref="connectionFactory" /> <property name="keySerializer"> <bean class="org.springframework.data.redis.serializer.StringRedisSerializer" /> </property> <property name="valueSerializer"> <bean class="org.springframework.data.redis.serializer.JdkSerializationRedisSerializer" /> </property> </bean> </beans>
上线配置文件中依赖了jedis.properties文件内容:
redis.maxTotal=2000
redis.maxIdle=50
redis.numTestsPerEvictionRun=1024
redis.timeBetweenEvictionRunsMillis=30000
redis.minEvictableIdleTimeMillis=1800000
redis.softMinEvictableIdleTimeMillis=10000
redis.maxWaitMillis=15000
redis.testOnBorrow=false
redis.testWhileIdle=false
redis.testOnReturn=false
redis.blockWhenExhausted=true
redis.host=127.0.0.1
redis.port=6379
redis.pass=
备注:
文件主要配置两种用来操作redis的bean:
1)定义了redis-client下redisPool bean;
2)定义了spring-data下redisTemplate bean。
6)applicationContext-shiro.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd"> <!-- 凭证匹配器 --> <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <!-- 加密算法 --> <property name="hashAlgorithmName" value="md5"></property> <!-- 迭代次数 --> <property name="hashIterations" value="8"></property> </bean> <!-- 配置自定义Realm --> <bean id="myRealm" class="com.dx.test.shiro.MyRealm"> <!-- 将凭证匹配器设置到realm中,realm按照凭证匹配器的要求进行散列 --> <property name="credentialsMatcher" ref="credentialsMatcher"></property> <!--启用缓存,默认SimpleAccountRealm关闭,默认AuthenticatingRealm、AuthorizingRealm、CachingRealm开启--> <property name="cachingEnabled" value="true"/> <!-- 一般情况下不需要对 认证信息进行缓存 --> <!--启用身份验证缓存,即缓存AuthenticationInfo,默认false--> <property name="authenticationCachingEnabled" value="false"/> <!--启用授权缓存,即缓存AuthorizationInfo的信息,默认为true--> <property name="authorizationCachingEnabled" value="true"/> <!--<property name="authenticationCacheName" value="authenticationCache"></property>--> <!--<property name="authenticationCache" ref="redisCache"></property>--> </bean> <!--cacheManager--> <!-- // 采用EHCache混合缓存 <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:shiro-ehcache.xml"/> </bean> --> <!-- // 采用本地内存方式缓存 <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"/> --> <bean id="redisCache" class="com.dx.test.shiro.RedisCache"> <constructor-arg name="timeout" value="30"></constructor-arg> <constructor-arg name="redisTemplate" ref="redisTemplate"></constructor-arg> </bean> <bean id="cacheManager" class="com.dx.test.shiro.RedisCacheManager"> <property name="keyPrefix" value="shiro_redis_cache:"></property> <property name="redisTemplate" ref="redisTemplate"></property> <property name="timeout" value="30"></property> </bean> <!-- sessionIdCookie的实现,用于重写覆盖容器默认的JSESSIONID --> <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> <!-- cookie的name,对应的默认是 JSESSIONID --> <constructor-arg name="name" value="SHAREJSESSIONID"/> <!-- jsessionId的path为 / 用于多个系统共享jsessionId --> <property name="path" value="/"/> </bean> <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"></bean> <bean id="sessionDao" class="com.dx.test.shiro.RedisSessionDao"> <property name="keyPrefix" value="shiro_redis_session:"></property> <property name="redisTemplate" ref="redisTemplate"></property> <property name="sessionIdGenerator" ref="sessionIdGenerator"></property> <property name="sessionTimeout" value="30"></property> </bean> <!-- 会话管理器--> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <!--删除在session过期时跳转页面时自动在URL中添加JSESSIONID--> <property name="sessionIdUrlRewritingEnabled" value="false"/> <!-- 设置超时时间 --> <property name="globalSessionTimeout" value="1800000"/> <!-- 删除失效的session --> <property name="deleteInvalidSessions" value="true"/> <!-- 定时检查失效的session --> <property name="sessionValidationSchedulerEnabled" value="true"/> <!-- 集群共享session --> <property name="sessionIdCookieEnabled" value="true"/> <property name="sessionIdCookie" ref="sessionIdCookie"/> <property name="sessionDAO" ref="sessionDao"/> </bean> <!--手动指定cookie--> <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> <constructor-arg value="rememberMe"/> <property name="httpOnly" value="true"/> <!