SpringSecurity最新版本使用总结

最新推荐文章于 2024-05-13 03:20:33 发布
最新推荐文章于 2024-05-13 03:20:33 发布
阅读量2.7k 收藏 36
点赞数 11
分类专栏: 安全框架 文章标签: spring java
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/very_Coolpad/article/details/128469656
版权

SpringSecurity使用总结:

1、Springsecurity目前问题:

网上的教程大部分都是基于之前的版本,使用的是已经抛弃的继承WebSecurityConfigurerAdapter这个类进行SpringSecurity配置,但是新版本的SpringSecurity已经弃用了WebSecurityConfigurerAdapter这个类,以前的方法依旧可以使用,但是官方并不推荐使用这种方式

这点在官网也可以看到

​ https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

官方文档说的是:

To assist with the transition to this new style of configuration, we have compiled a list of common use-cases and the suggested alternatives going forward.

In the examples below we follow best practice by using the Spring Security lambda DSL and the method HttpSecurity#authorizeHttpRequests to define our authorization rules. If you are new to the lambda DSL you can read about it in this blog post. If you would like to learn more about why we choose to use HttpSecurity#authorizeHttpRequests you can check out the reference documentation.

翻译过来就是

在 Spring Security 5.7.0-M2 中,我们弃用WebSecurityConfigurerAdapter,因为我们鼓励用户转向基于组件的安全配置为了帮助过渡到这种新的配置方式,我们编制了一份常见用例列表和建议的替代方案。

在下面的示例中,我们遵循最佳实践,使用 Spring Security lambda DSL 和方法HttpSecurity#authorizeHttpRequests来定义我们的授权规则。如果您是 lambda DSL 的新手,您可以阅读这篇博文。如果您想详细了解我们选择使用HttpSecurity#authorizeHttpRequests的原因,可以查看参考文档

1.1、什么是Spring Security lambda DSL ?

https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

我依旧推荐大家去官网查看,看不懂可以用翻译。

在之前的版本中 我们更加常用的方式是覆盖重写configure(HttpSecurity http)方法,例如:

@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
        protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index").permitAll()
                .anyRequest().authenticated()
                .and().formLogin();
    }
}

而现版本推荐声明SecurityFilterChain而不是使用authorizeRequests,例如:

@Bean
SecurityFilterChain web(HttpSecurity http) throws AuthenticationException {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().authenticated();
        )
        // ...

    return http.build();
}

这里不多赘述原理 如果大家很感兴趣的话,我可以专门出一个专栏给大家讲解原理,从基础到新版本的区别

本文章更多在于配置

2、首先登陆成功配置

package org.zhang.config;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Result;
import java.io.IOException;

public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException,  IOException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json;charset=UTF-8");
        ResultBody error = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0111);
        String s = new ObjectMapper().writeValueAsString(error);
        response.getWriter().println(s);
    }
}

3、登陆失败配置

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class FailHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        ResultBody result = null;
        if (e instanceof AccountExpiredException)
        {
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0230);
        }else if (e instanceof BadCredentialsException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0210);
        }else if (e instanceof CredentialsExpiredException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0202);
        }else if (e instanceof InternalAuthenticationServiceException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0201);
        }else{
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0220);
        }

        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    }
}

这里面的ReusltBody是我自定义的统一返回数据类型,大家可以百度,也可以使用Map简单放回

4、注销成功配置

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

//注销成功
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        Map<String, Object> result = new HashMap<String, Object>();
        result.put("msg", "注销成功");
        result.put("status", 200);
        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    }
}

5、认证入口点配置

package org.zhang.config;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Result;
import java.io.IOException;

public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException,  IOException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json;charset=UTF-8");
        ResultBody error = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0111);
        String s = new ObjectMapper().writeValueAsString(error);
        response.getWriter().println(s);
    }
}

