导入包:spring-boot-starter-security(注意导入spring统一的版本)
导入这个包之后,就会启动认证功能,凡是未认证的访问都会转到login页面去,并且这个页面不是我们自己写的,是security它内置的
配置开始
1、配置基本配置类SecurityConfig【放入ioc容器中,自定义类】 继承WebSecurityConfigurerAdapter
重写其中的configure方法
package com.neuedu.security;
import com.neuedu.security.RestNoToken;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.annotation.Resource;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Resource
RestNoToken restNoToken;
@Resource
JWTAuthentication jwtAuthentication;
@Override
protected void configure(HttpSecurity http) throws Exception {
//注册器 registry
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
//.antMatchers(METHOD.post,"/user/login")
//.permitAll() //指定什么方法下的什么请求
registry.antMatchers("/index") //不用验证
.permitAll() //获取所有
.anyRequest() //任何请求
.authenticated(); //开启验证
//前后分离特殊设置
registry.and() //返回一个httpSecurity
.csrf()
.disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS); //让csrf和httpSession都不可用
// 自定义没有认证返回的内容 配置完自定义类之后,在这里启动下
registry.and()
.exceptionHandling()
.authenticationEntryPoint(restNoToken);
// 自定义验证
registry.and()
.addFilterBefore(jwtAuthentication, UsernamePasswordAuthenticationFilter.class);
}
}
2、自定义当没有权限时候返回的内容【自定义、放入ioc】
写完这个类RestNoToken之后,要在基本配置类【1】中的方法设置启用这个类
package com.neuedu.security;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class RestNoToken implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
response.setHeader("Access-Control-Allow-Origin","*");
response.setCharacterEncoding("UTF-8");
response.setContentType("text/html;charset=utf-8");
response.getWriter().write("notoken");
}
}
3、自定义实现认证的方式(怎样才算认证通过?)
自定义类JWTAuthentication【自定义、放入ioc】,实际是过滤器,继承父类重写方法
之后同样需要在基本配置类中启用这个类
package com.neuedu.security;
import com.neuedu.pojo.UmsUser;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
//这里强行通过验证了
@Component
public class JWTAuthentication extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
System.out.println("进入过滤器");
UmsUser user = new UmsUser(); //pojo中的bean
user.setUsername("admin");
user.setPassword("123456");
UserDetails details = new UmsUserDetails(user); //需要新建类实现这个UserDetails接口 这个里面有用户详细信息(包括配置)
//用户名密码权限认证
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(details,null,details.getAuthorities()); //参数1:用户信息 参数3:权限列表
SecurityContextHolder.getContext().setAuthentication(token);//有这句就表示有身份认证了
filterChain.doFilter(httpServletRequest,httpServletResponse);//传出去给下面servlet/controller
}
}
4、 上面需要自定义类实现UserDetails接口,同时要重写其中的所有方法(一键生成);这个是用户的详细信息以及一些配置,需要传pojo中user对象。
package com.neuedu.security;
import com.neuedu.pojo.UmsUser;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
@Data
@NoArgsConstructor
@AllArgsConstructor
public class UmsUserDetails implements UserDetails {
private static final long serialVersionUID = 1643942226986503464L;
private UmsUser umsUser;
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
@Override
public String getPassword() {
return umsUser.getPassword();
}
@Override
public String getUsername() {
return umsUser.getUsername();
}
@Override
public boolean isAccountNonExpired() {
return false;
}
@Override
public boolean isAccountNonLocked() {
return false;
}
@Override
public boolean isCredentialsNonExpired() {
return false;
}
@Override
public boolean isEnabled() {
return false;
}
}
最后建成了这四个类,注意他们要放到跟Controller同级或者子包下