-- 7天 --> <property name="maxAge" value="604800"/> <property name="domain" value="*"/> <property name="path" value="/"/> </bean> <!-- rememberMe管理器 --> <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager"> <!--注入自定义cookie(主要是设置寿命, 默认的一年太长)--> <property name="cookie" ref="rememberMeCookie"/> </bean> <!-- securityManager安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <!--<property name="realm" ref="myRealm"></property>--> <property name="realms"> <list> <ref bean="myRealm"></ref> </list> </property> <property name="cacheManager" ref="cacheManager"></property> <property name="sessionManager" ref="sessionManager"></property> <property name="rememberMeManager" ref="rememberMeManager"></property> </bean> <bean id="kickout" class="com.dx.test.shiro.KickoutSessionFilter"> <constructor-arg name="sessionManager" ref="sessionManager"></constructor-arg> <constructor-arg name="cacheName" value="shiro_redis_kickout_cache"></constructor-arg> <constructor-arg name="cacheManager" ref="cacheManager"></constructor-arg> <constructor-arg name="kickoutAfter" value="true"></constructor-arg> <constructor-arg name="kickoutUrl" value="/login"></constructor-arg> <constructor-arg name="maxSession" value="2"></constructor-arg> </bean> <!-- id属性值要对应 web.xml中shiro的filter对应的bean --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"></property> <!-- loginUrl认证提交地址,如果没有认证将会请求此地址进行认证,请求地址将由formAuthenticationFilter进行表单认证 --> <property name="loginUrl" value="/login"></property> <!-- 认证成功统一跳转到first.action,建议不配置,shiro认证成功会默认跳转到上一个请求路径 --> <!-- <property name="successUrl" value="/first.action"></property> --> <!-- 通过unauthorizedUrl指定没有权限操作时跳转页面,这个位置会拦截不到,下面有给出解决方法 --> <!-- <property name="unauthorizedUrl" value="/refuse.jsp"></property> --> <property name="filters"> <util:map> <entry key="kickout" value-ref="kickout"></entry> </util:map> </property> <!-- 过滤器定义,从上到下执行,一般将/**放在最下面 --> <property name="filterChainDefinitions"> <!-- 过滤器简称 对应的java类 anon org.apache.shiro.web.filter.authc.AnonymousFilter authc org.apache.shiro.web.filter.authc.FormAuthenticationFilter authcBasic org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter perms org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter port org.apache.shiro.web.filter.authz.PortFilter rest org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter roles org.apache.shiro.web.filter.authz.RolesAuthorizationFilter ssl org.apache.shiro.web.filter.authz.SslFilter user org.apache.shiro.web.filter.authc.UserFilter logout org.apache.shiro.web.filter.authc.LogoutFilter ———————————————— 版权声明:本文为CSDN博主「a745233700」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/a745233700/article/details/81350191 --> <value> # 对静态资源设置匿名访问 /images/** = anon /js/** = anon /styles/** = anon /validatecode.jsp=anon /index=anon # 请求logout.action地址,shiro去清除session /logout.action = logout # /**=anon 所有的url都可以匿名访问,不能配置在最后一排,不然所有的请求都不会拦截 # /**=authc 所有的url都必须通过认证才可以访问 /** = kickout,authc </value> </property> </bean> <!-- 解决shiro配置的没有权限访问时,unauthorizedUrl不跳转到指定路径的问题 --> <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="exceptionMappings"> <props> <!--登录--> <prop key="org.apache.shiro.authz.UnauthenticatedException"> redirect:/web/page/login.do </prop> <!--授权--> <prop key="org.apache.shiro.authz.UnauthorizedException"> redirect:/web/page/unauthorized.do </prop> </props> </property> <property name="defaultErrorView" value="/index/error.do"/> </bean> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- 配置启用Shiro的注解功能 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true"></property> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> </beans>
备注:
applicaitonContext-shiro.xml配置内容包含:
1)自定myRealm,指定shiro是否开启认证、授权缓存,指定shiro的凭证匹配器credentialsMatcher;2)配置启用Shiro的注解功能,配置了DefaultAdvisorAutoProxyCreator、AuthorizationAttributeSourceAdvisor、lifecycleBeanPostProcessor几个bean;