6、JWT认证配置

package org.zhang.config;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.ObjectUtils;
import org.zhang.utils.JwtUtils;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        //获取请求的Token
        String token = request.getHeader("Authorization");
        //没有直接跳过
        if (ObjectUtils.isEmpty(token))
        {
            chain.doFilter(request,response);
            return;
        }
        //将token中的用户名和权限用户组放入Authentication对象,在之后实现鉴权
        SecurityContextHolder.getContext().setAuthentication(getAuthentication(token));
        super.doFilterInternal(request, response, chain);
    }
    //解析token获取用户信息
    private UsernamePasswordAuthenticationToken getAuthentication(String token)
    {
        HashMap<String, Object> tokenInfo = JwtUtils.decode(token);
        if(ObjectUtils.isEmpty(tokenInfo)){
            return null;
        }
        String username = (String) tokenInfo.get("username");
        String[] roles = (String[]) tokenInfo.get("roles");
        ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for(String role:roles){
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return new UsernamePasswordAuthenticationToken(username,null,authorities);
    }
}

7、重写登陆配置(为了解决前端传值为Json类型)

package org.zhang.config;

import com.fasterxml.jackson.core.exc.StreamReadException;
import com.fasterxml.jackson.databind.DatabindException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.zhang.pojo.User;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class LoginFilter extends UsernamePasswordAuthenticationFilter{
    //登陆认证接口
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        //判断是否为Post请求
        if(!request.getMethod().equals("POST"))
        {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        //判断认证数据是否为Json 如果登陆数据为JSON 进行JSON处理
        if(request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE) || request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE))
        {
            Map<String,String> loginData = new HashMap<>();
            try
            {
                //将Json数据转换为Map
                loginData = new ObjectMapper().readValue(request.getInputStream(),Map.class);
            }catch (IOException e)
            {
                throw new RuntimeException(e);
            }
            String username = loginData.get(getUsernameParameter());
            String password = loginData.get(getPasswordParameter());
            if (username == null)
            {
                throw new AuthenticationServiceException("用户名不能为空");
            }
            if (password == null)
            {
                throw new AuthenticationServiceException("密码不能为空");
            }
            UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username, password);
            setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }else
        {
            //普通表单提交数据处理
            String username = this.obtainUsername(request);
            String password = this.obtainPassword(request);
            if (username == null)
            {
                username = "";
            }
            if (password == null)
            {
                password = "";
            }
            username = username.trim();
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,password);
            this.setDetails(request,authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }


}

7、SpringSecurity核心配置:

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;
import org.zhang.service.impl.UserServiceImpl;


import java.util.Arrays;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserServiceImpl userService;


     /**
      * 获取AuthenticationManager(认证管理器),登录时认证使用
     * @param AuthenticationConfiguration
     * @return
      * @throws Exception
     */

    @Bean(name = "authenticationManager")
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }


    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz)->
                        authz
                                .antMatchers("/root/doLogin").permitAll()
                                .antMatchers("/user/userLogin").permitAll()
                                .antMatchers("/film/**").permitAll()
                                .antMatchers("/order/queryTodayMarket").permitAll()
                                .anyRequest().authenticated())
                .logout(logout->
                        logout
                                .logoutSuccessHandler(new MyLogoutSuccessHandler()))
                .cors(cors->
                        cors
                                .configurationSource(configurationSource()))
                .httpBasic(withDefaults())
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()//异常处理
                .authenticationEntryPoint((request, response, e) -> {
                    response.setContentType("application/json;charset=UTF-8");
                    response.setStatus(HttpStatus.UNAUTHORIZED.value());
                    ResultBody error = ResultBody.error("401", "尚未认证,请进行认证操作!");
                    response.getWriter().write(new ObjectMapper().writeValueAsString(error));
                })
                .accessDeniedHandler((request, response, e) -> {
                    response.setContentType("application/json;charset=UTF-8");
                    ResultBody s = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0301);
                    response.getWriter().write(new ObjectMapper().writeValueAsString(s));
                })
                .and()
                .csrf().disable(); //前后端分离没有Session 不需要开启csrf

        http.addFilterAt(loginFilter(http.getSharedObject(AuthenticationManager.class)),UsernamePasswordAuthenticationFilter.class);
        http.addFilter(jwtAuthorizationFilter(http.getSharedObject(AuthenticationManager.class)));
        return http.build();
    }

