springSecurity三个入门示例

最新推荐文章于 2024-06-19 13:38:26 发布
最新推荐文章于 2024-06-19 13:38:26 发布
阅读量2.5k 收藏 8
点赞数
分类专栏: springBoot
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_35140272/article/details/82118839
版权

spring-boot用spring-sercurity很简单,只需要在maven引入相关依赖就好.

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

(一)简单示例

public class MyPasswordEncoder implements PasswordEncoder {
    @Override
    public String encode(CharSequence charSequence) {
        return charSequence.toString();
    }

    @Override
    public boolean matches(CharSequence charSequence, String s) {
        return s.equals(charSequence.toString());
    }
}

密码加密类.provider验证的时候回用到.

@Component
public class AppAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    @Override
    protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        System.out.println("开始根据权限判断将要跳转的页面................");
        String url=determineTargetUrl(authentication);
        redirectStrategy.sendRedirect(request,response,url);
    }
    protected String determineTargetUrl(Authentication authentication){
        String url="";
        Collection<? extends GrantedAuthority> grantedAuthorities = authentication.getAuthorities();
        List<String> roles=new ArrayList<>();
        for(GrantedAuthority grantedAuthority:grantedAuthorities){
            roles.add(grantedAuthority.getAuthority());
        }
        //这里返回路径重定向,同样返回的是controller请求路径,并不是指静态文件的路径
        if(roles.contains("ROLE_ADMIN")){
            return  "/admin";
        }else if(roles.contains("ROLE_DBA")){
            return  "/dba";
        }else if (roles.contains("ROLE_USER")){
            return "/home";
        }else {
            return  "/accessDenied";
        }
    }
}
验证成功跳转处理类.在验证成功后filter调用执行.
@Configuration
public class AppSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        System.out.println("开始认证角色..............");
        //这里设置的角色 系统会自动加上role_前缀 既ROLE_ADMIN
        auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder()).withUser("huangLei").password("a7633050").roles("ADMIN","DBA","USE");
        auth.inMemoryAuthentication().passwordEncoder(new MyPasswordEncoder()).withUser("renling").password("huangl").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("开始配置权限...............3");
        //过滤静态登录页面和静态资源,这里的/路径都是指的是controller请求路径并不是指静态页面路径
        http.authorizeRequests()
                .antMatchers("/login","/js/**").permitAll()
                //配置各个访问url的权限
        .antMatchers("/","/home").hasRole("USER")
        .antMatchers("/admin/**").hasAnyRole("ADMIN","DBA")
        .antMatchers("/dba/**").hasAnyRole("DBA")
                //其他页面为需要登录之后
        .anyRequest().authenticated()
                //关闭防御跨站伪造请求,在使用thymeleaf中使用form表单发起请求,如果没有使用th:action则不会报错误,而使用action则会报错,关闭则都不会报错
        .and().csrf().disable()
        .formLogin()
                //登录节点配置
        .loginPage("/login")
                //登录成功后负责跳转设置重定向路径的配置
        .successHandler(authenticationSuccessHandler)
                //失败后跳转的页面
                .failureForwardUrl("/myError")
                //配置登录参数
        .usernameParameter("loginname").passwordParameter("password")
        .and()
        .logout().permitAll()
        .and()
                //配置由权限不足等引起的拒绝跳转的url
        .exceptionHandling().accessDeniedPage("/accessDenied");
    }
}
security最为重要的配置类.包括页面权限以及验证节点等的配置.各个配置的意义都有注释这里不再多说,需要强调的时在使用auth.inMemoryAuthentication()在内存中保存用户信息的时候系统会自动在权限前加上ROLE_前缀.
@Controller
public class SecurityController {
    @RequestMapping("/")
    public String index(ModelAndView modelAndView){

