大佬教程收集整理的这篇文章主要介绍了Spring Security 入门篇,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
本文是一个笔记系列,目标是完成一个基于角色的权限访问控制系统(RBAC),有基本的用户、角色、权限管理,重点在Spring Security的各种配置。万丈高楼平地起,接下来,一步一步,由浅入深,希望给一起学习的小伙伴一个参考。
1. Hello Security
按照惯例,先写个Hello World
首先,引入依赖
1 <dependency>
2 <groupId>org.springframework.boot</groupId>
3 <artifactId>spring-boot-starter-security</artifactId>
4 </dependency>
先来理清楚“认证”和“授权”两个概念。认证就是告诉我你是谁,授权就是你可以做什么。结合实际项目通俗地来讲,认证就是登录,授权就是访问资源。故而,我们需要先有用户和资源,先简单地定义几个内存用户和资源吧,为此需要在WebSecurtiyConfigurerAdapter中进行配置。
WebSecurityConfig.java
1 package com.example.demo.config;
2
3 import org.springframework.context.Annotation.bean;
4 import org.springframework.context.Annotation.Configuration;
5 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
6 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
7 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
8 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
9 import org.springframework.security.crypto.password.passwordEncoder;
10
11 @Configuration
12 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
13
14 @Override
15 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
16 auth.inMemoryAuthentication()
17 .withUser(@H_56_197@"zhangsan").password(passwordEncoder().encode(@H_56_197@"123456")).roles(@H_56_197@"user")
18 .and()
19 .withUser(@H_56_197@"admin").password(passwordEncoder().encode(@H_56_197@"123456")).roles(@H_56_197@"admin")
20 .and()
21 .passwordEncoder(passwordEncoder());
22 }
23
24 @Override
25 protected void configure(httpSecurity http) throws Exception {
26 http.formLogin()
27 // .loginPage("/login.html")
28 .loginProcessingUrl(@H_56_197@"/login")
29 .usernameParameter(@H_56_197@"username")
30 .passwordParameter(@H_56_197@"password")
31 .defaultsuccessUrl(@H_56_197@"/")
32 .and()
33 .authorizerequests()
34 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
35 .antMatchers(@H_56_197@"/Hello/sayHello").hasAnyAuthority(@H_56_197@"ROLE_user", @H_56_197@"ROLE_admin")
36 .antMatchers(@H_56_197@"/Hello/sayHi").hasAnyRole(@H_56_197@"admin")
37 .anyrequest().authenticated();
38 }
39
40 @Bean
41 public passwordEncoder passwordEncoder() {
42 return new BCryptpasswordEncoder();
43 }
44 }
HelloController.java
1 package com.example.demo.controller;
2
3 import org.springframework.web.bind.Annotation.GetMapping;
4 import org.springframework.web.bind.Annotation.requestMapping;
5 import org.springframework.web.bind.Annotation.RestController;
6
7 @RestController
8 @requestMapping(@H_56_197@"/Hello")
9 public class HelloController {
10
11 @GetMapping(@H_56_197@"/sayHello")
12 public String sayHello() {
13 return @H_56_197@"Hello";
14 }
15
16 @GetMapping(@H_56_197@"/sayHi")
17 public String sayHi() {
18 return @H_56_197@"hi";
19 }
20
21 }
项目结构
定义了两个用户zhangsan和admin,他们的密码都是123456,zhangsan的角色是user可以访问/Hello/sayHello,admin的角色是admin可以访问/Hello/sayHello和Hello/sayHi
2. 认证成功/失败处理
按照刚才的写法,登录成功之后是跳到/页面,失败跳转到登录页。但是,对于前后端分离的项目,我希望它返回json数据,而不是重定向到某个页面
处理用户名和密码登录的过滤器是org.springframework.security.web.authentication.UsernamepasswordAuthenticationFilter,既然是过滤器,直接看doFilter方法
不用多说,自定义认证成功处理器
1 package com.example.demo.handler;
2
3 import com.fasterxml.jackson.databind.objectMapper;
4 import org.springframework.security.core.Authentication;
5 import org.springframework.security.web.authentication.SavedrequestAwareAuthenticationsuccessHandler;
6 import org.springframework.stereotype.Component;
7
8 import javax.servlet.ServletException;
9 import javax.servlet.http.httpServletrequest;
10 import javax.servlet.http.httpServletResponse;
11 import java.io.IOException;
12
13 @Component
14 public class @H_415_57@myAuthenticationsuccessHandler extends SavedrequestAwareAuthenticationsuccessHandler {
15
16 private static ObjectMapper objectMapper = new ObjectMapper();
17
18 @Override
19 public void onAuthenticationsuccess(httpServletrequest request, httpServletResponse response, Authentication authentication) throws ServletException, IOException {
20 response.setContentType(@H_56_197@"application/json;charset=utf-8");
21 response.getWriter().write(objectMapper.writeValueAsString(@H_56_197@"ok"));
22 }
23 }
自定义认证失败处理器
1 package com.example.demo.handler;
2
3 import com.fasterxml.jackson.databind.objectMapper;
4 import org.springframework.security.core.AuthenticationException;
5 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
6 import org.springframework.stereotype.Component;
7
8 import javax.servlet.ServletException;
9 import javax.servlet.http.httpServletrequest;
10 import javax.servlet.http.httpServletResponse;
11 import java.io.IOException;
12
13 @Component
14 public class @H_415_57@myAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
15
16 private static ObjectMapper objectMapper = new ObjectMapper();
17
18 @Override
19 public void onAuthenticationFailure(httpServletrequest request, httpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
20 response.setContentType(@H_56_197@"application/json;charset=utf-8");
21 response.getWriter().write(objectMapper.writeValueAsString(@H_56_197@"error"));
22 }
23 }
WebSecurityConfig配置
1 package com.example.demo.config;
2
3 import com.example.demo.handler.MyAuthenticationFailureHandler;
4 import com.example.demo.handler.MyAuthenticationsuccessHandler;
5 import com.example.demo.handler.MyExpiredSessionStrategy;
6 import org.springframework.beans.factory.Annotation.Autowired;
7 import org.springframework.context.Annotation.bean;
