代码下载地址
git@github.com:only-care/springboot-security.git
一、权限验证拦截器:重写 attemptAuthentication 实现自定义拦截,将请求中的用户名和密码封装为 UsernamePasswordAuthenticationToken,再交由 AuthenticationManager 完成校验并返回认证结果。注意:过滤器不应在未校验凭据的情况下直接返回已认证的 token,否则任何用户名/密码都会被视为登录成功。
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
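/**
 * Login filter that extracts the {@code username} and {@code password} request
 * parameters, wraps them in an unauthenticated
 * {@link UsernamePasswordAuthenticationToken} and hands that token to the
 * configured AuthenticationManager for verification.
 *
 * <p>The filter never marks a request as authenticated by itself: building the
 * three-argument (authenticated) token here without checking the credentials
 * would let any username/password pair log in with {@code ROLE_USER}.
 */
public class OpenIdAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    // Only POST requests are accepted as login attempts.
    // NOTE(review): this field shadows the parent's private flag of the same name,
    // so the inherited setPostOnly(...) does not change it.
    private boolean postOnly = true;

    /**
     * Builds an authentication request from the login form parameters and
     * delegates the actual credential check to the AuthenticationManager set on
     * this filter.
     *
     * @param request  the login request; must be a POST while {@code postOnly} is true
     * @param response the response (unused here)
     * @return the authenticated token returned by the AuthenticationManager
     * @throws AuthenticationException if the HTTP method is not supported, if no
     *         AuthenticationManager has been set, or if the manager rejects the
     *         credentials
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        if (postOnly && !"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        username = (username == null) ? "" : username.trim();
        password = (password == null) ? "" : password;

        // Two-argument constructor: the token is NOT authenticated yet.
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);

        // Use the parent's helper so the token carries the details object built by
        // the authentication details source instead of a reference to the raw
        // HttpServletRequest, which must not outlive the request.
        setDetails(request, authRequest);

        // Fail closed: without a manager there is nothing that can verify the
        // credentials, so the attempt must be rejected rather than accepted.
        if (getAuthenticationManager() == null) {
            throw new AuthenticationServiceException("No AuthenticationManager configured");
        }
        return getAuthenticationManager().authenticate(authRequest);
    }
}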
二、将自定义的 filter 添加到 HttpSecurity 的配置中,完整配置如下(注意:必须为该 filter 设置非空的 AuthenticationManager,凭据校验由它完成):
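/**
 * Application entry point and web security configuration: every request
 * requires authentication, and the custom {@link OpenIdAuthenticationFilter}
 * handles {@code POST /login}.
 */
@RestController
@EnableWebSecurity
@SpringBootApplication
public class StartApp extends WebSecurityConfigurerAdapter {

    /** Sample endpoint; reachable only after authentication (see {@link #configure}). */
    @RequestMapping("/")
    String index() {
        return "Hello World!";
    }

    public static void main(String[] args) {
        SpringApplication.run(StartApp.class, args);
    }

    /**
     * Requires authentication for all requests, enables form login and HTTP
     * Basic, and registers the custom login filter.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration or the AuthenticationManager lookup fails
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();

        // Add the custom filter to HttpSecurity.
        OpenIdAuthenticationFilter openIdAuthenticationFilter = new OpenIdAuthenticationFilter();

        // The filter needs a real AuthenticationManager to verify credentials;
        // passing null leaves nothing in place to check the submitted password.
        // NOTE(review): which users this manager accepts depends on the
        // UserDetailsService / AuthenticationProvider configured elsewhere — confirm.
        openIdAuthenticationFilter.setAuthenticationManager(authenticationManager());
        openIdAuthenticationFilter.setRequiresAuthenticationRequestMatcher(
                new AntPathRequestMatcher("/login", "POST"));
        http.addFilter(openIdAuthenticationFilter);
    }
}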