        return "index";
    }
    @RequestMapping("/login")
    public String login(ModelAndView modelAndView){
        System.out.println("login");
        return "login";
    }
    @RequestMapping("/ipLogin")
    public String ipLogin(ModelAndView modelAndView){
        System.out.println("ipLogin");
        return "ipLogin";
    }
    @RequestMapping("/myError")
    public String myError(ModelAndView modelAndView){
        System.out.println("myError");
        return "myError";
    }
    @RequestMapping("/admin")
    public String admin(ModelAndView modelAndView){
        System.out.println("admin");
        modelAndView.addObject("user",getUserName());
        modelAndView.addObject("roles",getAuthority());
        System.out.println(getUserName());
        return "admin";
    }
    @RequestMapping("/dba")
    public String dba(ModelAndView modelAndView){
        System.out.println("dba");
        modelAndView.addObject("user",getUserName());
        modelAndView.addObject("roles",getAuthority());
        System.out.println(getUserName());
        return "dba";
    }
    @RequestMapping("/home")
    public String home(Model model){
        //这里用modelAndView必须要给视图,不然前台无法获取model里的值
        System.out.println("home");
        model.addAttribute("user",getUserName());
        model.addAttribute("role",getAuthority());
        System.out.println(getUserName());
        return "home";
    }
    @RequestMapping("/accessDenied")
    public String accessDenied(ModelAndView modelAndView){
        System.out.println("accessDenied");
        modelAndView.addObject("user",getUserName());
        modelAndView.addObject("roles",getAuthority());
        return "accessDenied";
    }
    @RequestMapping("/logout")
    public String logout(ModelAndView modelAndView, HttpServletRequest request, HttpServletResponse response){
        System.out.println("logout");
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if(authentication!=null){
            new SecurityContextLogoutHandler().logout(request,response,authentication);
        }
        return "redirect:login";
    }
    public String getUserName(){
        //通过获取securityContextHolder获取保存了用户信息的authentication实例对象
        String userName= SecurityContextHolder.getContext().getAuthentication().getName();
        return  userName;
    }
    public String getAuthority(){
        //获取权限
        Collection<? extends GrantedAuthority> grantedAuthorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
        ArrayList<String> pers = new ArrayList<>();
        for (GrantedAuthority grantedAuthority:grantedAuthorities){
            pers.add(grantedAuthority.getAuthority());
        }
        return  pers.toString();
    }
}

页面跳转控制器,这里没有太多逻辑,仅仅是负责页面跳转.

(二)企业开发中常见的使用示例

@Service
public class SystemUserSerivce implements UserDetailsService {
    @Autowired
    private PermissionMapper permissionMapper;
    @Autowired
    private UserMapper userMapper;
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User myUser =userMapper.selectUserByUsername(s);
        List<Permission> permissions = permissionMapper.selectPermissionsByUserName(s);
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for(Permission permission:permissions){
            String permissionCode = permission.getPermissionCode();
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(permissionCode);
            grantedAuthorities.add(grantedAuthority);
        }
        //这里provider需要的是springSecurity的user对象
        return new org.springframework.security.core.userdetails.User(s,myUser.getPassword(),grantedAuthorities);
    }
}

userDetailService是被daoAuthenticationProvider调用用来加载用户及权限的接口,这里需要覆盖loadUserByUsername来从数据库加载用户信息.

@Configuration
public class AppSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Autowired
    private SystemUserSerivce systemUserSerivce;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    private AuthenticationProvider authenticationProvider ;
    @Autowired
    private AuthenticationSuccessHandler authenticationSuccessHandler;


    @Bean
    public PasswordEncoder passwordEncoder(){
        //推荐使用该密码加密类
        return  new BCryptPasswordEncoder();
    }
    @Bean
    public  AuthenticationProvider authenticationProvider(){
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        //是否隐藏没有找到用户的异常
        daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
        //设置userService实例
        daoAuthenticationProvider.setUserDetailsService(systemUserSerivce);
        //设置密码加密类
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
        return  daoAuthenticationProvider;
    }