    //过滤静态资源
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer(){
        return (web)-> web.ignoring().antMatchers("/static/css");
    }


    // 注入登陆过滤器
    @Bean
    public LoginFilter loginFilter(AuthenticationManager authenticationManager) throws Exception {
        LoginFilter loginFilter = new LoginFilter();
        loginFilter.setFilterProcessesUrl("/root/doLogin");
        loginFilter.setUsernameParameter("username");
        loginFilter.setPasswordParameter("password");
        loginFilter.setAuthenticationManager(authenticationManager);
        loginFilter.setAuthenticationSuccessHandler(new SuccessHandler());
        loginFilter.setAuthenticationFailureHandler(new FailHandler());
        return loginFilter;
    }

    //加入token验证过滤器
    @Bean
    public JWTAuthorizationFilter jwtAuthorizationFilter(AuthenticationManager authenticationManager){
        JWTAuthorizationFilter filter = new JWTAuthorizationFilter(authenticationManager);
        return filter;
    }


    //springsecurity跨域
    CorsConfigurationSource configurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("*"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }
}
```# SpringSecurity使用总结:

## 1Springsecurity目前问题:

>网上的教程大部分都是基于之前的版本,使用的是已经抛弃的继承WebSecurityConfigurerAdapter这个类进行SpringSecurity配置,但是新版本的SpringSecurity已经弃用了WebSecurityConfigurerAdapter这个类,以前的方法依旧可以使用,但是官方并不推荐使用这种方式
>
>这点在官网也可以看到

​	https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

官方文档说的是:

To assist with the transition to this new style of configuration, we have compiled a list of common use-cases and the suggested alternatives going forward.

In the examples below we follow best practice by using the Spring Security lambda DSL and the method `HttpSecurity#authorizeHttpRequests` to define our authorization rules. If you are new to the lambda DSL you can read about it in [this blog post](https://spring.io/blog/2019/11/21/spring-security-lambda-dsl). If you would like to learn more about why we choose to use `HttpSecurity#authorizeHttpRequests` you can check out the [reference documentation](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html).

翻译过来就是

在 Spring Security 5.7.0-M2 中,我们[弃用](https://translate.google.com/website?sl=auto&tl=zh-CN&hl=zh-CN&client=webapp&u=https://github.com/spring-projects/spring-security/issues/10822)了`WebSecurityConfigurerAdapter`,因为我们鼓励用户转向基于组件的安全配置为了帮助过渡到这种新的配置方式,我们编制了一份常见用例列表和建议的替代方案。

在下面的示例中,我们遵循最佳实践,使用 Spring Security lambda DSL 和方法`HttpSecurity#authorizeHttpRequests`来定义我们的授权规则。如果您是 lambda DSL 的新手,您可以阅读[这篇博](https://spring-io.translate.goog/blog/2019/11/21/spring-security-lambda-dsl?_x_tr_sl=auto&_x_tr_tl=zh-CN&_x_tr_hl=zh-CN&_x_tr_pto=wapp)文。如果您想详细了解我们选择使用`HttpSecurity#authorizeHttpRequests`的原因,可以查看[参考文档](https://translate.google.com/website?sl=auto&tl=zh-CN&hl=zh-CN&client=webapp&u=https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)。

### 1.1、什么是Spring Security lambda DSL ?

https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

我依旧推荐大家去官网查看,看不懂可以用翻译。

在之前的版本中 我们更加常用的方式是覆盖重写configure(HttpSecurity http)方法,例如:

