fix shiro filter

src/main/java/com/yunzhi/nanyang/controller/LoginController.java

@@ -86,8 +86,8 @@ public class LoginController extends BaseController {
 
     @GetMapping("/401")
     @ApiOperation(value="401无权限", notes = "401无权限", httpMethod = "GET", response = ResponseBean.class)
-    public ResponseBean unAuth() throws Exception {
-        return ResponseBean.error("未登录或暂无权限", ResponseBean.ERROR_AUTH_FAIL);
+    public ResponseBean unAuth(@RequestParam(value = "msg", defaultValue = "未登录或暂无权限") String msg) throws Exception {
+        return ResponseBean.error(msg, ResponseBean.ERROR_AUTH_FAIL);
     }
 
 //    @PutMapping("/admin/change-password")

src/main/java/com/yunzhi/nanyang/shiro/filters/JWTFilter.java

@@ -2,6 +2,7 @@ package com.yunzhi.nanyang.shiro.filters;
 
 import com.yunzhi.nanyang.shiro.utils.JWTToken;
 import com.yunzhi.nanyang.shiro.utils.JWTUtil;
+import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
@@ -13,6 +14,8 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 
 public class JWTFilter extends AuthenticatingFilter {
 
@@ -38,13 +41,21 @@ public class JWTFilter extends AuthenticatingFilter {
         return new JWTToken(authorization);
     }
 
+    @Override
+    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
+        AuthenticationToken token = this.createToken(request, response);
+        Subject subject = this.getSubject(request, response);
+        subject.login(token);
+        return this.onLoginSuccess(token, subject, request, response);
+    }
+
     @Override
     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
         boolean allowed = false;
         try {
             allowed = executeLogin(request, response);
         } catch (Exception e) {
-            response401(request, response);
+            response401(request, response, e);
         }
 
         return allowed;
@@ -73,11 +84,20 @@ public class JWTFilter extends AuthenticatingFilter {
     /**
      *Jump illegal request to / 401
      */
-    private void response401(ServletRequest request, ServletResponse response) {
+    private void response401(ServletRequest request, ServletResponse response, Exception e) {
+        String message = "";
+        if (e != null) {
+            try {
+                message = URLEncoder.encode(e.getMessage(), "UTF-8");
+            } catch (UnsupportedEncodingException ex) {
+                //
+            }
+        }
+
         try {
-            WebUtils.toHttp(response).sendRedirect(unauthorizedUrl);
-        } catch (IOException e) {
-            LOGGER.error(e.getMessage());
+            WebUtils.toHttp(response).sendRedirect(unauthorizedUrl + "?msg=" + message);
+        } catch (IOException e1) {
+            LOGGER.error(e1.getMessage());
         }
     }
 }

src/main/java/com/yunzhi/nanyang/shiro/matcher/JWTCredentialsMatcher.java

@@ -1,6 +1,5 @@
 package com.yunzhi.nanyang.shiro.matcher;
 
-import com.yunzhi.nanyang.shiro.utils.JWTUtil;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.credential.CredentialsMatcher;
@@ -8,7 +7,10 @@ import org.apache.shiro.authc.credential.CredentialsMatcher;
 public class JWTCredentialsMatcher implements CredentialsMatcher {
     @Override
     public boolean doCredentialsMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
-        String token = authenticationToken.getCredentials().toString();
-        return JWTUtil.verify(token);
+//        String token = authenticationToken.getCredentials().toString();
+//        return JWTUtil.verify(token);
+
+        // 校验在 realm 做过了
+        return true;
     }
 }

src/main/java/com/yunzhi/nanyang/shiro/realms/manager/ManagerRealm.java

@@ -1,11 +1,10 @@
 package com.yunzhi.nanyang.shiro.realms.manager;
 
+import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.TokenExpiredException;
 import com.yunzhi.nanyang.shiro.utils.JWTToken;
 import com.yunzhi.nanyang.shiro.utils.JWTUtil;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.*;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.realm.AuthorizingRealm;
@@ -43,10 +42,24 @@ public class ManagerRealm extends AuthorizingRealm {
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
         String token = (String) authenticationToken.getPrincipal();
+
+        // 这里进行 token 验证, CredentialsMatcher 就不做了
+        try {
+            JWTUtil.verify(token);
+        } catch (JWTDecodeException e1) {
+            throw new AuthenticationException("非法的权限凭证");
+        } catch (TokenExpiredException e2) {
+            throw new ExpiredCredentialsException("授权过期, 请重新登录");
+        } catch (Exception e) {
+            e.printStackTrace();
+            throw new AuthenticationException("凭证校验失败, 请重新登录");
+        }
+
+
         String loginId = JWTUtil.getLoginId(token);
 
         if (!iManagerService.verify(loginId)) {
-            throw new AuthenticationException("User is abnormal");
+            throw new LockedAccountException("用户不存在或者状态异常");
         }
 
         // 交给 AuthenticatingRealm 使用 CredentialsMatcher 行校验

src/main/java/com/yunzhi/nanyang/shiro/utils/JWTUtil.java

@@ -3,7 +3,9 @@ package com.yunzhi.nanyang.shiro.utils;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.JWTVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.JWTVerifier;
 
 import java.util.Date;
 
@@ -52,14 +54,13 @@ public class JWTUtil {
         return sign(loginId, secret);
     }
 
-    public static boolean verify(String token) {
-        try {
-            JWT.decode(token);
-            return true;
-        } catch (Exception e) {
-            e.printStackTrace();
-            return false;
-        }
+    public static void verify(String token) throws JWTVerificationException {
+        DecodedJWT jwt = JWT.decode(token);
+        String loginId = jwt.getSubject();
+        String secret = jwt.getClaim("secret").asString();
+        Algorithm algorithm = Algorithm.HMAC256(secret);
+        JWTVerifier verifier = JWT.require(algorithm).withSubject(loginId).build();
+        verifier.verify(jwt);
     }
 
 }