    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //注册daoAutheticationProvider
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("开始配置权限...............4");
        //过滤静态登录页面和静态资源,这里的/路径都是指的是controller请求路径并不是指静态页面路径
        http.authorizeRequests()
                .antMatchers("/login","/js/**").permitAll()
        .antMatchers("/","/home").hasRole("USER")
        .antMatchers("/admin/**").hasAnyRole("ADMIN","DBA")
        .antMatchers("/dba/**").hasAnyRole("DBA")
        .anyRequest().authenticated()
        .and().csrf().disable()
        .formLogin()
        .loginPage("/login")
        .successHandler(authenticationSuccessHandler)
                .failureForwardUrl("/myError")
        .usernameParameter("loginname").passwordParameter("password")
        .and()
        .logout().permitAll()
        .and()
        .exceptionHandling().accessDeniedPage("/accessDenied");
    }
}

另外,控制器类与successHandler与第一个示例相同,这里不做赘述.

这里与第一个示例不同的地方是我们需要从数据库中加载用户信息,所以我们选择实用daoAuthenticationProvider这个类,然后我们写一个类来继承负责加载数据库user信息的userDetailService的loadUserByUsername这个方法.这个示例是我们日常开发过程中实用的比较多的方式,在示例后面将会联系源码做重点分析

(三)依据ip作为登录验证参数的示例

这里是原文链接:

https://mp.weixin.qq.com/s?__biz=MzUzMTA2NTU2Ng==&mid=2247483980&idx=1&sn=cb40ba4fea5cf100a98896d9a0404a43&chksm=fa497dfdcd3ef4ebdd162db2f674d882fd87d2648c775272a8af238c0500289d439d858804e5&scene=21#wechat_redirect

public class IpAuthenticationToken extends AbstractAuthenticationToken {
    /**
     *  对比UsernamePasswordAuthenticationToken 中的账号principal 密码credentials
     */
    private  String ip;

    public String getIp() {
        return ip;
    }

    public void setIp(String ip) {
        this.ip = ip;
    }

    public  IpAuthenticationToken(String ip){
        super(null);
        this.ip=ip;
        //认证前
        super.setAuthenticated(false);
    }
    public  IpAuthenticationToken(String ip, Collection< ? extends GrantedAuthority> authorities){
        super(authorities);
        this.ip=ip;
        //认证后
        super.setAuthenticated(true);
    }
    @Override
    public Object getCredentials() {
        return null;
    }

    @Override
    public Object getPrincipal() {
        return this.ip;
    }
}

封装了用户ip的token类

public class IpAuthenticationProvider implements AuthenticationProvider {
    final static Map<String , SimpleGrantedAuthority> ipAuthorityMap=new ConcurrentHashMap<>();
    //维护一个权限Map
    static {
        ipAuthorityMap.put("127.0.0.1",new SimpleGrantedAuthority("ROLE_ADMIN"));
        ipAuthorityMap.put("10.236.69.103",new SimpleGrantedAuthority("ROLE_USER"));
        ipAuthorityMap.put("127.0.0.5",new SimpleGrantedAuthority("ROLE_DBA"));
    }
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //IpAuthenticationToken 是authentication的实现类
        IpAuthenticationToken ipAuthenticationToken = (IpAuthenticationToken) authentication;
        String ip = ipAuthenticationToken.getIp();
        SimpleGrantedAuthority simpleGrantedAuthority = ipAuthorityMap.get(ip);
        if (simpleGrantedAuthority!=null){
          return  new IpAuthenticationToken(ip, Arrays.asList(simpleGrantedAuthority));
        }
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        //只支持IPAuthentication进行认证
        return (IpAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

负责ip验证的provider

public class IpAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
     IpAuthenticationProcessingFilter(){
        super(new AntPathRequestMatcher("/ipVerify"));
    }

    /**
     *  在AbstractAuthenticationProcessingFilter的DoFilter方法中被调用
     * @param request
     * @param response
     * @return
     * @throws AuthenticationException
     * @throws IOException
     * @throws ServletException
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
         String hostIp=request.getRemoteHost();
         return getAuthenticationManager().authenticate(new IpAuthenticationToken(hostIp));
    }
}

负责sercurity验证的过滤器.

