修改shiro为无状态，修改cas依赖provided

hcframe-parent/hcframe-base/pom.xml

@@ -203,7 +203,7 @@
             <groupId>org.jasig.cas.client</groupId>
             <artifactId>cas-client-core</artifactId>
             <version>3.5.0</version>
-            <scope>compile</scope>
+            <scope>provided</scope>
         </dependency>
     </dependencies>
     <build>

hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/shiro/NoStateFilter.java

@@ -0,0 +1,78 @@
+package com.hcframe.base.module.shiro;
+
+import com.alibaba.fastjson.JSON;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * auth过滤器
+ *
+ * @Author lhc
+ */
+public class NoStateFilter extends AccessControlFilter {
+
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+        return false;
+    }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+        //获取请求token，如果token不存在，直接返回
+        String token = getRequestToken((HttpServletRequest) request);
+        if (StringUtils.isBlank(token)) {
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
+            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+            String myOrigin = httpServletRequest.getHeader("origin");
+            httpResponse.setContentType("application/json;charset=utf-8");
+            httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
+            httpResponse.setHeader("Access-Control-Allow-Headers", "x-requested-with, X-Access-Token, datasource-Key");
+            httpResponse.setHeader("Access-Control-Allow-Origin", myOrigin);
+            httpResponse.setCharacterEncoding("UTF-8");
+            Map<String, Object> result = new HashMap<>();
+            result.put("code", 3);
+            result.put("msg", "未登陆");
+            String json = JSON.toJSONString(result);
+            httpResponse.getWriter().print(json);
+            return false;
+        }
+        try {
+            getSubject(request, response).login(new AuthToken(token));
+        } catch (Exception e) {
+            e.printStackTrace();
+            onLoginFail(response); //6、登录失败
+            return false;
+        }
+        return true;
+    }
+
+    //登录失败时默认返回401状态码
+    private void onLoginFail(ServletResponse response) throws IOException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        httpResponse.getWriter().write("login error");
+    }
+
+    /**
+     * 获取请求的token
+     */
+    private String getRequestToken(HttpServletRequest httpRequest) {
+        //从header中获取token
+        String token = httpRequest.getHeader("X-Access-Token");
+        //如果header中不存在token，则从参数中获取token
+        if (StringUtils.isBlank(token)) {
+            if (StringUtils.isBlank(token)) {
+                token = httpRequest.getParameter("token");
+            }
+        }
+        return token;
+    }
+}

hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/shiro/ShiroConfig.java

@@ -1,11 +1,16 @@
 package com.hcframe.base.module.shiro;
 
 import com.hcframe.base.module.shiro.service.SystemRealm;
+import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
+import org.apache.shiro.mgt.DefaultSubjectDAO;
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.session.mgt.DefaultSessionManager;
+import org.apache.shiro.session.mgt.SessionManager;
 import org.apache.shiro.spring.LifecycleBeanPostProcessor;
 import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
 import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
 import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.apache.shiro.web.mgt.DefaultWebSubjectFactory;
 import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -38,22 +43,41 @@ public class ShiroConfig {
      */
     @Bean
     public CustomRealm myShiroRealm() {
+        CustomRealm customRealm = new CustomRealm();
+        customRealm.setCachingEnabled(false);
         return new CustomRealm();
     }
 
-//    @Bean
-//    public DefaultWebSessionManager sessionManager() {
-//        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
-//        sessionManager.setSessionIdUrlRewritingEnabled(false);
-//        return sessionManager;
-//    }
+    @Bean
+    public DefaultWebSubjectFactory subjectFactory() {
+        return new StatelessDefaultSubjectFactory();
+    }
 