```java
@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
        protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index").permitAll()
                .anyRequest().authenticated()
                .and().formLogin();
    }
}

而现版本推荐声明SecurityFilterChain而不是使用authorizeRequests,例如:

@Bean
SecurityFilterChain web(HttpSecurity http) throws AuthenticationException {
    http
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().authenticated();
        )
        // ...

    return http.build();
}

这里不多赘述原理 如果大家很感兴趣的话,我可以专门出一个专栏给大家讲解原理,从基础到新版本的区别

本文章更多在于配置

2、首先登陆成功配置

package org.zhang.config;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Result;
import java.io.IOException;

public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException,  IOException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json;charset=UTF-8");
        ResultBody error = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0111);
        String s = new ObjectMapper().writeValueAsString(error);
        response.getWriter().println(s);
    }
}

3、登陆失败配置

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class FailHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
        ResultBody result = null;
        if (e instanceof AccountExpiredException)
        {
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0230);
        }else if (e instanceof BadCredentialsException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0210);
        }else if (e instanceof CredentialsExpiredException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0202);
        }else if (e instanceof InternalAuthenticationServiceException){
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0201);
        }else{
            result = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0220);
        }

        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    }
}

这里面的ReusltBody是我自定义的统一返回数据类型,大家可以百度,也可以使用Map简单放回

4、注销成功配置

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

//注销成功
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        Map<String, Object> result = new HashMap<String, Object>();
        result.put("msg", "注销成功");
        result.put("status", 200);
        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    }
}

5、认证入口点配置

package org.zhang.config;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Result;
import java.io.IOException;

public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException,  IOException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json;charset=UTF-8");
        ResultBody error = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0111);
        String s = new ObjectMapper().writeValueAsString(error);
        response.getWriter().println(s);
    }
}

6、JWT认证配置

package org.zhang.config;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.ObjectUtils;
import org.zhang.utils.JwtUtils;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    public JWTAuthorizationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
        //获取请求的Token
        String token = request.getHeader("Authorization");
        //没有直接跳过
        if (ObjectUtils.isEmpty(token))
        {
            chain.doFilter(request,response);
            return;
        }
        //将token中的用户名和权限用户组放入Authentication对象,在之后实现鉴权
        SecurityContextHolder.getContext().setAuthentication(getAuthentication(token));
        super.doFilterInternal(request, response, chain);
    }
    //解析token获取用户信息
    private UsernamePasswordAuthenticationToken getAuthentication(String token)
    {
        HashMap<String, Object> tokenInfo = JwtUtils.decode(token);
        if(ObjectUtils.isEmpty(tokenInfo)){
            return null;
        }
        String username = (String) tokenInfo.get("username");
        String[] roles = (String[]) tokenInfo.get("roles");
        ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for(String role:roles){
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return new UsernamePasswordAuthenticationToken(username,null,authorities);
    }
}

7、重写登陆配置(为了解决前端传值为Json类型)

package org.zhang.config;

import com.fasterxml.jackson.core.exc.StreamReadException;
import com.fasterxml.jackson.databind.DatabindException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.zhang.pojo.User;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class LoginFilter extends UsernamePasswordAuthenticationFilter{
    //登陆认证接口
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        //判断是否为Post请求
        if(!request.getMethod().equals("POST"))
        {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        //判断认证数据是否为Json 如果登陆数据为JSON 进行JSON处理
        if(request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE) || request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE))
        {
            Map<String,String> loginData = new HashMap<>();
            try
            {
                //将Json数据转换为Map
                loginData = new ObjectMapper().readValue(request.getInputStream(),Map.class);
            }catch (IOException e)
            {
                throw new RuntimeException(e);
            }
            String username = loginData.get(getUsernameParameter());
            String password = loginData.get(getPasswordParameter());
            if (username == null)
            {
                throw new AuthenticationServiceException("用户名不能为空");
            }
            if (password == null)
            {
                throw new AuthenticationServiceException("密码不能为空");
            }
            UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username, password);
            setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }else
        {
            //普通表单提交数据处理
            String username = this.obtainUsername(request);
            String password = this.obtainPassword(request);
            if (username == null)
            {
                username = "";
            }
            if (password == null)
            {
                password = "";
            }
            username = username.trim();
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,password);
            this.setDetails(request,authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }


}

7、SpringSecurity核心配置:

package org.zhang.config;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.zhang.comont.AliErrorCodeEnum;
import org.zhang.comont.ResultBody;
import org.zhang.service.impl.UserServiceImpl;


import java.util.Arrays;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Autowired
    private UserServiceImpl userService;


     /**
      * 获取AuthenticationManager(认证管理器),登录时认证使用
     * @param AuthenticationConfiguration
     * @return
      * @throws Exception
     */

    @Bean(name = "authenticationManager")
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }


    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz)->
                        authz
                                .antMatchers("/root/doLogin").permitAll()
                                .antMatchers("/user/userLogin").permitAll()
                                .antMatchers("/film/**").permitAll()
                                .antMatchers("/order/queryTodayMarket").permitAll()
                                .anyRequest().authenticated())
                .logout(logout->
                        logout
                                .logoutSuccessHandler(new MyLogoutSuccessHandler()))
                .cors(cors->
                        cors
                                .configurationSource(configurationSource()))
                .httpBasic(withDefaults())
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()//异常处理
                .authenticationEntryPoint((request, response, e) -> {
                    response.setContentType("application/json;charset=UTF-8");
                    response.setStatus(HttpStatus.UNAUTHORIZED.value());
                    ResultBody error = ResultBody.error("401", "尚未认证,请进行认证操作!");
                    response.getWriter().write(new ObjectMapper().writeValueAsString(error));
                })
                .accessDeniedHandler((request, response, e) -> {
                    response.setContentType("application/json;charset=UTF-8");
                    ResultBody s = ResultBody.error(AliErrorCodeEnum.USER_ERROR_A0301);
                    response.getWriter().write(new ObjectMapper().writeValueAsString(s));
                })
                .and()
                .csrf().disable(); //前后端分离没有Session 不需要开启csrf

        http.addFilterAt(loginFilter(http.getSharedObject(AuthenticationManager.class)),UsernamePasswordAuthenticationFilter.class);
        http.addFilter(jwtAuthorizationFilter(http.getSharedObject(AuthenticationManager.class)));
        return http.build();
    }

    //过滤静态资源
    @Bean
    public WebSecurityCustomizer webSecurityCustomizer(){
        return (web)-> web.ignoring().antMatchers("/static/css");
    }


    // 注入登陆过滤器
    @Bean
    public LoginFilter loginFilter(AuthenticationManager authenticationManager) throws Exception {
        LoginFilter loginFilter = new LoginFilter();
        loginFilter.setFilterProcessesUrl("/root/doLogin");
        loginFilter.setUsernameParameter("username");
        loginFilter.setPasswordParameter("password");
        loginFilter.setAuthenticationManager(authenticationManager);
        loginFilter.setAuthenticationSuccessHandler(new SuccessHandler());
        loginFilter.setAuthenticationFailureHandler(new FailHandler());
        return loginFilter;
    }

    //加入token验证过滤器
    @Bean
    public JWTAuthorizationFilter jwtAuthorizationFilter(AuthenticationManager authenticationManager){
        JWTAuthorizationFilter filter = new JWTAuthorizationFilter(authenticationManager);
        return filter;
    }