@Configuration
public class AppSecurityConfiger extends WebSecurityConfigurerAdapter {
    @Autowired
    private  IpAuthenticationProvider ipAuthenticationProvider;
    @Autowired
    private AppAuthenticationSuccessHandler appAuthenticationSuccessHandler;
    @Bean
    public  IpAuthenticationProvider ipAuthenticationProvider(){
        return  new IpAuthenticationProvider();
    }

    /**
     * 这里会覆盖configure中的SuccessHandler和异常的配置
     * @param authenticationManager
     * @return
     */
    IpAuthenticationProcessingFilter ipAuthenticationProcessingFilter(AuthenticationManager authenticationManager){
        IpAuthenticationProcessingFilter ipAuthenticationProcessingFilter = new IpAuthenticationProcessingFilter();
        //添加认证管理器
        ipAuthenticationProcessingFilter.setAuthenticationManager(authenticationManager);
        //添加成功处理器
        ipAuthenticationProcessingFilter.setAuthenticationSuccessHandler(appAuthenticationSuccessHandler);
        //添加失败处理器
        ipAuthenticationProcessingFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/myError"));
        return  ipAuthenticationProcessingFilter;
    }
  

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(ipAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("开始配置权限...............5");
        //过滤静态登录页面和静态资源,这里的/路径都是指的是controller请求路径并不是指静态页面路径
        http.authorizeRequests()
                .antMatchers("/ipLogin","/js/**").permitAll()
                .antMatchers("/","/home").hasRole("USER")
                .antMatchers("/admin/**").hasAnyRole("ADMIN","DBA")
                .antMatchers("/dba/**").hasAnyRole("DBA")
                .anyRequest().authenticated()
                .and().csrf().disable()
                .formLogin()
                .loginPage("/ipLogin")
              //  .successHandler(appAuthenticationSuccessHandler)
              //  .failureForwardUrl("/myError")
                .and()
                .logout().permitAll()
                .and()
                .exceptionHandling().accessDeniedPage("/accessDenied");
        //这里的得注意插入过滤器的位置
        http.addFilterBefore(ipAuthenticationProcessingFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class);
    }
}

这里我舍去了原文中LoginUrlAuthenticationEntryPoint的配置,选择直接在configure中配置验证拦截点的配置,另外发现新增的ipFilter的处理跳转的successHandler和failureForwardUrl无法在configure中配置,会失效

(四)以UsernamePasswordAuthenticationFilter为例分析sercurity的核心流程

WebSecurityConfigurerAdapter会获取到sercurity相关的filterChain(这部分源码没找到),然后挨个执行filter中的doFilter方法,每个filter都会继承抽象类AbstractAuthenticationProcessingFilter.
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    if (!requiresAuthentication(request, response)) {
        chain.doFilter(request, response);
        return;
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Request is to process authentication");
    }
    Authentication authResult;
    try {
        //在UsernamePasswordAutheticationFilter中被覆盖
        authResult = attemptAuthentication(request, response);
        if (authResult == null) {
            // return immediately as subclass has indicated that it hasn't completed
            // authentication
            return;
        }
        sessionStrategy.onAuthentication(authResult, request, response);
    }
    catch (InternalAuthenticationServiceException failed) {
        logger.error(
                "An internal error occurred while trying to authenticate the user.",
                failed);
        unsuccessfulAuthentication(request, response, failed);

        return;
    }
    catch (AuthenticationException failed) {
        // Authentication failed
        unsuccessfulAuthentication(request, response, failed);

        return;
    }

    // Authentication success
    if (continueChainBeforeSuccessfulAuthentication) {
        chain.doFilter(request, response);
    }
    //调用seccessHandler进行调整控制
    successfulAuthentication(request, response, chain, authResult);
}

usernamePasswordAuthenticationFilter:

public Authentication attemptAuthentication(HttpServletRequest request,
      HttpServletResponse response) throws AuthenticationException {
   if (postOnly && !request.getMethod().equals("POST")) {
      throw new AuthenticationServiceException(
            "Authentication method not supported: " + request.getMethod());
   }

