SpringSecurity-02 基于数据库的登录以及自定义登录方式

于 2023-06-25 15:31:40 发布
阅读量186 收藏 1
点赞数
分类专栏: SpringSecurity 文章标签: mybatis java
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_37724144/article/details/131378936
版权

1导入依赖

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <version>2.4.4</version>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.4.4</version>
</dependency>

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.83</version>
</dependency>
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <version>1.18.26</version>
</dependency>
<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
    <groupId>com.baomidou</groupId>
    <artifactId>mybatis-plus-boot-starter</artifactId>
</dependency>

2新建CustomSecurityConfiguration类


package cn.junior_programmer.springsecurityjdbc.config;

import com.alibaba.fastjson.JSON;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * @author junior_programmer
 * <p>
 * EnableGlobalMethodSecurity   启用前置注解
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {


    /**
     * spring security默认的登录接口,可自定义登录路径
     */
    private static final String DEFAULT_LOGIN_URL = "/login";


    /**
     * 定义密码加密bean,校验用户名密码需要用到
     *
     * @return 密码加密类
     */
    @Bean
    PasswordEncoder passwordEncoder() {

        return new BCryptPasswordEncoder();
    }

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        // 设置为false可以抛出UsernameNotFoundException 默认情况下会抛出BadCredentialsException
        provider.setHideUserNotFoundExceptions(false);
        return provider;
    }

    /**
     * DEFAULT_LOGIN_URL设置进白名单,其余接口全部需要登录后访问
     * <p>
     * formLogin() 配置表单登录的一些信息
     * loginProcessingUrl 设置登录接口的url
     * successHandler 登录成功使用自定义的事件处理器 CustomAuthenticationSuccessHandler
     * failureHandler 登陆失败使用自定义的事件处理器 CustomAuthenticationFailureHandler
     * <p>
     * exceptionHandling() 统一的异常处理信息
     * accessDeniedHandler 权限不足使用自定义的事件处理器 CustomAccessDeniedHandler
     * <p>
     * logout() 登出的配置信息
     * logoutSuccessHandler 登出成功使用自定义的事件处理器 CustomLogoutSuccessHandler
     *
     * @param http http
     * @throws Exception ex
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .antMatchers(DEFAULT_LOGIN_URL).permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl(DEFAULT_LOGIN_URL)
                .successHandler(new CustomAuthenticationSuccessHandler())
                .failureHandler(new CustomAuthenticationFailureHandler())
                .and()
                .exceptionHandling()
                .accessDeniedHandler(new CustomAccessDeniedHandler())
                .and()
                .logout()
                .logoutSuccessHandler(new CustomLogoutSuccessHandler());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        auth.authenticationProvider(authenticationProvider());
    }

    private void write(HttpServletResponse response, Map<String, Object> params) throws IOException {

        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setStatus((int) params.get("code"));


        response.getOutputStream().write(JSON.toJSONString(params).getBytes());

        response.getOutputStream().flush();
    }

    /**
     * 自定义权限不足处理事件
     */
    private class CustomAccessDeniedHandler implements AccessDeniedHandler {

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {

            Map<String, Object> params = new HashMap<>();

            params.put("code", HttpStatus.UNAUTHORIZED.value());
            params.put("error", accessDeniedException.getMessage());

            write(response, params);
        }
    }


    /**
     * 自定义登录成功触发事件
     */
    private class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            // 登出后返回json数据给前端显示
            Map<String, Object> params = new HashMap<>();

            params.put("code", HttpStatus.OK.value());

            write(response, params);

        }
    }


    /**
     * 自定义登录失败触发事件
     */
    private class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {

            Map<String, Object> params = new HashMap<>();

            params.put("code", HttpStatus.INTERNAL_SERVER_ERROR.value());
            params.put("error", exception.getMessage());

            write(response, params);
        }
    }


    /**
     * 自定义登出成功触发事件
     */
    private class CustomLogoutSuccessHandler implements LogoutSuccessHandler {

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            Map<String, Object> params = new HashMap<>();

            params.put("code", HttpStatus.OK.value());

            write(response, params);
        }
    }
}

3 新建Controller进行测试



    /**
     * 普通接口,登录即可访问
     *
     * @return
     */
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }

    /**
     * admin接口 需要有ROLE_admin的权限才能访问
     *
     * @return
     */
    @PreAuthorize("hasRole('ROLE_admin')")
    @GetMapping("/admin")
    public String admin() {
        return "admin";
    }

    /**
     * admin接口 需要有ROLE_user的权限才能访问
     *
     * @return
     */
    @PreAuthorize("hasRole('ROLE_user')")
    @GetMapping("/user")
    public String user() {
        return "user";
    }

4 新建表

CREATE TABLE `user`  (
  `id` int(0) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
  `password` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
  `role_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb4 COLLATE = utf8mb4_bin ROW_FORMAT = Dynamic;

SET FOREIGN_KEY_CHECKS = 1;



insert into user values(1,'admin','$2a$10$vTFXf/Qs1cIsKQEsoFVhoOt9KRAjD2zbirYmLUXx/G1hALkCvw5lW','admin')

