shiro单点登录原理

单点登录原理"/>

shiro单点登录原理

最近新建的系统中使用了shiro，而shiro框架中包含登录认证和鉴权的功能，因为我们系统要统一接入公司内部的单点登录(isso)系统，所以通过isso的登录用户，需要在shiro中置为已认证，一下提供了两种方案。

1、自建subject并绑定到当前线程(推荐)

import org.apache.shiro.subject.PrincipalCollection;

import org.apache.shiro.subject.SimplePrincipalCollection;

import org.apache.shiro.subject.Subject;

import org.apache.shiro.util.ThreadContext;

import org.apache.shiro.web.subject.WebSubject;

/**

* shiro对登录用户进行认证

*

* @param request

* @param response

* @param loginUser

*/

private void shiroAuthenticationedUser(HttpServletRequest request, HttpServletResponse response, String loginUser) {

// UserRealm是用户认证和授权的具体实现类

PrincipalCollection principals = new SimplePrincipalCollection(

loginUser, "FcocmpClientRealm");

WebSubject.Builder builder = new WebSubject.Builder(request, response);

builder.principals(principals);

// 已认证

builder.authenticated(true);

// 保证shiro创建的sessionId与原有的sessionId不一致，统一取原有sessionId

builder.sessionId(request.getSession().getId());

WebSubject subject = builder.buildWebSubject();

ThreadContext.bind(subject);

}

2、使用isso用户进行shiro登录认证

import org.apache.shiro.authc.UsernamePasswordToken;

import org.apache.shiro.subject.Subject;

// loginUser是单点登录用户ID

UsernamePasswordToken token = new UsernamePasswordToken(loginUser, "", true);

Subject subject = org.apache.shiro.SecurityUtils.getSubject();

subject.login(token);

使用这个方案有可能会出现sessin异常问题：当切换登录用户时，执行subject.login(token)时，会用前一次用户的sessionId取session，导致session获取不到异常。

Caused by: org.apache.shiro.session.InvalidSessionException: java.lang.IllegalStateException: UT000010: Session not found g0gOlfwQXA1fHxriNq-JasOr

at org.apache.shiro.web.session.HttpServletSession.getAttribute(HttpServletSession.java:148) [shiro-web-1.4.0.jar:1.4.0]

at org.apache.shiro.web.session.HttpServletSession.getHost(HttpServletSession.java:98) [shiro-web-1.4.0.jar:1.4.0]

at org.apache.shiro.session.ProxiedSession.getHost(ProxiedSession.java:93) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.subject.support.DefaultSubjectContext.resolveHost(DefaultSubjectContext.java:273) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.web.subject.support.DefaultWebSubjectContext.resolveHost(DefaultWebSubjectContext.java:51) [shiro-web-1.4.0.jar:1.4.0]

at org.apache.shiro.web.mgt.DefaultWebSubjectFactory.createSubject(DefaultWebSubjectFactory.java:58) [shiro-web-1.4.0.jar:1.4.0]

at org.apache.shiro.mgt.DefaultSecurityManager.doCreateSubject(DefaultSecurityManager.java:373) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:348) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:187) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:287) [shiro-core-1.4.0.jar:1.4.0]

at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [shiro-core-1.4.0.jar:1.4.0]