   String username = obtainUsername(request);
   String password = obtainPassword(request);

   if (username == null) {
      username = "";
   }

   if (password == null) {
      password = "";
   }

   username = username.trim();

   UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
         username, password);

   // Allow subclasses to set the "details" property
   setDetails(request, authRequest);

   return this.getAuthenticationManager().authenticate(authRequest);
}

providerManager:遍历各个provider进行验证

public Authentication authenticate(Authentication authentication)
      throws AuthenticationException {
   Class<? extends Authentication> toTest = authentication.getClass();
   AuthenticationException lastException = null;
   Authentication result = null;
   boolean debug = logger.isDebugEnabled();

   for (AuthenticationProvider provider : getProviders()) {
      if (!provider.supports(toTest)) {
         continue;
      }

      if (debug) {
         logger.debug("Authentication attempt using "
               + provider.getClass().getName());
      }

      try {
         result = provider.authenticate(authentication);

         if (result != null) {
            copyDetails(authentication, result);
            break;
         }
      }
      catch (AccountStatusException e) {
         prepareException(e, authentication);
         // SEC-546: Avoid polling additional providers if auth failure is due to
         // invalid account status
         throw e;
      }
      catch (InternalAuthenticationServiceException e) {
         prepareException(e, authentication);
         throw e;
      }
      catch (AuthenticationException e) {
         lastException = e;
      }
   }

   if (result == null && parent != null) {
      // Allow the parent to try.
      try {
         result = parent.authenticate(authentication);
      }
      catch (ProviderNotFoundException e) {
         // ignore as we will throw below if no other exception occurred prior to
         // calling parent and the parent
         // may throw ProviderNotFound even though a provider in the child already
         // handled the request
      }
      catch (AuthenticationException e) {
         lastException = e;
      }
   }

   if (result != null) {
      if (eraseCredentialsAfterAuthentication
            && (result instanceof CredentialsContainer)) {
         // Authentication is complete. Remove credentials and other secret data
         // from authentication
         ((CredentialsContainer) result).eraseCredentials();
      }

      eventPublisher.publishAuthenticationSuccess(result);
      return result;
   }

   // Parent was null, or didn't authenticate (or throw an exception).

   if (lastException == null) {
      lastException = new ProviderNotFoundException(messages.getMessage(
            "ProviderManager.providerNotFound",
            new Object[] { toTest.getName() },
            "No AuthenticationProvider found for {0}"));
   }

   prepareException(lastException, authentication);

   throw lastException;
}

abstractUserDetailsAuthenticationProvider:调用userDetailService加载数据库里的user数据,并调用daoAuthenticationProvider的

additionalAuthenticationChecks进行账号密码匹配验证.

public Authentication authenticate(Authentication authentication)
      throws AuthenticationException {
   Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication,
         messages.getMessage(
               "AbstractUserDetailsAuthenticationProvider.onlySupports",
               "Only UsernamePasswordAuthenticationToken is supported"));

   // Determine username
   String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED"
         : authentication.getName();

   boolean cacheWasUsed = true;
   UserDetails user = this.userCache.getUserFromCache(username);

   if (user == null) {
      cacheWasUsed = false;

      try {
         user = retrieveUser(username,
               (UsernamePasswordAuthenticationToken) authentication);
      }
      catch (UsernameNotFoundException notFound) {
         logger.debug("User '" + username + "' not found");

         if (hideUserNotFoundExceptions) {
            throw new BadCredentialsException(messages.getMessage(
                  "AbstractUserDetailsAuthenticationProvider.badCredentials",
                  "Bad credentials"));
         }
         else {
            throw notFound;
         }
      }