    //springsecurity跨域
    CorsConfigurationSource configurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.setAllowedHeaders(Arrays.asList("*"));
        corsConfiguration.setAllowedMethods(Arrays.asList("*"));
        corsConfiguration.setAllowedOrigins(Arrays.asList("*"));
        corsConfiguration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }
}
秃头路上的小强
关注
  • 11
    点赞
  • 36
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 2
    评论
专栏目录
spring-security-web-4.2.8.RELEASE-API文档-中文版.zip
04-08
赠送jar包:spring-security-web-4.2.8.RELEASE.jar; 赠送原API文档:spring-security-web-4.2.8.RELEASE-javadoc.jar; 赠送源代码:spring-security-web-4.2.8.RELEASE-sources.jar; 包含翻译后的API文档:spring-security-web-4.2.8.RELEASE-javadoc-API文档-中文(简体)版.zip 对应Maven信息:groupId:org.springframework.security,artifactId:spring-security-web,version:4.2.8.RELEASE 使用方法:解压翻译后的API文档,用浏览器打开“index.html”文件,即可纵览文档内容。 人性化翻译,文档中的代码和结构保持不变,注释和说明精准翻译,请放心使用
Spring Security(新版本)实现权限认证与授权
热门推荐
weixin_46073538的博客
02-02 3万+
Spring 是非常流行和成功的 Java 应用开发框架,Spring Security 正是 Spring 家族中的成员。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方案。正如你可能知道的关于安全方面的两个核心功能是认证和授权,一般来说,Web 应用的安全性包括**用户认证(Authentication)和用户授权(Authorization)**两个部分,这两点也是 SpringSecurity 重要核心功能。
springboot版本升级,及解决springsecurity漏洞问题
最新发布
2401_84968693的博客
05-13 989
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
SpringSecurity安全框架教程(全网最全教程)
miserable_world的博客
08-15 1050
SpringSecurity全网最全教程
SpringBoot整合Spring Security【超详细教程】
justlpf的专栏
03-27 871
这段代码中,我们先定义了一个接口UserService去继承UserDetailsService,然后用UserServiceImpl实现了UserService,就相当于UserServiceImpl实现了UserDetailsService,这样我们就可以去实现loadUserByUsername()方法,内容很简单,就是用用户名去数据库中查出对应的SysUser,然后具体的验证流程就可以交给其它的过滤器去实现了,我们就不用管了。现在再去写一个测试类,调用RsaUtils中的相应方法去生成公钥和私钥。
别再用过时的方式了!全新版本Spring Security,这样用才够优雅!
weixin_42907150的博客
01-26 1115
Spring Security的升级用法确实够优雅,够简单,而且对之前用法的兼容性也比较好!个人感觉一个成熟的框架不太会在升级过程中大改用法,即使改了也会对之前的用法做兼容,所以对于绝大多数框架来说旧版本会用,新版本照样会用!
springsecurity:Spring安全学习总结
01-29
Spring安全学习总结 ...spring security 学习总结总结是逐步进行重建的,逐步版本我都使用了git tag来管理。例如,最开始的tag是step1 ,那么可以使用 git checkout step1 来获得这一版本版本历史见 。
Spring security实现登陆和权限角色控制
09-09
首先,确保你正在使用的Spring版本为4.3.2.RELEASE,而Spring Security版本是4.1.2.RELEASE。在开始之前,你需要对Spring MVC、SPeL(Spring Expression Language)和EL(Expression Language)有一定的了解。 ### ...
SpringSecurity3.1实际摸索总结
05-08
SpringSecurity 3.1 版本在此前的基础上进行了改进和调整,本文将深入探讨其关键知识点。 首先,SpringSecurity 的核心架构基于一系列过滤器。这些过滤器协同工作以确保请求的安全性。其中,`DelegatingFilterProxy...