3)定了cacheManager(记录缓存授权信息到redis)、sessionDao(用来记录用户session对象到redis) bean;
4)另外还定义了sessionManager(内部依赖于sessionDao、sessionIdCookie、sessionIdGenerate bean)、rememberMeManager(内部依赖于rememberMeCookie)、cacheManager 基本bean,都指定给了securityManager bean的属性;
5)定了kickout,用来实现将在认证用户与sessionId关联起来,实现方式在redis中记录用户和sessionId;
6)shiroFilter是shiro与springmvc关联起来的核心bean,shiroFilter的名字必须和web.xml中定义的shiroFilter名字一致。
待解决问题
1)如何实现分布式站点session共享
如果在分布式web站点中想实现session共享,必须借助于类似redis这种分布式一致性的介质。本章也主要是使用redis来实现的,具体实现:
1)在pom.xml中引入redis-client、spring-data依赖包,具体参考上边介绍的pom.xml
2)web.xml的ContextLoaderListener加载监听文件applicationContext-redis.xml,具体参考上边applicationContext-redis.xml配置文件内容;
3)web.xml的ContextLoaderListener加载监听文件applicaitonContext-shiro.xml中添加shiroFilter的sessionManager,并引入自定RedisSessionDao类;
<!-- sessionIdCookie的实现,用于重写覆盖容器默认的JSESSIONID --> <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> <!-- cookie的name,对应的默认是 JSESSIONID --> <constructor-arg name="name" value="SHAREJSESSIONID"/> <!-- jsessionId的path为 / 用于多个系统共享jsessionId --> <property name="path" value="/"/> </bean> <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"></bean> <bean id="sessionDao" class="com.dx.test.shiro.RedisSessionDao"> <property name="keyPrefix" value="shiro_redis_session:"></property> <property name="redisTemplate" ref="redisTemplate"></property> <property name="sessionIdGenerator" ref="sessionIdGenerator"></property> <property name="sessionTimeout" value="30"></property> </bean> <!-- 会话管理器--> <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <!--删除在session过期时跳转页面时自动在URL中添加JSESSIONID--> <property name="sessionIdUrlRewritingEnabled" value="false"/> <!-- 设置超时时间 --> <property name="globalSessionTimeout" value="1800000"/> <!-- 删除失效的session --> <property name="deleteInvalidSessions" value="true"/> <!-- 定时检查失效的session --> <property name="sessionValidationSchedulerEnabled" value="true"/> <!-- 集群共享session --> <property name="sessionIdCookieEnabled" value="true"/> <property name="sessionIdCookie" ref="sessionIdCookie"/> <property name="sessionDAO" ref="sessionDao"/> </bean> <!-- securityManager安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <!--<property name="realm" ref="myRealm"></property>--> <property name="realms"> <list> <ref bean="myRealm"></ref> </list> </property> <property name="cacheManager" ref="cacheManager"></property> <property name="sessionManager" ref="sessionManager"></property> <property name="rememberMeManager" ref="rememberMeManager"></property> </bean>
注意:
1)sessionIdGenerator支持自定义生成器、和内置的JavaUuidSessionIdGenerator、RandomSessionIdGenerator;
2)其中sessionManager中的sessionDao是自定的RedisSessionDao,这个类内部提供了对session的缓存,但是用户也可以自定义实现:可以使用内存、关系(非关系)数据库、文件系统、redis等方式去实现。
4)自定义RedisSessionDao.java
public class RedisSessionDao extends AbstractSessionDAO { private static Logger logger = LoggerFactory.getLogger(RedisSessionDao.class); private RedisTemplate redisTemplate; private String keyPrefix = "shiro_redis_session:"; /** * 单位minutes */ private Long sessionTimeout = 30L; public RedisTemplate getRedisTemplate() { return redisTemplate; } public void setRedisTemplate(RedisTemplate redisTemplate) { this.redisTemplate = redisTemplate; } public String getKeyPrefix() { return keyPrefix; } public void setKeyPrefix(String keyPrefix) { this.keyPrefix = keyPrefix; } public void setSessionTimeout(Long sessionTimeout) { this.sessionTimeout = sessionTimeout; } private String getKey(String key) { return getKeyPrefix() + key; } private void saveSession(Session session) throws UnknownSessionException { if (session != null && session.getId() != null) { String key = this.getKey(session.getId().toString()); session.setTimeout(this.sessionTimeout * 60 * 1000); redisTemplate.opsForValue().set(key, session, this.sessionTimeout*60*1000, TimeUnit.SECONDS); } else { logger.error("session or session id is null"); } } @Override public void update(Session session) throws UnknownSessionException { logger.debug("更新seesion,id=[{}]", session.getId() != null ? session.getId().toString() : "null"); this.saveSession(session); } @Override public void delete(Session session) { logger.debug("删除seesion,id=[{}]", session.getId().toString()); try { String key = getKey(session.getId().toString()); redisTemplate.delete(key); } catch (Exception e) { logger.error(e.getMessage(), e); } } @Override public Collection<Session> getActiveSessions() { logger.info("获取存活的session"); Set<Session> sessions = new HashSet<>(); Set<String> keys = redisTemplate.keys(getKey("*")); if (keys != null && keys.size() > 0) { for (String key : keys) { Session s = (Session) redisTemplate.opsForValue().get(key); sessions.add(s); } } return sessions; } @Override protected Serializable doCreate(Session session) { Serializable sessionId = this.generateSessionId(session); this.assignSessionId(session, sessionId); logger.debug("创建seesion,id=[{}]", session.getId() != null ? session.getId().toString() : "null"); // 当有游客进入或者remeberme都会调用 this.saveSession(session); return sessionId; } @Override protected Session doReadSession(Serializable sessionId) { logger.debug("获取seesion,id=[{}]", sessionId.toString()); Session readSession = null; try { readSession = (Session) redisTemplate.opsForValue().get(getKey(sessionId.toString())); } catch (Exception e) { logger.error(e.getMessage()); } return readSession; } }
注意:
1)redisTemplate是applicationContext-redis.xml中定义的bean,因此这里可以直接在applicationContext-shiro.xml中使用ref="redisTemplate"引入;
2)keyPrefix需要在定义sessionDao bean时指定,默认‘shiro_redis_session:’;
3)timeout需要在定义sessionDao bean时指定,其用来指定存储到redis的session过期时间,默认为30,单位:minute;
4)默认存储到redis的session信息的key格式为:shiro_redis_session:xx-xx-xx-xx-xx-xx-xx。
2)如何控制一个用户允许登录次数?
上边我们定义了sessionDao、sessionManager,并在securityManager中引入了sessionManager,从而实现了在redis中存储session信息,redis中的session信息格式为:shiro_redis_session:xx-xx-xx-xx-xx-xx-xx。
此时,redis中还包含了另外一个用户信息,那就是登录用户的授权信息,因为在myShiro中开启了缓存授权信息的开关,且在securityManager中引用了cacheManager。且cacheManager也是我们自定的RedisCacheManager,那么在第一次认证触发后,就会将认证信息存储到redis中。它的存储格式为key为SimpleAuthorizationInfo对象的一个字节码。
如果要实现控制一个用户最多登录次数,需要知道用户与session之间的关系。就目前的数据而言还不能完美的将用户和session关联起来,因此我们就需要通过其他方案实现用户与session关联起来。这我们采用自定义一个AccessControlFilter,在shiroFilter的filterChainDefinitions中引入该filter,用来拦截url,之后在拦截器中拿到认证后的用户和session信息,然后用户和session信息关联存储到redis中,这样实现了用户与session关联起来,进而可以实现控制一个用户最多登录次数。
1)自定义AccessControlFilter
/** * 用来缓存已经通过认证的用户,使得用户与sessionId关联起。 * */ public class KickoutSessionFilter extends AccessControlFilter { /** * 踢出之后跳转的url */ private String kickoutUrl; /** * 踢出之前登录的/之后登录的用户 默认踢出之前登录的用户 */ private boolean kickoutAfter = false; /** * 同一个帐号最大会话数 默认5 */ private Integer maxSession = 5; /** * 设置sessionManager */ private SessionManager sessionManager; /** * redis缓存cache对象别名 */ private String cacheName = "shiro_redis_kickout_cache"; /** * 获取cacheManager下的Cache接口实现对象 */ private Cache<String, Deque<Serializable>> cache; /** * 构造函数 * * @param sessionManager session管理器 * @param cacheManager cache管理器 * @param cacheName redis缓存cache对象别名 * @param kickoutAfter 踢出之前登录的/之后登录的用户 默认踢出之前登录的用户 * @param kickoutUrl 踢出之后跳转的url * @param maxSession 同一个帐号最大会话数 默认5 */ public KickoutSessionFilter(SessionManager sessionManager, String cacheName, CacheManager cacheManager, String kickoutUrl, Boolean kickoutAfter, Integer maxSession) { this.sessionManager = sessionManager; this.cacheName = cacheName; this.cache = cacheManager.getCache(this.cacheName); this.kickoutAfter = kickoutAfter; this.kickoutUrl = kickoutUrl; this.maxSession = maxSession; } /** * 是否有权限访问 */ @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { return false; } /** * 没有权限访问时,才执行该方法。 */ @Override protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { Subject subject = getSubject(request, response); if (!subject.isAuthenticated() && !subject.isRemembered()) { //如果没有登录,直接进行之后的流程 return true; } Session session = subject.getSession(); SysUser user = (SysUser) subject.getPrincipal(); String username = user.getUsername(); Serializable sessionId = session.getId(); //读取缓存 没有就存入 Deque<Serializable> deque = cache.get(username); //如果此用户没有session队列,也就是还没有登录过,缓存中没有 //就new一个空队列,不然deque对象为空,会报空指针 if (deque == null) { deque = new LinkedList<Serializable>(); } //如果队列里没有此sessionId,且用户没有被踢出;放入队列 if (!deque.contains(sessionId) && session.getAttribute("kickout") == null) { //将sessionId存入队列 deque.push(sessionId); //将用户的sessionId队列缓存 cache.put(username, deque); } //如果队列里的sessionId数超出最大会话数,开始踢人 while (deque.size() > maxSession) { Serializable kickoutSessionId = null; //如果踢出后者 if (kickoutAfter) { kickoutSessionId = deque.removeFirst(); //踢出后再更新下缓存队列 cache.put(username, deque); } else { //否则踢出前者 kickoutSessionId = deque.removeLast(); //踢出后再更新下缓存队列 cache.put(username, deque); } try { //获取被踢出的sessionId的session对象 Session kickoutSession = sessionManager.getSession(new DefaultSessionKey(kickoutSessionId)); if (kickoutSession != null) { //设置会话的kickout属性表示踢出了 kickoutSession.setAttribute("kickout", true); } } catch (Exception e) {//ignore exception } } //如果被踢出了,直接退出,重定向到踢出后的地址 if ((Boolean) session.getAttribute("kickout") != null && (Boolean) session.getAttribute("kickout") == true) { //会话被踢出了 try { //退出登录 subject.logout(); } catch (Exception e) { //ignore } saveRequest(request); Map<String, String> resultMap = new HashMap<String, String>(2); //判断是不是Ajax请求 if ("XMLHttpRequest".equalsIgnoreCase(((HttpServletRequest) request).getHeader("X-Requested-With"))) { resultMap.put("state", "300"); resultMap.put("message", "您已经在其他地方登录,请重新登录!"); //输出json串 out(response, resultMap); } else { //重定向 WebUtils.issueRedirect(request, response, kickoutUrl); } return false; } return true; } private void out(ServletResponse hresponse, Map<String, String> resultMap) throws IOException { try { hresponse.setCharacterEncoding("UTF-8"); PrintWriter out = hresponse.getWriter(); out.println(JSON.toJSONString(resultMap)); out.flush(); out.close(); } catch (Exception e) { System.err.println("KickoutSessionFilter.class 输出JSON异常,可以忽略。"); } } }
注意:
1)上边代码中存储到redis的key格式为:redis_shiro_cache:username;
2)存储到redis的value的格式为:LinkedList(sessionid-00,sessionId-01,。。。);
3)实际上控制登录个数也就是通过判定redis中value的LinkedList的元素个数;
4)定义该bean时,需要在构造函数中指定以下几个参数:
* sessionManager session管理器
* cacheManager cache管理器
* cacheName redis缓存cache对象别名
* kickoutAfter 踢出之前登录的/之后登录的用户 默认踢出之前登录的用户
* kickoutUrl 踢出之后跳转的url
* maxSession 同一个帐号最大会话数 默认5
2)applicaitonContext-shiro.xml中shiroFilter.filterChainDefinitions下引入自定filter到url下
<bean id="kickout" class="com.dx.test.shiro.KickoutSessionFilter"> <constructor-arg name="sessionManager" ref="sessionManager"></constructor-arg> <constructor-arg name="cacheName" value="shiro_redis_kickout_cache"></constructor-arg> <constructor-arg name="cacheManager" ref="cacheManager"></constructor-arg> <constructor-arg name="kickoutAfter" value="true"></constructor-arg> <constructor-arg name="kickoutUrl" value="/login"></constructor-arg> <constructor-arg name="maxSession" value="2"></constructor-arg> </bean> <!-- id属性值要对应 web.xml中shiro的filter对应的bean --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"></property> <!-- loginUrl认证提交地址,如果没有认证将会请求此地址进行认证,请求地址将由formAuthenticationFilter进行表单认证 --> <property name="loginUrl" value="/login"></property> <property name="filters"> <util:map> <entry key="kickout" value-ref="kickout"></entry> </util:map> </property> <!-- 过滤器定义,从上到下执行,一般将/**放在最下面 --> <property name="filterChainDefinitions"> <value> # 对静态资源设置匿名访问 /images/** = anon /js/** = anon /styles/** = anon /validatecode.jsp=anon /index=anon # 请求logout.action地址,shiro去清除session /logout.action = logout # /**=anon 所有的url都可以匿名访问,不能配置在最后一排,不然所有的请求都不会拦截 # /**=authc 所有的url都必须通过认证才可以访问 /** = kickout,authc </value> </property> </bean>
此时redis中信息包含:
3)如何动态分配shiroFilter#filterChainDefinitions
实际上边url中指定kickout filter是写死的,当在permission中修改了数据后,如何实现动态分配shiroFilter#filterChainDefinitions属性呢?