8 import org.springframework.context.Annotation.Configuration;
9 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
10 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
11 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
12 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
13 import org.springframework.security.crypto.password.passwordEncoder;
14
15 @Configuration
16 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
17
18 @Autowired
19 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
20 @Autowired
21 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
22
23 @Override
24 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
25 auth.inMemoryAuthentication()
26 .withUser(@H_56_197@"zhangsan").password(passwordEncoder().encode(@H_56_197@"123456")).roles(@H_56_197@"user")
27 .and()
28 .withUser(@H_56_197@"admin").password(passwordEncoder().encode(@H_56_197@"123456")).roles(@H_56_197@"admin")
29 .and()
30 .passwordEncoder(passwordEncoder());
31 }
32
33 @Override
34 protected void configure(httpSecurity http) throws Exception {
35 http.formLogin()
36 // .loginPage("/login.html")
37 .loginProcessingUrl(@H_56_197@"/login")
38 .usernameParameter(@H_56_197@"username")
39 .passwordParameter(@H_56_197@"password")
40 // .defaultsuccessUrl("/")
41 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
42 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
43 .and()
44 .authorizerequests()
45 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
46 .antMatchers(@H_56_197@"/Hello/sayHello").hasAnyAuthority(@H_56_197@"ROLE_user", @H_56_197@"ROLE_admin")
47 .antMatchers(@H_56_197@"/Hello/sayHi").hasAnyRole(@H_56_197@"admin")
48 .anyrequest().authenticated()
49 .and()
50 .sessionManagement().sessionFixation().@H_415_57@migrateSession()
51 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
52 }
53
54 @Bean
55 public passwordEncoder passwordEncoder() {
56 return new BCryptpasswordEncoder();
57 }
58 }
再多自定义一个Session过期策略,当Session过期或者被踢下线以后的处理逻辑
1 package com.example.demo.handler;
2
3 import com.fasterxml.jackson.databind.objectMapper;
4 import org.springframework.security.web.session.SessionInformationExpiredEvent;
5 import org.springframework.security.web.session.SessionInformationExpiredStrategy;
6
7 import javax.servlet.ServletException;
8 import javax.servlet.http.httpServletResponse;
9 import java.io.IOException;
10
11 public class @H_415_57@myExpiredSessionStrategy implements SessionInformationExpiredStrategy {
12
13 private static ObjectMapper objectMapper = new ObjectMapper();
14
15 @Override
16 public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
17 String @H_737_79@msg = @H_56_197@"登录超时或已在另一台机器登录,您被迫下线!";
18 httpServletResponse response = event.getResponse();
19 response.setContentType(@H_56_197@"application/json;charset=utf-8");
20 response.getWriter().write(objectMapper.writeValueAsString(@H_737_79@msg));
21 }
22 }
3. 从数据库中加载用户及权限
刚才用户是在内存中定义的,这肯定是不行的,下面从数据库中加载用户及其所拥有的权限
最简单的结构是这样的:
为了减少用户的重复授权,引入用户组。将用户加入用户组以后,就自动拥有组所对应的权限。
下面,按照最简单的用户角色权限模型来改造刚才的项目
首先,通过实现UserDetails接口来自定义一个用户信息对象
1 package com.example.demo.@H_415_57@model;
2
3 import org.springframework.security.core.GrantedAuthority;
4 import org.springframework.security.core.userdetailS.UserDetails;
5
6 import java.util.Collection;
7
8 public class @H_415_57@myUserDetails implements UserDetails {
9
10 private String username;
11 private String password;
12 private @R_450_8487@an enabled;
13 private Collection<? extends GrantedAuthority> authorities;
14
15 public @H_415_57@myUserDetails(String username, String password, @R_450_8487@an enabled) {
16 this.username = username;
17 this.password = password;
18 this.enabled = enabled;
19 }
20
21 public void setUsername(String username) {
22 this.username = username;
23 }
24
25 public void setpassword(String password) {
26 this.password = password;
27 }
28
29 public void setEnabled(@R_450_8487@an enabled) {
30 this.enabled = enabled;
31 }
32
33 public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
34 this.authorities = authorities;
35 }
36
37 @Override
38 public Collection<? extends GrantedAuthority> getAuthorities() {
39 return authorities;
40 }
41
42 @Override
43 public String getpassword() {
44 return password;
45 }
46
47 @Override
48 public String getUsername() {
49 return username;
50 }
51
52 @Override
53 public @R_450_8487@an isaccountnonExpired() {
54 return true;
55 }
56
57 @Override
58 public @R_450_8487@an isaccountnonLocked() {
59 return true;
60 }
61
62 @Override
63 public @R_450_8487@an isCredentialsnonExpired() {
64 return true;
65 }
66
67 @Override
68 public @R_450_8487@an isEnabled() {
69 return enabled;
70 }
71 }
有了UserDetails以后,还需要UserDetailsservice去加载它,所以自定义一个UserDetailsservice
@H_569_1@myUserDetailsservice.java
1 package com.example.demo.service;
2
3 import com.example.demo.entity.*;
4 import com.example.demo.model.MyUserDetails;
5 import com.example.demo.repository.*;
6 import org.springframework.beans.factory.Annotation.Autowired;
7 import org.springframework.security.core.GrantedAuthority;
8 import org.springframework.security.core.authority.SimpleGrantedAuthority;
9 import org.springframework.security.core.userdetailS.UserDetails;
10 import org.springframework.security.core.userdetailS.UserDetailsservice;
11 import org.springframework.security.core.userdetails.usernameNotFoundException;
