01-SpringSecurity认证、授权

已于 2022-12-13 10:50:24 修改
阅读量844 收藏 1
点赞数
分类专栏: SpringSecurity 文章标签: java 前端 springsecurity 认证
于 2022-08-02 19:06:31 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42861526/article/details/126127876
版权

一、工作原理

SpringSecurity是使用filter来对资源进行保护的,当初始化SpringSecurity时会创建一个 SpringSecurityFilterChain的过滤器链,它实现了servlet的filter,因此外部的请求会经过该链
在这里插入图片描述
![在这里插入图片描述](https://img-blog.csdnimg.cn/7880712652094db98577c48ba9ff66ee.png

默认状态下,这个filterChain是如下结构
在这里插入图片描述
在这里插入图片描述

二、认证流程

在这里插入图片描述
从上面的流程中我们可以看到几个重要的组件

  1. authenticationFilter:过滤器,将请求携带的参数封装成指定的token传给authenticationManager,可以为它设定成功和失败的处理器
  2. AuthenticationManager:认证管理,对项目中的AuthenticationProvider进行管理
  3. DaoAuthenticationProvider:自定义业务逻辑,对指定类型的token进行校验
  4. UserDetailsService:查询数据库中的用户信息,provider利用查询到的信息和token进行比对,决定是否认证成功
  5. SecurityContextHolder:通过认证的authentication会保存到安全上下文中,后续SpringSecurity需要校验权限时,会根据这个authentication来校验

三、组件

(一)token

token是进行认证所需要的凭证,不同的authenticationProvider支持的token不一样,所以不同的认证方式同样对应着不同的token;比如使用账号密码和手机验证码使用的token就不一样

SpringSecurity为我们定义好了authentication的接口
Authentication

public interface Authentication extends Principal, Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();

    Object getCredentials();

    Object getDetails();

    Object getPrincipal();

    boolean isAuthenticated();

    void setAuthenticated(boolean var1) throws IllegalArgumentException;
}

在这里插入图片描述

UsernamePasswordAuthenticationToken(框架提供的)

public class UsernamePasswordAuthenticationToken extends AbstractAuthenticationToken {
    private static final long serialVersionUID = 530L;
    private final Object principal;
    private Object credentials;

    public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
        super((Collection)null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }

    public UsernamePasswordAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true);
    }

    public Object getCredentials() {
        return this.credentials;
    }

    public Object getPrincipal() {
        return this.principal;
    }

    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        } else {
            super.setAuthenticated(false);
        }
    }

    public void eraseCredentials() {
        super.eraseCredentials();
        this.credentials = null;
    }
}

PhoneCodeAuthenticationToken(自定义token)

public class PhoneCodeAuthenticationToken extends AbstractAuthenticationToken {

    List<? extends GrantedAuthority> authorities;

    Object credentials;

    Object details;

    Object principal;

    public PhoneCodeAuthenticationToken(Object principal, Object credentials) {
        super((Collection)null);
        this.principal = principal;
        this.credentials = credentials;
        this.setAuthenticated(false);
    }

    public PhoneCodeAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.principal = principal;
        this.credentials = credentials;
        super.setAuthenticated(true);
    }

    @Override
    public Object getCredentials() {
        return credentials;
    }

    @Override
    public Object getPrincipal() {
        return principal;
    }
}

(二)UserDetailsService

它的作用是查询用户信息,封装成UserDetais的实现类返回,在authenticationProvider中被使用到

官方定义接口

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}

UserDetails(框架提供)

public interface UserDetails extends Serializable {
    Collection<? extends GrantedAuthority> getAuthorities();

    String getPassword();

    String getUsername();

    boolean isAccountNonExpired();

    boolean isAccountNonLocked();

    boolean isCredentialsNonExpired();

    boolean isEnabled();
}

主要包括username、password、authorities三部分,用来表达当前用户的信息,当然我们可以使用User(框架提供)来构建UserDetails实现类也可以自定义UserDetails的实现类来包含更多的信息

(三)authenticationProvider

该类用来写token的认证逻辑

接口定义

public interface AuthenticationProvider {
	//认证逻辑
    Authentication authenticate(Authentication var1) throws AuthenticationException;
	
	//支持token类型
    boolean supports(Class<?> var1);
}

短信登录provider

public class SMSAuthenticationProvider implements AuthenticationProvider {

    public static Map<String,String> codeMap = new HashMap<>();

    private UserDetailsService userDetailsService;


    public SMSAuthenticationProvider(UserDetailsService userDetailsService){
        this.userDetailsService = userDetailsService;
    }
    /**
     *
     * @param authentication
     * @return
     * @throws AuthenticationException
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String phone = (String) authentication.getPrincipal();
        String code = (String) authentication.getCredentials();
        String cacheCode = codeMap.get(phone);
        if(cacheCode == null || !code.equals(cacheCode)){
            throw new InternalAuthenticationServiceException(
                    "code error");
        }

