shiro+casマイクロサービス化ノート
shiro+casマイクロサービス化ノート
1.Spring Boot構成
次の2つのプロファイルがあります:ShiroBaseConfig.java
import lombok.extern.log4j.Log4j;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
*
* Description: shiro conf
*
* @author Dean.Hwang
* @date 17/5/18
*/
@Configuration
@Log4j
public class ShiroBaseConfiguration {
@Value("${cas.server.url.prefix}")
private String casPrefix;
@Value("${cas.service}")
private String casService;
/**
* Cookie
*
* @return
*/
@Bean
public SimpleCookie sessionIdCookie() {
SimpleCookie simpleCookie = new SimpleCookie("sid");
simpleCookie.setHttpOnly(true);
simpleCookie.setMaxAge(1800000);
return simpleCookie;
}
/**
* Cookie
*
* @return
*/
@Bean
public SimpleCookie rememberCookie() {
SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
simpleCookie.setHttpOnly(true);
simpleCookie.setMaxAge(2592000);//30
return simpleCookie;
}
/**
* rememberMe
*
* @return
*/
@Bean
public CookieRememberMeManager rememberMeManager(SimpleCookie rememberCookie) {
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCipherKey(Base64.decode(""));// rememberMe cookie AES (128 256 512 )
cookieRememberMeManager.setCookie(rememberCookie);
return cookieRememberMeManager;
}
/**
* DAO
*
* @return
*/
@Bean
public MemorySessionDAO sessionDAO() {
return new MemorySessionDAO();
}
@Bean
public CacheManager shiroCacheManager() {
return new MemoryConstrainedCacheManager();
}
@Bean
public KryCasRealm casRealm(CacheManager shiroCacheManager) {
return new KryCasRealm(casPrefix, casService, shiroCacheManager);
}
@Bean
public CasFilter casFilter() {
CasFilter casFilter = new CasFilter();
casFilter.setEnabled(true);
casFilter.setName("casFilter");
casFilter.setFailureUrl("/authority/casFailure");
return casFilter;
}
}
次にJAvaファイル
import com.keruyun.portal.portalbiz.sso.KryCasRealm;
import com.keruyun.portal.portalbiz.sso.filter.PortalUserFilter;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.cas.CasSubjectFactory;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.Map;
/**
*
* Description: com.keruyun.portal.portalbiz.conf.shiro
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/5/18
*/
@Configuration
@AutoConfigureAfter(
{ShiroBaseConfiguration.class}
)
public class ShiroManagerConfiguration {
@Autowired
private KryCasRealm kryCasRealm;
@Autowired
private CacheManager shiroCacheManager;
@Autowired
private CookieRememberMeManager rememberMeManager;
@Value("${cas.server.login.url}")
private String loginUrl;
@Value("${cas.client.url.prefix}")
private String urlPrefix;
@Autowired
private CasFilter casFilter;
@Value("${cas.server.logout.url}")
private String logoutUrl;
@Value("${cas.client.index.url}")
private String indexUrl;
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(kryCasRealm);
securityManager.setSessionManager(new ServletContainerSessionManager());
securityManager.setCacheManager(shiroCacheManager);
securityManager.setRememberMeManager(rememberMeManager);
securityManager.setSubjectFactory(new CasSubjectFactory());
return securityManager;
}
/**
* SecurityUtils.setSecurityManager(securityManager)
*
* @param securityManager
* @return
*/
@Bean
public MethodInvokingFactoryBean methodInvokingFactoryBean(DefaultWebSecurityManager securityManager) {
MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
bean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");
bean.setArguments(new Object[]{securityManager});
return bean;
}
@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
factoryBean.setSecurityManager(securityManager);
factoryBean.setLoginUrl(loginUrl + serviceStr + urlPrefix + "/cas");
factoryBean.setSuccessUrl("../mind/index.do");
factoryBean.setUnauthorizedUrl("/unauthorized.jsp");
Map filterMap = new HashMap<>();
filterMap.put("cas", casFilter);
filterMap.put("user", portalUserFilter);
// LogoutFilter, spring boot /*
PortalLogoutFilter logoutFilter = new PortalLogoutFilter();
logoutFilter.setRedirectUrl(logoutUrl + serviceStr + indexUrl);
filterMap.put("logout", logoutFilter);
factoryBean.setFilters(filterMap);
Map filters = new HashMap<>();
filters.put("/casFailure.jsp", "anon");
filters.put("/js/**", "anon");
filters.put("/themes/**", "anon");
filters.put("/3rdOauth/**", "anon");
filters.put("/cas", "cas");
filters.put("/logout", "logout");
filters.put("/**", "user");
factoryBean.setFilterChainDefinitionMap(filters);
return factoryBean; }
}
2.UserFilterの改造
2.1改造の原因:
なぜなら、現在、新しいサーバアーキテクチャは前後端から完全に分離されているからです.しかし、shiroは完全な前後端分離をサポートしていない.そのため、単一のログインが完了すると、ターゲットページではなくインタフェースにジャンプします.また、歴史的な理由から、cas検証サーバはビジネスサーバと同じドメインではありません.サーバ側でリダイレクトする必要がある場合は、ドメイン間でリスクがあることを考慮して、ドメイン間でリダイレクトする必要があります.したがって、ssoサーバログインのリダイレクトも再構築しました.jsonに戻るようにし,フロントエンドはjsonを受信して自分でログインページをジャンプする.具体的な実装コードは以下の通りです.protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
Session session = SecurityUtils.getSubject().getSession();
if (session != null) {
SavedRequest savedRequest = new PortalSavedRequest(WebUtils.toHttp(request));// SavedRequest,
session.setAttribute(SAVED_REQUEST_KEY, savedRequest);
}
PrintWriter out = null;
try {
ResultVO
この方法はCasのUserfilterを書き換え,構成時に書き換えたクラスを用いて既存のUserFilterを上書きする.