新建实体类

@Data
public class User {

    private Integer id;

    private String userName;

    private String password;

    private String roleName;
}

@Data
@NoArgsConstructor
@AllArgsConstructor
public class LoginUser implements UserDetails {

    public LoginUser(User user) {

        this.userName = user.getUserName();
        this.password = user.getPassword();
        this.roleName = user.getRoleName();
    }


    private String userName;

    private String password;

    private String roleName;


    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {

        List<SimpleGrantedAuthority> list = new ArrayList<>();

        list.add(new SimpleGrantedAuthority("ROLE_" + roleName));

        return list;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return userName;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}

新建Mapper

@Mapper
public interface UserMapper extends BaseMapper<User> {

}

新建manager

@Service
public class UserManager extends ServiceImpl<UserMapper, User> {


    public User loadByUserName(String userName) {

        LambdaQueryWrapper<User> queryWrapper = Wrappers.lambdaQuery();

        queryWrapper.eq(User::getUserName, userName);

        return this.getOne(queryWrapper, false);
    }
}

新建Service 继承UserDetailsService

@Service
public class CustomUserDetailServiceImpl implements UserDetailsService {

    @Autowired
    private UserManager userManager;


    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        User user = userManager.loadByUserName(username);

        if (Objects.isNull(user)) {

            throw new UsernameNotFoundException("用户名未找到:" + username);
        }

        return new LoginUser(user);
    }
}

测试

使用admin admin进行登录

http://localhost:8080/user

{"code":401,"error":"不允许访问"}

http://localhost:8080/admin

admin

http://localhost:8080/hello

hello

如果需要使用json登录方式,使用下面的方式

新建CustonAuthenticationFilter

public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {


    public CustomAuthenticationFilter(String loginDefaultUrl) {

        super(loginDefaultUrl);
    }

    @Resource
    private UserDetailsService userDetailsService;

    @Resource
    private PasswordEncoder passwordEncoder;


    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException {

        LoginCondition condition = JSON.parseObject(request.getInputStream(), LoginCondition.class);

        if (Objects.isNull(condition)) {
            throw new BadCredentialsException("未获取到登录Condition");
        }

        String username = validateUsername(condition.getUsername());
        String password = validatePassword(condition.getPassword());

        LoginUser loginUser = (LoginUser) userDetailsService.loadUserByUsername(username);

        if (!passwordEncoder.matches(password, loginUser.getPassword())) {

            throw new BadCredentialsException("账号密码不匹配");
        }

        return new UsernamePasswordAuthenticationToken(loginUser, password, loginUser.getAuthorities());
    }
    

    private String validateUsername(String username) {

        if (StringUtils.isNotBlank(username)) {

            return username.trim();
        }

        throw new BadCredentialsException("username不能为空");
    }

    private String validatePassword(String password) {

        if (StringUtils.isNotBlank(password)) {

            return password.trim();
        }

        throw new BadCredentialsException("password不能为空");
    }
}

修改 CustomSecurityConfiguration

    @Bean
    public CustomAuthenticationFilter customAuthenticationFilter() throws Exception {

        CustomAuthenticationFilter customAuthenticationFilter = new CustomAuthenticationFilter(DEFAULT_LOGIN_URL);

        customAuthenticationFilter.setAuthenticationSuccessHandler(new CustomAuthenticationSuccessHandler());
        customAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
        customAuthenticationFilter.setAuthenticationManager(authenticationManagerBean());

        return customAuthenticationFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .antMatchers(DEFAULT_LOGIN_URL).permitAll()
                .anyRequest().authenticated()
                .and()
                .addFilterAt(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
                .formLogin()
                .loginProcessingUrl(DEFAULT_LOGIN_URL)
                .and()
                .exceptionHandling()
                .accessDeniedHandler(new CustomAccessDeniedHandler())
                .and()
                .logout()
                .logoutSuccessHandler(new CustomLogoutSuccessHandler());
    }

https://gitee.com/junior_programmer/spring-security-series/tree/master/spring-security-jdbc

