1导入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.83</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.26</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
</dependency>
2新建CustomSecurityConfiguration类
package cn.junior_programmer.springsecurityjdbc.config;
import com.alibaba.fastjson.JSON;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
/**
* @author junior_programmer
* <p>
* EnableGlobalMethodSecurity 启用前置注解
*/
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
/**
* spring security默认的登录接口,可自定义登录路径
*/
private static final String DEFAULT_LOGIN_URL = "/login";
/**
* 定义密码加密bean,校验用户名密码需要用到
*
* @return 密码加密类
*/
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
private UserDetailsService userDetailsService;
@Bean
public DaoAuthenticationProvider authenticationProvider() {
final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setPasswordEncoder(passwordEncoder());
// 设置为false可以抛出UsernameNotFoundException 默认情况下会抛出BadCredentialsException
provider.setHideUserNotFoundExceptions(false);
return provider;
}
/**
* DEFAULT_LOGIN_URL设置进白名单,其余接口全部需要登录后访问
* <p>
* formLogin() 配置表单登录的一些信息
* loginProcessingUrl 设置登录接口的url
* successHandler 登录成功使用自定义的事件处理器 CustomAuthenticationSuccessHandler
* failureHandler 登陆失败使用自定义的事件处理器 CustomAuthenticationFailureHandler
* <p>
* exceptionHandling() 统一的异常处理信息
* accessDeniedHandler 权限不足使用自定义的事件处理器 CustomAccessDeniedHandler
* <p>
* logout() 登出的配置信息
* logoutSuccessHandler 登出成功使用自定义的事件处理器 CustomLogoutSuccessHandler
*
* @param http http
* @throws Exception ex
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(DEFAULT_LOGIN_URL).permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginProcessingUrl(DEFAULT_LOGIN_URL)
.successHandler(new CustomAuthenticationSuccessHandler())
.failureHandler(new CustomAuthenticationFailureHandler())
.and()
.exceptionHandling()
.accessDeniedHandler(new CustomAccessDeniedHandler())
.and()
.logout()
.logoutSuccessHandler(new CustomLogoutSuccessHandler());
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider());
}
private void write(HttpServletResponse response, Map<String, Object> params) throws IOException {
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setStatus((int) params.get("code"));
response.getOutputStream().write(JSON.toJSONString(params).getBytes());
response.getOutputStream().flush();
}
/**
* 自定义权限不足处理事件
*/
private class CustomAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.UNAUTHORIZED.value());
params.put("error", accessDeniedException.getMessage());
write(response, params);
}
}
/**
* 自定义登录成功触发事件
*/
private class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
// 登出后返回json数据给前端显示
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.OK.value());
write(response, params);
}
}
/**
* 自定义登录失败触发事件
*/
private class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
params.put("error", exception.getMessage());
write(response, params);
}
}
/**
* 自定义登出成功触发事件
*/
private class CustomLogoutSuccessHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
Map<String, Object> params = new HashMap<>();
params.put("code", HttpStatus.OK.value());
write(response, params);
}
}
}
3 新建Controller进行测试
/**
* 普通接口,登录即可访问
*
* @return
*/
@GetMapping("/hello")
public String hello() {
return "hello";
}
/**
* admin接口 需要有ROLE_admin的权限才能访问
*
* @return
*/
@PreAuthorize("hasRole('ROLE_admin')")
@GetMapping("/admin")
public String admin() {
return "admin";
}
/**
* admin接口 需要有ROLE_user的权限才能访问
*
* @return
*/
@PreAuthorize("hasRole('ROLE_user')")
@GetMapping("/user")
public String user() {
return "user";
}
4 新建表
CREATE TABLE `user` (
`id` int(0) NOT NULL AUTO_INCREMENT,
`user_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
`password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
`role_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_bin ROW_FORMAT = Dynamic;
SET FOREIGN_KEY_CHECKS = 1;
insert into user values(1,'admin','$2a$10$vTFXf/Qs1cIsKQEsoFVhoOt9KRAjD2zbirYmLUXx/G1hALkCvw5lW','admin')
新建实体类
@Data
public class User {
private Integer id;
private String userName;
private String password;
private String roleName;
}
@Data
@NoArgsConstructor
@AllArgsConstructor
public class LoginUser implements UserDetails {
public LoginUser(User user) {
this.userName = user.getUserName();
this.password = user.getPassword();
this.roleName = user.getRoleName();
}
private String userName;
private String password;
private String roleName;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
List<SimpleGrantedAuthority> list = new ArrayList<>();
list.add(new SimpleGrantedAuthority("ROLE_" + roleName));
return list;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return userName;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
新建Mapper
@Mapper
public interface UserMapper extends BaseMapper<User> {
}
新建manager
@Service
public class UserManager extends ServiceImpl<UserMapper, User> {
public User loadByUserName(String userName) {
LambdaQueryWrapper<User> queryWrapper = Wrappers.lambdaQuery();
queryWrapper.eq(User::getUserName, userName);
return this.getOne(queryWrapper, false);
}
}
新建Service 继承UserDetailsService
@Service
public class CustomUserDetailServiceImpl implements UserDetailsService {
@Autowired
private UserManager userManager;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userManager.loadByUserName(username);
if (Objects.isNull(user)) {
throw new UsernameNotFoundException("用户名未找到:" + username);
}
return new LoginUser(user);
}
}
测试
使用admin admin进行登录
http://localhost:8080/user
{"code":401,"error":"不允许访问"}
http://localhost:8080/admin
admin
http://localhost:8080/hello
hello
如果需要使用json登录方式,使用下面的方式
新建CustonAuthenticationFilter
public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public CustomAuthenticationFilter(String loginDefaultUrl) {
super(loginDefaultUrl);
}
@Resource
private UserDetailsService userDetailsService;
@Resource
private PasswordEncoder passwordEncoder;
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException {
LoginCondition condition = JSON.parseObject(request.getInputStream(), LoginCondition.class);
if (Objects.isNull(condition)) {
throw new BadCredentialsException("未获取到登录Condition");
}
String username = validateUsername(condition.getUsername());
String password = validatePassword(condition.getPassword());
LoginUser loginUser = (LoginUser) userDetailsService.loadUserByUsername(username);
if (!passwordEncoder.matches(password, loginUser.getPassword())) {
throw new BadCredentialsException("账号密码不匹配");
}
return new UsernamePasswordAuthenticationToken(loginUser, password, loginUser.getAuthorities());
}
private String validateUsername(String username) {
if (StringUtils.isNotBlank(username)) {
return username.trim();
}
throw new BadCredentialsException("username不能为空");
}
private String validatePassword(String password) {
if (StringUtils.isNotBlank(password)) {
return password.trim();
}
throw new BadCredentialsException("password不能为空");
}
}
修改 CustomSecurityConfiguration
@Bean
public CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
CustomAuthenticationFilter customAuthenticationFilter = new CustomAuthenticationFilter(DEFAULT_LOGIN_URL);
customAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
customAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
customAuthenticationFilter.setAuthenticationManager(authenticationManagerBean());
return customAuthenticationFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(DEFAULT_LOGIN_URL).permitAll()
.anyRequest().authenticated()
.and()
.addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
.formLogin()
.loginProcessingUrl(DEFAULT_LOGIN_URL)
.and()
.exceptionHandling()
.accessDeniedHandler(new CustomAccessDeniedHandler())
.and()
.logout()
.logoutSuccessHandler(new CustomLogoutSuccessHandler());
}
https://gitee.com/junior_programmer/spring-security-series/tree/master/spring-security-jdbc