3.ログイン成功後のリダイレクト:
sso認証サーバのログインが成功すると、ローカルビジネスサーバにリダイレクトされるためです.ローカル・ビジネス・サーバの認証ログインが成功すると、デフォルトで構成されたSuccessUrlにリダイレクトされます.これにより,ユーザの元の要求されたページにページを戻すことはできない.だから私はCasFilterのissueSuccessRedirectを書き直してこの目的を達成しました/**
*
* Description: com.keruyun.portal.portalbiz.sso.filter
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/7/17
*/
public class PortalCasFilter extends CasFilter {
@Override
protected void issueSuccessRedirect(ServletRequest request, ServletResponse response) throws Exception {
String successUrl = ((ShiroHttpServletRequest) request).getHeader("page-url");// header url。 Subject 。
if (StringUtil.isBlank(successUrl)) {
WebUtils.redirectToSavedRequest(request, response, getSuccessUrl());
} else {
WebUtils.redirectToSavedRequest(request, response, successUrl);
}
}
}
4.ユーザーの安全な退出
後期には,既存のlogoutに直接依存するとセッションがログアウトされないことが分かった.だからLogoutFilterを書き直しました.ログイン時に設定したURLを直接呼び出せばよい/**
*
* Description: com.keruyun.portal.portalbiz.sso.filter
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/7/17
*/
public class PortalLogoutFilter extends AdviceFilter {
private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class);
public static final String DEFAULT_REDIRECT_URL = "/";
private String redirectUrl = DEFAULT_REDIRECT_URL;
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = getSubject(request, response);
String redirectUrl = getRedirectUrl(request, response, subject);
//try/catch added for SHIRO-298:
try {
subject.logout();
Session session = subject.getSession();
session.stop();
} catch (SessionException ise) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
}
issueRedirect(request, response, redirectUrl);
return false;
}
}
import lombok.extern.log4j.Log4j;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
*
* Description: shiro conf
*
* @author Dean.Hwang
* @date 17/5/18
*/
@Configuration
@Log4j
public class ShiroBaseConfiguration {
@Value("${cas.server.url.prefix}")
private String casPrefix;
@Value("${cas.service}")
private String casService;
/**
* Cookie
*
* @return
*/
@Bean
public SimpleCookie sessionIdCookie() {
SimpleCookie simpleCookie = new SimpleCookie("sid");
simpleCookie.setHttpOnly(true);
simpleCookie.setMaxAge(1800000);
return simpleCookie;
}
/**
* Cookie
*
* @return
*/
@Bean
public SimpleCookie rememberCookie() {
SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
simpleCookie.setHttpOnly(true);
simpleCookie.setMaxAge(2592000);//30
return simpleCookie;
}
/**
* rememberMe
*
* @return
*/
@Bean
public CookieRememberMeManager rememberMeManager(SimpleCookie rememberCookie) {
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCipherKey(Base64.decode(""));// rememberMe cookie AES (128 256 512 )
cookieRememberMeManager.setCookie(rememberCookie);
return cookieRememberMeManager;
}
/**
* DAO
*
* @return
*/
@Bean
public MemorySessionDAO sessionDAO() {
return new MemorySessionDAO();
}
@Bean
public CacheManager shiroCacheManager() {
return new MemoryConstrainedCacheManager();
}
@Bean
public KryCasRealm casRealm(CacheManager shiroCacheManager) {
return new KryCasRealm(casPrefix, casService, shiroCacheManager);
}
@Bean
public CasFilter casFilter() {
CasFilter casFilter = new CasFilter();
casFilter.setEnabled(true);
casFilter.setName("casFilter");
casFilter.setFailureUrl("/authority/casFailure");
return casFilter;
}
}
import com.keruyun.portal.portalbiz.sso.KryCasRealm;
import com.keruyun.portal.portalbiz.sso.filter.PortalUserFilter;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.cas.CasSubjectFactory;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.ServletContainerSessionManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.Map;
/**
*
* Description: com.keruyun.portal.portalbiz.conf.shiro
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/5/18
*/
@Configuration
@AutoConfigureAfter(
{ShiroBaseConfiguration.class}
)
public class ShiroManagerConfiguration {
@Autowired
private KryCasRealm kryCasRealm;
@Autowired
private CacheManager shiroCacheManager;
@Autowired
private CookieRememberMeManager rememberMeManager;
@Value("${cas.server.login.url}")
private String loginUrl;
@Value("${cas.client.url.prefix}")
private String urlPrefix;
@Autowired
private CasFilter casFilter;
@Value("${cas.server.logout.url}")
private String logoutUrl;
@Value("${cas.client.index.url}")
private String indexUrl;
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(kryCasRealm);
securityManager.setSessionManager(new ServletContainerSessionManager());
