Custom resource access rules
Spring Security 5.7.0 deprecated WebSecurityConfigurerAdapter (it was removed entirely in 6.0; the mvcMatchers calls used below were likewise deprecated in 5.8 and replaced by requestMatchers in 6.0).
Official blog post link:
Configuration before 5.7.0
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index").permitAll()
                .anyRequest().authenticated()
                .and().formLogin();
    }
}
Configuration after 5.7.0
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index")          // Note: public resources must be declared before the catch-all rule; matchers are evaluated top to bottom and the first match wins
                .permitAll()                    // allow this resource: it is public and can be accessed without authentication or authorization
                .anyRequest().authenticated()   // every other request must be authenticated before it can be accessed
                .and().formLogin();             // enable form login
        return http.build();
    }
}
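The same rules written in the lambda DSL that 5.7+ recommends, with a role-protected area added to show why ordering matters. This is an added example, not code from the original page; the class name and the /public/** and /admin/** paths are illustrative.

```java
// Added example (not from the original page). Paths and class name are illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceRulesConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Public resources first. Matchers are evaluated top to bottom and the
                // first one that matches decides, so a permitAll placed after
                // anyRequest() could never be reached (Spring Security rejects a matcher
                // added after anyRequest() with an IllegalStateException).
                .mvcMatchers("/index", "/public/**").permitAll()
                // More specific protected rules before the catch-all. hasRole("ADMIN")
                // checks for the authority "ROLE_ADMIN".
                .mvcMatchers("/admin/**").hasRole("ADMIN")
                // Everything not listed above requires an authenticated user. Without a
                // catch-all, unlisted endpoints would be reachable anonymously.
                .anyRequest().authenticated()
            )
            // Default login processing URL is POST /login with "username"/"password".
            .formLogin(form -> form.loginProcessingUrl("/login"));
        return http.build();
    }
}
```

mvcMatchers uses Spring MVC's own path matching, so "/index" also matches "/index/" (and, depending on the MVC configuration, suffixes such as "/index.html") exactly as the controller mapping would; antMatchers("/index") matches only that literal path, which is why the MVC variant is the safer choice for securing MVC endpoints.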
Custom login success / failure handling
Because projects today are mostly front-end/back-end separated, the page-redirect variants are not covered here; if you need them, search Bilibili for 编程不良人.
In front-end/back-end separated development there is no need to redirect to a page after a successful login; the back end only needs to return an apiKey (a token) to the front end.
public interface AuthenticationSuccessHandler {

    /**
     * Called when a user has been successfully authenticated.
     * @param request the request which caused the successful authentication
     * @param response the response
     * @param chain the {@link FilterChain} which can be used to proceed other filters in
     * the chain
     * @param authentication the <tt>Authentication</tt> object which was created during
     * the authentication process.
     * @since 5.2.0
     */
    default void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            Authentication authentication) throws IOException, ServletException {
        onAuthenticationSuccess(request, response, authentication);
        chain.doFilter(request, response);
    }

    /**
     * Called when a user has been successfully authenticated.
     * @param request the request which caused the successful authentication
     * @param response the response
     * @param authentication the <tt>Authentication</tt> object which was created during
     * the authentication process.
     */
    void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException;

}
The interface Javadoc tells you that this method is called back automatically once login succeeds. If you look further at its implementations you will find that successForwardUrl and defaultSuccessUrl are also realised by implementations of this interface (ForwardAuthenticationSuccessHandler and SavedRequestAwareAuthenticationSuccessHandler respectively).
import java.io.IOException;
import java.util.HashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class LoginSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        HashMap<String, Object> map = new HashMap<>();
        map.put("msg", "login successful");
        map.put("status", 200);
        // "apiKey" is a placeholder: a real handler issues a freshly generated token bound
        // to authentication.getName() here, never a fixed string.
        map.put("code", "apiKey");
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(new ObjectMapper().writeValueAsString(map));
    }
}
Custom login failure handler class
The handler receives the AuthenticationException. By default DaoAuthenticationProvider reports an unknown username as the same BadCredentialsException ("Bad credentials") as a wrong password, so echoing exception.getMessage() does not reveal whether an account exists, provided hideUserNotFoundExceptions is left at its default.
public interface AuthenticationFailureHandler {

    /**
     * Called when an authentication attempt fails.
     * @param request the request during which the authentication attempt occurred.
     * @param response the response.
     * @param exception the exception which was thrown to reject the authentication
     * request.
     */
    void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException;

}
import java.io.IOException;
import java.util.HashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

public class LoginFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        HashMap<String, Object> map = new HashMap<>();
        // A rejected login is a client error (401), not a server error (500). Set it on the
        // real HTTP response as well, not only inside the JSON body, or clients will see 200.
        map.put("msg", "login failed: " + exception.getMessage());
        map.put("status", HttpServletResponse.SC_UNAUTHORIZED);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(new ObjectMapper().writeValueAsString(map));
    }
}
Full configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index")
                .permitAll()
                .anyRequest().authenticated()
                .and().formLogin()
                .successHandler(new LoginSuccessHandler())
                .failureHandler(new LoginFailureHandler())
                // Disabling CSRF is only acceptable when the browser does not attach
                // credentials automatically (e.g. a token sent in an Authorization header).
                // After form login this setup still relies on the session cookie, so a
                // cross-site POST to /login or to any protected endpoint is not blocked.
                .and().csrf().disable();
        return http.build();
    }
}
Start the project and log in
Logout
Spring Security also ships a default logout configuration, and during development it can be customised to your own needs.
In front-end/back-end separated development no page redirect is needed after logout either; only the logout result has to be returned to the front end, which we can do with a custom LogoutSuccessHandler implementation:
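Instead of clicking through the login form, the behaviour the full configuration is meant to give can be checked with MockMvc. This is an added example, not part of the original page; it assumes a Spring Boot application containing the WebSecurityConfig, LoginSuccessHandler and LoginFailureHandler above, a controller that serves GET /index, and a UserDetailsService bean defining a user "user" with password "password" (test-only assumptions). The path /api/secret is arbitrary: it does not need to exist, because the security filter chain runs before dispatch.

```java
// Added example (not from the original page). Assumes a Spring Boot app with the
// configuration and handlers above, a controller for GET /index, and a test user
// "user"/"password" provided by a UserDetailsService bean.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class WebSecurityConfigTest {

    @Autowired
    MockMvc mvc;

    @Test
    void publicResourceNeedsNoLogin() throws Exception {
        // /index is permitAll, so an anonymous request reaches the controller.
        mvc.perform(get("/index")).andExpect(status().isOk());
    }

    @Test
    void protectedResourceIsNotServedToAnonymous() throws Exception {
        // With formLogin() the default entry point redirects unauthenticated
        // requests to the login page (302), whatever the target path is.
        mvc.perform(get("/api/secret")).andExpect(status().is3xxRedirection());
    }

    @Test
    void loginSuccessReturnsJsonBody() throws Exception {
        // formLogin() processes POST /login with username/password parameters;
        // no CSRF token is needed because the configuration disables CSRF.
        mvc.perform(post("/login").param("username", "user").param("password", "password"))
           .andExpect(status().isOk())
           .andExpect(jsonPath("$.status").value(200))
           .andExpect(jsonPath("$.code").exists());
    }

    @Test
    void loginFailureReturns401Json() throws Exception {
        // Holds only if the failure handler calls response.setStatus(401); a handler
        // that merely writes a status field into the JSON body still answers HTTP 200.
        mvc.perform(post("/login").param("username", "user").param("password", "wrong"))
           .andExpect(status().isUnauthorized())
           .andExpect(jsonPath("$.msg").exists());
    }
}
```

For a pure JSON API the redirect in the second test is usually unwanted; configuring exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) makes anonymous requests to protected endpoints answer 401 instead, and the assertion would then change to status().isUnauthorized().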
import java.io.IOException;
import java.util.HashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Note: this name clashes with Spring's own LogoutHandler interface (same package as
// LogoutSuccessHandler); it is kept because the configuration below refers to it.
public class LogoutHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        HashMap<String, Object> map = new HashMap<>();
        map.put("msg", "logout successful");
        map.put("status", 200);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().println(new ObjectMapper().writeValueAsString(map));
    }
}
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;

@Configuration
public class WebSecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .mvcMatchers("/index")
                .permitAll()
                .anyRequest().authenticated()
                .and().formLogin()
                .successHandler(new LoginSuccessHandler())
                .failureHandler(new LoginFailureHandler())
                .and()
                .logout()
                // Either URL triggers logout. With CSRF disabled, a GET logout URL can be
                // fired from any other site (e.g. an <img src>), forcibly logging the user
                // out; Spring's default of POST /logout exists for that reason.
                .logoutRequestMatcher(
                        new OrRequestMatcher(
                                new AntPathRequestMatcher("/logout1", "GET"),
                                new AntPathRequestMatcher("/logout2", "GET")))
                .logoutSuccessHandler(new LogoutHandler());
        return http.csrf().disable().build();
    }
}
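The logout configuration above, rewritten in the lambda DSL and hardened for a session-based back end: logout is accepted only on POST, the server-side session and SecurityContext are discarded, the session cookie is deleted, and CSRF protection stays on. This is an added example, not code from the original page; it reuses the page's LoginSuccessHandler, LoginFailureHandler and LogoutHandler classes, and the class name and cookie-based CSRF token repository are choices made here, not something the page prescribes.

```java
// Added example (not from the original page). Reuses the page's handler classes;
// the class name and the cookie CSRF repository are illustrative choices.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .mvcMatchers("/index").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .successHandler(new LoginSuccessHandler())
                .failureHandler(new LoginFailureHandler()))
            .logout(logout -> logout
                // POST only: a GET logout URL can be triggered by a cross-site <img src>
                // or link, which logs the victim out without their consent.
                .logoutRequestMatcher(
                    new AntPathRequestMatcher("/logout", HttpMethod.POST.name()))
                // Drop the HttpSession and the SecurityContext so the old session id
                // cannot be replayed, and tell the browser to discard the cookie.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                // The page's JSON LogoutSuccessHandler, not Spring's LogoutHandler interface.
                .logoutSuccessHandler(new LogoutHandler()))
            // Keep CSRF enabled: the session cookie is sent automatically by the browser,
            // so POST /login and POST /logout need a token the attacker cannot read.
            // A readable cookie lets a separate front end copy it into the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

With this in place the front end must read the XSRF-TOKEN cookie and send its value in the X-XSRF-TOKEN header on every state-changing request; requests without it are rejected with 403 before they reach the login or logout filters.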