修改shiro 兼容性问题

2026-04-13 19:58:49 +08:00
parent 5d74578aa3
commit e8235eeec5
6 changed files with 94 additions and 61 deletions
--- a/src/main/java/com/label/common/shiro/ShiroConfig.java
+++ b/src/main/java/com/label/common/shiro/ShiroConfig.java
@@ -2,9 +2,10 @@ package com.label.common.shiro;

 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.label.common.redis.RedisService;
-import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.DefaultSubjectDAO;
 import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -12,18 +13,7 @@ import org.springframework.context.annotation.Configuration;
 import java.util.List;

 /**
- * Shiro 安全配置。
- *
- * 设计说明：
- * - 使用 Spring 的 FilterRegistrationBean 注册 TokenFilter（jakarta.servlet），
- *   替代 Shiro 的 ShiroFilterFactoryBean（javax.servlet），避免 Shiro 1.x 与
- *   Spring Boot 3.x 之间的 javax/jakarta 命名空间冲突。
- * - URL 路由逻辑内聚于 TokenFilter.shouldNotFilter()：
- *     /api/auth/login → 跳过（公开）
- *     非 /api/ 路径   → 跳过（公开）
- *     /api/**         → 强制校验 Bearer Token
- * - SecurityUtils.setSecurityManager() 必须在此处调用，
- *   以便 @RequiresRoles 等 AOP 注解和 SecurityUtils.getSubject() 可正常工作。
+ * Shiro security configuration for the Jakarta servlet stack.
 */
@Configuration
 public class ShiroConfig {
@@ -35,22 +25,28 @@ public class ShiroConfig {

    @Bean
    public SecurityManager securityManager(UserRealm userRealm) {
-        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+        // Keep Shiro on the core stack. Shiro 1.x web classes depend on javax.servlet.
+        DefaultSecurityManager manager = new DefaultSecurityManager();
        manager.setRealms(List.of(userRealm));
-        // 设置全局 SecurityManager，使 SecurityUtils.getSubject() 及 AOP 注解可用
-        SecurityUtils.setSecurityManager(manager);
+        manager.setSubjectDAO(statelessSubjectDao());
        return manager;
    }

-    @Bean
-    public TokenFilter tokenFilter(RedisService redisService, ObjectMapper objectMapper) {
-        return new TokenFilter(redisService, objectMapper);
+    private DefaultSubjectDAO statelessSubjectDao() {
+        DefaultSessionStorageEvaluator evaluator = new DefaultSessionStorageEvaluator();
+        evaluator.setSessionStorageEnabled(false);
+
+        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
+        subjectDAO.setSessionStorageEvaluator(evaluator);
+        return subjectDAO;
+    }
+
+    @Bean
+    public TokenFilter tokenFilter(RedisService redisService, ObjectMapper objectMapper,
+                                   SecurityManager securityManager) {
+        return new TokenFilter(redisService, objectMapper, securityManager);
    }

-    /**
-     * 将 TokenFilter 注册为 Servlet 过滤器，覆盖所有路径。
-     * 实际的路径过滤逻辑由 TokenFilter.shouldNotFilter() 控制。
-     */
    @Bean
    public FilterRegistrationBean<TokenFilter> tokenFilterRegistration(TokenFilter tokenFilter) {
        FilterRegistrationBean<TokenFilter> registration = new FilterRegistrationBean<>();
--- a/src/main/java/com/label/common/shiro/TokenFilter.java
+++ b/src/main/java/com/label/common/shiro/TokenFilter.java
@@ -11,7 +11,9 @@ import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ThreadContext;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
@@ -38,6 +40,7 @@ public class TokenFilter extends OncePerRequestFilter {

    private final RedisService redisService;
    private final ObjectMapper objectMapper;
+    private final SecurityManager securityManager;

    @Value("${shiro.auth.enabled:true}")
    private boolean authEnabled;
@@ -78,7 +81,7 @@ public class TokenFilter extends OncePerRequestFilter {
                TokenPrincipal principal = new TokenPrincipal(
                        mockUserId, mockRole, mockCompanyId, mockUsername, "mock-token");
                CompanyContext.set(mockCompanyId);
-                SecurityUtils.getSubject().login(new BearerToken("mock-token", principal));
+                bindSubject(principal);
                request.setAttribute("__token_principal__", principal);
                filterChain.doFilter(request, response);
                return;
@@ -113,7 +116,7 @@ public class TokenFilter extends OncePerRequestFilter {

            // 创建 TokenPrincipal 并登录 Shiro Subject，使 @RequiresRoles 等注解生效
            TokenPrincipal principal = new TokenPrincipal(userId, role, companyId, username, token);
-            SecurityUtils.getSubject().login(new BearerToken(token, principal));
+            bindSubject(principal);
            request.setAttribute("__token_principal__", principal);
            redisService.expire(RedisKeyManager.tokenKey(token), tokenTtlSeconds);
            redisService.expire(RedisKeyManager.userSessionsKey(userId), tokenTtlSeconds);
@@ -126,9 +129,21 @@ public class TokenFilter extends OncePerRequestFilter {
            // 关键：必须清除 ThreadLocal，防止线程池复用时数据串漏
            CompanyContext.clear();
            ThreadContext.unbindSubject();
+            ThreadContext.unbindSecurityManager();
        }
    }

+    private void bindSubject(TokenPrincipal principal) {
+        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, UserRealm.class.getName());
+        Subject subject = new Subject.Builder(securityManager)
+                .principals(principals)
+                .authenticated(true)
+                .sessionCreationEnabled(false)
+                .buildSubject();
+        ThreadContext.bind(securityManager);
+        ThreadContext.bind(subject);
+    }
+
    private void writeUnauthorized(HttpServletResponse resp, String message) throws IOException {
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.setContentType(MediaType.APPLICATION_JSON_VALUE + ";charset=UTF-8");
--- a/src/main/java/com/label/module/source/controller/SourceController.java
+++ b/src/main/java/com/label/module/source/controller/SourceController.java
@@ -33,7 +33,7 @@ public class SourceController {
     * 上传文件（multipart/form-data）。
     * 返回 201 Created + 资料摘要。
     */
-    @Operation(summary = "上传原始资料")
+    @Operation(summary = "上传原始资料", description = "dataType: text,image, video")
    @PostMapping("/upload")
    @RequiresRoles("UPLOADER")
    @ResponseStatus(HttpStatus.CREATED)