      Assert.notNull(user,
            "retrieveUser returned null - a violation of the interface contract");
   }

   try {
      preAuthenticationChecks.check(user);
      additionalAuthenticationChecks(user,
            (UsernamePasswordAuthenticationToken) authentication);
   }
   catch (AuthenticationException exception) {
      if (cacheWasUsed) {
         // There was a problem, so try again after checking
         // we're using latest data (i.e. not from the cache)
         cacheWasUsed = false;
         user = retrieveUser(username,
               (UsernamePasswordAuthenticationToken) authentication);
         preAuthenticationChecks.check(user);
         additionalAuthenticationChecks(user,
               (UsernamePasswordAuthenticationToken) authentication);
      }
      else {
         throw exception;
      }
   }

   postAuthenticationChecks.check(user);

   if (!cacheWasUsed) {
      this.userCache.putUserInCache(user);
   }

   Object principalToReturn = user;

   if (forcePrincipalAsString) {
      principalToReturn = user.getUsername();
   }

   return createSuccessAuthentication(principalToReturn, authentication, user);
}

userDetailService加载数据库中国的user信息

@Service
public class SystemUserSerivce implements UserDetailsService {
    @Autowired
    private PermissionMapper permissionMapper;
    @Autowired
    private UserMapper userMapper;
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        User myUser =userMapper.selectUserByUsername(s);
        List<Permission> permissions = permissionMapper.selectPermissionsByUserName(s);
        List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for(Permission permission:permissions){
            String permissionCode = permission.getPermissionCode();
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(permissionCode);
            grantedAuthorities.add(grantedAuthority);
        }
        //这里provider需要的是springSecurity的user对象
        return new org.springframework.security.core.userdetails.User(s,myUser.getPassword(),grantedAuthorities);
    }
}

daoAuthenticationProvider 账号密码匹配

protected void additionalAuthenticationChecks(UserDetails userDetails,
      UsernamePasswordAuthenticationToken authentication)
      throws AuthenticationException {
   if (authentication.getCredentials() == null) {
      logger.debug("Authentication failed: no credentials provided");

      throw new BadCredentialsException(messages.getMessage(
            "AbstractUserDetailsAuthenticationProvider.badCredentials",
            "Bad credentials"));
   }

   String presentedPassword = authentication.getCredentials().toString();

   if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
      logger.debug("Authentication failed: password does not match stored value");

      throw new BadCredentialsException(messages.getMessage(
            "AbstractUserDetailsAuthenticationProvider.badCredentials",
            "Bad credentials"));
   }
}

如果验证通过则abstractUserDetailsAuthenticationProvider会调用createSuccessAuthentication将权限信息也塞入token,并返回,如果验证不通过继续循环下一个provider

protected Authentication createSuccessAuthentication(Object principal,
      Authentication authentication, UserDetails user) {
   // Ensure we return the original credentials the user supplied,
   // so subsequent attempts are successful even with encoded passwords.
   // Also ensure we return the original getDetails(), so that future
   // authentication events after cache expiry contain the details
   UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
         principal, authentication.getCredentials(),
         authoritiesMapper.mapAuthorities(user.getAuthorities()));
   result.setDetails(authentication.getDetails());

   return result;

回到filter,验证通过,并且返回了一个新的authentication ,包含了用户信息和权限,successfulAuthentication调用执行successHandler开始根据权限进行跳转

protected void successfulAuthentication(HttpServletRequest request,
      HttpServletResponse response, FilterChain chain, Authentication authResult)
      throws IOException, ServletException {

   if (logger.isDebugEnabled()) {
      logger.debug("Authentication success. Updating SecurityContextHolder to contain: "
            + authResult);
   }

   SecurityContextHolder.getContext().setAuthentication(authResult);

   rememberMeServices.loginSuccess(request, response, authResult);