又如何动态分配kickout filter呢?就说第一次加载时如何动态配置shiroFilter#filterChainDefinitions,因为数据表sys_permission中配置的有url资源。
1)启动时同步
自定StartupListener.java启动类,在启动类中加载sys_permission数据到shiroFilter#filterChainDefinitions集合中:
/** * 将系统中的的permission信息追加到 shiroFilter.filterChainDefinitions 下。 * 注意:<br> * 在SpringMvc项目中,这个类的onApplicationEvent方法会被执行两次,因为项目中有两个ApplicationContext:<br> * 1)parent ApplicationContext:ContextLoaderListener初始化的;<br> * 2)child ApplicationContext:DispatcherServlet初始化的。<br> */ @Component("startupListener") public class StartupListener implements ApplicationListener<ContextRefreshedEvent> { protected Logger logger = LoggerFactory.getLogger(getClass()); @Autowired private ShiroService shiroService; @Override public void onApplicationEvent(ContextRefreshedEvent event) { // 这里只想在 parent ApplicationContext 初始化完整时,执行相应业务,因为 applicationContext-shiro.xml 是在 ContextLoaderListner 下加载的。 if (event.getApplicationContext().getParent() == null) { // 获取到上下文唯一 shiroFilter bean对象 ShiroFilterFactoryBean shiroFilterFactoryBean = event.getApplicationContext().getBean(ShiroFilterFactoryBean.class); // 获取到 shiroFilter bean中配置的 filterChainDefinitions 信息,然后与 sys_permission 中的配置信息一起 merge。 Map<String, String> filterChainDefinitionMap = shiroService.mergeFilterChainDefinitions(shiroFilterFactoryBean.getFilterChainDefinitionMap()); // 重新设置 shiroFilter.filterChainDefinitions 属性。 shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); } } }
需要在applicationContext-base.xml中扫描该listener所在的包下的类:
<!-- 加载Listener component --> <context:component-scan base-package="com.dx.test.listener"/>
2)修改了sys_permission时
当修改了sys_permission时,需要动态修改shiroFilter#filterChainDefinitions集合
在shiro包下定义个ShiroService,并使用@Service修饰,需要在applicaitonContext-base.xml中扫描shiro包的类:
<!-- 扫描shrio相关类(包含了@Service ShiroService组件) --> <context:component-scan base-package="com.dx.test.shiro"/>
自定义ShiroService类,内部定义函数
@Service public class ShiroService { @Autowired private SysPermissionMapper sysPermissionMapper; /** * 将applicationContext-shiro.xml中shiroFilter.filterChainDefinitions配置信息与sys_permission合并。 */ public Map<String, String> mergeFilterChainDefinitions(Map<String, String> oldFilterChainDefinitions) { // 权限控制map.从数据库获取 Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); filterChainDefinitionMap.put("/register", "anon"); filterChainDefinitionMap.put("/login", "anon"); filterChainDefinitionMap.put("/error/**", "anon"); filterChainDefinitionMap.put("/kickout", "anon"); /*filterChainDefinitionMap.put("/logout", "logout");*/ filterChainDefinitionMap.put("/css/**", "anon"); filterChainDefinitionMap.put("/js/**", "anon"); filterChainDefinitionMap.put("/img/**", "anon"); filterChainDefinitionMap.put("/libs/**", "anon"); filterChainDefinitionMap.put("/favicon.ico", "anon"); filterChainDefinitionMap.put("/verificationCode", "anon"); List<SysPermission> permissionList = sysPermissionMapper.getAll(); for (SysPermission permission : permissionList) { if (StringUtils.isNotBlank(permission.getPermissionUrl()) && StringUtils.isNotBlank(permission.getPermissionValue())) { String perm = "perms[" + permission.getPermissionValue() + "]"; filterChainDefinitionMap.put(permission.getPermissionUrl(), perm + ",kickout"); } } filterChainDefinitionMap.put("/**", "user,kickout"); for (Map.Entry<String, String> entry : oldFilterChainDefinitions.entrySet()) { if (false == filterChainDefinitionMap.containsKey(entry.getKey())) { filterChainDefinitionMap.put(entry.getKey(), entry.getValue()); } } return filterChainDefinitionMap; } /** * 重置 filterChainDefinitions */ public void reloadPermission(ServletContext servletContext) { ShiroFilterFactoryBean shiroFilterFactoryBean = WebApplicationContextUtils.getWebApplicationContext(servletContext).getBean(ShiroFilterFactoryBean.class); synchronized (shiroFilterFactoryBean) { AbstractShiroFilter shiroFilter = null; try { shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean .getObject(); } catch (Exception e) { throw new RuntimeException( "get ShiroFilter from shiroFilterFactoryBean error!"); } PathMatchingFilterChainResolver filterChainResolver = (PathMatchingFilterChainResolver) shiroFilter.getFilterChainResolver(); DefaultFilterChainManager defaultFilterChainManager = (DefaultFilterChainManager) filterChainResolver.getFilterChainManager(); Map<String, String> oldFilterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap(); Map<String, String> newFilterChainDefinitionMap = mergeFilterChainDefinitions(oldFilterChainDefinitionMap); // 清空老的权限控制 defaultFilterChainManager.getFilterChains().clear(); shiroFilterFactoryBean.getFilterChainDefinitionMap().clear(); shiroFilterFactoryBean.setFilterChainDefinitionMap(newFilterChainDefinitionMap); // 重新构建生成 Map<String, String> chains = shiroFilterFactoryBean.getFilterChainDefinitionMap(); for (Map.Entry<String, String> entry : chains.entrySet()) { String url = entry.getKey(); String chainDefinition = entry.getValue().trim().replace(" ", ""); defaultFilterChainManager.createChain(url, chainDefinition); } } } }
模拟修改资源时,调用修改示例:
@Controller @RequestMapping(value = "/role") public class SysRoleController { @Autowired private MyRealm myRealm; @Autowired private ShiroService shiroService; /** * 模拟修改了用户的资源信息(增删改), * 1)需要同步到shiroFilter的filterChainDefinitions属性。 * 2)清空在线用户的授权缓存信息。(下次用户调用授权时,会重新执行MyShiro#doGetAuthorizationInfo(...)方法) * */ @RequestMapping(value="/updatePermission",method=RequestMethod.GET) public String updatePermission(SysPermission sysPermission, Map<String,String> map, HttpServletRequest request){ BaseResult baseResult = null; ResultEnum enu = null; // 模拟:在这里做了以下业务: // 1)修改了资源下的资源信息; // 2)删除了资源; // 3)修改了用户的资源信息。 this.shiroService.reloadPermission(request.getServletContext()); this.myRealm.clearAllCache(); enu = ResultEnum.Success; baseResult = new BaseResult(enu.getCode(), enu.getMessage(), enu.getDesc()); map.put("result", "已处理完成"); return "role/list.html"; } }
3)如何统计在线用户数、剔除用户?