12 import org.springframework.stereotype.Component;
13
14 import java.util.ArrayList;
15 import java.util.List;
16 import java.util.optional;
17 import java.util.stream.Collectors;
18
19 @Component
20 public class @H_415_57@myUserDetailsservice implements UserDetailsservice {
21
22 @Autowired
23 private SysUserRepository sysUserRepository;
24 @Autowired
25 private SysRoleRepository sysRoleRepository;
26 @Autowired
27 private SysUserRoleRelationRepository sysUserRoleRelationRepository;
28 @Autowired
29 private SysRolePermissionRelationRepository sysRolePermissionRelationRepository;
30 @Autowired
31 private SysPermissionRepository sysPermissionRepository;
32
33 @Override
34 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
35 // 查用户
36 Optional<SysUser> optionalSysUser = sysUserRepository.findByUsername(username);
37 SysUser sysUser = optionalSysUser.orElseThrow(()->new UsernameNotFoundException(@H_56_197@"用户名" + username + @H_56_197@"不存在"));
38
39 // 查权限
40 List<SysUserRoleRelation> sysUserRoleRelationList = sysUserRoleRelationRepository.findByUserId(sysUser.getId());
41 List<Integer> rolEIDs = sysUserRoleRelationList.stream().@H_415_57@map(SysUserRoleRelation::getRolEID).collect(Collectors.toList());
42 List<SysRole> sysRoleList = sysRoleRepository.findByIdIn(rolEIDs);
43 List<SysRolePermissionRelation> sysRolePermissionRelationList = sysRolePermissionRelationRepository.findByRolEIDIn(rolEIDs);
44 List<Integer> permissionIds = sysRolePermissionRelationList.stream().@H_415_57@map(SysRolePermissionRelation::getPermissionId).collect(Collectors.toList());
45 List<SysPermission> sysPermissionList = sysPermissionRepository.findByIdIn(permissionIds);
46
47 List<GrantedAuthority> grantedAuthorities = new ArrayList<>(sysPermissionList.size());
48 for (SysPermission permission : sysPermissionList) {
49 grantedAuthorities.add(new SimpleGrantedAuthority(permission.getUrl()));
50 }
51 sysRoleList.forEach(role->grantedAuthorities.add(new SimpleGrantedAuthority(@H_56_197@"ROLE_" + role.getRoleCode())));
52
53 @H_737_79@myUserDetails @H_737_79@myUserDetails = new @H_737_79@myUserDetails(sysUser.getUsername(), sysUser.getpassword(), sysUser.isEnabled());
54 @H_737_79@myUserDetails.setAuthorities(grantedAuthorities);
55
56 return @H_737_79@myUserDetails;
57 }
58 }
这里用的JPA,相关的实体类及Repository太多就不一一贴出来了,只代表性的贴一个
SysRole.java
1 package com.example.demo.entity;
2
3 import lombok.Data;
4
5 import javax.persistence.*;
6 import java.io.serializable;
7 import java.time.LocaldatetiR_73_11845@e;
8
9 @Data
10 @Entity
11 @Table(name = @H_56_197@"sys_role")
12 public class SysRole implements serializable {
13
14 @Id
15 @GeneratedValue(strategy = GenerationType.AUTO)
16 private Integer id;
17
18 private String rolename;
19
20 private String roleCode;
21
22 private String roleDesc;
23
24 private LocaldatetiR_73_11845@e createTime;
25
26 private LocaldatetiR_73_11845@e updatetiR_73_11845@e;
27 }
SysRoleRepository.java
1 package com.example.demo.repository;
2
3 import com.example.demo.entity.SysRole;
4 import org.springframework.data.jpa.repository.JpaRepository;
5
6 import java.util.List;
7
8 public interface SysRoleRepository extends JpaRepository<SysRole, Integer> {
9
10 List<SysRole> findByIdIn(List<Integer> ids);
11 }
application.properties
1 spring.datasource.url=jdbc:mysql://localhost:3306/test
2 spring.datasource.username=root
3 spring.datasource.password=123456
4 spring.datasource.driver-class-name=com.@H_737_79@mysql.jdbc.Driver
5
6 spring.jpa.database=@H_737_79@mysql
最后,也是最重要的是配置WebSecurity
WebSecurityConfig.java
1 package com.example.demo.config;
2
3 import com.example.demo.handler.MyAuthenticationFailureHandler;
4 import com.example.demo.handler.MyAuthenticationsuccessHandler;
5 import com.example.demo.handler.MyExpiredSessionStrategy;
6 import com.example.demo.service.MyUserDetailsservice;
7 import org.springframework.beans.factory.Annotation.Autowired;
8 import org.springframework.context.Annotation.bean;
9 import org.springframework.context.Annotation.Configuration;
10 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
11 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
12 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
13 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
14 import org.springframework.security.crypto.password.passwordEncoder;
15
16 @Configuration
17 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
18
19 @Autowired
20 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
21 @Autowired
22 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
23 @Autowired
24 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
25
26 @Override
27 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
28 auth.userDetailsservice(@H_737_79@myUserDetailsservice).passwordEncoder(passwordEncoder());
29 }
30
31 @Override
32 protected void configure(httpSecurity http) throws Exception {
33 http.formLogin()
34 .loginProcessingUrl(@H_56_197@"/login")
35 .usernameParameter(@H_56_197@"username")
36 .passwordParameter(@H_56_197@"password")
37 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
38 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
39 .and()
40 .authorizerequests()
41 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
42 .antMatchers(@H_56_197@"/Hello/sayHello").hasAnyAuthority(@H_56_197@"ROLE_user", @H_56_197@"ROLE_admin")
43 .antMatchers(@H_56_197@"/Hello/sayHi").hasAnyRole(@H_56_197@"admin")
