SpringSecurity配置单个HttpSecurity

最新推荐文章于 2024-05-09 22:13:59 发布

老爸是程序员

最新推荐文章于 2024-05-09 22:13:59 发布

阅读量630

点赞数

分类专栏： Spring Security

本文链接：https://blog.csdn.net/king101125s/article/details/104214534

版权

Spring Security 专栏收录该内容

9 篇文章 3 订阅

订阅专栏

HttpSecurity配置解释

方法	说明
.antMatchers("/admin/**").hasRole(“admin”)	/admin/**路径下的必须有admin角色才能访问
.antMatchers("/db/").hasAnyRole(“admin”,“user”) .antMatchers("/user/").access(“hasAnyRole(‘admin’,‘user’)”)	/db/和/user/下的路径，admin和user角色都可以访问
.anyRequest().authenticated()	表示剩下的任何请求只要验证之后都可以访问
.formLogin()	开启表单登陆
.loginProcessingUrl("/dologin")	登陆处理的路径
.loginPage("/login")	登陆的页面，如果不写会使用默认的登陆页面
.usernameParameter(“uname”)	定义登录时，用户名的 key，默认为 username
.passwordParameter(“pwd”)	定义登录时，用户名的 key，默认为 password
.successHandler()	登陆成功的处理
.failureHandler()	登陆失败的处理
.permitAll()	permitALL()表示放开和登陆有关的接口
.and().csrf().disable()	关闭跨站请求伪造,方便postman请求（默认开启）

HttpSecurity配置

public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    HrService hrService;
    @Autowired
    CustomFilterInvocationSecurityMetadataSource customFilterInvocationSecurityMetadataSource;
    @Autowired
    CustomUrlDecisionManager customUrlDecisionManager;

    //从 Spring5 开始，强制要求密码要加密
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // 如果非不想加密，可 以使用一个过期的 PasswordEncoder 的实例 NoOpPasswordEncoder，但是不建议这么做，毕竟不安全
//    @Bean
//    PasswordEncoder passwordEncoder(){
//        return NoOpPasswordEncoder.getInstance();
//    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        //web页面白名单
        web.ignoring().antMatchers("/login", "/css/**", "/js/**", "/index.html", "/img/**", "/fonts/**", "/favicon.ico");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
//                .anyRequest().authenticated()//任何请求,登录后可以访问
                .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {

                    @Override
                    public <O extends FilterSecurityInterceptor> O postProcess(O object) {
                        object.setAccessDecisionManager(customUrlDecisionManager);
                        object.setSecurityMetadataSource(customFilterInvocationSecurityMetadataSource);
                        return object;
                    }
                })
                .and()
                .formLogin()
                .usernameParameter("username")
                .passwordParameter("password")
                .loginProcessingUrl("/doLogin")
                .loginPage("/login")
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                        response.setContentType("application/json;charset=utf-8");
                        PrintWriter out = response.getWriter();
                        Hr hr = (Hr) authentication.getPrincipal();
                        hr.setPassword(null);
                        RespBean ok = RespBean.ok("登录成功!", hr);
                        String s = new ObjectMapper().writeValueAsString(ok);
                        out.write(s);
                        out.flush();
                        out.close();
                    }
                })
                .failureHandler(new AuthenticationFailureHandler() {
                    @Override
                    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
                        response.setContentType("application/json;charset=utf-8");
                        PrintWriter out = response.getWriter();
                        RespBean respBean = RespBean.error("登录失败!");
                        if (exception instanceof LockedException) {
                            respBean.setMsg("账户被锁定，请联系管理员!");
                        } else if (exception instanceof CredentialsExpiredException) {
                            respBean.setMsg("密码过期，请联系管理员!");
                        } else if (exception instanceof AccountExpiredException) {
                            respBean.setMsg("账户过期，请联系管理员!");
                        } else if (exception instanceof DisabledException) {
                            respBean.setMsg("账户被禁用，请联系管理员!");
                        } else if (exception instanceof BadCredentialsException) {
                            respBean.setMsg("用户名或者密码输入错误，请重新输入!");
                        }
                        out.write(new ObjectMapper().writeValueAsString(respBean));
                        out.flush();
                        out.close();
                    }
                })
                .permitAll()
                .and()
                .logout()
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                        response.setContentType("application/json;charset=utf-8");
                        PrintWriter out = response.getWriter();
                        out.write(new ObjectMapper().writeValueAsString(RespBean.ok("注销成功!")));
                        out.flush();
                        out.close();
                    }
                })
                .permitAll()
                .and()
                .csrf().disable().exceptionHandling()
                .authenticationEntryPoint(new AuthenticationEntryPoint() {
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
                        response.setContentType("application/json;charset=utf-8");
                        response.setStatus(401);
                        PrintWriter out = response.getWriter();
                        RespBean respBean = RespBean.error("访问失败!");
                        if (authException instanceof InsufficientAuthenticationException) {
                            respBean.setMsg("请求失败，请联系管理员!");
                        }
                        out.write(new ObjectMapper().writeValueAsString(respBean));
                        out.flush();
                        out.close();
                    }
                });

    }
}

参考

spring security之httpSecurity使用示例

github

Httpsecurity中的常用方法介绍

spring security中文翻译文档

老爸是程序员

关注

0
点赞
踩
4

收藏

觉得还不错? 一键收藏
0
评论
SpringSecurity配置单个HttpSecurity

HttpSecurity配置解释方法说明.antMatchers("/admin/**").hasRole(“admin”)/admin/**路径下的必须有admin角色才能访问.antMatchers("/db/").hasAnyRole(“admin”,“user”) .antMatchers("/user/").access(“hasAnyRole(‘admin...
复制链接

扫一扫