
阶段提交

laowo 3 years ago
parent
commit
549ff42e72

+ 21 - 27
src/main/java/com/usky/config/shiro/ShiroConfig.java

@@ -53,18 +53,7 @@ public class ShiroConfig {
     }
 
     /**
-     * 添加自己的过滤器,自定义url规则
-     * Shiro自带拦截器配置规则
-     * rest:比如/admins/user/**=rest[user],根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等
-     * port:比如/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数
-     * perms:比如/admins/user/**=perms[user:add:*],perms参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,比如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法
-     * roles:比如/admins/user/**=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,比如/admins/user/**=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。//要实现or的效果看http://zgzty.blog.163.com/blog/static/83831226201302983358670/
-     * anon:比如/admins/**=anon 没有参数,表示可以匿名使用
-     * authc:比如/admins/user/**=authc表示需要认证才能使用,没有参数
-     * authcBasic:比如/admins/user/**=authcBasic没有参数表示httpBasic认证
-     * ssl:比如/admins/user/**=ssl没有参数,表示安全的url请求,协议为https
-     * user:比如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查
-     * 详情见文档 http://shiro.apache.org/web.html#urls-
+
      * @param securityManager
      * @return org.apache.shiro.spring.web.ShiroFilterFactoryBean
      * @author laowo
@@ -73,46 +62,51 @@ public class ShiroConfig {
     @Bean("shiroFilter")
     public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
         ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
-        // 添加自己的过滤器取名为jwt
         Map<String, Filter> filterMap = new HashMap<>(16);
         filterMap.put("jwt", new JwtFilter());
         factoryBean.setFilters(filterMap);
         factoryBean.setSecurityManager(securityManager);
         // 自定义url规则使用LinkedHashMap有序Map
         LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(16);
-        // Swagger接口文档
-        // filterChainDefinitionMap.put("/v2/api-docs", "anon");
-        // filterChainDefinitionMap.put("/webjars/**", "anon");
-        // filterChainDefinitionMap.put("/swagger-resources/**", "anon");
-        // filterChainDefinitionMap.put("/swagger-ui.html", "anon");
-        // filterChainDefinitionMap.put("/doc.html", "anon");
+     //    Swagger接口文档
+        filterChainDefinitionMap.put("/doc.html", "anon");
+        filterChainDefinitionMap.put("/**/*.js", "anon");
+        filterChainDefinitionMap.put("/**/*.css", "anon");
+        filterChainDefinitionMap.put("/**/*.html", "anon");
+        filterChainDefinitionMap.put("/**/*.svg", "anon");
+        filterChainDefinitionMap.put("/**/*.pdf", "anon");
+        filterChainDefinitionMap.put("/**/*.jpg", "anon");
+        filterChainDefinitionMap.put("/**/*.png", "anon");
+        filterChainDefinitionMap.put("/**/*.ico", "anon");
+        filterChainDefinitionMap.put("/**/*.ttf", "anon");
+        filterChainDefinitionMap.put("/**/*.woff", "anon");
+        filterChainDefinitionMap.put("/**/*.woff2", "anon");
+        filterChainDefinitionMap.put("/druid/**", "anon");
+        filterChainDefinitionMap.put("/swagger-ui.html", "anon");
+        filterChainDefinitionMap.put("/swagger**/**", "anon");
+        filterChainDefinitionMap.put("/webjars/**", "anon");
+        filterChainDefinitionMap.put("/v2/**", "anon");
         // 公开接口
         // filterChainDefinitionMap.put("/api/**", "anon");
         // 登录接口放开
-        filterChainDefinitionMap.put("/user/login", "anon");
-        // 所有请求通过我们自己的JWTFilter
+        filterChainDefinitionMap.put("/sys/login", "anon");
         filterChainDefinitionMap.put("/**", "jwt");
         factoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
         return factoryBean;
     }
 
-    /**
-     * 下面的代码是添加注解支持
-     */
+
     @Bean
     @DependsOn("lifecycleBeanPostProcessor")
     public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
         DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
-        // 强制使用cglib,防止重复代理和可能引起代理出错的问题,https://zhuanlan.zhihu.com/p/29161098
         defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
         return defaultAdvisorAutoProxyCreator;
     }
-
     @Bean
     public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
         return new LifecycleBeanPostProcessor();
     }
-
     @Bean
     public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
         AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
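Review bot: The new `anon` rules in shiroFilterFactoryBean are much wider than the Swagger resources the comment says they are for: `/druid/**` puts the Druid monitoring console outside the `jwt` filter entirely, `/v2/**` and `/swagger**/**` cover far more than `/v2/api-docs`, and the extension rules (`/**/*.html`, `/**/*.js`, ...) are matched before the final `/**=jwt` entry, so any application endpoint whose path ends in one of those suffixes is also served unauthenticated. The narrower lines would be `filterChainDefinitionMap.put("/v2/api-docs", "anon");` in place of `/v2/**`, and `/druid/**` either dropped or mapped to `jwt` (the console should not be reachable without a token). It is worth a comment on this map stating that Shiro applies the first matching definition, so the order of `anon` rules relative to `/**` is load-bearing. Minor style point: the `//    Swagger接口文档` comment is indented one column off from the surrounding statements.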

+ 1 - 9
src/main/java/com/usky/config/shiro/UserRealm.java

@@ -29,10 +29,6 @@ import java.util.Set;
 @Service
 @Slf4j
 public class UserRealm extends AuthorizingRealm {
-
-    @Resource
-    @Lazy
-    private LoginService loginService;
     @Resource
     @Lazy
     private UserService userService;
@@ -44,7 +40,7 @@ public class UserRealm extends AuthorizingRealm {
     private RedisUtil redisUtil;
 
     /**
-     * 大坑,必须重写此方法,不然Shiro会报错
+     * 必须重写此方法,不然Shiro会报错
      */
     @Override
     public boolean supports(AuthenticationToken authenticationToken) {
@@ -83,7 +79,6 @@ public class UserRealm extends AuthorizingRealm {
         }
         return simpleAuthorizationInfo;
     }
-
     /**
      * 默认使用此方法进行用户名正确与否验证,错误抛出异常即可。
      */
@@ -112,8 +107,6 @@ public class UserRealm extends AuthorizingRealm {
         }
         throw new AuthenticationException("Token已过期(Token expired or incorrect.)");
     }
-
-
     /**
      * 清除当前用户的权限认证缓存
      *
@@ -123,7 +116,6 @@ public class UserRealm extends AuthorizingRealm {
     public void clearCache(PrincipalCollection principals) {
         super.clearCache(principals);
     }
-
     /**
      * 清理所有用户授权信息缓存
      */

+ 2 - 18
src/main/java/com/usky/config/shiro/jwt/JwtFilter.java

@@ -32,15 +32,6 @@ public class JwtFilter extends BasicHttpAuthenticationFilter {
      */
     private static final Logger logger = LoggerFactory.getLogger(JwtFilter.class);
 
-    /**
-     * 这里我们详细说明下为什么最终返回的都是true,即允许访问
-     * 例如我们提供一个地址 GET /article
-     * 登入用户和游客看到的内容是不同的
-     * 如果在这里返回了false,请求会被直接拦截,用户看不到任何东西
-     * 所以我们在这里返回true,Controller中可以通过 subject.isAuthenticated() 来判断用户是否登入
-     * 如果有些资源只有登入用户才能访问,我们只需要在方法上面加上 @RequiresAuthentication 注解即可
-     * 但是这样做有一个缺点,就是不能够对GET,POST等请求进行分别过滤鉴权(因为我们重写了官方的方法),但实际上对应用影响不大
-     */
     @Override
     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
         // 查看当前Header中是否携带Authorization属性(Token),有的话就进行登录认证授权
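Review bot: The Javadoc removed from isAccessAllowed was the only statement that this override always returns true and that per-endpoint gating relies on `@RequiresAuthentication`, which is the key invariant a reader needs before touching this filter; the second hunk likewise drops the rationale on onAccessDenied that executeLogin() is deliberately not called to avoid re-entering doGetAuthenticationInfo(). A one-line replacement on each would keep the intent: `/** Always grants access; authentication is enforced per endpoint via {@code @RequiresAuthentication}. */` and `/** Unlike the parent implementation this does not call executeLogin(), which would re-enter doGetAuthenticationInfo(). */`. The body of isAccessAllowed continues past the end of this hunk.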
@@ -92,20 +83,14 @@ public class JwtFilter extends BasicHttpAuthenticationFilter {
         return true;
     }
 
-    /**
-     * 这里我们详细说明下为什么重写
-     * 可以对比父类方法,只是将executeLogin方法调用去除了
-     * 如果没有去除将会循环调用doGetAuthenticationInfo方法
-     */
+
     @Override
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
         this.sendChallenge(request, response);
         return false;
     }
 
-    /**
-     * 检测Header里面是否包含Authorization字段,有就进行Token登录认证授权
-     */
+
     @Override
     protected boolean isLoginAttempt(ServletRequest request, ServletResponse response) {
         // 拿到当前Header中Authorization的AccessToken(Shiro中getAuthzHeader方法已经实现)
@@ -131,7 +116,6 @@ public class JwtFilter extends BasicHttpAuthenticationFilter {
      */
     @Override
     protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
-        // 跨域已经在OriginFilter处全局配置
         /*HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
         HttpServletResponse httpServletResponse = WebUtils.toHttp(response);
         httpServletResponse.setHeader("Access-control-Allow-Origin", httpServletRequest.getHeader("Origin"));

+ 0 - 5
src/main/java/com/usky/controller/login/LoginController.java

@@ -41,21 +41,16 @@ import javax.servlet.http.HttpServletResponse;
 @Api(tags = "登录")
 @PropertySource("classpath:config.properties")
 public class LoginController {
-    @Autowired
-    private UserService userService;
     @Autowired
     private LoginService loginService;
     @Autowired
     private RedisUtil redisUtil;
-
     /**
      * RefreshToken过期时间
      */
     @Value("${refreshTokenExpireTime}")
     private String refreshTokenExpireTime;
-
     @PostMapping("login")
-    //   @ApiOperation(value = "用户登录")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "loginName", value = "登录名", required = true, paramType = "query"),
             @ApiImplicitParam(name = "passWord", value = "密码", required = true, paramType = "query")

+ 8 - 1
src/main/java/com/usky/controller/sys/UserController.java

@@ -1,10 +1,13 @@
 package com.usky.controller.sys;
 
+import com.usky.constant.Constant;
 import com.usky.entity.sys.SysUserDTO;
 import com.usky.entity.sys.vo.SysUserVO;
+import com.usky.exception.CustomException;
 import com.usky.service.sys.RoleService;
 import com.usky.service.sys.user.UserService;
 import com.usky.utils.*;
+import com.usky.utils.jwt.AesCipherUtil;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
@@ -72,12 +75,16 @@ public class UserController {
         if (ListUtil.isNotBlank(phone)) {
             return Result.error("手机号已存在");
         }
+        if (password.length() > Constant.PASSWORD_MAX_LEN) {
+            throw new CustomException("密码最多8位");
+        }
+        String key = AesCipherUtil.enCrypto(loginName + password);
         SysUserVO user = new SysUserVO();
         user.setLoginName(loginName);
         user.setDeptId(deptId);
         user.setRemark(remark);
         user.setUserName(userName);
-        user.setPassword(password);
+        user.setPassword(key);
         user.setStatus(status);
         user.setRoleIds(roleIds);
         userService.addUser(user);
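Review bot: `String key = AesCipherUtil.enCrypto(loginName + password);` stores a reversible AES encryption of the password instead of a salted hash, so anyone holding the application key and the user table can recover every plaintext password; a password-at-rest must be a one-way, salted, slow hash (bcrypt/scrypt/argon2), and that should stay in the service layer rather than be done per controller. Together with the hashing commented out in UserServiceImpl.addUser in this same commit, the stored value is now fully recoverable. The new length check also hard-codes `8` in the message while the limit is `Constant.PASSWORD_MAX_LEN`; `throw new CustomException("密码最多" + Constant.PASSWORD_MAX_LEN + "位");` keeps them in step, and an 8-character maximum is itself a weak policy worth reconsidering. If `password` can arrive null from the request binding (its origin is outside this hunk), `password.length()` throws before the check. The enclosing method starts outside the hunk.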

+ 6 - 5
src/main/java/com/usky/service/sys/user/UserServiceImpl.java

@@ -33,11 +33,12 @@ public class UserServiceImpl extends BaseDaoImpl implements UserService {
     @Transactional
     public void addUser(SysUserVO user) {
         SysUserDTO sysUserDTO = BeanHelp.copyProperties(user, SysUserDTO.class);
-        String password = sysUserDTO.getPassword();
-        String salt = RandomStringUtils.randomNumeric(6, 8);
-        sysUserDTO.setSalt(salt);
-        Md5Hash md5Hash = new Md5Hash(password, salt); //模拟md5加密一次
-        sysUserDTO.setPassword(md5Hash.toString());
+//        String password = sysUserDTO.getPassword();
+//        String salt = oConvertUtils.randomGen(8);
+//        String passwordEncode = PasswordUtil.encrypt(sysUserDTO.getLoginName(), password, salt);
+//        sysUserDTO.setSalt(salt);
+//        //    Md5Hash md5Hash = new Md5Hash(password, salt); //模拟md5加密一次
+//        sysUserDTO.setPassword(passwordEncode);
         sysUserDTO.setStatus("0");
         //用户类型
         sysUserDTO.setUserType("01");
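Review bot: With the salt and hash lines commented out, addUser now persists whatever is in `user.getPassword()` verbatim and never sets `salt` on the DTO, so the salt column is left unset and the stored password is only as protected as the caller made it; hashing belongs here, once, so every caller of addUser gets the same protection. Commented-out code should be deleted rather than left in the method (it also references `oConvertUtils` and `PasswordUtil`, which do not appear elsewhere in this diff). If the intent is that the service no longer hashes, say so in the method's Javadoc: `/** Persists the user as given; the caller is responsible for the stored password form. */` — though the safer fix is to keep a salted slow hash here.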

+ 0 - 2
src/main/java/com/usky/utils/ShiroUtils.java

@@ -44,8 +44,6 @@ public class ShiroUtils {
         SysUserVO user = null;
         Object obj = getSubject().getPrincipal();
         if (obj != null) {
-            //  user = new SysUserVO();
-            //  BeanUtils.copyProperties(user, obj);
             String token = (String) getSubject().getPrincipal();
             String loginName = JwtUtil.getClaim(token, Constant.ACCOUNT);
             user = userService.queryuserByLoginName(loginName);