   // Fire event
   if (this.eventPublisher != null) {
      eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
            authResult, this.getClass()));
   }

   successHandler.onAuthenticationSuccess(request, response, authResult);
}

这里以simpleUrlAuthenticationSuccessHandler为例:

public void onAuthenticationSuccess(HttpServletRequest request,
      HttpServletResponse response, Authentication authentication)
      throws IOException, ServletException {

   handle(request, response, authentication);
   clearAuthenticationAttributes(request);
}

handler就是我们重写的覆盖的方法

protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    System.out.println("开始根据权限判断将要跳转的页面................");
    String url=determineTargetUrl(authentication);
    redirectStrategy.sendRedirect(request,response,url);
}
protected String determineTargetUrl(Authentication authentication){
    String url="";
    Collection<? extends GrantedAuthority> grantedAuthorities = authentication.getAuthorities();
    List<String> roles=new ArrayList<>();
    for(GrantedAuthority grantedAuthority:grantedAuthorities){
        roles.add(grantedAuthority.getAuthority());
    }
    //这里返回路径重定向,同样返回的是controller请求路径,并不是指静态文件的路径
    if(roles.contains("ROLE_ADMIN")){
        return  "/admin";
    }else if(roles.contains("ROLE_DBA")){
        return  "/dba";
    }else if (roles.contains("ROLE_USER")){
        return "/home";
    }else {
        return  "/accessDenied";
    }
}

 

至此,sercurity的核心流程全部结束.