44 .anyrequest().authenticated()
45 .and()
46 .sessionManagement().sessionFixation().@H_415_57@migrateSession()
47 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
48 }
49
50 @Bean
51 public passwordEncoder passwordEncoder() {
52 return new BCryptpasswordEncoder();
53 }
54
55 }
改完后的项目结构如下
4. 动态加载权限规则配置
鉴权规则就是判断请求的资源是不是在当前用户可访问的资源列表中
那么,首先,定义一个方法来实现这个逻辑
1 package com.example.demo.service;
2
3 import org.springframework.security.core.Authentication;
4 import org.springframework.security.core.authority.SimpleGrantedAuthority;
5 import org.springframework.security.core.userdetailS.UserDetails;
6 import org.springframework.stereotype.Component;
7
8 import javax.servlet.http.httpServletrequest;
9
10 @Component(@H_56_197@"myAccessDecisionservice")
11 public class @H_415_57@myAccessDecisionservice {
12
13 public @R_450_8487@an hasPermission(httpServletrequest request, Authentication authentication) {
14 Object principal = authentication.getPrincipal();
15 if (principal instanceof UserDetails) {
16 UserDetails userDetails = (UserDetails) principal;
17 SimpleGrantedAuthority simpleGrantedAuthority = new SimpleGrantedAuthority(request.getrequestuRI());
18 return userDetails.getAuthorities().contains(simpleGrantedAuthority);
19 }
20 return false;
21 }
22 }
然后,在WebSecurityConfig中配置,替换原来写死的匹配规则
1 package com.example.demo.config;
2
3 import com.example.demo.handler.MyAuthenticationFailureHandler;
4 import com.example.demo.handler.MyAuthenticationsuccessHandler;
5 import com.example.demo.handler.MyExpiredSessionStrategy;
6 import com.example.demo.service.MyUserDetailsservice;
7 import org.springframework.beans.factory.Annotation.Autowired;
8 import org.springframework.context.Annotation.bean;
9 import org.springframework.context.Annotation.Configuration;
10 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
11 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
12 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
13 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
14 import org.springframework.security.crypto.password.passwordEncoder;
15
16 @Configuration
17 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
18
19 @Autowired
20 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
21 @Autowired
22 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
23 @Autowired
24 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
25
26 @Override
27 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
28 auth.userDetailsservice(@H_737_79@myUserDetailsservice)
29 .passwordEncoder(passwordEncoder());
30 }
31
32 @Override
33 protected void configure(httpSecurity http) throws Exception {
34 http.formLogin()
35 .loginProcessingUrl(@H_56_197@"/login")
36 .usernameParameter(@H_56_197@"username")
37 .passwordParameter(@H_56_197@"password")
38 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
39 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
40 .and()
41 .authorizerequests()
42 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
43 .anyrequest().access(@H_56_197@"@myAccessDecisionservice.hasPermission(request, authentication)")
44 .and()
45 .sessionManagement().sessionFixation().@H_415_57@migrateSession()
46 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
47 }
48
49 @Bean
50 public passwordEncoder passwordEncoder() {
51 return new BCryptpasswordEncoder();
52 }
53
54 }
改造后的项目结构如下
关于权限(资源)访问规则,还有一种写法,这种方式是我@R_674_7094@,就是利用 FilterInvocationSecuritymetadatasource 和 AccessDecisionManager
这里我稍微改了一下,先来创建两个实现类
首先是MyFilterInvocationSecuritymetadatasource.java
1 package com.example.demo.service;
2
3 import com.example.demo.entity.SysPermission;
4 import com.example.demo.repository.SysPermissionRepository;
5 import org.springframework.beans.factory.Annotation.Autowired;
6 import org.springframework.security.access.ConfigAttribute;
7 import org.springframework.security.access.SecurityConfig;
8 import org.springframework.security.web.FilterInvocation;
9 import org.springframework.security.web.access.intercept.FilterInvocationSecuritymetadatasource;
10 import org.springframework.stereotype.Component;
11 import org.springframework.util.AntPathMatcher;
12 import org.springframework.util.CollectionUtils;
13
14 import java.util.Collection;
15 import java.util.List;
16 import java.util.stream.Collectors;
17
18 @Component
19 public class @H_415_57@myFilterInvocationSecuritymetadatasource implements FilterInvocationSecuritymetadatasource {
20
21 private AntPathMatcher pathMatcher = new AntPathMatcher();
22
23 @Autowired
24 private SysPermissionRepository sysPermissionRepository;
25
26 @Override
27 public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentexception {
28 String requesturl = ((FilterInvocation) object).getrequesturl();
29
30 // 查找与当前请求URL匹配的所有权限
31 List<SysPermission> sysPermissionList = sysPermissionRepository.findAll();
32 List<String> urls = sysPermissionList.stream()
33 .@H_415_57@map(SysPermission::getUrl)
34 .filter(e->pathMatcher.@H_415_57@match(e, requesturl))
35 .disTinct()
36 .collect(Collectors.toList());
37
38 if (!CollectionUtils.isEmpty(urls)) {
39 return SecurityConfig.createList(urls.toArray(new String[urls.size()]));
40 }
41
42 return SecurityConfig.createList(@H_56_197@"ROLE_login");
43 }
44
45 @Override
46 public Collection<ConfigAttribute> getAllConfigAttributes() {
47 return null;
48 }
49
50 @Override
51 public @R_450_8487@an supports(Class<?> clazz) {
