目录
依赖:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
自定义过滤:
package com.example.security02.config;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.SneakyThrows;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
/**
* 自定义前后端分离认证 Filter
*/
public class LoginFilter extends UsernamePasswordAuthenticationFilter {
@SneakyThrows
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
// 1.判断是否是 post 方式请求
if (!request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
// 2.判断是否是 json 格式请求
if (request.getContentType().equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE)) {
// 3.从 json 数据中获取用户输入用户名和密码进行认证
try {
Map userInfo = new ObjectMapper().readValue(request.getInputStream(), Map.class);
String username = (String) userInfo.get(getUsernameParameter());
String password = (String) userInfo.get(getPasswordParameter());
System.out.println("用户名:"+username+"密码:"+password);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
this.setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
} catch (Exception e) {
e.printStackTrace();
}
}
return super.attemptAuthentication(request, response);
}
}
配置:
package com.example.security02.config;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager userDetailsManager = new InMemoryUserDetailsManager();
userDetailsManager.createUser(User.withUsername("aaa").password("{noop}123").roles("admin").build()); // {noop} 明文意思
return userDetailsManager;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService());
}
// 自定义 filter 交给工厂管理
@Bean
public LoginFilter loginFilter() throws Exception {
LoginFilter loginFilter = new LoginFilter();
loginFilter.setFilterProcessesUrl("/doLogin"); // 指定认证 URL
loginFilter.setUsernameParameter("uname"); // 指定接受 json 用户名 key
loginFilter.setPasswordParameter("passwd");// 指定接受 json 密码 key
loginFilter.setAuthenticationManager(authenticationManager());
// 认证成功处理
loginFilter.setAuthenticationSuccessHandler((req, resp, authentication) -> {
Map<String, Object> result = new HashMap<>();
result.put("msg", "登录成功");
result.put("用户信息", (User) authentication.getPrincipal());
// 状态码
resp.setStatus(HttpStatus.OK.value());
// JSON格式响应
resp.setContentType("application/json;charset=UTF-8");
String s = new ObjectMapper().writeValueAsString(result);
resp.getWriter().println(s);
});
// 认证失败处理
loginFilter.setAuthenticationFailureHandler((req, resp, ex) -> {
Map<String, Object> result = new HashMap<>();
result.put("msg", "登录失败" + ex.getMessage());
result.put("status", 500);
// 状态码
resp.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
// JSON格式响应
resp.setContentType("application/json;charset=UTF-8");
// 状态码
resp.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
// 打印到页面
String s = new ObjectMapper().writeValueAsString(result);
resp.getWriter().println(s);
});
return loginFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.exceptionHandling()
.authenticationEntryPoint((request, response, authExc) -> {
response.setContentType("application/json;charset=UTF-8");
// response.setContentType(MediaType.APPLICATION_JSON_VALUE);
// 状态码
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.getWriter().println("请认证之后进行处理!" + response);
})
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler((req, resp, auth) -> {
Map<String, Object> result = new HashMap<>();
result.put("msg", "注销成功");
result.put("用户信息", auth.getPrincipal());
// 状态码
resp.setStatus(HttpStatus.OK.value());
// JSON格式响应
resp.setContentType("application/json;charset=UTF-8");
String s = new ObjectMapper().writeValueAsString(result);
resp.getWriter().println(s);
})
.and().csrf().disable()
;
// At 用来某个 filter 替换过滤器中哪个 filter
// before 放在过滤器中哪个 filter 之前
// after 放在过滤器中哪个 filter 之后
http.addFilterAt(loginFilter(), UsernamePasswordAuthenticationFilter.class);
}
// 作用: 用来将自定义(本地) AuthenticationManager 在工厂中暴漏,可以在任何位置注入
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
}