        SMSUserDetais details = (SMSUserDetais) userDetailsService.loadUserByUsername(phone);
        if(details == null){
            throw new UsernameNotFoundException("not found this phone");
        }

        List<? extends GrantedAuthority> authorities = new ArrayList<>();
        return new PhoneCodeAuthenticationToken(details.getUsername(),details.getPassword(),authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PhoneCodeAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public void setUserDetailsService(UserDetailsService userDetailsService){
        this.userDetailsService = userDetailsService;
    }
}

DaoAuthenticationProvider

框架本身也提供了一个provider,针对UsernamePasswordAuthenticationToken

public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
    private PasswordEncoder passwordEncoder;
    private volatile String userNotFoundEncodedPassword;
    private UserDetailsService userDetailsService;
    private UserDetailsPasswordService userDetailsPasswordService;

    public DaoAuthenticationProvider() {
        this.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
    }

    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Authentication failed: no credentials provided");
            throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        } else {
            String presentedPassword = authentication.getCredentials().toString();
            if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
                this.logger.debug("Authentication failed: password does not match stored value");
                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
            }
        }
    }

    protected void doAfterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
    }

    protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        this.prepareTimingAttackProtection();

        try {
            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");
            } else {
                return loadedUser;
            }
        } catch (UsernameNotFoundException var4) {
            this.mitigateAgainstTimingAttack(authentication);
            throw var4;
        } catch (InternalAuthenticationServiceException var5) {
            throw var5;
        } catch (Exception var6) {
            throw new InternalAuthenticationServiceException(var6.getMessage(), var6);
        }
    }

    protected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) {
        boolean upgradeEncoding = this.userDetailsPasswordService != null && this.passwordEncoder.upgradeEncoding(user.getPassword());
        if (upgradeEncoding) {
            String presentedPassword = authentication.getCredentials().toString();
            String newPassword = this.passwordEncoder.encode(presentedPassword);
            user = this.userDetailsPasswordService.updatePassword(user, newPassword);
        }

        return super.createSuccessAuthentication(principal, authentication, user);
    }

    private void prepareTimingAttackProtection() {
        if (this.userNotFoundEncodedPassword == null) {
            this.userNotFoundEncodedPassword = this.passwordEncoder.encode("userNotFoundPassword");
        }

    }

    private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken authentication) {
        if (authentication.getCredentials() != null) {
            String presentedPassword = authentication.getCredentials().toString();
            this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
        }

    }

    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
        this.passwordEncoder = passwordEncoder;
        this.userNotFoundEncodedPassword = null;
    }

    protected PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    protected UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

    public void setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService) {
        this.userDetailsPasswordService = userDetailsPasswordService;
    }
}

(四)filter

对符合条件的url进行过滤,框架提供了一个UsernamePasswordAuthenticationFilter处理账号密码登录,下面我们自定义一个处理验证码登录的filter

短信登录Filter

/**
 * 短信登录过滤器
 * @author liqi
 */
public class SmsAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public static final String SMS_MOBILE = "phone";

    public static final String CODE = "code";



    public SmsAuthenticationFilter() {
        super(new AntPathRequestMatcher("/login/sms", "POST"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String loginName = request.getParameter(SMS_MOBILE);
        if (StringUtils.isEmpty(loginName)) {
            throw new AuthenticationServiceException("手机号不能为空");
        }
        String code = request.getParameter(CODE);
        if (StringUtils.isEmpty(code)) {
            throw new AuthenticationServiceException("手机验证码不能为空");
        }


        PhoneCodeAuthenticationToken authRequest = new PhoneCodeAuthenticationToken(loginName,code);
        authRequest.setDetails(super.authenticationDetailsSource.buildDetails(request));
        System.out.println(authRequest);
        return this.getAuthenticationManager().authenticate(authRequest);
    }
}

配置该filter

SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter = new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
			@Override
			public void configure(HttpSecurity httpSecurity) throws Exception {
				// 手机号+短信登录
				AuthenticationManager authenticationManager = httpSecurity.getSharedObject(AuthenticationManager.class);
				AbstractAuthenticationProcessingFilter smsFilter = new SmsAuthenticationFilter();
				smsFilter.setAuthenticationManager(authenticationManager);
				smsFilter.setAuthenticationSuccessHandler(successHandler);
				smsFilter.setAuthenticationFailureHandler(failureHandler);
				httpSecurity.addFilterBefore(smsFilter, UsernamePasswordAuthenticationFilter.class);
			}
		};
		http.apply(securityConfigurerAdapter);