Spring Security 学习总结1_3
03-14
"springsecurity-namespace"可能指的是Spring Security的XML命名空间配置。在Spring Security的早期版本中,使用XML配置是最常见的实践。例如,你可能会看到以下片段: ```xml **" access="hasRole('ROLE_ADMIN')...
Spring Security示例
09-29
- 定期更新Spring Security版本以获取最新的安全修复。 - 实施强密码策略并使用加盐哈希存储用户密码。 - 对敏感数据进行加密,如存储在数据库中的用户密码。 总结来说,Spring Security是一个强大且灵活的安全框架...
SpringSecurity 新版2.7+用法
weixin_45011048的博客
10-31 2954
SpringSecurity 新版2.7+使用方式
Spring — Spring Security 5.7与6.0差异性对比
qq_38658567的博客
08-03 2672
Spring Security 默认处理登录数据的过滤器是,在这个过滤器中,系统会通过 request.getParameter(this.passwordParameter) 的方式将用户名和密码读取出来,很明显这就要求前端传递参数的形式是 key-value。首先我们获取请求头,根据请求头的类型来判断请求参数的格式。如果是 JSON 格式的参数,就在 if 中进行处理,否则说明是 key-value 形式的参数,那么我们就调用父类的方法进行处理即可。
SpringBoot最新版本Security配置(2023年),亲测成功
ns3405453840的博客
05-12 3157
application.properties SecurityConfig: 配置默认登录用户(即用数据库的用户和密码登录): 1:UserDetailsServiceImpl 2:UserDetailsImpl: 3:配置完,记得更改SecurityConfig配置,添加前端密码加密验证, 这里就可以使用security自带登录对数据库信息进行验证登录了通过该工具类根据用户id生成jwt
SpringSecurity最新版从入门到精通,WebSecurityConfigurerAdapter已经过时?最新版来了。
qq_42713539的博客
03-25 2830
spring security的超详细配置和使用攻略,包括从登录校验开始到不同页面、不同功能的权限管理,包括了整合thymeleaf框架、用户登录信息持久化处理、csrf防护等web安全。
新版Spring Security6.2 - Digest Authentication
喝醉的鱼博客
12-15 666
新版Spring Security6.2 - Digest Authentication官网文档翻译
Spring Security最简单全面教程(带Demo)
目标检测专栏持续更新中,改进YOLO系列通用,适用v5、v7、v8、所有博客均是团队原创博客,所有文章禁止转载,违者必究。
04-08 4547
一、Spring Security简介 Spring Security是为基于Spring的应用程序提供声明式安全保护的安全性框架,它提供了完整的安全性解决方案,能够在web请求级别和方法调用级别处理身份证验证和授权。因为基于Spring框架,所以Spring Security充分利用了依赖注入和面向切面的技术。 Spring Security主要是从两个方面解决安全性问题: web请求级别:使用Servlet规范中的过滤器(Filter)保护Web请求并限制URL级别的访问。 方法调用级别:使
Spring Security 6.x 系列【1】基础篇之概述及入门案例
记录知识、锤炼自我
03-23 8902
是Spring组织提供的一个开源安全框架,目前最新版本为6.0.2,基于Spring开发,所以非常适合在中使用。提供认证、授权、抵御常见攻击等功能,将认证与授权分离,并提供了扩展点。对保护命令式(Spring MVC)和响应式()应用程序有一流的支持,是保护基于Spring开发的应用程序的事实标准。认证为身份验证提供了全面的支持,身份验证是验证进行访问的主体身份。常用方法是要求用户输入用户名和密码。一旦执行身份验证,就知道身份并可以执行授权。授权授权指的是验证某个用户是否有权限执行某个操作。
Spring Security教程
qq_28248897的博客
08-31 4040
Spring Security教程 Web系统中登录认证(Authentication)的核心就是凭证机制,无论是Session还是JWT,都是在用户成功登录时返回给用户一个凭证,后续用户访问接口需携带凭证来标明自己的身份。后端会对需要进行认证的接口进行安全判断,若凭证没问题则代表已登录就放行接口,若凭证有问题则直接拒绝请求。这个安全判断都是放在过滤器里统一处理的: 登录认证是对用户的身份进行确认,权限授权(Authorization)是对用户能否访问某个资源进行确认,授权发生在认证之后。 这种通用逻辑都

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

秃头路上的小强

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值