securityManager.setCacheManager(shiroCacheManager);
securityManager.setRememberMeManager(rememberMeManager);
securityManager.setSubjectFactory(new CasSubjectFactory());
return securityManager;
}
/**
* SecurityUtils.setSecurityManager(securityManager)
*
* @param securityManager
* @return
*/
@Bean
public MethodInvokingFactoryBean methodInvokingFactoryBean(DefaultWebSecurityManager securityManager) {
MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
bean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");
bean.setArguments(new Object[]{securityManager});
return bean;
}
@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
factoryBean.setSecurityManager(securityManager);
factoryBean.setLoginUrl(loginUrl + serviceStr + urlPrefix + "/cas");
factoryBean.setSuccessUrl("../mind/index.do");
factoryBean.setUnauthorizedUrl("/unauthorized.jsp");
Map filterMap = new HashMap<>();
filterMap.put("cas", casFilter);
filterMap.put("user", portalUserFilter);
// LogoutFilter, spring boot /*
PortalLogoutFilter logoutFilter = new PortalLogoutFilter();
logoutFilter.setRedirectUrl(logoutUrl + serviceStr + indexUrl);
filterMap.put("logout", logoutFilter);
factoryBean.setFilters(filterMap);
Map filters = new HashMap<>();
filters.put("/casFailure.jsp", "anon");
filters.put("/js/**", "anon");
filters.put("/themes/**", "anon");
filters.put("/3rdOauth/**", "anon");
filters.put("/cas", "cas");
filters.put("/logout", "logout");
filters.put("/**", "user");
factoryBean.setFilterChainDefinitionMap(filters);
return factoryBean; }
}
protected void saveRequestAndRedirectToLogin(ServletRequest request, ServletResponse response) throws IOException {
Session session = SecurityUtils.getSubject().getSession();
if (session != null) {
SavedRequest savedRequest = new PortalSavedRequest(WebUtils.toHttp(request));// SavedRequest,
session.setAttribute(SAVED_REQUEST_KEY, savedRequest);
}
PrintWriter out = null;
try {
ResultVOsso認証サーバのログインが成功すると、ローカルビジネスサーバにリダイレクトされるためです.ローカル・ビジネス・サーバの認証ログインが成功すると、デフォルトで構成されたSuccessUrlにリダイレクトされます.これにより,ユーザの元の要求されたページにページを戻すことはできない.だから私はCasFilterのissueSuccessRedirectを書き直してこの目的を達成しました
/**
*
* Description: com.keruyun.portal.portalbiz.sso.filter
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/7/17
*/
public class PortalCasFilter extends CasFilter {
@Override
protected void issueSuccessRedirect(ServletRequest request, ServletResponse response) throws Exception {
String successUrl = ((ShiroHttpServletRequest) request).getHeader("page-url");// header url。 Subject 。
if (StringUtil.isBlank(successUrl)) {
WebUtils.redirectToSavedRequest(request, response, getSuccessUrl());
} else {
WebUtils.redirectToSavedRequest(request, response, successUrl);
}
}
}
4.ユーザーの安全な退出
後期には,既存のlogoutに直接依存するとセッションがログアウトされないことが分かった.だからLogoutFilterを書き直しました.ログイン時に設定したURLを直接呼び出せばよい/**
*
* Description: com.keruyun.portal.portalbiz.sso.filter
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/7/17
*/
public class PortalLogoutFilter extends AdviceFilter {
private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class);
public static final String DEFAULT_REDIRECT_URL = "/";
private String redirectUrl = DEFAULT_REDIRECT_URL;
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = getSubject(request, response);
String redirectUrl = getRedirectUrl(request, response, subject);
//try/catch added for SHIRO-298:
try {
subject.logout();
Session session = subject.getSession();
session.stop();
} catch (SessionException ise) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
}
issueRedirect(request, response, redirectUrl);
return false;
}
}
/**
*
* Description: com.keruyun.portal.portalbiz.sso.filter
*
*
* Copyright: Copyright (c) 2015
*
*
* Company:
*
*
* @author Dean.Hwang
* @date 17/7/17
*/
public class PortalLogoutFilter extends AdviceFilter {
private static final Logger log = LoggerFactory.getLogger(LogoutFilter.class);
public static final String DEFAULT_REDIRECT_URL = "/";
private String redirectUrl = DEFAULT_REDIRECT_URL;
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
Subject subject = getSubject(request, response);
String redirectUrl = getRedirectUrl(request, response, subject);
//try/catch added for SHIRO-298:
try {
subject.logout();
Session session = subject.getSession();
session.stop();
} catch (SessionException ise) {
log.debug("Encountered session exception during logout. This can generally safely be ignored.", ise);
}
issueRedirect(request, response, redirectUrl);
return false;
}
}