四、整体配置

package com.codexie.security.config;

import com.codexie.security.filter.SmsAuthenticationFilter;
import com.codexie.security.provider.SMSAuthenticationProvider;
import com.codexie.security.service.impl.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {


	@Autowired
	UserDetailsServiceImpl userDetailsService;

	@Autowired
	SuccessHandler successHandler;

	@Autowired
	DeniedHandler deniedHandler;

	@Autowired
	FailureHandler failureHandler;


	public SecurityConfig() {
	}



	@Bean
	public SMSAuthenticationProvider smsAuthenticationProvider(){
		SMSAuthenticationProvider provider = new SMSAuthenticationProvider(userDetailsService);
		return provider;
	}

	/**
	 * 添加自定义认证方式
	 * @param auth
	 * @throws Exception
	 */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    	//将自定义的provider添加至list
		auth.authenticationProvider(smsAuthenticationProvider())
				//设置内置的provider的userDetailsService以及passwordEncoder
		 		.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }
    

    //不定义没有password grant_type
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
	public DaoAuthenticationProvider daoAuthenticationProvider(){
		DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
		daoAuthenticationProvider.setUserDetailsService(userDetailsService);
		daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
		return daoAuthenticationProvider;
	}
    
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/public/**", "/webjars/**", "/v2/**", "/swagger**", "/static/**", "/resources/**");
		//web.httpFirewall(new DefaultHttpFirewall());//StrictHttpFirewall 去除验url非法验证防火墙
    }

    @Bean
	public PasswordEncoder passwordEncoder(){
		return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
	}
    @Override
    protected void configure(HttpSecurity http) throws Exception {


		http.authorizeRequests()
			.antMatchers("/login*").permitAll()
			.antMatchers("/login/code").permitAll()
			.antMatchers("/logout*").permitAll()
			.antMatchers("/druid/**").permitAll()
			.anyRequest().authenticated()
			.and().formLogin()
				.loginPage("/login") // 登录页面
				.loginProcessingUrl("/login.do") // 登录处理url
				.failureUrl("/login?authentication_error=1")
				.defaultSuccessUrl("/main")
				.usernameParameter("username")
				.passwordParameter("password")
			.and().logout()
				.logoutUrl("/logout.do")
				.deleteCookies("JSESSIONID")
				.logoutSuccessUrl("/")
			.and().csrf().disable()
			.exceptionHandling()
			.accessDeniedPage("/login?authorization_error=2");


		SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter = new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
			@Override
			public void configure(HttpSecurity httpSecurity) throws Exception {
				// 手机号+短信登录
				AuthenticationManager authenticationManager = httpSecurity.getSharedObject(AuthenticationManager.class);
				AbstractAuthenticationProcessingFilter smsFilter = new SmsAuthenticationFilter();
				smsFilter.setAuthenticationManager(authenticationManager);
				smsFilter.setAuthenticationSuccessHandler(successHandler);
				smsFilter.setAuthenticationFailureHandler(failureHandler);
				httpSecurity.addFilterBefore(smsFilter, UsernamePasswordAuthenticationFilter.class);
			}
		};
		http.apply(securityConfigurerAdapter);
    }
    
    


}

五、授权

在这里插入图片描述
在实际开发中,我们往往会在controller接口上标明注解表达所需要的权限,当"经过认证"的用户访问这些受保护资源的时候,会按照图中的执行顺序执行方法
在这里插入图片描述

(一)基于注解授权

首先应当在配置类上增加@EnableGlobalMethodSecurity注解

@Secured

用于校验用户角色的注解

SpringSecurity中角色和权限放在一个容器中,角色前得加ROLE_来做区分,但若使用hasRole来判断角色则不用加该前缀

@Secured("ROLE_aaa")	// 判断请求是否有这个角色
@RequestMapping("/toMain")
public String login() {
    return "redirect:main.html";
}

@PreAuthorize

该注解即可校验权限也可校验角色,但必须开启@EnableGlobalMethodSecurity(prePostEnabled = true)


// 允许角色以 ROLE_ 开头,也可以不以 ROLE_ 开头,严格区分大小写
@PreAuthorize("hasRole('aaa')")
@RequestMapping("/toMain")
public String login() {
    return "redirect:main.html";
}

@RestController
public class OrderController {

    @GetMapping(value = "/r1")
    @PreAuthorize("hasAuthority('p1')")//拥有p1权限方可访问此url
    public String r1(){
        //获取用户身份信息
        UserDTO  userDTO = (UserDTO) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        return userDTO.getFullname()+"访问资源1";
    }

