文章目录
1 引言
Spring Security是一个功能强大且高度可定制的身份验证和访问控制框架。它是保护基于spring的应用程序的实际标准。
最近一直在学习使用Springboot整合Springsecurity框架,下面分享一下登录校验以及权限校验后,成功与失败都不走Springsecurity默认的界面,改为返回一串json,便于前后端分离项目。
2 引入依赖
<!--导入spring security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
3 WebSecurityConfig
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final MyAuthenticationSuccessHandler myAuthenticationSuccessHandler; // 自定义登录成功处理
private final MyAuthenticationFailureHandler myAuthenticationFailureHandler; // 自定义登录失败处理
@Autowired
public WebSecurityConfig(MyAuthenticationSuccessHandler myAuthenticationSuccessHandler, MyAuthenticationFailureHandler myAuthenticationFailureHandler) {
this.myAuthenticationSuccessHandler = myAuthenticationSuccessHandler;
this.myAuthenticationFailureHandler = myAuthenticationFailureHandler;
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("static/admin/**");
}
// 授权
@Override
protected void configure(HttpSecurity http) throws Exception {
// 暂时关掉csrf跨域拦截,便于开发测试
http.csrf().disable();
// login页面所有人可以访问
http.authorizeRequests()
.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/index.html").hasRole("ADMIN")
.and()
.formLogin()
.successHandler(myAuthenticationSuccessHandler)
.failureHandler(myAuthenticationFailureHandler)
.and()
.formLogin()
.loginPage("/admin/login").loginProcessingUrl("/admin/toLogin");
}
// 认证
// There is no PasswordEncoder mapped for the id "null"
// 密码没被加密会报错~
// 在 spring security 5.0+ 中新增了很多密码加密到方法~
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("admin")
.password(new BCryptPasswordEncoder().encode("123456")).roles("ADMIN")
.and()
.withUser("123")
.password(new BCryptPasswordEncoder().encode("123")).roles("ADMIN");
}
}
这是SpringSecurity的配置文件
.formLogin()
.successHandler(myAuthenticationSuccessHandler) // 登录成功后走的自定义处理
.failureHandler(myAuthenticationFailureHandler) // 登录失败后走的自定义处理
4 MyAuthenticationSuccessHandler
/**
* Spring security 登录成功后返回一串json
*/
@Component("MyAuthenticationSuccessHandler")
public class MyAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
String currentUser = authentication.getName();
logger.info("用户"+currentUser+"登录成功");
response.setStatus(200);
response.setContentType("application/json;charset=UTF-8");
response.getWriter().append("{\"code\":0,\"msg\":\"登录成功!\",\"data\":\"success\"}");
}
}
校验成功后,走自定义的这个MyAuthenticationSuccessHandler,重写onAuthenticationSuccess方法,然后通过response返回一串json,博主这里直接写了一串json。
5 MyAuthenticationFailureHandler
/**
* Spring security 登录失败后返回一串json
*/
@Component("MyAuthenticationFailureHandler")
public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
logger.info("登录失败");
response.setStatus(403); // 403 普通用户访问管理员页面
response.setContentType("application/json;charset=UTF-8");
response.getWriter().append("{\"code\":1,\"msg\":\"登录失败!\",\"data\":\"failed\"}");
}
}
校验失败,即登录失败后的处理,也是返回的json。
6 测试
// WebSecurityConfig.java的认证配置中
.withUser("admin")
.password(new BCryptPasswordEncoder().encode("123456")).roles("ADMIN")
.and()
.withUser("123")
.password(new BCryptPasswordEncoder().encode("123")).roles("ADMIN");
由于在配置中我们写了两个具有"ADMIN"权限的用户(admin-123456; 123-123),就用账户admin做测试。
用Postman
测试一下登录API。
正确的用户名、密码(admin-123456)
错误的用户名、密码(admin-654321)
7 总结
Springsecurity这个框架不仅可以自定义校验后的处理,还可以自定义登录校验等等,还有许多值得探索学习的地方~