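Spring Boot 2.x + Spring Security (Part 2): Front-End/Back-End Separation

With front-end/back-end separation, handling Spring Security permissions differs somewhat from the earlier approach. This article describes integrating Spring Security into Spring Boot 2.x for a separated front end and back end, by modifying the configuration from the previous article. If anything here is unclear, read the previous article first: SpringBoot2.x+SpringSecurity (Part 1): Security Configuration Integration.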

 

1. Spring Security configuration

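import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthSuccessHandler authSuccessHandler;

    @Autowired
    private AuthFailHandler authFailHandler;

    // Injected so it can be passed to accessDeniedHandler() below
    @Autowired
    private AuthAccessDeniedHandler authAccessDeniedHandler;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry=http.authorizeRequests();
        registry.and()
                .formLogin()
                .loginPage("/u/noLogin")
                .loginProcessingUrl("/login")
                .permitAll()
                // Success handler class
                .successHandler(authSuccessHandler)
                // Failure handler class
                .failureHandler(authFailHandler)
                .and()
                .logout()
                .permitAll()
                .and()
                .authorizeRequests()
                // Any request
                .anyRequest()
                // requires authentication
                .authenticated()
                .and()
                // Disable CSRF protection (disable() returns HttpSecurity, so no and() is needed after it)
                .csrf().disable()
                // Custom access-denied handler class
                .exceptionHandling().accessDeniedHandler(authAccessDeniedHandler);
    }
}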

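Here successHandler() and failureHandler() register our own handlers, which are called when authentication succeeds or fails. .exceptionHandling().accessDeniedHandler() works the same way, because we no longer use the default handlers.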

2. Success handler class

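import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
// Imports for JSON and ServerResponse are omitted: the article does not show them.

@Slf4j
@Component
public class AuthSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

        log.info("登陆成功");  // "login succeeded"

        // Serialize the authenticated principal and write it to the response as JSON
        String msg=JSON.toJSONString(ServerResponse.Success(authentication.getPrincipal()));
        ServerResponse.out(response,msg);

    }
}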

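When login authentication succeeds, the AuthenticationSuccessHandler strategy interface takes over. Implement its onAuthenticationSuccess method; authentication.getPrincipal() is the information of the user who has just logged in, and it is returned to the front end as JSON.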
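
Serializing authentication.getPrincipal() as a whole sends every readable property of the UserDetails object to the browser, which for a custom user entity can include the password hash. The handler below is an added example, not the article's code: the class name MinimalPrincipalSuccessHandler, the use of Jackson's ObjectMapper and the status value 0 are assumptions. It returns only the username and granted authorities in the same data/status shape.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Added example (hypothetical class name), not part of the original article.
// Returns a whitelist of fields instead of serializing the whole principal.
public class MinimalPrincipalSuccessHandler implements AuthenticationSuccessHandler {

    // Assumption: Jackson is on the classpath (it ships with spring-boot-starter-web).
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // Only the authority names, never the GrantedAuthority objects themselves
        List<String> authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());

        // Explicit whitelist: nothing else from UserDetails reaches the client
        Map<String, Object> data = new LinkedHashMap<>();
        data.put("username", authentication.getName());
        data.put("authorities", authorities);

        Map<String, Object> body = new LinkedHashMap<>();
        body.put("status", 0);   // constructed value; use the project's own success code
        body.put("data", data);

        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("application/json;charset=UTF-8");
        // ObjectMapper escapes the values, so a crafted username cannot break the JSON
        mapper.writeValue(response.getWriter(), body);
    }
}
```

To use it, pass an instance to .successHandler(...) in WebSecurityConfig in place of authSuccessHandler.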

3. Failure handler class

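import lombok.extern.slf4j.Slf4j;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
// Imports for JSON, ServerResponse and ResponseCode are omitted: the article does not show them.

@Component
@Slf4j
public class AuthFailHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        String msg=null;
        if (exception instanceof UsernameNotFoundException || exception instanceof BadCredentialsException) {
            msg="用户名或密码输入错误,登录失败!";  // "Wrong username or password, login failed!"
        } else if (exception instanceof DisabledException) {
            msg="账户被禁用,登录失败,请联系管理员!";  // "Account disabled, login failed, please contact the administrator!"
        } else {
            msg="登录失败!";  // "Login failed!"
        }

        // Wrap the message in the project's error response and write it out as JSON
        msg=JSON.toJSONString(ServerResponse.Error(ResponseCode.INTERNAL_SERVER_ERROR.getCode(),msg));
        ServerResponse.out(response,msg);
    }
}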

When authentication fails, the AuthenticationFailureHandler strategy interface takes over. Implement its onAuthenticationFailure method to return the error message.

4. Access-denied handler class

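import lombok.extern.slf4j.Slf4j;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Slf4j
@Component
public class AuthAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // "权限不足!" = "Insufficient permissions!". The status sent is 401 (SC_UNAUTHORIZED);
        // 403 (SC_FORBIDDEN) is the conventional status for an authenticated user lacking permission.
        log.error("权限不足!");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "权限不足!");
    }
}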

5. Testing

Returned result: [image]
data holds the information for the successfully authenticated user; status is the custom return status.

6. Summary

I'll keep researching this from here!

Reposted from: https://my.oschina.net/u/4037000/blog/3045348