52 return true;
53 }
54 }
@H_569_1@myAccessDecisionManager.java
1 package com.example.demo.service;
2
3 import org.springframework.security.access.AccessDecisionManager;
4 import org.springframework.security.access.AccessDeniedException;
5 import org.springframework.security.access.ConfigAttribute;
6 import org.springframework.security.authentication.AnonymousAuthenticationToken;
7 import org.springframework.security.authentication.InsufficientAuthenticationException;
8 import org.springframework.security.core.Authentication;
9 import org.springframework.security.core.GrantedAuthority;
10 import org.springframework.security.web.FilterInvocation;
11 import org.springframework.stereotype.Component;
12
13 import java.util.Collection;
14 import java.util.List;
15 import java.util.stream.Collectors;
16
17 @Component
18 public class @H_415_57@myAccessDecisionManager implements AccessDecisionManager {
19
20 /**
21 *
22 * @param authentication 当前登录用户,可以获取用户的权限列表
23 * @param object FilterInvocation对象,可以获取请求url
24 * @param configAttributes
25 * @throws AccessDeniedException
26 * @throws InsufficientAuthenticationException
27 */
28 @Override
29 public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
30 String requesturl = ((FilterInvocation) object).getrequesturl();
31 System.out.println(requesturl);
32
33 // 当前用户拥有的权限(能访问的资源)
34 Collection<? extends GrantedAuthority> grantedAuthorities = authentication.getAuthorities();
35 List<String> authorities = grantedAuthorities.stream().@H_415_57@map(GrantedAuthority::getAuthority).collect(Collectors.toList());
36
37 /*if (!authorities.contains(requesturl)) {
38 throw new AccessDeniedException("权限不足");
39 }*/
40
41 // 判断访问当前资源所需要的权限用户是否拥有
42 // PS: 在我看来,其实就是看两个集合是否有交集
43
44 for (ConfigAttribute configAttribute : configAttributes) {
45 String attr = configAttribute.getAttribute();
46 if (@H_56_197@"ROLE_login".equals(attr)) {
47 if (authentication instanceof AnonymousAuthenticationToken) {
48 throw new AccessDeniedException(@H_56_197@"非法请求");
49 }
50 }
51
52 if (authorities.contains(attr)) {
53 return;
54 }
55 }
56
57 throw new AccessDeniedException(@H_56_197@"权限不足");
58 }
59
60 @Override
61 public @R_450_8487@an supports(ConfigAttribute attribute) {
62 return true;
63 }
64
65 @Override
66 public @R_450_8487@an supports(Class<?> clazz) {
67 return true;
68 }
69 }
最后是WebSecurityConfig
1 package com.example.demo.config;
2
3 import com.example.demo.handler.MyAccessDeniedHandler;
4 import com.example.demo.handler.MyAuthenticationFailureHandler;
5 import com.example.demo.handler.MyAuthenticationsuccessHandler;
6 import com.example.demo.handler.MyExpiredSessionStrategy;
7 import com.example.demo.service.MyAccessDecisionManager;
8 import com.example.demo.service.MyFilterInvocationSecuritymetadatasource;
9 import com.example.demo.service.MyUserDetailsservice;
10 import org.springframework.beans.factory.Annotation.Autowired;
11 import org.springframework.context.Annotation.bean;
12 import org.springframework.context.Annotation.Configuration;
13 import org.springframework.security.config.Annotation.objectPostProcessor;
14 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
15 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
16 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
17 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
18 import org.springframework.security.crypto.password.passwordEncoder;
19 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
20
21 @Configuration
22 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
23
24 @Autowired
25 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
26 @Autowired
27 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
28 @Autowired
29 private @H_737_79@myAccessDeniedHandler @H_737_79@myAccessDeniedHandler;
30 @Autowired
31 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
32 @Autowired
33 private @H_737_79@myFilterInvocationSecuritymetadatasource @H_737_79@myFilterInvocationSecuritymetadatasource;
34 @Autowired
35 private @H_737_79@myAccessDecisionManager @H_737_79@myAccessDecisionManager;
36
37 @Override
38 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
39 auth.userDetailsservice(@H_737_79@myUserDetailsservice)
40 .passwordEncoder(passwordEncoder());
41 }
42
43 @Override
44 protected void configure(httpSecurity http) throws Exception {
45 http.formLogin()
46 .loginProcessingUrl(@H_56_197@"/login")
47 .usernameParameter(@H_56_197@"username")
48 .passwordParameter(@H_56_197@"password")
49 .defaultsuccessUrl(@H_56_197@"/")
50 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
51 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
52 .and()
53 .authorizerequests()
54 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
55 .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
56 @Override
57 public <O extends FilterSecurityInterceptor> O postProcess(O object) {
58 object.setSecuritymetadatasource(@H_737_79@myFilterInvocationSecuritymetadatasource);
59 object.setAccessDecisionManager(@H_737_79@myAccessDecisionManager);
60 return object;
61 }
62 })
63 .and()
64 .exceptionHandling().accessDeniedHandler(@H_737_79@myAccessDeniedHandler)
65 .and()
66 .sessionManagement().sessionFixation().@H_415_57@migrateSession()
67 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
68 }
69
70 @Bean
71 public passwordEncoder passwordEncoder() {
72 return new BCryptpasswordEncoder();