}

六、经验技巧

(一)SpringSecurity过滤器

如果我们需要扩展项目的登录方式比如手机验证码登录,我们往往需要自定义token、filter并实现新的UserDetailService

  1. SpringSecurity的过滤器都是AbstractAuthenticationProcessingFilter的子类,它们的业务逻辑大致相同。一般来说,一个filter只针对特定的路径,比如SpringSecurity封装好的UsernamePasswordAuthenticationFilter,它只针对以/login结尾的请求,/login以外的请求并不会经过该filter。
  2. SpringSecurity是通过authentication实现类来完成后续授权判断的,因此当认证成果时我们需要执行 SecurityContextHolder.getContext().setAuthentication(authentication)将authentication交由SpringSecurity框架

(二)UserDetailService

  1. UserDetail是SpringSecurity中用来描述用户信息的接口,主要包括Username、password和permissionList
  2. 而UserDetailService则是需要我们实现的接口,需要实现loadUserByUsername(String username) 返回UserDetails信息,需要注意的是UserDetails必须包含权限列表(如果项目中有授权需求的话)

上述两个接口都需要我们在项目中实现

(三)自定义认证逻辑

我们不需要像之前一样设计token、provider、filter。而是像web项目一样自己写接口实现认证逻辑,主要流程如下:

  1. 根据用户传来的认证信息(username、phone…)传入loadUserByUsername方法中得到UserDetails
  2. 判断userDetails是否为null,若不为null则判断credentials是否正确,若上述条件任意一个不满足则返回登录失败
  3. 将UserDetals传入到token中(使用默认的usernamToken就行),执行SecurityContextHolder.getContext().setAuthentication(authentication);
  4. 其余业务操作…

具体实现可以看这篇博客https://www.macrozheng.com/mall/architect/mall_arch_05.html#%E7%99%BB%E5%BD%95%E6%B3%A8%E5%86%8C%E5%8A%9F%E8%83%BD%E5%AE%9E%E7%8E%B0

