package cn.chnmuseum.party.auth.realm;
import cn.chnmuseum.party.auth.token.JwtToken;
import cn.chnmuseum.party.auth.util.JwtTokenUtil;
import cn.chnmuseum.party.model.*;
import cn.chnmuseum.party.service.PermissionService;
import cn.chnmuseum.party.service.RolePermissionService;
import cn.chnmuseum.party.service.RoleService;
import cn.chnmuseum.party.service.TUserService;
import cn.chnmuseum.party.service.impl.EmployeeRoleServiceImpl;
import cn.chnmuseum.party.service.impl.EmployeeServiceImpl;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.redis.core.StringRedisTemplate;
import javax.annotation.Resource;
import java.util.*;
/**
* 身份校验核心类
*/
public class MyShiroRealm extends AuthorizingRealm {
private static final Logger LOGGER = LoggerFactory.getLogger(MyShiroRealm.class);
private static final String SHIRO_JWT_TOKEN = "shiro:jwt:token:";
//用户登录次数计数 redisKey 前缀
private String SHIRO_LOGIN_COUNT = "shiro_login_count_";
//用户登录是否被锁定 一小时 redisKey 前缀
private String SHIRO_IS_LOCK = "shiro_is_lock_";
@Resource
private PermissionService permissionService;
@Resource
private RoleService roleService;
@Resource
private EmployeeServiceImpl employeeService;
@Resource
private EmployeeRoleServiceImpl employeeRoleService;
@Resource
private RolePermissionService rolePermissionService;
@Resource
private StringRedisTemplate stringRedisTemplate;
@Resource
private TUserService userService;
/**
* 必须重写此方法,不然Shiro会报错
*/
@Override
public boolean supports(AuthenticationToken token) {
return token instanceof JwtToken;
}
/**
* 认证信息.(身份验证) : Authentication 是用来验证用户身份
*
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String credentials = (String) token.getCredentials();
if (credentials == null) {
throw new AuthenticationException("token为空!");
}
Boolean hasToken = stringRedisTemplate.hasKey(SHIRO_JWT_TOKEN + credentials);
if (hasToken == null || !hasToken) {
throw new AuthenticationException("用户未登录!");
}
String username = JwtTokenUtil.getUsername(credentials);
if (username == null) {
throw new AuthenticationException("token invalid");
}
LOGGER.info("MyShiroRealm doGetAuthenticationInfo().username=" + username);
// 通过username从数据库中查找
// 实际项目中,这里可以根据实际情况做缓存,如果不做,Shiro自己也是有时间间隔机制,2分钟内不会重复执行该方法
String userId = JwtTokenUtil.getEmployeeId(credentials);
TUser user = userService.getById(userId);
if (user == null) {
throw new AuthenticationException("User does not exist!");
}
user = userService.selectByUsername(user.getUserName());
if (JwtTokenUtil.verify(credentials, username) == null) {
throw new AuthenticationException("token invalid");
}
return new SimpleAuthenticationInfo(new TUser(user.getId(), user.getUserName(), user.getOrgId(), user.getOrgName(), credentials), credentials, getName());
}
/**
* 授权
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
System.out.println("权限认证方法:MyShiroRealm.doGetAuthorizationInfo()");
TUser user = (TUser) principals.getPrimaryPrincipal();
Boolean hasToken = stringRedisTemplate.hasKey(SHIRO_JWT_TOKEN + user.getJwtToken());
if (hasToken == null || !hasToken) {
throw new AuthenticationException("token invalid!");
}
String userId = JwtTokenUtil.getEmployeeId(user.getJwtToken());
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
List<Role> list = roleService.selectRoleByUserId(userId);
List<String> ridList = new ArrayList<>();
if (list != null && !list.isEmpty()) {
// 根据用户ID查询角色(role),放入到Authorization里。
Map<String, Object> map = new HashMap<>();
map.put("user_id", userId);
List<EmployeeRole> employeeRoleList = this.employeeRoleService.listByMap(map);
for (EmployeeRole employeeRole : employeeRoleList) {
ridList.add(employeeRole.getRoleId());
}
List<Role> roleList = this.roleService.listByIds(ridList);
Set<String> roleSet = new LinkedHashSet<>();
for (Role role : list) {
roleSet.add(role.getAlias());
ridList.add(role.getId());
}
info.setRoles(roleSet);
}
// 根据用户ID查询权限(permission)放入到Authorization里。
QueryWrapper<RolePermission> wrapper = new QueryWrapper<>();
wrapper.in("rid", ridList).select("pid");
List<Object> permissionIdList = this.rolePermissionService.listObjs(wrapper);
List<Permission> permissionList = new ArrayList<>();
if (permissionIdList.size() > 0) {
QueryWrapper<Permission> ew = new QueryWrapper<>();
ew.in("id", permissionIdList);
permissionList = this.permissionService.list(ew);
}
Set<String> permissionSet = new HashSet<>();
for (Permission permission : permissionList) {
permissionSet.add(permission.getUrl());
}
info.setStringPermissions(permissionSet);
return info;
}
public void clearCachedAuthenticationInfo(String token) {
SimplePrincipalCollection principals = new SimplePrincipalCollection(new Employee(token), getName());
clearCachedAuthenticationInfo(principals);
}
@Override
public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
super.clearCachedAuthorizationInfo(principals);
}
@Override
public void clearCachedAuthenticationInfo(PrincipalCollection principals) {
super.clearCachedAuthenticationInfo(principals);
}
@Override
public void clearCache(PrincipalCollection principals) {
super.clearCache(principals);
}
private void clearAllCachedAuthorizationInfo() {
getAuthorizationCache().clear();
}
private void clearAllCachedAuthenticationInfo() {
getAuthenticationCache().clear();
}
public void clearAllCache() {
clearAllCachedAuthenticationInfo();
clearAllCachedAuthorizationInfo();
}
}