junior~programmer
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
SpringSecurity连接数据库并设置权限
weixin_68193389的博客
11-08 492
在页面显示权限是否正确。
SpringSecurity5.7从入门到精通全套教程-认证篇使用数据库存储用户
weixin_46040278的博客
05-03 989
本文章仅供学习参考,有很多地方都是借鉴大佬的文档,如文档有错误地方欢迎指正
详解Spring Security
Joker_ZJN的博客
04-21 2082
万字长文详解spring security,全网最清晰易懂。
SpringBoot整合Spring Security (一,基于数据库登录认证)
llvyuanjie的博客
05-02 3707
SpringBoot整合Spring Security (一,基于数据库登录认证) 一、基本环境准备 1、数据库表设计 登录认证一般涉及到三张表:用户表、角色表、用户角色中间表。 /* Navicat MySQL Data Transfer Source Server : localhost Source Server Version : 50717 Source Host...
SpringBoot + Security 自定义登录界面 数据库动态管理用户和权限 记住密码 退出登录
qq_33545171的博客
06-13 1283
Security的基本介绍搜搜别的博客看吧,我是来贴代码的(如果是新手,一定要多看看基本介绍,搭建,配置等)最重要的Security配置代码package com.andsonap.config;import java.io.IOException;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet...
spring-security实现自定义登录认证.rar
05-21
本资源“spring-security实现自定义登录认证.rar”包含了一个使用Spring Security进行登录认证的示例,以及JWT(JSON Web Tokens)与Spring Security集成的代码。 首先,让我们了解Spring Security的基本工作原理。...
SpringSecurity-数据库认证-简单授权
最新发布
06-03
在这个“SpringSecurity-数据库认证-简单授权”的主题中,我们将深入探讨如何结合SpringSecurity与数据库来实现用户身份验证和权限管理。 首先,我们需要理解SpringSecurity的核心组件。`Authentication`代表认证,...
springsecurity+oauth2+jwt实现单点登录demo
06-06
该资源是springsecurity+oauth2+jwt实现的单点登录demo,模式为授权码模式,实现自定义登录页面和自定义授权页面。应用数据存在内存中或者存在数据库中(附带数据库表结构),token存储分为数据库或者Redis。demo...
spring security自定义认证登录的全过程记录
08-28
Spring Security 自定义认证登录全过程记录 Spring Security 是一个基于 Spring AOP 和 Servlet 过滤器的安全框架,以此来管理权限认证等。在 Spring Security 中,自定义认证登录是非常重要的,它可以满足不同的...
spring security的学习-3. 自定义数据库表结构.doc
06-03
定义数据库表结构”的文档中,我们将探讨如何根据企业特定的需求来定制Spring Security的数据库表结构,并且如何初始化数据以及获取自定义的用户权限信息。Spring Security默认的表结构可能无法满足所有企业的...
SpringSecurity4 样例工程(自定义登录页,从数据库获取用户名密码)
05-23
SpringSecurity4 样例工程(自定义登录页,从数据库获取用户名密码)
spring security与数据库交互实现简单例子
03-22
NULL 博文链接:https://ynp.iteye.com/blog/1008178
Spring Security 3连接数据库查询实例
07-15
Spring Security 3连接数据库查询实例
SpringBoot+SpringSecurity实现查询数据库定义登录
weixin_46628668的博客
04-03 1609
SpringSecurity实现自定义登录页 在上一篇文章SpringSecurity实现简单的用户认证中,已经实现了自定义的安全配置类SecurityConfig(继承了WebSecurityConfigurerAdapter),要实现自定义登录页,需要覆写其中的config(HttpSecurity http)方法: @Override protected void configure(HttpSecurity http) throws Exception { http.formLogi
Spring Security之自定义数据库
来啊 快活啊
06-14 1236
[org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl]类中定义了三条sql语句和三个相关的方法:public static final String DEF_USERS_BY_USERNAME_QUERY = "select username,password,enabled " + "from use
Spring Security 6.x 系列【2】认证篇之使用数据库存储用户
记录知识、锤炼自我
03-23 4688
用户进行认证,最常见的认证方式就是用户名+密码,认证服务需要根据用户名从存储中查询用户信息,然后判断输入的密码和存储中的密码是否匹配。对用户名、密码存储,支持多种存储机制:内存JDBC关系型数据库使用的自定义数据存储使用LDAP认证的LDAP存储本篇文档主要学习使用数据库存储用户信息。
SpringSecurity之二:web自定义用户登录
铃萌的博客
05-01 2563
官方文档:Hello Spring Security :: Spring Security 一、认证流程 先了解下SpringSecurity认证的流程,如下图(图片来自官网): step1:用户提交请求,AbstractAuthenticationProcessingFilter会从请求信息中生成Authentication对象,Authentication对象根据AbstractAuthenticationProcessingFilter子类决定; step2:通过Authentication.
SpringSecurity系列之基于数据库认证
kenewstar的博客
01-21 2239
SpringSecurity系列之基于数据库认证 本文中所使用的技术栈如下: SpringBoot 2.6.2 MyBatis Plus 3.5.0 SpringSecurity 5.6.1 一、创建数据库表 如下图所示,创建一个简单的用户数据表,实际开发中应当使用密文存储密码,而不是如下当中的明文存储。 二、创建SpringBoot应用 1.配置application.properties文件 主要是配置数据库连接信息 # 指定端口号 server: port: 8888 # 配置数据库连接信息
Spring全家桶-Spring Security之自定义数据库表认证和鉴权
HQ DevJ的专栏
05-10 1454
Spring全家桶-Spring Security之自定义数据库表认证和鉴权 Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC(控制反转),DI(依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。 文章目录Spring全家桶-Spring Security之自定义数据库表认
基于 Speing Security 如何实现自定义 token 登录
09-05
基于 Spring Security 实现自定义 token 登录的步骤如下: 1. 实现自定义 Token 类,继承 org.springframework.security.authentication.UsernamePasswordAuthenticationToken。 2. 实现自定义 ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值