想到的名字都被人用了
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Spring security认证授权
11-30
Spring security认证授权例子,自动创建数据库,在SysUser类增加字段,即可动态增加数据库对应表sys_user字段(前提是要删除原表,启动应用时才会重建表)
springcloud 集成 activiti 工作流 报错调试(三)
qq_34595792的博客
10-21 3174
报错:Parameter 0 of method managementSecurityFilterChain in org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration required a bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecur.
spingCloud gateway 启动报错: xxx.ReactiveJwtDecoder that could not be found
执笔成念的博客
02-26 4116
spingCloud gateway 启动报错: xxx.ReactiveJwtDecoder that could not be found 报错信息如下: Parameter 0 of method setSecurityWebFilterChains in org.springframework.security.config.annotation.web.reactive.WebFluxSecurityConfiguration required a bean of type 'org.spr
UsernamePasswordAuthenticationToken使用
最新发布
m0_67318913的博客
03-09 479
二、参数使用 其中,principal 是认证的主体信息,通常为用户名或者用户对象;credentials 是认证的凭证信息,通常为密码或者其他类似信息。在构造时,还可以使用其他构造方法为认证请求设置授权信息、权限列表等。 在 Spring Security 中,通过 AuthenticationManager 对象对认证请求进行认证认证成功后会生成一个 Authentication 对象,并将其存储在 SecurityContextHolder 中,用于表示当前的认证信息。在应用程序中,可以通过 Se
oauth2自定义granter与provider实现自定义身份认证
weixin_45738731的博客
05-17 815
oauth接收到了你传入的grant_type,并把你的请求转发到了你自己的Granter,但谁来进行真正的用户信息合法性校验呢?这段代码比较简单,说白了,当用户进行身份校验时,如果传入的grant_type为group_token_authentication,那么则自动进入这段逻辑创建GroupCompanyAuthenticationToken对象的实例,并将request接收到的参数传入。同时,还提供了认证模式的扩展机制,以便于我们在遇到特殊情况时根据自己的需求来完成身份验证。
SpringBootc出现Parameter 0 of method modifyRequestBodyGatewayFilterFactory in org.springframework.clo
weixin_45132209的博客
08-20 1598
去掉<dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-gateway</artifactId> </dependency> ...
springboot 使用@Bean 注入失败,Parameter 0 of method required a bean of type that could not be found.
qq_36407469的博客
09-22 8431
springboot中我们经常使用@Configuration 和 @Bean注解的方式去声明Bean, @Configuration public class SecurityAccessAutoConfiguration { @ConditionalOnMissingBean @Bean public ISecurityAccessUserProviderAdapter defaultSecurityAccessTokenResolver(SecurityAccessTok
spring security 认证授权实现
10-14
项目包含认证实现和jwt结合内容 项目使用redis cluster 和mybatis-plus 技术 项目包含建库脚本,一键使用,现成的认证授权框架 本项目不包含oauth2.0开放授权的内容
资料-Spring Security Oauth2.0认证授权专题.rar
05-03
spring security oauth2.0
Spring Security Oauth2.0认证授权专题
06-19
Spring boot+Spring Security Oauth2.0,Sprint cloud+Spring Security Oauth2集成。四种认证方式。附带有代码,和案例,案例,还有视频链接。我保证看完就回,如果视频链接失效,评论回复我,我单独再给你一份。
SpringBoot-27-springSecurity(安全:认证授权)demo的静态资源
08-23
SpringBoot专栏中SpringBoot-27-springSecurity(安全:认证授权)demo的静态资源
解决Parameter 0 of method modifyRequestBodyGatewayFilterFactory in org.springfra。。。
热门推荐
泯灭于众生,高歌于孤夜!
12-10 2万+
报错信息: *************************** APPLICATION FAILED TO START *************************** Description: Parameter 0 of method modifyRequestBodyGatewayFilterFactory in org.springframework.cloud.gat...
Spring报错解决一览
05-13 6947
Spring错误持续更新贴...... 问题一 springcloud-OAuth2.0配置的时候报错 Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfig...
SpringCloud2020.0.3 Gateway启动报错Parameter 0 of method
贾世鑫的博客
06-20 5110
SpringCloud2020.0.3Gateway启动报错Parameter 0 of method loadBalancerWebClientBuilderBeanPostProcessor in
SpringSecurity认证流程分析
sdaujsj1的博客
07-04 451
认证流程分析 AuthenticationManager AuthenticationManager是认证管理器 它定义了Spring Security过滤器要如何执行认证操作。AuthenticationManager在认证后会返回一个Authentication对象,它是一个接口,默认实现类是ProviderManager AuthenticationProvider AuthenticationProvider针对不同的身份类型执行具体的身份认证。 DaoAuthenticationProvider
SpringBoot排除自动配置
波波的博客
01-15 1万+
SpringBoot的自动配置给我们开发带来了极大的便利,但有些时候也带来了一些问题。 问题场景: 该项目是基于Springboot + dubbo的微服务架构,框架结构web + facade + service,某个模块的facade引用了Spring Security的pom文件为了继承其中的接口,导致实现该facade接口的service启动时报springsecurity中XXXCo...
自定义的方式,使用oauth2生成token+token续命
m0_56356631的博客
05-14 4513
使用oauth2生成 token 的流程+续命
SpringSecurity学习之路12-完成短信验证码的开发
kevin
06-16 523
目的:在验证码的重构完成之后,已经实现了发送验证码的功能,接下来要做的就是将短信验证码登录的逻辑添加就如程序里。使用户可以以账号、密码或手机号加验证码的方式登录。 下图是短信验证码的实现逻辑: 当用户以用户名+密码的形式登录时,经过UsernamepasswordAuthenticationFilter,将用户信息封装为一个token。然后AuthenticationManager是会根据...
SpringSecurity OAuth2 自定义授权 微信小程序登录
走在编程之路.....
06-18 7716
结合网络上的方法,主要有两种方式,一种是采用Filter,一种是采用自定义授权,目前我实现的方式是采用的是“自定义授权”的方式实现微信小程序登录验证。
springsecurity认证授权流程
06-06
Spring Security是一种基于Spring框架的安全性解决方案,它为应用程序提供了认证(Authentication)和授权(Authorization)机制。其认证授权的流程如下: 1. 用户请求访问应用程序受保护的资源。 2. Spring Security的过滤器链首先对请求进行拦截。 3. 如果用户没有认证Spring Security会将请求重定向到登录页面。 4. 用户输入用户名和密码,这些凭据提交到认证管理器(Authentication Manager)进行认证。 5. 认证管理器使用用户提供的凭据来验证用户的身份。如果身份验证成功,则Authentication Manager将返回Authentication对象。 6. Spring Security将Authentication对象存储在SecurityContextHolder中。 7. 接下来,Spring Security会检查用户是否有访问受保护资源的权限。 8. 如果用户没有权限,Spring Security将返回403 Forbidden错误。 9. 如果用户有权限访问资源,Spring Security将允许访问。 总结来说,Spring Security认证授权流程是:请求 -> 过滤器 -> 认证 -> 授权 -> 响应。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值