1导入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.83</version>
</dependency>
2新建CustomSecurityConfiguration类
import com.alibaba.fastjson.JSON;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
/**
* @author junior_programmer
* <p>
* EnableGlobalMethodSecurity 启用前置注解
*/
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
/**
* spring security默认的登录接口,可自定义登录路径
*/
private static final String DEFAULT_LOGIN_URL = "/login";
/**
* 定义密码加密bean,校验用户名密码需要用到
*
* @return 密码加密类
*/
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* DEFAULT_LOGIN_URL设置进白名单,其余接口全部需要登录后访问
* <p>
* formLogin() 配置表单登录的一些信息
* loginProcessingUrl 设置登录接口的url
* successHandler 登录成功使用自定义的事件处理器 CustomAuthenticationSuccessHandler
* failureHandler 登陆失败使用自定义的事件处理器 CustomAuthenticationFailureHandler
* <p>
* exceptionHandling() 统一的异常处理信息
* accessDeniedHandler 权限不足使用自定义的事件处理器 CustomAccessDeniedHandler
* <p>
* logout() 登出的配置信息
* logoutSuccessHandler 登出成功使用自定义的事件处理器 CustomLogoutSuccessHandler
*
* @param http http
* @throws Exception ex
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(DEFAULT_LOGIN_URL).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl(DEFAULT_LOGIN_URL)
.successHandler(new CustomAuthenticationSuccessHandler())
.failureHandler(new CustomAuthenticationFailureHandler())
.and()
.exceptionHandling()
.accessDeniedHandler(new CustomAccessDeniedHandler())
.and()
.logout()
.logoutSuccessHandler(new CustomLogoutSuccessHandler());
}
/**
* 使用内存中定义的用户进行登录校验,用户名和密码均设置为admin,给与ROLE_admin的权限
*
* @param auth auth
* @throws Exception ex
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(passwordEncoder().encode("admin"))
.authorities(new SimpleGrantedAuthority("ROLE_admin"));
}
private void write(HttpServletResponse response, Map<String, Object> params) throws IOException {
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setStatus((int) params.get("code"));
response.getOutputStream().write(JSON.toJSONString(params).getBytes());
response.getOutputStream().flush();
}
/**
* 自定义权限不足处理事件
*/
private class CustomAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.UNAUTHORIZED.value());
params.put("error", accessDeniedException.getMessage());
write(response, params);
}
}
/**
* 自定义登录成功触发事件
*/
private class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
//登录成功后有两种处理方式,任选其一
// 登出后返回json数据给前端显示
// Map<String, Object> params = new HashMap<>();
//
// params.put("code", HttpStatus.OK.value());
//
// write(response, params);
// 登出后跳转回未登录时访问的页面或 home页面
String url = "/home";
RequestCache cache = new HttpSessionRequestCache();
SavedRequest savedRequest = cache.getRequest(request, response);
if (Objects.nonNull(savedRequest)) {
String callbackUri = savedRequest.getRedirectUrl();
if (callbackUri != null && !"".equals(callbackUri.trim())) {
url = callbackUri;
}
}
response.sendRedirect(url);
}
}
/**
* 自定义登录失败触发事件
*/
private class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
params.put("error", exception.getMessage());
write(response, params);
}
}
/**
* 自定义登出成功触发事件
*/
private class CustomLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.OK.value());
write(response, params);
}
}
}
3 新建Controller进行测试
/**
* 普通接口,登录即可访问
*
* @return
*/
@GetMapping("/hello")
public String hello() {
return "hello";
}
/**
* admin接口 需要有ROLE_admin的权限才能访问
*
* @return
*/
@PreAuthorize("hasRole('ROLE_admin')")
@GetMapping("/admin")
public String admin() {
return "admin";
}
/**
* admin接口 需要有ROLE_user的权限才能访问
*
* @return
*/
@PreAuthorize("hasRole('ROLE_user')")
@GetMapping("/user")
public String user() {
return "user";
}
4测试
使用admin admin进行登录
http://localhost:8080/user
{"code":401,"error":"不允许访问"}
http://localhost:8080/admin
admin
http://localhost:8080/hello
hello
基于内存用户模式以及自定义的一些配置,实现登录以及接口的授权管理
gitee https://gitee.com/junior_programmer/spring-security-series