73 }
74
75 }
可以看到,FilterInvocationSecuritymetadatasource的作用就是查找当前请求的资源所对应权限,然后将所需的访问权限列表传给AccessDecisionManager;MyAccessDecisionManager的作用是判断用户是否有权限访问,判断的依据就是当前资源所对应的权限是否在用户所拥有的权限列表中。
在我看来,就是判断两个集合是否有交集,有交集就有权限访问,否则没有权限访问
而且,这种方式的权限在表设计上应该是分了url和权限编码的,也就是说权限标识符是code,不是url。首先,用请求url去匹配权限表,找到与之匹配的权限code,后续所有的权限比较都是比较的权限code。这样其实也挺好。
还有一点,注意到com.example.demo.service.MyAccessDecisionManager#decide()方法有三个参数,第一个参数代表当前登录用户,第二个参数代表用户请求,第三个参数代表访问资源所需的权限。
本例中,用的是第一和第三个参数
但是,我觉得可以直接用第一和第二个参数,用户请求也能拿到,用户权限也能拿到,有这些就可以判断用户是否有权限了,这样的话只需要AccessDecisionManager,而不需要FilterInvocationSecuritymetadatasource了
这里补充两点:
1、这里说的权限和资源是一个意思
2、关于资源访问控制,有两种写法。一种是基于权限编码的匹配,另一种是基于url的匹配。
5. 退出登录
1 package com.example.demo.config;
2
3 import com.example.demo.handler.*;
4 import com.example.demo.service.MyAccessDecisionManager;
5 import com.example.demo.service.MyFilterInvocationSecuritymetadatasource;
6 import com.example.demo.service.MyUserDetailsservice;
7 import org.springframework.beans.factory.Annotation.Autowired;
8 import org.springframework.context.Annotation.bean;
9 import org.springframework.context.Annotation.Configuration;
10 import org.springframework.security.config.Annotation.objectPostProcessor;
11 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
12 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
13 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
14 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
15 import org.springframework.security.crypto.password.passwordEncoder;
16 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
17
18 @Configuration
19 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
20
21 @Autowired
22 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
23 @Autowired
24 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
25 @Autowired
26 private @H_737_79@myAccessDeniedHandler @H_737_79@myAccessDeniedHandler;
27 @Autowired
28 private @H_737_79@myLogoutsuccessHandler @H_737_79@myLogoutsuccessHandler;
29 @Autowired
30 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
31 @Autowired
32 private @H_737_79@myFilterInvocationSecuritymetadatasource @H_737_79@myFilterInvocationSecuritymetadatasource;
33 @Autowired
34 private @H_737_79@myAccessDecisionManager @H_737_79@myAccessDecisionManager;
35
36 @Override
37 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
38 auth.userDetailsservice(@H_737_79@myUserDetailsservice)
39 .passwordEncoder(passwordEncoder());
40 }
41
42 @Override
43 protected void configure(httpSecurity http) throws Exception {
44 http.formLogin()
45 .loginProcessingUrl(@H_56_197@"/login")
46 .usernameParameter(@H_56_197@"username")
47 .passwordParameter(@H_56_197@"password")
48 .defaultsuccessUrl(@H_56_197@"/")
49 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
50 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
51 .and().logout()
52 .logoutUrl(@H_56_197@"/logout")
53 .logoutsuccessHandler(@H_737_79@myLogoutsuccessHandler)
54 .and()
55 .authorizerequests()
56 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
57 .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
58 @Override
59 public <O extends FilterSecurityInterceptor> O postProcess(O object) {
60 object.setSecuritymetadatasource(@H_737_79@myFilterInvocationSecuritymetadatasource);
61 object.setAccessDecisionManager(@H_737_79@myAccessDecisionManager);
62 return object;
63 }
64 })
65 .and()
66 .exceptionHandling().accessDeniedHandler(@H_737_79@myAccessDeniedHandler)
67 .and()
68 .sessionManagement().sessionFixation().@H_415_57@migrateSession()
69 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
70 }
71
72 @Bean
73 public passwordEncoder passwordEncoder() {
74 return new BCryptpasswordEncoder();
75 }
76
77 }
自定义LogoutsuccessHandler
1 package com.example.demo.handler;
2
3 import com.fasterxml.jackson.databind.objectMapper;
4 import org.springframework.security.core.Authentication;
5 import org.springframework.security.web.authentication.logout.LogoutsuccessHandler;
6 import org.springframework.stereotype.Component;
7
8 import javax.servlet.ServletException;
9 import javax.servlet.http.httpServletrequest;
10 import javax.servlet.http.httpServletResponse;
11 import java.io.IOException;
12 import java.io.PrintWriter;
13
14 @Component
15 public class @H_415_57@myLogoutsuccessHandler implements LogoutsuccessHandler {
16
17 private static ObjectMapper objectMapper = new ObjectMapper();
18
19 @Override
20 public void onLogoutsuccess(httpServletrequest request, httpServletResponse response, Authentication authentication) throws IOException, ServletException {
21 // response.sendRedirect("/login.html");
22
23 response.setContentType(@H_56_197@"application/json;charset=utf-8");
24 PrintWriter printWriter = response.getWriter();
25 printWriter.write(objectMapper.writeValueAsString(@H_56_197@"logout success"));
26 printWriter.flush();
27 printWriter.close();
28 }
29 }
到这里为止,我们已经实现了用户动态加载,权限匹配规则动态加载,即谁可以访问什么资源这个过程已经不再是写死了,而是全部可配置化了
6. 集成JWT生成token
现在的项目都是前后端分离的,客户端与服务端通过接口进行交互,数据格式采用JSON,这就要求服务端是无状态的。如果还是利用Session在服务端维持会话的话,可扩展性就太差了。总之一句话,用Session就是有状态的,用Token就是无状态的,因此,我们要用Token来识别用户身份。
默认会话是Session维持的,用Session的话不利于水平扩容(尽管共享Session,但还是很不方便),而且也没法做前后端分离。因此,需要用token来承载认证用户信息,前后端通过json进行交互。
首先,引入依赖
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
然后,JWT工具类
1 package com.example.demo.util;
2
3 import io.jsonwebtoken.*;
4
5 import java.util.Date;
6 import java.util.HashMap;
