一 参考文章
http://www.spring4all.com/article/422
二 代码位置
三 关键代码
1 过滤器定义
package com.spring4all.config;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
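/**
 * Custom form-login filter.
 *
 * <p>Handles {@code POST} requests to the configured login URL, reads the {@code username} and
 * {@code password} request parameters and verifies them itself; it never consults an
 * {@code AuthenticationManager}.
 *
 * <p>Demo only: the single accepted account is hard-coded in {@code customCheck}. A real
 * application should verify credentials against a user store that keeps salted password
 * hashes (bcrypt/scrypt/argon2) and should never ship credentials in source code.
 */
public class CustomFromLoginFilter extends AbstractAuthenticationProcessingFilter {

    /**
     * Creates the filter.
     *
     * @param defaultFilterProcessesUrl the login URL; only {@code POST} requests to it are handled
     */
    CustomFromLoginFilter(String defaultFilterProcessesUrl) {
        super(new AntPathRequestMatcher(defaultFilterProcessesUrl, HttpMethod.POST.name()));
    }

    /**
     * Authenticates the submitted form credentials.
     *
     * @param httpServletRequest  request carrying the {@code username} / {@code password} parameters
     * @param httpServletResponse the current response (not used here)
     * @return an authenticated token for the user, carrying the single authority {@code "USER"}
     * @throws AuthenticationException if the credentials are missing or wrong
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        String username = httpServletRequest.getParameter("username");
        String password = httpServletRequest.getParameter("password");
        customCheck(username, password);

        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("USER"));

        // The password has already been verified and is not needed afterwards. The returned
        // token becomes the current Authentication (and is typically kept in the HTTP session),
        // so it is built without the plaintext password as its credentials.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    /**
     * Checks the submitted credentials against the hard-coded demo account.
     *
     * @throws BadCredentialsException if either value is {@code null} or does not match
     */
    private void customCheck(String username, String password) {
        // SECURITY: hard-coded demo credentials compared in plaintext; replace with a lookup
        // against hashed credentials before using this anywhere outside a tutorial.
        boolean valid = "anoyi".equals(username) && "anoyi".equals(password);
        if (!valid) {
            // Must be an AuthenticationException: the parent filter only routes that type to
            // its failure handling. A plain RuntimeException would escape the filter chain and
            // surface as a server error instead of a failed login.
            throw new BadCredentialsException("用户名或密码错误!");
        }
    }
}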
2 过滤器配置
package com.spring4all.config;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Configures URL authorization, logout and the custom login filter.
     *
     * <ul>
     *   <li>{@code "/"} is open to everyone.</li>
     *   <li>{@code "/user"} and everything below it requires the {@code "USER"} authority.</li>
     *   <li>Logout is served at {@code "/logout"} and redirects to {@code "/login"} on success.</li>
     *   <li>CSRF protection is left at its default (enabled).</li>
     * </ul>
     *
     * <p>No rule is declared here for any other path.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/user/**").hasAuthority("USER");

        http.logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login");

        // Register the custom filter at the position of the standard username/password filter.
        CustomFromLoginFilter loginFilter = newLoginFilter();
        http.addFilterAt(loginFilter, UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Builds the custom authentication filter that handles {@code "/login"}.
     *
     * <p>NOTE(review): the filter is instantiated by hand and nothing else is set on it here,
     * so it runs with the superclass defaults for its success/failure handlers and its
     * session-authentication strategy; confirm that session-fixation protection is applied
     * to logins that go through this filter.
     */
    private CustomFromLoginFilter newLoginFilter() {
        return new CustomFromLoginFilter("/login");
    }
}
addFilterAt 函数的用法参考: https://blog.csdn.net/qq_36882793/article/details/102869583 。注意:addFilterAt 只是把过滤器注册到与指定过滤器相同的位置,并不会替换或移除该位置上已有的过滤器;如果两者同时存在,它们之间的先后顺序是不确定的。
四 调试
我们调试下看看有哪些过滤器,以及过滤器的执行顺序。
1 在下面两个过滤器中设置断点
2 浏览器输入: http://localhost:8080/login
从调试结果看,先执行优先级高的过滤器。