SpringBoot整合安全管理

  • 安全管理
  • Spring Security
  • 手工配置用户名和密码
  • HTTPSecurity配置
  • 登录表单详细配置
  • 注销登录配置
  • 多个HTTPSecurity
  • 密码加密
  • 方法安全
  • 基于数据库的认证
  • 角色继承
  • 动态配置权限
  • OAuth2简介
  • SpringSecurity结合OAuth2
  • 整合Shiro方式一
  • 整合Shiro方式二
  • Spring Security使用JSON登录


  • Spring Security(重量级的权限管理框架)shiro(轻量级权限管理框架)

创建SpringBoot项目,勾选Security下的Spring Security依赖。引入该依赖后,项目中的所有接口默认都会被保护起来(未登录的请求会被重定向到登录页)。先创建一个controller验证:

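@RestController
public class HelloController {
    /**
     * Minimal endpoint used to observe the default behaviour of the Spring
     * Security starter: with no configuration at all, even this request
     * requires authentication and is redirected to the generated login page.
     */
    @GetMapping("/hello")
    public String hello() {
        return "hello"; // the original was missing the semicolon
    }
}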

 启动项目,访问http://localhost:8080/hello,页面自动跳转到http://localhost:8080/login。默认用户名是user,密码是启动时打印在控制台上的随机值("Using generated security password: ..."),每次启动都会变化,只适合本地开发,不能依赖它做生产环境的访问控制。

  • 手工配置用户名和密码
    有三种方式:配置文件(application.properties)、代码中硬编码、数据库。建议使用数据库(便于管理,并且可以只保存加密后的密码);前两种方式会把明文口令写进源码或配置文件,仅适合演示。
    //application.properties配置
    # Demo credentials only: a plaintext (and trivially guessable) password in a
    # properties file must never ship to a shared or production environment.
    # Externalise the secret (environment variable / vault) and use a strong value.
    spring.security.user.password=123
    spring.security.user.name=zenghao
    # Role names are stored with the ROLE_ prefix, so hasRole("admin") matches this user.
    spring.security.user.roles=admin
    下次启动项目的时候,就用配置好的zenghao  123登录
    
    //代码配置
    创建一个config目录和一个controller目录
    config中创建一个SecurityConfig类继承WebSecurityConfigurerAdapter(注意:该类从Spring Security 5.7起已标记为过期,6.x中被移除,新版本应改为声明SecurityFilterChain Bean;下面的写法适用于5.x)
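    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Password encoder for the in-memory users below.
         *
         * NoOpPasswordEncoder stores and compares passwords in plaintext. It is
         * deprecated and exists only to keep legacy/demo code running; any real
         * deployment must use an adaptive hash such as BCryptPasswordEncoder
         * (see the "密码加密" section of this page).
         */
        @Bean
        PasswordEncoder passwordEncoder() {
            return NoOpPasswordEncoder.getInstance();
        }

        /**
         * Registers two demo users in memory. Because the encoder above is NoOp,
         * the values passed to password() are the literal passwords; with a real
         * encoder they must be the encoded hashes instead.
         *
         * roles("admin") is stored as the authority "ROLE_admin", which is what
         * hasRole("admin") checks for later.
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("zenghao").password("123").roles("admin")
                    .and()
                    .withUser("zhangsan").password("789").roles("user");
        }
    }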
    

     

  • HttpSecurity配置
  • 登录表单详细配置
  • 注销登录配置
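    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Demo users kept in memory.
         *
         * This class declares no PasswordEncoder bean, so Spring Security 5 falls
         * back to its DelegatingPasswordEncoder and requires every stored password
         * to carry an encoder-id prefix; without it login fails at runtime with
         * "There is no PasswordEncoder mapped for the id null". "{noop}" marks the
         * value as plaintext - acceptable for a local demo only. Real users belong
         * in a database with bcrypt hashes (see "基于数据库的认证" below).
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("zenghao").password("{noop}123").roles("admin")
                    .and()
                    .withUser("zhangsan").password("{noop}789").roles("user");
        }

        /**
         * URL authorisation, JSON login/logout handlers and CSRF settings.
         *
         * Rules are evaluated top-down: /admin/** needs ROLE_admin, /user/** accepts
         * admin or user, anything else only needs an authenticated session. Login and
         * logout answer with JSON instead of redirects so the API can be driven from a
         * front-end or Postman.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/admin/**").hasRole("admin")
                    .antMatchers("/user/**").hasAnyRole("admin", "user")
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    // Credentials are POSTed here; permitAll() below opens this URL.
                    .loginProcessingUrl("/doLogin")
                    // Optional login-form customisation:
                    // .loginPage("/hello")          // custom login page
                    // .usernameParameter("uname")   // default parameter name is "username"
                    // .passwordParameter("passwd")  // default parameter name is "password"
                    .successHandler(new AuthenticationSuccessHandler() {
                        @Override
                        public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse resp,
                                                            Authentication authentication)
                                throws IOException, ServletException {
                            // ';' not ':' - the original value was not a valid media type.
                            resp.setContentType("application/json;charset=utf-8");
                            Map<String, Object> map = new HashMap<>();
                            map.put("status", 200);
                            // Return only the user name. Serialising the whole principal (a
                            // UserDetails) exposes account flags and authorities and, if
                            // credential erasure were ever disabled, the stored password.
                            map.put("msg", authentication.getName());
                            writeJson(resp, map);
                        }
                    })
                    .failureHandler(new AuthenticationFailureHandler() {
                        @Override
                        public void onAuthenticationFailure(HttpServletRequest req, HttpServletResponse resp,
                                                            AuthenticationException e)
                                throws IOException, ServletException {
                            resp.setContentType("application/json;charset=utf-8");
                            // Mirror the body status in the HTTP status so clients can rely on either.
                            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                            Map<String, Object> map = new HashMap<>();
                            map.put("status", 401);
                            // Note: distinguishing locked/disabled/expired already tells the
                            // caller that the account exists. Collapse these to the generic
                            // message if user enumeration is a concern for your application.
                            if (e instanceof LockedException) {
                                map.put("msg", "账户被锁定,登录失败");
                            } else if (e instanceof BadCredentialsException) {
                                map.put("msg", "用户名或密码输入错误,登录失败");
                            } else if (e instanceof DisabledException) {
                                map.put("msg", "账户被禁用,登录失败");
                            } else if (e instanceof AccountExpiredException) {
                                map.put("msg", "账户过期,登录失败");
                            } else if (e instanceof CredentialsExpiredException) {
                                map.put("msg", "密码过期,登录失败");
                            } else {
                                map.put("msg", "登录失败");
                            }
                            writeJson(resp, map);
                        }
                    })
                    // The login endpoint itself must be reachable without a session.
                    .permitAll()
                    .and()
                    .logout()
                    // Logout is triggered by a request to http://localhost:8080/logout.
                    // With CSRF protection enabled this must be a POST; the GET shortcut
                    // only works because CSRF is disabled below.
                    .logoutUrl("/logout")
                    .logoutSuccessHandler(new LogoutSuccessHandler() {
                        @Override
                        public void onLogoutSuccess(HttpServletRequest req, HttpServletResponse resp,
                                                    Authentication authentication)
                                throws IOException, ServletException {
                            resp.setContentType("application/json;charset=utf-8");
                            Map<String, Object> map = new HashMap<>();
                            map.put("status", 200);
                            map.put("msg", "注销登录成功");
                            writeJson(resp, map);
                        }
                    })
                    .and()
                    // Disabled only so the demo can be exercised from Postman. This
                    // configuration still relies on a session cookie, so a deployed
                    // application must keep CSRF protection on (e.g. CookieCsrfTokenRepository
                    // for JavaScript clients).
                    .csrf().disable();
        }

        /** Serialises {@code body} as JSON into the response and finishes it. */
        private static void writeJson(HttpServletResponse resp, Map<String, Object> body) throws IOException {
            PrintWriter out = resp.getWriter();
            out.write(new ObjectMapper().writeValueAsString(body));
            out.flush();
            out.close();
        }
    }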

     在controller目录创建一个helloController

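    @RestController
    public class HelloController {
        /** Reachable only with ROLE_admin (see the /admin/** rule in SecurityConfig). */
        @GetMapping("/admin/hello")
        public String admin() {
            return "hello admin";
        }

        /** Reachable with ROLE_admin or ROLE_user (see the /user/** rule). */
        @GetMapping("/user/hello")
        public String user() {
            return "hello user";
        }
    }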

     postman中可以向 http://localhost:8080/doLogin 发送POST请求,username=zenghao、password=123 放在表单体(x-www-form-urlencoded)中。不要把口令放在URL查询参数里,否则它会进入访问日志、代理日志和浏览器历史。这里不需要带CSRF token是因为上面的配置关闭了CSRF保护。


  • 多个HTTPSecurity

创建一个MultiHTTPSecurityConfig

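@Configuration
public class MultiHTTPSecurityConfig {

    /** Plaintext password encoder - demo only; see the warning in SecurityConfig. */
    @Bean
    PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }

    /**
     * Shared user store for both filter chains below.
     *
     * The original declared an {@code @Override configure(AuthenticationManagerBuilder)}
     * on this class, but the class does not extend WebSecurityConfigurerAdapter, so
     * that method was never invoked. Exposing the users as a UserDetailsService bean
     * makes them available to every chain.
     */
    @Bean
    UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        // With NoOpPasswordEncoder these are literal passwords; use hashes with a real encoder.
        manager.createUser(User.withUsername("zenghao").password("123").roles("admin").build());
        manager.createUser(User.withUsername("zhangsan").password("789").roles("user").build());
        return manager;
    }

    /**
     * First chain (lower @Order value wins): everything under /admin/** needs ROLE_admin.
     *
     * No login mechanism (formLogin/httpBasic) is configured on this chain, so an
     * unauthenticated request to /admin/** is rejected (403) rather than redirected
     * to a login page; authenticate through the second chain first.
     */
    @Configuration
    @Order(1)
    public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/admin/**")
                    .authorizeRequests()
                    .anyRequest().hasRole("admin");
        }
    }

    /** Fallback chain for every other URL: any authenticated user; form login at /doLogin. */
    @Configuration
    @Order(2)
    public static class OtherSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    // Needs the leading slash: "doLogin" would never match a request URI.
                    .loginProcessingUrl("/doLogin")
                    .permitAll()
                    .and()
                    // Demo only - see the CSRF note in SecurityConfig.
                    .csrf().disable();
        }
    }
}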

  • 密码加密

 

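@Test
public void test() {
    // Generate a bcrypt hash for the demo password. Every run prints a different
    // string because bcrypt embeds a random salt; all of them verify against "123".
    // A real hash looks like "$2a$10$..." and is 60 characters long - the stand-in
    // "hihadgooi&&^khdgaoi@" used further down this page is NOT a valid bcrypt value
    // and BCryptPasswordEncoder.matches() would reject every login against it.
    BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    System.out.println(encoder.encode("123"));
}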
上面就可改成
@Bean
PasswordEncoder passwordEncoder() {
    // bcrypt: salted, adaptive hash (default strength 10). Stored passwords must be
    // bcrypt hashes, never plaintext.
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
  /**
   * In-memory users whose password() values must be the bcrypt hashes produced by
   * the encoder above. The stand-in string is NOT a valid bcrypt hash (real ones
   * look like "$2a$10$..." and are 60 characters long): paste the output of the
   * test method, otherwise BCryptPasswordEncoder.matches() rejects every login.
   * Both users share one hash here, i.e. they have the same password.
   */
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      String adminHash = "hihadgooi&&^khdgaoi@";
      String userHash = "hihadgooi&&^khdgaoi@";
      auth.inMemoryAuthentication()
              .withUser("zenghao").password(adminHash).roles("admin")
              .and()
              .withUser("zhangsan").password(userHash).roles("user");
  }

 

  • 方法安全
  • 直接在方法上加注解,保护方法调用。前置条件:在Security配置类上加一个注解(注意:注解只在通过Spring代理调用Bean方法时生效,同一个类内部的自调用不会被拦截)
    @EnableGlobalMethodSecurity(prePostEnabled=true,securedEnabled=true)

     创建一个service

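    @Service
    public class MethodService {

        /** Only callers holding ROLE_admin may invoke this; hasRole() adds the ROLE_ prefix itself. */
        @PreAuthorize("hasRole('admin')")
        public String admin() {
            return "hello admin";
        }

        /**
         * Only ROLE_user may invoke this. Unlike hasRole(), @Secured compares the raw
         * authority string, so the ROLE_ prefix must be written out. The original
         * "ROLB_user" was a typo that matched no authority and would have denied everyone.
         */
        @Secured("ROLE_user")
        public String user() {
            return "hello user";
        }

        /** Either role may invoke this. */
        @PreAuthorize("hasAnyRole('admin','user')")
        public String hello() {
            return "hello ";
        }
    }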

    创建一个Controller测试

    @Autowired
    MethodService methodService;
    
    /** Delegates to the @PreAuthorize-protected service method; only admin gets through. */
    @GetMapping("/hello1")
    public String hello1() {
        String greeting = methodService.admin();
        return greeting;
    }
    
    /** Delegates to the @Secured("ROLE_user") service method; only user gets through. */
    @GetMapping("/hello2")
    public String hello2() {
        String greeting = methodService.user();
        return greeting;
    }
    
    /** Delegates to the hasAnyRole('admin','user') service method; both roles get through. */
    @GetMapping("/hello3")
    public String hello3() {
        String greeting = methodService.hello();
        return greeting;
    }

     

  • 基于数据库的认证,加载数据库的用户实现鉴权的操作
  • 创建springboot项目,勾选 web依赖、spring Security依赖,mysql 依赖,mybatis依赖 pom文件中引入druid和确定数据库版本
    <!-- Connection pool. 1.1.10 is a 2018 release; check for the current patched
         druid-spring-boot-starter before copying this into a real project. -->
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid-spring-boot-starter</artifactId>
        <version>1.1.10</version>
    </dependency>
    <!-- JDBC driver. 5.1.27 is a 2013 release of the discontinued 5.1 line; use the
         current driver for your server version (8.x, artifact com.mysql:mysql-connector-j). -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>runtime</scope>
        <version>5.1.27</version>
    </dependency>
    //由于mapper.xml放在mapper目录下,所以还需配
    <!-- Mapper XML files live next to the Java sources, so they must be declared as
         resources or they are not copied into the jar. Note that **/*.xml picks up
         EVERY xml file under src/main/java, not just mappers. -->
    <resources>
        <resource>
            <directory>src/main/java</directory>
            <includes>
                <include>**/*.xml</include>
            </includes>
         </resource>
         <resource>
             <directory>src/main/resources</directory>
          </resource>          
    </resources>
    

     配置application.properties

    # Demo values. Do not connect the application as root with a default password:
    # create a dedicated database user with only the privileges the app needs, and
    # inject the password from the environment / a secret store instead of committing it.
    spring.datasource.url=jdbc:mysql://localhost:3306/zenghao
    spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
    spring.datasource.username=root
    spring.datasource.password=root

     创建Bean(User、Role)并为字段生成get/set方法;User需要实现Spring Security的UserDetails接口(包括getUsername/getPassword/isEnabled/isAccountNonLocked等方法,只实现getAuthorities无法编译)

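    public class User implements UserDetails {  // UserDetails is Spring Security's user contract
        private Integer id;
        private String username;
        private String password;   // must hold the bcrypt hash, never the plaintext
        private Boolean enabled;   // account is active
        private Boolean locked;    // account is locked
        private List<Role> roles;

        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public void setUsername(String username) { this.username = username; }
        public void setPassword(String password) { this.password = password; }
        public Boolean getEnabled() { return enabled; }
        public void setEnabled(Boolean enabled) { this.enabled = enabled; }
        public Boolean getLocked() { return locked; }
        public void setLocked(Boolean locked) { this.locked = locked; }
        public List<Role> getRoles() { return roles; }
        public void setRoles(List<Role> roles) { this.roles = roles; }

        /**
         * Maps the user's roles to Spring Security authorities.
         *
         * The prefix must be the upper-case "ROLE_": hasRole("admin") looks for the
         * authority "ROLE_admin", so the original "Role_" prefix would have denied
         * every user. A null role list yields no authorities instead of an NPE.
         */
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            List<SimpleGrantedAuthority> authorities = new ArrayList<>();
            if (roles != null) {
                for (Role role : roles) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
                }
            }
            return authorities;
        }

        @Override
        public String getUsername() { return username; }

        @Override
        public String getPassword() { return password; }

        /** No expiry column in this schema, so accounts never expire. */
        @Override
        public boolean isAccountNonExpired() { return true; }

        /** Derived from the locked column; a null flag is treated as not locked. */
        @Override
        public boolean isAccountNonLocked() { return !Boolean.TRUE.equals(locked); }

        /** No password-expiry column in this schema. */
        @Override
        public boolean isCredentialsNonExpired() { return true; }

        /** Derived from the enabled column; a null flag disables the account (fail closed). */
        @Override
        public boolean isEnabled() { return Boolean.TRUE.equals(enabled); }
    }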
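    public class Role {
        private Integer id;
        private String name;     // authority name without prefix, e.g. "admin" (User adds ROLE_)
        private String nameZh;   // human-readable (Chinese) display name

        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getNameZh() { return nameZh; }
        public void setNameZh(String nameZh) { this.nameZh = nameZh; }
    }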
    
    创建一个UserService
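    @Service
    public class UserService implements UserDetailsService {
        @Autowired
        UserMapper userMapper;

        /**
         * Loads a user and its roles for Spring Security's authentication step.
         *
         * Throws UsernameNotFoundException for an unknown name. With the default
         * DaoAuthenticationProvider settings (hideUserNotFoundExceptions=true) that
         * is reported to the client as BadCredentialsException, so "no such user" and
         * "wrong password" look the same - keep that default to avoid user enumeration.
         * The password comparison itself is done by Spring Security with the configured
         * PasswordEncoder, not here.
         */
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            User user = userMapper.loadUserByUsername(username);
            if (user == null) {
                throw new UsernameNotFoundException("用户不存在");
            }
            user.setRoles(userMapper.getUserRolesById(user.getId()));
            return user;
        }
    }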

     创建一个UserMapper(名字要和UserService中注入的UserMapper以及UserMapper.xml的namespace一致)

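    @Mapper
    public interface UserMapper {   // was "UserMaper": must match UserService and the XML namespace

        /** Returns the user row for {@code username}, or null when none exists. */
        User loadUserByUsername(String username);

        /** Returns the roles linked to the user through user_role. */
        List<Role> getUserRolesById(Integer id);
    }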

     创建UserMapper.xml

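    <mapper namespace="org.zenghao.mapper.UserMapper">
        <!-- #{} binds a JDBC parameter (PreparedStatement), so the user-supplied name
             cannot change the SQL. Never switch to ${} here: that is string concatenation
             and would make the login query injectable. -->
        <select id="loadUserByUsername" resultType="org.zenghao.bean.User">
            select * from user  where username=#{username}
        </select>
        <select id="getUserRolesById" resultType="org.zenghao.bean.Role">
            select * from role where id in (select rid from  user_role where uid=#{id})
         </select>
    </mapper>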
     

     创建一个SecurityConfig

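    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        UserService userService;

        /** Authenticate against the database via UserService; passwords are checked with the bcrypt bean below. */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userService);
        }

        /**
         * URL rules, most specific first. hasRole("dba") requires the authority
         * "ROLE_dba", so User.getAuthorities() must build names with the ROLE_ prefix.
         *
         * The matchers are literal: /admin/** covers /admin/... only. A mistyped
         * controller path (e.g. /dab/hello) silently falls through to the weaker
         * anyRequest().authenticated() rule, so keep controller paths and rules in sync.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/dba/**").hasRole("dba")
                    .antMatchers("/admin/**").hasRole("admin")
                    .antMatchers("/user/**").hasRole("user")
                    .anyRequest().authenticated()
                    .and()
                    .formLogin()
                    .permitAll()
                    .and()
                    // Demo only: keep CSRF protection on in a session-based application.
                    .csrf().disable();
        }

        /** bcrypt: the user table's password column must contain bcrypt hashes ("$2a$..."). */
        @Bean
        PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }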
    

     创建一个Controller(注意路径要和上面antMatchers中的规则一一对应)

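    @RestController
    public class HelloController {
        /** Any authenticated user (anyRequest().authenticated()). */
        @GetMapping("/hello")
        public String hello() {
            return "hello";
        }

        /**
         * ROLE_dba only. The original path was "/dab/hello": that typo would have placed
         * the endpoint outside the /dba/** rule and left it open to every logged-in user.
         */
        @GetMapping("/dba/hello")
        public String dba() {
            return "hello dba";
        }

        /** ROLE_admin only (and ROLE_dba through the role hierarchy, if configured). */
        @GetMapping("/admin/hello")
        public String admin() {
            return "hello admin";
        }

        /** ROLE_user only (plus inheriting roles via the hierarchy). */
        @GetMapping("/user/hello")
        public String user() {
            return "hello user";
        }
    }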
     

  • 角色继承 
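    /**
     * Role inheritance: dba can do everything admin can, admin everything user can.
     *
     * RoleHierarchyImpl splits each line on a '>' surrounded by whitespace, so the
     * original "ROLE_dba>ROLE_admin" (no spaces) was not recognised as a relation and
     * dba silently inherited nothing. Authority names must carry the ROLE_ prefix
     * exactly as they are stored. In Spring Security 5 the web expression handler
     * picks this bean up automatically; confirm for your version.
     */
    @Bean
    RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        String hierarchy = "ROLE_dba > ROLE_admin \n ROLE_admin > ROLE_user";
        roleHierarchy.setHierarchy(hierarchy);
        return roleHierarchy;
    }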

     

  • 动态权限配置
  • 把权限的配置放在数据库里面 创建一个类实现FilterInvocationSecurityMetadataSource里面的方法
  • 根据请求的地址分析访问它需要具备哪些角色(从数据库读取URL模式与角色的对应关系)
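@Component
public class MyFilter implements FilterInvocationSecurityMetadataSource {
    /** Ant-style matcher used to compare the request URL with the patterns in the menu table. */
    AntPathMatcher pathMatcher = new AntPathMatcher();

    @Autowired
    MenuService menuService;

    /**
     * Resolves the roles required for the current request.
     *
     * Walks every menu entry and returns the roles of the FIRST pattern that
     * matches, so the order of the menu table matters (specific patterns before
     * broad ones). A URL matching no pattern falls back to the marker
     * "ROLE_login", which MyAccessDecisionManager treats as "any authenticated
     * user": unknown URLs are therefore reachable by every logged-in user, not
     * denied - add a catch-all pattern to the menu data if you want fail-closed.
     *
     * The role names read from the database are compared verbatim by
     * MyAccessDecisionManager, so they must already contain the ROLE_ prefix.
     * SecurityConfig here is org.springframework.security.access.SecurityConfig,
     * not this page's own SecurityConfig class.
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
        // getRequestUrl() includes the query string, so exact patterns without /** may
        // not match a request that carries parameters.
        String requestUrl = ((FilterInvocation) o).getRequestUrl();
        List<Menu> allMenus = menuService.getAllMenus();  // one query per request; consider caching
        for (Menu menu : allMenus) {
            if (pathMatcher.match(menu.getPattern(), requestUrl)) {
                List<Role> roles = menu.getRoles();
                String[] rolesStr = new String[roles.size()];
                for (int i = 0; i < roles.size(); i++) {
                    rolesStr[i] = roles.get(i).getName();
                }
                return SecurityConfig.createList(rolesStr);
            }
        }
        return SecurityConfig.createList("ROLE_login");
    }

    /** Not used; only consulted for start-up validation of attributes. */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    /** This source only understands web requests (the original returned null from a boolean method). */
    @Override
    public boolean supports(Class<?> aClass) {
        return FilterInvocation.class.isAssignableFrom(aClass);
    }
}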
  •  创建一个类实现AccessDecisionManager里面的方法 //根据当前登录用户拥有的角色,判断是否满足上一步得到的角色要求
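    @Component
    public class MyAccessDecisionManager implements AccessDecisionManager {

        /**
         * Grants or denies the request based on the attributes produced by MyFilter.
         *
         * Rules, in order:
         *  - the marker "ROLE_login" means "any authenticated user": anonymous callers
         *    are rejected, everyone else passes;
         *  - otherwise access is granted as soon as ONE of the caller's authorities
         *    equals ONE of the required attributes (plain string equality, so the
         *    database must hold the full "ROLE_xxx" authority names);
         *  - if the loop finishes without a match the request is denied (fail closed).
         *
         * Throwing AccessDeniedException for an anonymous caller still ends in a
         * redirect to the login page: ExceptionTranslationFilter starts authentication
         * instead of returning 403 when the current authentication is anonymous.
         */
        @Override
        public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> collection)
                throws AccessDeniedException, InsufficientAuthenticationException {
            for (ConfigAttribute attribute : collection) {
                if ("ROLE_login".equals(attribute.getAttribute())) {
                    if (authentication instanceof AnonymousAuthenticationToken) {
                        throw new AccessDeniedException("非法请求!");
                    }
                    return;
                }
                for (GrantedAuthority authority : authentication.getAuthorities()) {
                    if (authority.getAuthority().equals(attribute.getAttribute())) {
                        return;
                    }
                }
            }
            throw new AccessDeniedException("非法请求!");
        }

        /** Every attribute produced by MyFilter is a plain role string, so all are supported. */
        @Override
        public boolean supports(ConfigAttribute configAttribute) {
            return true;
        }

        @Override
        public boolean supports(Class<?> aClass) {
            return true;
        }
    }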
    

在securityConfig类中配置上面两个类

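/**
 * Wires the database-backed metadata source (which URL needs which roles) and the
 * custom decision manager (does the caller hold one of them) into the
 * FilterSecurityInterceptor. {@code myFilter} and {@code myAccessDecisionManager}
 * are @Autowired fields of the enclosing SecurityConfig, declared outside this listing.
 *
 * Because the metadata source is replaced, the permitAll() on formLogin() no longer
 * contributes any rule. The default generated login page still works, since it is
 * served by filters that run before the interceptor, but a custom login page URL
 * must be made reachable through the menu data (or handled in MyFilter).
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>() {
                @Override
                public <O extends FilterSecurityInterceptor> O postProcess(O o) {
                    o.setAccessDecisionManager(myAccessDecisionManager);
                    o.setSecurityMetadataSource(myFilter);
                    return o;
                }
            })
            .and()
            .formLogin()
            .permitAll()
            .and()
            // Demo only: keep CSRF protection on in a real, session-based application.
            .csrf().disable();
}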




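// The lines that stood here were a truncated second copy of MyAccessDecisionManager
// (cut off inside decide()). The complete class is shown once, above, in the
// "动态权限配置" section; nothing is lost by dropping the fragment.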

 

  • OAuth2简介
  • Spring Security结合OAuth2

OAuth2允许用户授权第三方应用访问自己在另一个服务上的资源,例如用QQ账号登录网易云音乐。它通过颁发一个有时效、有范围限制的Token来实现,第三方应用拿到的是Token而不是用户的密码。四个基本角色:资源所有者(用户)、客户端(第三方应用)、授权服务器(校验身份并颁发令牌)、资源服务器(持有受保护资源,凭令牌放行)。规范定义了六个交互步骤和四种授权模式(授权码、简化、密码、客户端凭证);其中下文使用的密码模式会把用户口令交给客户端,OAuth 2.0安全最佳实践和OAuth 2.1已不再推荐,只适合自家可信客户端或演示。

创建一个项目,添加web依赖,添加Spring security依赖 在pom中加入OAuth2依赖

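<!-- spring-security-oauth2 is the separate "Spring Security OAuth" project, which has
     reached end of life and no longer receives security fixes. New projects should use
     Spring Security's built-in OAuth2 client/resource-server support and Spring
     Authorization Server instead; this listing is kept for the tutorial only. -->
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.3.6.RELEASE</version>  <!-- was "2.3.6RELEASE": the dot before RELEASE is required -->
</dependency>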
redis依赖
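<!-- Redis is used as the token store; the live access/refresh tokens it holds are
     bearer credentials, so the Redis instance must be password-protected and not
     exposed on the network. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-redis</artifactId>  <!-- original tags were malformed -->
</dependency>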

 在 application.properties中配置

# ':' is a valid key/value separator in .properties, but '=' is used on the other
# lines - keep them consistent. The Redis password is a real secret (Redis holds the
# issued OAuth2 tokens): do not commit it; inject it from the environment instead.
spring.redis.host:localhost
spring.redis.port=6379
spring.redis.password=123
spring.redis.database=0

 配置一个授权服务器 ,创建一个AuthorizationServerConfig

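@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    AuthenticationManager authenticationManager;

    @Autowired
    RedisConnectionFactory redisConnectionFactory;

    @Autowired
    UserDetailsService userDetailsService;

    /** Encoder shared by client secrets and user passwords. */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Registers one in-memory OAuth2 client.
     *
     * The "password" grant hands the user's credentials to the client, which is why
     * the OAuth 2.0 Security BCP deprecates it and OAuth 2.1 drops it; it is
     * tolerable only for a first-party client in a demo. The secret must be the
     * bcrypt hash of the real secret (here: of "123"), never the plaintext.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("password")
                .authorizedGrantTypes("password", "refresh_token")
                .accessTokenValiditySeconds(1800)  // access tokens live 30 minutes
                // No refreshTokenValiditySeconds() is set, so the library default
                // (30 days in DefaultTokenServices) applies - set it explicitly in real code.
                .resourceIds("rid")
                .scopes("all")
                .secret("hadiogaglkds*dihih$ihdfa@#$"); // placeholder: paste passwordEncoder().encode("123")
    }

    /** Tokens live in Redis so they survive restarts and can be shared by several instances. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(new RedisTokenStore(redisConnectionFactory))
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }

    /**
     * Lets clients send client_id/client_secret as form parameters instead of an
     * HTTP Basic header. Convenient for curl/Postman and no weaker as a check, but
     * the secret then travels in the request body, so TLS is mandatory.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }
}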

 配置一个资源服务器 ResourceServerConfig

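@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * This server only accepts tokens issued for resource id "rid" (see the client
     * registration); stateless(true) means no HTTP session is created - every request
     * must carry its bearer token.
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("rid").stateless(true);
    }

    /** Role rules for the protected API; any other URL needs a valid token. */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/user/**").hasRole("user")
                .anyRequest().authenticated();
    }
}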

 创建一个SecurityConfig

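@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Exposes the AuthenticationManager as a bean so AuthorizationServerConfig can inject it. */
    @Override
    @Bean
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    /** Exposes the UserDetailsService as a bean (needed by the refresh_token grant). */
    @Bean
    @Override
    protected UserDetailsService userDetailsService() {
        return super.userDetailsService();
    }

    /**
     * Demo users. password() values must be bcrypt hashes (the PasswordEncoder bean is
     * declared in AuthorizationServerConfig). The string here is only a placeholder, and
     * both users sharing one hash means both have the same password.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("zenghao").password("hadiogaglkds*dihih$ihdfa@#$").roles("admin")
                .and()
                .withUser("zhangsan").password("hadiogaglkds*dihih$ihdfa@#$").roles("user");
    }

    /**
     * This chain handles only /oauth/** (token endpoints) and leaves them open so
     * clients can request tokens; the API itself is protected by ResourceServerConfig.
     * The original had "/pauth/**" (typo, unterminated string) and "/permitAll()".
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/oauth/**")
                .authorizeRequests()
                .antMatchers("/oauth/**").permitAll()
                .and()
                // Token endpoints are not driven by a browser session cookie, which is the
                // usual justification for switching CSRF off on this chain only.
                .csrf().disable();
    }
}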

 创建Controller

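@RestController
public class HelloController {
    /** Requires a token whose user has ROLE_admin. */
    @GetMapping("/admin/hello")
    public String admin() {
        return "hello admin";
    }

    /** Requires a token whose user has ROLE_user. */
    @GetMapping("/user/hello")
    public String user() {   // original declared three methods named admin() - a compile error
        return "hello user";
    }

    /** Any valid token. */
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }
}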

  • 整合Shiro方式一
  • 在pom中手动添加
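    <!-- Shiro 1.4.0 (2017) predates a long series of Shiro security releases, several of
         them fixing authentication/path-matching bypasses in 1.x. Pin a current release. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.4.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.4.0</version>
    </dependency>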

     创建一个类

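    public class MyRealm extends AuthorizingRealm {

        /**
         * Authorisation: roles/permissions of an already authenticated subject.
         * Returning null means "no roles, no permissions" - every hasRole()/isPermitted()
         * check fails. Load this from a database for real use.
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return null;
        }

        /**
         * Authentication: looks the user up and hands Shiro the stored credential to compare.
         *
         * The credential here is the plaintext "123", and the realm's default
         * credentials matcher compares the submitted password to it directly. Real code
         * must store a salted hash and configure a HashedCredentialsMatcher. Returning
         * null for an unknown user makes Shiro raise UnknownAccountException.
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String username = (String) token.getPrincipal();
            if ("zenghao".equals(username)) {
                return new SimpleAuthenticationInfo(username, "123", getName());
            }
            return null;
        }
    }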

     创建一个Shiro的配置文件

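    @Configuration
    public class ShiroConfig {
        @Bean
        MyRealm myRealm() {
            return new MyRealm();
        }

        /** org.apache.shiro.mgt.SecurityManager - import it explicitly, it clashes with java.lang.SecurityManager. */
        @Bean
        SecurityManager securityManager() {
            DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
            manager.setRealm(myRealm());
            return manager;
        }

        /**
         * Filter chain: /doLogin is anonymous (the login POST must be reachable without a
         * session), everything else requires authentication.
         *
         * Path matching is case sensitive: the original "/dologin" would NOT have matched
         * the controller's @PostMapping("/doLogin"), leaving the login endpoint itself
         * behind the authc filter. Definitions are matched in insertion order, hence
         * the LinkedHashMap.
         */
        @Bean
        ShiroFilterFactoryBean shiroFilterFactoryBean() {
            ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
            bean.setSecurityManager(securityManager());
            bean.setLoginUrl("/login");    // where unauthenticated requests are sent
            bean.setSuccessUrl("/index");  // original ".index" is not a valid path
            Map<String, String> map = new LinkedHashMap<>();
            map.put("/doLogin", "anon");
            map.put("/**", "authc");
            bean.setFilterChainDefinitionMap(map);
            return bean;
        }
    }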

     创建一个Controller

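    @RestController
    public class HelloController {
        /** Target of Shiro's loginUrl: unauthenticated requests are redirected here. */
        @GetMapping("/login")
        public String login() {
            return "please login";
        }

        /**
         * Authenticates through Shiro. Returns a short status string (the original was
         * declared as returning String but had no return statement).
         *
         * The exception detail is printed server-side only; the client gets a generic
         * answer so it cannot distinguish "unknown user" from "wrong password".
         */
        @PostMapping("/doLogin")
        public String doLogin(String username, String password) {
            Subject subject = SecurityUtils.getSubject();
            try {
                subject.login(new UsernamePasswordToken(username, password));
                System.out.println("success");
                return "success";
            } catch (AuthenticationException e) {
                // A failed login is expected input, not an error: no stack trace.
                System.out.println("fail>>" + e.getMessage());
                return "fail";
            }
        }

        @GetMapping("/hello")
        public String hello() {
            return "hello shrio";
        }
    }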

     


     

  • 整合Shiro方式二
  • 在pom中手动添加 
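    <!-- Starter for the property-driven setup below. Same version caveat as above:
         1.4.0 predates many Shiro security fixes; pin a current release. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring-boot-web-starter</artifactId>  <!-- was "shiro-sprin-boot-web-starter" -->
        <version>1.4.0</version>
    </dependency>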
    

 在application.properties中配置

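shiro.enabled=true
shiro.unauthorizedUrl=/unauthorizedUrl
shiro.web.enabled=true
shiro.successUrl=/success
shiro.loginUrl=/login
# Optional session settings. Comments in .properties start with '#', not '//':
# a '//' line is parsed as a bogus key, and the original also misspelled
# "shrio.successUrl" and "shiro.seessionManager", so those settings were never applied.
#
# Session ids in the URL (;JSESSIONID=...) leak into access logs, browser history and
# Referer headers and make session fixation via crafted links trivial. Keep URL
# rewriting off and rely on the (HttpOnly) session cookie.
shiro.sessionManager.sessionIdUrlRewritingEnabled=false
shiro.sessionManager.sessionIdCookieEnabled=true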

 创建一个ShiroConfig

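@Configuration
public class ShiroConfig {

    /**
     * Users and roles defined inline.
     *
     * setUserDefinitions() expects "username = password, role1, role2" per line; the
     * original "zenghao,user" had no '=' and therefore defined no usable account.
     * The credentials are plaintext in source - demo only; for real use back the
     * realm with a database and hashed passwords.
     */
    @Bean
    Realm realm() {
        TextConfigurationRealm realm = new TextConfigurationRealm();
        realm.setUserDefinitions("zenghao=123,user \n admin=123,admin");
        realm.setRoleDefinitions("admin=read,write \n user=read");
        return realm;
    }

    /** Interception rules: /doLogin is anonymous, everything else requires authentication. Order matters. */
    @Bean
    ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition definition = new DefaultShiroFilterChainDefinition();
        definition.addPathDefinition("/doLogin", "anon");
        definition.addPathDefinition("/**", "authc");
        return definition;
    }
}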

 创建一个Controller

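@RestController
public class LoginController {
    @GetMapping("/hello")
    public String hello() {
        return "hello shiro";
    }

    /** Target of shiro.loginUrl. The original declared this as a second hello() (duplicate method). */
    @GetMapping("/login")
    public String login() {
        return "please login";
    }

    /**
     * Authenticates through Shiro and returns a short status (the original had no
     * return statement). Failure details are printed server-side only, so the client
     * cannot tell "unknown user" from "wrong password".
     */
    @PostMapping("/doLogin")
    public String doLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            System.out.println("success");
            return "success";
        } catch (AuthenticationException e) {
            System.out.println("fail>>" + e.getMessage());
            return "fail";
        }
    }
}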

 

  • Spring Security 使用JSON登录

  • 创建一个类继承UsernamePasswordAuthenticationFilter,重写attemptAuthentication:当请求体是JSON时从中解析用户名和密码,否则交给父类按表单参数处理
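    public class MyAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

        /**
         * Accepts credentials either as a JSON body ({"username":..,"password":..})
         * or, via the parent class, as form parameters.
         *
         * Only POST is accepted. A JSON body that cannot be parsed is reported as an
         * AuthenticationServiceException; the original swallowed the IOException and
         * silently tried to authenticate an empty username/password instead.
         */
        @Override
        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException {
            if (!request.getMethod().equals("POST")) {
                throw new AuthenticationServiceException("不是Post请求" + request.getMethod());
            }
            if (isJsonRequest(request)) {
                String username = null;
                String password = null;
                try {
                    // Map<?,?> instead of a raw Map: values may be non-strings in arbitrary JSON.
                    Map<?, ?> map = new ObjectMapper().readValue(request.getInputStream(), Map.class);
                    if (map != null) {
                        username = stringValue(map.get("username"));
                        password = stringValue(map.get("password"));
                    }
                } catch (IOException e) {
                    throw new AuthenticationServiceException("Invalid JSON login request", e);
                }
                if (username == null) {
                    username = "";
                }
                if (password == null) {
                    password = "";
                }
                username = username.trim();
                UsernamePasswordAuthenticationToken authRequest =
                        new UsernamePasswordAuthenticationToken(username, password);
                setDetails(request, authRequest);
                return this.getAuthenticationManager().authenticate(authRequest);
            }
            return super.attemptAuthentication(request, response);
        }

        /**
         * True when the Content-Type is JSON. The header may be absent (the original
         * would NPE) or carry parameters such as ";charset=UTF-8" (the original's
         * equals() would then miss it), so compare the media type prefix only.
         */
        private static boolean isJsonRequest(HttpServletRequest request) {
            String contentType = request.getContentType();
            return contentType != null
                    && content​TypeLower(contentType).startsWith(MediaType.APPLICATION_JSON_VALUE);
        }

        private static String contentTypeLower(String contentType) {
            return contentType.trim().toLowerCase(Locale.ROOT);
        }

        private static String stringValue(Object value) {
            return value == null ? null : value.toString();
        }
    }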
    创建一个SecurityConfig配置
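    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        /**
         * Every URL requires authentication; login goes through the JSON-aware filter.
         *
         * addFilterAt() registers MyAuthenticationFilter at the position of
         * UsernamePasswordAuthenticationFilter, but formLogin() still registers the
         * stock filter too, so both sit at that position and Spring does not define
         * their relative order. Both answer POST /login, which works for this demo;
         * a cleaner setup lets exactly one filter own the login endpoint.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                    .and()
                    .formLogin().permitAll()
                    .and()
                    // Disabled for the Postman demo; a session-cookie based app must keep it on.
                    .csrf().disable();
            http.addFilterAt(myAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        }

        /**
         * The JSON login filter. It needs the AuthenticationManager injected explicitly
         * because it is created outside the formLogin() DSL, and it inherits the default
         * handlers (redirect on success, HTTP 401 on failure) - set explicit handlers for
         * a pure JSON API. Being a @Bean of type Filter, Spring Boot also registers it with
         * the servlet container; disable that registration (FilterRegistrationBean with
         * setEnabled(false)) or create the filter without @Bean to avoid running it twice.
         */
        @Bean
        MyAuthenticationFilter myAuthenticationFilter() throws Exception {
            MyAuthenticationFilter filter = new MyAuthenticationFilter();
            filter.setAuthenticationManager(authenticationManagerBean());
            return filter;
        }
    }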

     创建一个Controller

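    @RestController
    public class HelloController {
        /** Protected endpoint; reachable after the JSON login succeeds. */
        @GetMapping("/hello")
        public String hello() {
            return "hello Security";
        }
    }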
    
    {"username":"zenghao","password":"123"}

     

 