7 import java.util.Map;
8 import java.util.function.Function;
9
10 /**
11 * @Author ChengJianSheng
12 * @Date 2021/5/7
13 */
14 public class JwtUtil {
15
16 private static long TOKEN_EXPIRATION = 24 * 60 * 60 * 1000;
17 private static String TOKEN_SECRET_KEY = @H_56_197@"123456";
18
19 /**
20 * 生成Token
21 * @param subject 用户名
22 * @return
23 */
24 public static String createToken(String subject) {
25 long currentTimeMillis = System.currentTimeMillis();
26 Date currentDate = new Date(currentTimeMillis);
27 Date expirationDate = new Date(currentTimeMillis + TOKEN_EXPIRATION);
28
29 // 存放自定义属性,比如用户拥有的权限
30 @H_737_79@map<String, Object> claims = new HashMap<>();
31
32 return Jwts.builder()
33 .setClaims(claims)
34 .setSubject(subject)
35 .setIssuedAt(currentDate)
36 .setExpiration(expirationDate)
37 .signWith(SignatureAlgorithm.HS512, TOKEN_SECRET_KEY)
38 .compact();
39 }
40
41 public static String extractUsername(String token) {
42 return extractClaim(token, Claims::getSubject);
43 }
44
45 public static @R_450_8487@an isTokenExpired(String token) {
46 return extractExpiration(token).before(new Date());
47 }
48
49 public static Date extractExpiration(String token) {
50 return extractClaim(token, Claims::getExpiration);
51 }
52
53 public static <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
54 final Claims claims = extractAllClaims(token);
55 return claimsResolver.apply(claims);
56 }
57
58 private static Claims extractAllClaims(String token) {
59 return Jwts.parser().setSigningKey(TOKEN_SECRET_KEY).parseClaimsJws(token).getBody();
60 }
61
62 }
登录成功后,将token返回给客户端
1 package com.example.demo.handler;
2
3 import com.example.demo.model.MyUserDetails;
4 import com.example.demo.util.JwtUtil;
5 import com.fasterxml.jackson.databind.objectMapper;
6 import org.springframework.security.core.Authentication;
7 import org.springframework.security.web.authentication.SavedrequestAwareAuthenticationsuccessHandler;
8 import org.springframework.stereotype.Component;
9
10 import javax.servlet.ServletException;
11 import javax.servlet.http.httpServletrequest;
12 import javax.servlet.http.httpServletResponse;
13 import java.io.IOException;
14
15 @Component
16 public class @H_415_57@myAuthenticationsuccessHandler extends SavedrequestAwareAuthenticationsuccessHandler {
17
18 private static ObjectMapper objectMapper = new ObjectMapper();
19
20 @Override
21 public void onAuthenticationsuccess(httpServletrequest request, httpServletResponse response, Authentication authentication) throws ServletException, IOException {
22 @H_737_79@myUserDetails @H_737_79@myUserDetails = (@H_737_79@myUserDetails) authentication.getPrincipal();
23 String username = @H_737_79@myUserDetails.getUsername();
24 String token = JwtUtil.createToken(username);
25 //todo 缓存到 redis
26 //todo 把token存到redis中
27
28 response.setContentType(@H_56_197@"application/json;charset=utf-8");
29 response.getWriter().write(objectMapper.writeValueAsString(token));
30 }
31 }
每次请求过来,从token中取到用户信息,然后放到上下文中
1 package com.example.demo.filter;
2
3 import com.example.demo.service.MyUserDetailsservice;
4 import com.example.demo.util.JwtUtil;
5 import org.apache.commons.lang3.StringUtils;
6 import org.springframework.security.authentication.AuthenticationManager;
7 import org.springframework.security.authentication.UsernamepasswordAuthenticationToken;
8 import org.springframework.security.core.context.SecurityContextHolder;
9 import org.springframework.security.core.userdetailS.UserDetails;
10 import org.springframework.security.web.authentication.WebAuthenticationDetailssource;
11 import org.springframework.security.web.authentication.www.basicAuthenticationFilter;
12
13 import javax.servlet.FilterChain;
14 import javax.servlet.ServletException;
15 import javax.servlet.http.httpServletrequest;
16 import javax.servlet.http.httpServletResponse;
17 import java.io.IOException;
18
19 /**
20 * 负责在每次请求中,解析请求头中的token,从中取得用户信息,生成认证对象传递给下一个过滤器
21 * @Author ChengJianSheng
22 * @Date 2021/5/7
23 */
24 public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
25
26 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
27
28 public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
29 super(authenticationManager);
30 }
31
32 public JwtAuthenticationFilter(AuthenticationManager authenticationManager, @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice) {
33 super(authenticationManager);
34 this.@H_415_57@myUserDetailsservice = @H_737_79@myUserDetailsservice;
35 }
36
37 @Override
38 protected void doFilterInternal(httpServletrequest request, httpServletResponse response, FilterChain chain) throws IOException, ServletException {
39 String token = request.getHeader(@H_56_197@"token");
40 System.out.println(@H_56_197@"请求头中带的token: " + token);
41 if (StringUtils.isnoneBlank(token)) {
42 if (!JwtUtil.isTokenExpired(token)) {
43 String username = JwtUtil.extractUsername(token);
44 if (StringUtils.isnoneBlank(username) && null == SecurityContextHolder.getContext().getAuthentication()) {
45 // 查询用户权限,有以下三种方式:
46 // 1. 可以从数据库中加载
47 // 2. 可以从redis中加载(PS: 前提是之前已经缓存到redis中了)
48 // 3. 可以从token中加载(PS: 前提是生成token的时候把用户权限作为Claims放置其中了)
49
50 UserDetails userDetails = @H_737_79@myUserDetailsservice.loadUserByUsername(username);
51
52 UsernamepasswordAuthenticationToken authrequest = new UsernamepasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