     /**
-     *  权限管理，配置主要是Realm的管理认证
+     * 自定义sessionManager
+     *
+     * @return
+     */
+    @Bean
+    public SessionManager sessionManager() {
+        DefaultSessionManager shiroSessionManager = new DefaultSessionManager();
+        shiroSessionManager.setSessionValidationSchedulerEnabled(false);
+        return shiroSessionManager;
+    }
+
+    /**
+     * 权限管理，配置主要是Realm的管理认证
      */
     @Bean("securityManager")
     public SecurityManager securityManager() {
         DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
+        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
+        DefaultSessionStorageEvaluator defaultSessionStorageEvaluator = new DefaultSessionStorageEvaluator();
+        defaultSessionStorageEvaluator.setSessionStorageEnabled(false);
+        subjectDAO.setSessionStorageEvaluator(defaultSessionStorageEvaluator);
+        securityManager.setSubjectDAO(subjectDAO);
+        securityManager.setSubjectFactory(subjectFactory());
+        securityManager.setSessionManager(sessionManager());
         securityManager.setRealm(myShiroRealm());
         return securityManager;
     }
@@ -63,12 +87,11 @@ public class ShiroConfig {
      * Filter工厂，设置对应的过滤条件和跳转条件
      */
     @Bean("shiroFilter")
-    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
+    public ShiroFilterFactoryBean shiroFilterFactoryBean() {
         ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
-        shiroFilterFactoryBean.setSecurityManager(securityManager);
-        Map<String, Filter> filters = new HashMap<>();
-        filters.put("auth", new AuthFilter());
-        shiroFilterFactoryBean.setFilters(filters);
+        shiroFilterFactoryBean.setSecurityManager(securityManager());
+        Map<String, Filter> filters = new HashMap<>(1);
+        filters.put("auth", new NoStateFilter());
         shiroFilterFactoryBean.setFilters(filters);
         shiroFilterFactoryBean.setFilterChainDefinitionMap(systemRealm.setShiroUrl());
         return shiroFilterFactoryBean;

hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/shiro/ShiroSessionManager.java

@@ -0,0 +1,45 @@
+package com.hcframe.base.module.shiro;
+
+import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
+import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
+import org.apache.shiro.web.util.WebUtils;
+import org.springframework.util.StringUtils;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.Serializable;
+
+/**
+ * @author lhc
+ * @version 1.0
+ * @className ShiroSessionManager
+ * @date 2021年04月19日 2:56 下午
+ * @description 描述
+ */
+public class ShiroSessionManager extends DefaultWebSessionManager {
+
+    private static final String AUTHORIZATION = "X-Access-Token";
+
+    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";
+
+    public ShiroSessionManager(){
+        super();
+    }
+
+    @Override
+    protected Serializable getSessionId(ServletRequest request, ServletResponse response){
+        String id = WebUtils.toHttp(request).getHeader(AUTHORIZATION);
+        System.out.println("id："+id);
+        if(StringUtils.isEmpty(id)){
+            //如果没有携带id参数则按照父类的方式在cookie进行获取
+            System.out.println("super："+super.getSessionId(request, response));
+            return super.getSessionId(request, response);
+        }else{
+            //如果请求头中有 authToken 则其值为sessionId
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,REFERENCED_SESSION_ID_SOURCE);
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID,id);
+            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID,Boolean.TRUE);
+            return id;
+        }
+    }
+}

hcframe-parent/hcframe-base/src/main/java/com/hcframe/base/module/shiro/StatelessDefaultSubjectFactory.java

@@ -0,0 +1,22 @@
+package com.hcframe.base.module.shiro;
+
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.SubjectContext;
+import org.apache.shiro.web.mgt.DefaultWebSubjectFactory;
+
+/**
+ * @author lhc
+ * @version 1.0
+ * @className StatelessDefaultSubjectFactory
+ * @date 2021年04月19日 1:54 下午
+ * @description 描述
+ */
+public class StatelessDefaultSubjectFactory extends DefaultWebSubjectFactory {
+
+    @Override
+    public Subject createSubject(SubjectContext context) {
+        //不创建session
+        context.setSessionCreationEnabled(false);
+        return super.createSubject(context);
+    }
+}