When the front end and back end are separated, handling permissions in Spring Security differs somewhat from the earlier setup. This article covers integrating Spring Security with Spring Boot 2.x in a front/back-end separated project by modifying the configuration from the previous post; if anything here is unclear, read the previous article first: SpringBoot2.x+SpringSecurity(一)安全配置整合.
1. Spring Security configuration
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private AuthSuccessHandler authSuccessHandler;
    @Autowired
    private AuthFailHandler authFailHandler;
    // the custom access-denied handler used below must be injected as well
    @Autowired
    private AuthAccessDeniedHandler authAccessDeniedHandler;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // users come from our UserDetailsService; stored passwords are BCrypt hashes
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
        registry.and()
                .formLogin()
                .loginPage("/u/noLogin")
                .loginProcessingUrl("/login")
                .permitAll()
                // success handler
                .successHandler(authSuccessHandler)
                // failure handler
                .failureHandler(authFailHandler)
                .and()
                .logout()
                .permitAll()
                .and()
                .authorizeRequests()
                // any request
                .anyRequest()
                // must be authenticated
                .authenticated()
                .and()
                // disable CSRF protection
                .csrf().disable()
                // csrf().disable() already returns HttpSecurity, so no .and() is needed here
                // custom access-denied handler
                .exceptionHandling().accessDeniedHandler(authAccessDeniedHandler);
    }
}
```
Here successHandler() and failureHandler() name the methods we wrote ourselves that are called when authentication succeeds or fails, and .exceptionHandling().accessDeniedHandler() works the same way, because we no longer use the defaults.
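The same configuration expressed as a `SecurityFilterChain` bean, which is the style Spring Security 5.7+ (Spring Boot 2.7+) recommends now that `WebSecurityConfigurerAdapter` is deprecated. This is an added example, not code from the article; `AuthSuccessHandler`, `AuthFailHandler` and `AuthAccessDeniedHandler` are the article's own classes, while the class name `WebSecurityConfigV2` and the separate `PasswordEncoder` bean are this example's assumptions. It also carries the caveat the CSRF line deserves: disabling CSRF is only safe when the frontend does not authenticate with an automatically sent cookie.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

// Added example (assumed class name): the article's WebSecurityConfig rewritten without
// WebSecurityConfigurerAdapter, for Spring Security 5.7+ / Spring Boot 2.7+.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfigV2 {

    // With a single UserDetailsService bean and a PasswordEncoder bean in the context,
    // Spring Security builds the DaoAuthenticationProvider itself, so no
    // configure(AuthenticationManagerBuilder) override is needed.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           AuthSuccessHandler authSuccessHandler,
                                           AuthFailHandler authFailHandler,
                                           AuthAccessDeniedHandler authAccessDeniedHandler) throws Exception {
        http
            // same login endpoints and JSON handlers as the article
            .formLogin(form -> form
                .loginPage("/u/noLogin")
                .loginProcessingUrl("/login")
                .successHandler(authSuccessHandler)
                .failureHandler(authFailHandler)
                .permitAll())
            .logout(logout -> logout.permitAll())
            // every other request requires an authenticated session
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            // CSRF is disabled here as in the article. Caveat: the browser still attaches the
            // JSESSIONID cookie to cross-site requests, so with cookie-based sessions the API
            // remains exposed to CSRF. Keep this line only if the frontend sends a bearer token
            // it stores itself; otherwise re-enable CSRF with a cookie token repository, e.g.
            // csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).
            .csrf(csrf -> csrf.disable())
            // authenticated but not authorized -> our JSON access-denied handler
            .exceptionHandling(ex -> ex.accessDeniedHandler(authAccessDeniedHandler));
        return http.build();
    }
}
```

Both variants build the same filter chain; the lambda DSL just removes the `.and()` chaining that made the original easy to get wrong (the stray `.and()` after `csrf().disable()` does not compile).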
2. Success handler
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

import com.alibaba.fastjson.JSON;

import lombok.extern.slf4j.Slf4j;

// ServerResponse is the project's own response wrapper from part one of this series
@Slf4j
@Component
public class AuthSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        log.info("登陆成功");
        // wrap the authenticated principal and write it back as JSON instead of redirecting
        String msg = JSON.toJSONString(ServerResponse.Success(authentication.getPrincipal()));
        ServerResponse.out(response, msg);
    }
}
```
When login authentication succeeds, control passes to the AuthenticationSuccessHandler strategy interface. We implement onAuthenticationSuccess; authentication.getPrincipal() is the information of the user who has just logged in, and it is returned to the frontend as JSON.
3. Failure handler
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.alibaba.fastjson.JSON;

import lombok.extern.slf4j.Slf4j;

// ServerResponse and ResponseCode are the project's own classes from part one of this series
@Component
@Slf4j
public class AuthFailHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        String msg = null;
        // DaoAuthenticationProvider hides UsernameNotFoundException as BadCredentialsException by default,
        // so both cases deliberately produce the same message and do not reveal whether the user exists
        if (exception instanceof UsernameNotFoundException || exception instanceof BadCredentialsException) {
            msg = "用户名或密码输入错误,登录失败!";
        } else if (exception instanceof DisabledException) {
            msg = "账户被禁用,登录失败,请联系管理员!";
        } else {
            msg = "登录失败!";
        }
        msg = JSON.toJSONString(ServerResponse.Error(ResponseCode.INTERNAL_SERVER_ERROR.getCode(), msg));
        ServerResponse.out(response, msg);
    }
}
```
When authentication fails, control passes to the AuthenticationFailureHandler strategy interface; we implement onAuthenticationFailure to return the error message.
4. Access-denied handler
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import lombok.extern.slf4j.Slf4j;

@Slf4j
@Component
public class AuthAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
        log.error("权限不足!");
        // reached for a user who is authenticated but lacks the required authority;
        // the article answers with 401 here, although 403 (SC_FORBIDDEN) is the status that conventionally denotes that case
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "权限不足!");
    }
}
```
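Spring Security's ExceptionTranslationFilter takes two different paths that a separated frontend has to handle as JSON: an unauthenticated request goes to the `AuthenticationEntryPoint` (the article routes this through `loginPage("/u/noLogin")`, which for form login means a 302 redirect), while an authenticated user without the needed authority goes to the `AccessDeniedHandler` (the article's handler above answers with `sendError`, which produces the container's HTML error page rather than JSON). The following is an added example, not the article's code: a small JSON writer plus one class for each path. The `JsonResponses`, `JsonAuthenticationEntryPoint` and `JsonAccessDeniedHandler` names and the `{"status":...,"msg":...}` body shape are this example's own assumptions, standing in for the project's `ServerResponse`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import com.alibaba.fastjson.JSON;

// Added example (assumed helper, not the project's ServerResponse): writes a JSON body with an
// explicit status code, so the browser client never sees a redirect or an HTML error page.
final class JsonResponses {
    private JsonResponses() {}

    static void write(HttpServletResponse response, int status, String msg) throws IOException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("status", status);
        body.put("msg", msg);
        response.setStatus(status);
        response.setContentType("application/json");
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.getWriter().write(JSON.toJSONString(body));
        response.getWriter().flush();
    }
}

// 401: the caller has not authenticated at all (no session, or a protected URL hit anonymously).
// Setting this on exceptionHandling() replaces the redirect to loginPage("/u/noLogin").
@Component
public class JsonAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        JsonResponses.write(response, HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
    }
}

// 403: the caller is authenticated, but a @PreAuthorize rule or URL rule rejected the request.
// Kept package-private so this listing is a single compilable file; split it out as you prefer.
@Component
class JsonAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException {
        JsonResponses.write(response, HttpServletResponse.SC_FORBIDDEN, "insufficient permissions");
    }
}
```

Wire both in the configuration with `.exceptionHandling().authenticationEntryPoint(jsonAuthenticationEntryPoint).accessDeniedHandler(jsonAccessDeniedHandler)`. An explicitly set entry point takes precedence over the one form login registers, so unauthenticated API calls get a 401 JSON body the frontend can act on, and the 401/403 split lets it distinguish "log in" from "you may not do this" without parsing message text.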
5. Test
The returned result:
data holds the information of the user who was just authenticated, and status is our custom return status;
6. Summary
I will keep digging into this from here!