53 authrequest.setDetails(new WebAuthenticationDetailssource().buildDetails(request));
54
55 SecurityContextHolder.getContext().setAuthentication(authrequest);
56 }
57 }
58 }
59
60 chain.doFilter(request, response);
61 }
62 }
把这个过滤器添加到
1 http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager(), @H_737_79@myUserDetailsservice), UsernamepasswordAuthenticationFilter.class);
完整配置如下:
1 package com.example.demo.config;
2
3 import com.example.demo.filter.JwtAuthenticationFilter;
4 import com.example.demo.handler.*;
5 import com.example.demo.service.MyAccessDecisionManager;
6 import com.example.demo.service.MyFilterInvocationSecuritymetadatasource;
7 import com.example.demo.service.MyUserDetailsservice;
8 import org.springframework.beans.factory.Annotation.Autowired;
9 import org.springframework.context.Annotation.bean;
10 import org.springframework.context.Annotation.Configuration;
11 import org.springframework.security.config.Annotation.objectPostProcessor;
12 import org.springframework.security.config.Annotation.authentication.builders.AuthenticationManagerBuilder;
13 import org.springframework.security.config.Annotation.web.builders.httpSecurity;
14 import org.springframework.security.config.Annotation.web.configuration.WebSecurityConfigurerAdapter;
15 import org.springframework.security.config.http.SessionCreationPolicy;
16 import org.springframework.security.crypto.bcrypt.bCryptpasswordEncoder;
17 import org.springframework.security.crypto.password.passwordEncoder;
18 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
19 import org.springframework.security.web.authentication.UsernamepasswordAuthenticationFilter;
20
21 @Configuration
22 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
23
24 @Autowired
25 private @H_737_79@myAuthenticationsuccessHandler @H_737_79@myAuthenticationsuccessHandler;
26 @Autowired
27 private @H_737_79@myAuthenticationFailureHandler @H_737_79@myAuthenticationFailureHandler;
28 @Autowired
29 private @H_737_79@myAccessDeniedHandler @H_737_79@myAccessDeniedHandler;
30 @Autowired
31 private @H_737_79@myLogoutsuccessHandler @H_737_79@myLogoutsuccessHandler;
32 @Autowired
33 private @H_737_79@myUserDetailsservice @H_737_79@myUserDetailsservice;
34 @Autowired
35 private @H_737_79@myFilterInvocationSecuritymetadatasource @H_737_79@myFilterInvocationSecuritymetadatasource;
36 @Autowired
37 private @H_737_79@myAccessDecisionManager @H_737_79@myAccessDecisionManager;
38 @Autowired
39 private @H_737_79@myAuthenticationEntryPoint @H_737_79@myAuthenticationEntryPoint;
40
41 @Override
42 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
43 auth.userDetailsservice(@H_737_79@myUserDetailsservice)
44 .passwordEncoder(passwordEncoder());
45 }
46
47 @Override
48 protected void configure(httpSecurity http) throws Exception {
49 http.formLogin()
50 .loginProcessingUrl(@H_56_197@"/login")
51 .usernameParameter(@H_56_197@"username")
52 .passwordParameter(@H_56_197@"password")
53 .successHandler(@H_737_79@myAuthenticationsuccessHandler)
54 .failureHandler(@H_737_79@myAuthenticationFailureHandler)
55 .and().logout()
56 .logoutUrl(@H_56_197@"/logout")
57 .logoutsuccessUrl(@H_56_197@"/login.html")
58 .logoutsuccessHandler(@H_737_79@myLogoutsuccessHandler)
59 .and()
60 .authorizerequests()
61 .antMatchers(@H_56_197@"/login.html", @H_56_197@"/login").permitAll()
62 .anyrequest().access(@H_56_197@"@myAccessDecisionservice.hasPermission(request, authentication)")
63 .and()
64 .exceptionHandling().accessDeniedHandler(@H_737_79@myAccessDeniedHandler).authenticationEntryPoint(@H_737_79@myAuthenticationEntryPoint)
65 .and()
66 .sessionManagement().sessionFixation().@H_415_57@migrateSession().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
67 .@H_415_57@maximumSessions(1).@H_415_57@maxSessionsPreventsLogin(false).expiredSessionStrategy(new @H_737_79@myExpiredSessionStrategy());
68
69 http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager(), @H_737_79@myUserDetailsservice), UsernamepasswordAuthenticationFilter.class);
70
71 http.csrf().disable();
72 }
73
74 @Bean
75 public passwordEncoder passwordEncoder() {
76 return new BCryptpasswordEncoder();
77 }
78
79 }
增加一个未登录的处理
1 package com.example.demo.handler;
2
3 import com.fasterxml.jackson.databind.objectMapper;
4 import org.springframework.security.core.AuthenticationException;
5 import org.springframework.security.web.AuthenticationEntryPoint;
6 import org.springframework.stereotype.Component;
7
8 import javax.servlet.ServletException;
9 import javax.servlet.http.httpServletrequest;
10 import javax.servlet.http.httpServletResponse;
11 import java.io.IOException;
12
13 /**
14 * 未认证(未登录)统一处理
15 * @Author ChengJianSheng
16 * @Date 2021/5/7
17 */
18 @Component
19 public class @H_415_57@myAuthenticationEntryPoint implements AuthenticationEntryPoint {
20
21 private static ObjectMapper objectMapper = new ObjectMapper();
22
23 @Override
24 public void commence(httpServletrequest request, httpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
25 response.setContentType(@H_56_197@"application/json;charset=utf-8");
26 response.getWriter().write(objectMapper.writeValueAsString(@H_56_197@"未登录,请先登录"));
27 }
28 }
改造后的项目结构如下
最后,用token以后,退出要做一点改动。由于我们采用JWT来生成Token,因此token是没法撤销和删除的,所以此时的退出应该是:
关于Spring Security实现简单的用户、角色、权限控制就先讲到这里,稍微做一个回顾:
以上是大佬教程为你收集整理的Spring Security 入门篇全部内容,希望文章能够帮你解决Spring Security 入门篇所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。