jwt和shiro的区别
时间: 2023-11-05 16:24:10 浏览: 46
JWT(JSON Web Token)和Shiro都是用于身份验证和授权的工具,但是它们之间有一些区别。
JWT是一种开放的标准,可以在不同的系统中共享和使用,它使用JSON格式来传输信息,包括身份验证和授权信息。JWT通常被用于跨域认证,例如,当用户从一个系统登录后,可以使用JWT在另一个系统中进行身份验证。同时,JWT也可以用于无状态的身份验证,即服务器不需要保存会话状态就可以验证用户身份。
而Shiro是一个Java安全框架,提供了身份验证、授权、加密和会话管理等功能。Shiro支持多种身份验证方式,包括基于表单的身份验证、基于双因素认证的身份验证等。Shiro也支持多种授权策略,包括基于角色的授权、基于权限的授权等。
总的来说,JWT更适合用于跨域身份验证和无状态身份验证,而Shiro则更适合用于Java应用程序的身份验证和授权。
相关问题
jwt和shiro的流程
两者都是用户认证和授权的框架,但具体流程略有不同。JWT令牌通常用于前后端分离的应用中,它在用户登录成功后颁发一个JWT令牌,包含用户信息和过期时间,前端存储在localStorage或cookie中,后续请求时在请求头上带上这个JWT令牌,后端通过解析令牌验证用户是否授权,从而判断是否允许访问对应API。
而Shiro是一个基于RBAC(基于角色的访问控制)的安全框架,它提供了认证、授权、加密、会话管理等功能,Shiro的认证流程一般包括用户向Shiro提供用户名和密码,Shiro通过Realm获取用户数据进行比对,最终返回一个Subject对象表示用户身份和权限信息,前端在后续请求时带上Subject信息,在Shiro过滤器中进行拦截和权限判断。
springboot整和jwt、shiro、redis
Spring Boot可以集成JWT、Shiro和Redis来实现身份认证和授权,以下是一个基本的实现步骤:
1. 集成JWT
添加依赖
```
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
```
创建JWT工具类
```
public class JwtUtils {
private static final String SECRET_KEY = "jwt_secret_key";
private static final long EXPIRATION_TIME = 864_000_000; // 10天
public static String generateToken(String subject) {
return Jwts.builder()
.setSubject(subject)
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_TIME))
.signWith(SignatureAlgorithm.HS512, SECRET_KEY)
.compact();
}
public static String getSubject(String token) {
try {
return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody().getSubject();
} catch (JwtException e) {
return null;
}
}
}
```
使用JWT进行身份认证
```
@RestController
@RequestMapping("/api")
public class UserController {
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {
// 验证用户名密码
if (userValid(loginRequest.getUsername(), loginRequest.getPassword())) {
String token = JwtUtils.generateToken(loginRequest.getUsername());
return ResponseEntity.ok(new JwtResponse(token));
} else {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
}
@GetMapping("/user")
public ResponseEntity<?> getUser(@RequestHeader("Authorization") String authHeader) {
String token = authHeader.substring(7);
String subject = JwtUtils.getSubject(token);
if (subject != null) {
User user = getUserByUsername(subject);
return ResponseEntity.ok(user);
} else {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
}
}
```
2. 集成Shiro
添加依赖
```
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-starter</artifactId>
<version>1.7.1</version>
</dependency>
```
配置Shiro
```
@Configuration
public class ShiroConfig {
@Bean
public Realm realm() {
return new UserRealm();
}
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm());
return securityManager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager());
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/api/login", "anon");
filterChainDefinitionMap.put("/api/logout", "logout");
filterChainDefinitionMap.put("/api/**", "authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
chainDefinition.addPathDefinition("/api/login", "anon");
chainDefinition.addPathDefinition("/api/logout", "logout");
chainDefinition.addPathDefinition("/api/**", "authc");
return chainDefinition;
}
}
```
创建UserRealm
```
public class UserRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = (String) principals.getPrimaryPrincipal();
Set<String> roles = getUserRoles(username);
Set<String> permissions = getUserPermissions(username);
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setRoles(roles);
authorizationInfo.setStringPermissions(permissions);
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
String password = getPasswordByUsername(username);
if (password == null) {
throw new UnknownAccountException();
}
return new SimpleAuthenticationInfo(username, password, getName());
}
}
```
使用Shiro进行身份认证
```
@RestController
@RequestMapping("/api")
public class UserController {
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(loginRequest.getUsername(), loginRequest.getPassword());
try {
subject.login(token);
String jwtToken = JwtUtils.generateToken(loginRequest.getUsername());
return ResponseEntity.ok(new JwtResponse(jwtToken));
} catch (AuthenticationException e) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
}
@GetMapping("/user")
public ResponseEntity<?> getUser() {
Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated()) {
String username = (String) subject.getPrincipal();
User user = getUserByUsername(username);
return ResponseEntity.ok(user);
} else {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
}
@PostMapping("/logout")
public ResponseEntity<?> logout() {
Subject subject = SecurityUtils.getSubject();
subject.logout();
return ResponseEntity.ok().build();
}
}
```
3. 集成Redis
添加依赖
```
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
```
配置Redis
```
@Configuration
public class RedisConfig {
@Bean
public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory factory) {
RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
redisTemplate.setConnectionFactory(factory);
redisTemplate.setKeySerializer(new StringRedisSerializer());
redisTemplate.setValueSerializer(new Jackson2JsonRedisSerializer<>(Object.class));
return redisTemplate;
}
@Bean
public CacheManager cacheManager(RedisConnectionFactory factory) {
RedisCacheConfiguration config = RedisCacheConfiguration.defaultCacheConfig()
.entryTtl(Duration.ofHours(1));
return RedisCacheManager.builder(factory)
.cacheDefaults(config)
.build();
}
}
```
实现Redis缓存
```
@Service
public class UserServiceImpl implements UserService {
private final UserRepository userRepository;
private final RedisTemplate<String, User> redisTemplate;
private final CacheManager cacheManager;
public UserServiceImpl(UserRepository userRepository, RedisTemplate<String, User> redisTemplate, CacheManager cacheManager) {
this.userRepository = userRepository;
this.redisTemplate = redisTemplate;
this.cacheManager = cacheManager;
}
@Override
public User getUserById(Long id) {
String key = "user:" + id;
ValueOperations<String, User> ops = redisTemplate.opsForValue();
if (redisTemplate.hasKey(key)) {
return ops.get(key);
} else {
User user = userRepository.findById(id).orElse(null);
if (user != null) {
ops.set(key, user);
Cache cache = cacheManager.getCache("userCache");
if (cache != null) {
cache.put(key, user);
}
}
return user;
}
}
@Override
public void updateUser(User user) {
userRepository.save(user);
String key = "user:" + user.getId();
redisTemplate.delete(key);
Cache cache = cacheManager.getCache("userCache");
if (cache != null) {
cache.evict(key);
}
}
}
```
以上是整合Spring Boot、JWT、Shiro和Redis的基本实现步骤,具体实现可以根据自己的需求进行调整和扩展。