1)在ShiroService中加入如下获取在线用户方法,以及剔除用户方法
@Service public class ShiroService { @Autowired private RedisSessionDao redisSessionDao; @Autowired private SessionManager sessionManager; @Autowired private RedisCacheManager redisCacheManager; /** * 从redis中获取到在线用户 */ public List<UserOnlineVo> getOnlineUserList() { Collection<Session> sessions = redisSessionDao.getActiveSessions(); Iterator<Session> it = sessions.iterator(); List<UserOnlineVo> userOnlineVoList = new ArrayList<UserOnlineVo>(); // 遍历session while (it.hasNext()) { // 这是shiro已经存入session的 // 现在直接取就是了 Session session = it.next(); //标记为已提出的不加入在线列表 if (session.getAttribute("kickout") != null) { continue; } UserOnlineVo userOnlineVo = getOnlineUserinfoFromSession(session); if (userOnlineVo != null) { userOnlineVoList.add(userOnlineVo); } } return userOnlineVoList; } /** * 剔出在线用户 */ public void kickout(Serializable sessionId, String username) { getSessionBysessionId(sessionId).setAttribute("kickout", true); //读取缓存,找到并从队列中移除 Cache<String, Deque<Serializable>> cache = redisCacheManager.getCache(redisCacheManager.getKeyPrefix() + username); Deque<Serializable> deques = cache.get(username); for (Serializable deque : deques) { if (sessionId.equals(deque)) { deques.remove(deque); break; } } cache.put(username, deques); } private Session getSessionBysessionId(Serializable sessionId) { Session kickoutSession = sessionManager.getSession(new DefaultSessionKey(sessionId)); return kickoutSession; } private UserOnlineVo getOnlineUserinfoFromSession(Session session) { //获取session登录信息。 Object obj = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY); if (null == obj) { return null; } //确保是 SimplePrincipalCollection对象。 if (obj instanceof SimplePrincipalCollection) { SimplePrincipalCollection spc = (SimplePrincipalCollection) obj; obj = spc.getPrimaryPrincipal(); if (null != obj && obj instanceof SysUser) { SysUser user = (SysUser) obj; //存储session + user 综合信息 UserOnlineVo userOnlineVo = new UserOnlineVo(); //最后一次和系统交互的时间 userOnlineVo.setLastAccess(session.getLastAccessTime()); //主机的ip地址 userOnlineVo.setHost(session.getHost()); //session ID userOnlineVo.setSessionId(session.getId().toString()); //最后登录时间 userOnlineVo.setLastLoginTime(session.getStartTimestamp()); //回话到期 ttl(ms) userOnlineVo.setTimeout(session.getTimeout()); //session创建时间 userOnlineVo.setStartTime(session.getStartTimestamp()); //是否踢出 userOnlineVo.setSessionStatus(false); /*用户名*/ userOnlineVo.setUsername(user.getUsername()); return userOnlineVo; } } return null; } }
2)在/webapp/WEB-INF/templates/online/下,添加list.html
<!DOCTYPE html> <html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro"> <head> <meta charset="UTF-8"> <title>Online user page</title> <style> td{ border:solid #add9c0; border-width:0px 1px 1px 0px; } table{ border:solid #add9c0; border-width:1px 0px 0px 1px; border-collapse: collapse; } </style> </head> <body> <h3>在线用户列表</h3> <table> <thead> <tr> <td>会话id</td> <td>用户名</td> <td>主机地址</td> <td>最后访问时间</td> <td>操作</td> </tr> </thead> <tbody> <shiro:hasPermission name="online:list"> <tr th:each="m : ${list}"><!-- 其中m是个临时变量,像for(User u : userList)那样中的u--> <td th:text="${m.sessionId}"/> <td th:text="${m.username}"/> <td th:text="${m.host}"/> <td th:text="${m.lastAccess}"/> <td> <shiro:hasPermission name="online:remove"> <a href="/online/delete?id=${m.sessionId}">剔除</a> </shiro:hasPermission> </td> </tr> </shiro:hasPermission> </tbody> </table> <shiro:lacksPermission name="online:list"> <p> Sorry, you are not allowed to access online user information. </p> </shiro:lacksPermission> <shiro:lacksPermission name="online:remove"> <p> Sorry, you are not allowed to remove online user. </p> </shiro:lacksPermission> </body> </html>
3)添加OnelineUserController.java类
@Controller @RequestMapping(value = "/online") public class OnlineUserController { @Autowired private ShiroService shiroService; @RequestMapping(value = "/list", method = RequestMethod.GET) public ModelAndView list() { ModelAndView mv = new ModelAndView(); mv.setViewName("online/list.html"); List<UserOnlineVo> userOnlineVoList = this.shiroService.getOnlineUserList(); mv.addObject("list", userOnlineVoList); return mv; } /** * 强制踢出用户 */ @RequestMapping(value = "/kickout", method = RequestMethod.GET) @ResponseBody public String kickout(String sessionId, String username) { try { if (SecurityUtils.getSubject().getSession().getId().equals(sessionId)) { return "不能踢出自己"; } shiroService.kickout(sessionId, username); return "踢出用户成功"; } catch (Exception e) { return "踢出用户失败"; } } }
4)测试列表页面:
基础才是编程人员应该深入研究的问题,比如:
1)List/Set/Map内部组成原理|区别
2)mysql索引存储结构&如何调优/b-tree特点、计算复杂度及影响复杂度的因素。。。
3)JVM运行组成与原理及调优
4)Java类加载器运行原理
5)Java中GC过程原理|使用的回收算法原理
6)Redis中hash一致性实现及与hash其他区别
7)Java多线程、线程池开发、管理Lock与Synchroined区别
8)Spring IOC/AOP 原理;加载过程的。。。
【+加关注】。