在最后,补上一个从芋道源码获取的整体的流程图

 
qq_35140272
关注
  • 0
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 2
    评论
专栏目录
Spring Security 示例项目
11-29
在这个入门项目中,最常见的是基于内存的UserDetailsService,它会将用户信息存储在内存中。 2. **授权(Authorization)**: 授权是决定已认证的用户可以访问哪些资源或执行哪些操作。Spring Security 提供了基于...
spring security 入门demo
08-11
通过深入研究这个入门demo,开发者可以逐步了解并掌握Spring Security的强大功能,从而能够为自己的应用程序构建出健壮且安全的访问控制机制。无论是对于Web应用还是RESTful API,Spring Security都能提供全面的解决...
SpringSecurity案例一(可运行)
大连赵哥的博客
01-10 949
SpringSecurity案例一(可运行)
SpringSpring Security介绍及其入门案例
源僧
09-11 272
本文只为了备忘,而进行抄录的Spring 是非常流行和成功的 Java 应用开发框架,Spring Security 正是 Spring 家族中的成员。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方案。正如你可能知道的关于安全方面的两个主要区域是“认证”和“授权”(或者访问控制),一般来说,Web 应用的安全性包括用户认证(Authentication)和用户授权(Authorization)两个部分,这两点也是 Spring Security 重要核心
SpringSecurity详细解读与应用
最新发布
CTZL123456的博客
06-19 541
执行完loadUserByUsername后会返回数据库的用户密码,此信息会经过PasswordEncode类,和用户输入的密码来进行校验,但是原生的PasswordEncode比较糟糕(略),所以我们在配置中修改一下PasswordEncode的校验方式,使用 BCrypt。通常,我们习惯于将原生的用户认证修改为基于数据库字段的(例如username和password)进行登录校验的业务逻辑,这就需要我们进入Secuirty的认证流程中,修改源代码来解决。二、代码实现-用户认证。
spring security 使用示例
红衣女妖仙的博客
08-19 2021
用户名密码认证、短信验证码认证、踢人下线、 AuthorizationFilter 授权、FilterSecurityInterceptor url / expression 授权、登出、分布式配置。 2、SecurityConfig   先添加一个 SecurityConfig 配置类,作为整个 spring security 的核心配置,后续的认证、授权等功能都将在整个配置类中完成。 3、用户名密码认证   用户名密码认证主要是自定义实现 UserDetails、UserDetailsService、A
SpringSecurity 详解(通俗易懂)
风也温柔☆的博客
08-12 1822
2、退出,从SecurityContextHolder中拿到认证信息loginUser,进而得到userId。1.3、 如果找到,说明已经登录(将认证信息即用户信息 存入SecurityContextHolder)。1.1、第一次登陆时,根据userId生成jwt(能反解析出userId),返回给 浏览器并存储。1.2、用户下次再请求时,带上token, 登录校验过滤器会从token中解析出userId,通过userid查redis,查到(从redis中获取用户信息),查不到 认证失败(重新登录)
spring security简单例子
shuangyueliao的专栏
02-27 2048
数据库表简单设计如下 DROP TABLE IF EXISTS `user`; CREATE TABLE `user` (   `username` varchar(255) NOT NULL,   `password` char(255) NOT NULL,   `roles` enum('MEMBER','MEMBER,LEADER','SUPER_ADMIN','ROLE1','ROLE2...
Spring Security 详解
热门推荐
qq_22075913的博客
06-06 11万+
Spring SecuritySpring家族中的一个安全管理框架。相比与另外一个安全框架Shiro,它提供了更丰富的功能,社区资源也比Shiro丰富。一般来说中大型的项目都是使用SpringSecurity来做安全框架。小项目有Shiro的比较多,因为相比与SpringSecurity,Shiro的上手更加的简单。​ 一般Web应用的需要进行认证和授权。​ 而认证和授权也是SpringSecurity作为安全框架的核心功能。视频地址:​ 我们先要搭建一个简单的SpringBoot工程① 设置父工
springsecurity详解
baidu_37366055的博客
11-23 9万+
1.springsecurity springsecurity底层实现为一条过滤器链,就是用户请求进来,判断有没有请求的权限,抛出异常,重定向跳转。 2.登录页 springsecurity自带一个登录页。 从登陆入手,登录页替换成我们自己的,对输入的账号密码进行验证 /** * 表单登陆security * 安全 = 认证 + 授权 */ @Configuration public class SecurityConfig extends WebSecurityConfigur
spring mvc入门示例
12-23
MVC模式将应用程序分为三个主要部分:Model(模型)负责处理数据和业务逻辑,View(视图)负责显示数据,Controller(控制器)接收用户请求并调用模型进行处理,然后更新视图。 Spring MVC的工作流程如下: 1. 用户...
Spring Security实战例子
09-08
Spring Security实战例子资源里面有4个小项目,都是利用maven搭建的。数据库要建立一个security的表
SpringSecurity入门Demo实例
10-15
按照教程https://blog.csdn.net/ryo1060732496/article/details/78848205 编写的demo程序
Spring Security3.1实例
05-13
spring security3.1 在数据库实现 用户 角色 资源 权限控制,在eclipse+tomcat下测试通过
springboot+springSecurity的Demo实例
09-24
springboot+springsecurity做的一个demo实例,里面功能很全,希望帮到大家,谢谢!
springSecurity.zip
06-23
本教程将带你简单入门Spring Security,了解其核心概念和基本配置。 一、Spring Security 概述 Spring Security的核心目标是为应用程序提供“认证”(Authentication)和“授权”(Authorization)。认证是指确认...
springSecurityTest.zip
03-27
在这个入门程序中,你可能发现配置了`UserDetailsService`接口,通过它来查询用户的凭证,并创建`Authentication`对象,这将用于后续的授权过程。 其次,授权是决定已认证的用户能否访问特定资源的过程。Spring ...
spring-security
migo_的专栏
02-25 1234
Spring Security是一个框架,致力于为Java应用程序提供身份验证和授权。像所有Spring项目一样,Spring Security的真正强大之处在于它可以轻松扩展以满足定制需求的能力。Spring SecuritySpring采用 `AOP`思想,基于 `servlet过滤器`实现的安全框架。它提供了完善的认证机制和方法级的授权功能。Spring Security是一个功能强大且高度可定制的身份验证和访问控制框架。它是用于保护基于Spring的应用程序的事实上的标准。
Spring Security详细介绍使用
书启鸿蒙知秋枫
03-08 4491
Spring 是非常流行和成功的 Java 应用开发框架,Spring Security 正是 Spring 家族中的成员。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方案。正如你可能知道的关于安全方面的两个核心功能是“
Spring Security3入门与实战
Spring Security3是一个强大的安全框架,它为Java和Java EE应用提供了全面的安全解决方案。该框架的核心目标是确保只有经过正确认证和授权的用户能够访问应用程序的特定资源。在书中,作者首先通过分析一个不安全的...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值