spring security
问题描述
某项目后台管理,既管理后台账号,又管理前台账号,前台账号信息存储front_account, 后台账号信息存储back_account。这里通过spring security 既管理后台账号的认证,也管理前台账号的认证。
分析问题
既然是两张表,而且为了适应不同环境,那么首先我们知道,单个项目内既要实现前台登录,又要实现后台登录,那么前后台的登录路径肯定不同,基于路径的区分,我们需要关心两点:
1.security是否对路径做拦截。
2.重写loadUserByUsername(String username)方法
解决方案
路径拦截在UsernamePasswordAuthenticationFilter中可以看到new AntPathRequestMatcher("/login", “POST”),这段代码就是过滤,所以重写它
loadUserByUsername authenticate#retrieveUser 里面有调用到loadUserByUsername,所以重写它
代码实现
基本套路为:
config 继承WebSecurityConfigurerAdapter,重写configure(HttpSecurity http)
Filter 继承AbstractAuthenticationProcessingFilter,参考UsernamePasswordAuthenticationFilter 实现路径过滤和attemptAuthentication(身份验证)
token 继承AbstractAuthenticationToken, 参考UsernamePasswordAuthenticationToken
provider 实现AuthenticationProvider,参考DaoAuthenticationProvider 重写authenticate和retrieveUser方法
Config
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
...//TODO 主要是下面两个
//后台过滤
http.addFilterAt(backAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
//前台过滤
http.addFilterAt(frontAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
BackAuthenticationFilter backAuthenticationFilter() throws Exception {
BackAuthenticationFilter filter = new BackAuthenticationFilter();
filter.setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
LoginUser loginUser = (LoginUser) authentication.getPrincipal();
Token token = tokenService.saveToken(loginUser);
ResponseUtil.responseJson(response, HttpStatus.OK.value(), token);
}
});
filter.setAuthenticationFailureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
String msg = null;
if (exception instanceof BadCredentialsException) {
msg = "密码错误";
} else {
msg = exception.getMessage();
}
ResponseUtil.responseJson(response, HttpStatus.UNAUTHORIZED.value(), Result.error(HttpStatus.UNAUTHORIZED.value(), msg));
}
});
filter.setAuthenticationManager(authenticationManagerBean());
return filter;
}
BackAuthenticationFilter
public class BackAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
// ~ Static fields/initializers
// =====================================================================================
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
private boolean postOnly = true;
// ~ Constructors
// ===================================================================================================
public BackAuthenticationFilter() {
//路径过滤
super(new AntPathRequestMatcher("/back/login", "POST"));
}
// ~ Methods
// ========================================================================================================
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
AbstractAuthenticationToken authRequest = new BackAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(passwordParameter);
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(usernameParameter);
}
protected void setDetails(HttpServletRequest request,
AbstractAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
public void setUsernameParameter(String usernameParameter) {
Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
this.usernameParameter = usernameParameter;
}
public void setPasswordParameter(String passwordParameter) {
Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
this.passwordParameter = passwordParameter;
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public final String getUsernameParameter() {
return usernameParameter;
}
public final String getPasswordParameter() {
return passwordParameter;
}
}
BackAuthenticationToken
public class BackAuthenticationToken extends AbstractAuthenticationToken {
private final Object principal;
private String credentials;
public BackAuthenticationToken(Object principal, String credentials) {
super(null);
this.principal = principal;
this.credentials = credentials;
setAuthenticated(false);
}
// ~ Methods
// ========================================================================================================
public String getCredentials() {
return this.credentials;
}
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
credentials = null;
}
}
BackAuthenticationProvider
public class BackAuthenticationProvider implements AuthenticationProvider {
@Autowired
@Qualifier("bCryptPasswordEncoder")
private BCryptPasswordEncoder passwordEncoder;
@Autowired
private BackUserDetailsServiceImpl userDetailsService;
/**
* The plaintext password used to perform
* PasswordEncoder#matches(CharSequence, String)} on when the user is
* not found to avoid SEC-2056.
*/
private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private UserCache userCache = new NullUserCache();
private boolean hideUserNotFoundExceptions = true;
/**
* The password used to perform
* {@link PasswordEncoder#matches(CharSequence, String)} on when the user is
* not found to avoid SEC-2056. This is necessary, because some
* {@link PasswordEncoder} implementations will short circuit if the password is not
* in a valid format.
*/
private volatile String userNotFoundEncodedPassword;
public UserCache getUserCache() {
return userCache;
}
public void setUserCache(UserCache userCache) {
this.userCache = userCache;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
String password = (String) authentication.getCredentials();
if (StringUtils.isEmpty(password)) {
throw new BadCredentialsException("密码不能为空");
}
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
user = retrieveUser(username,
(BackAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
log.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
if (null == user) {
throw new BadCredentialsException("用户不存在");
}
if (!passwordEncoder.matches(password, user.getPassword())) {
throw new BadCredentialsException("用户名或密码不正确");
}
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
UsernamePasswordAuthenticationToken result =
new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
result.setDetails(authentication.getDetails());
return result;
}
private UserDetails retrieveUser(String username, BackAuthenticationToken authentication) throws AuthenticationException {
prepareTimingAttackProtection();
try {
UserDetails loadedUser = this.userDetailsService.loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
} catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
} catch (InternalAuthenticationServiceException ex) {
throw ex;
} catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}
private void prepareTimingAttackProtection() {
if (this.userNotFoundEncodedPassword == null) {
this.userNotFoundEncodedPassword = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
}
}
private void mitigateAgainstTimingAttack(BackAuthenticationToken authentication) {
if (authentication.getCredentials() != null) {
String presentedPassword = authentication.getCredentials();
this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
}
}
@Override
public boolean supports(Class<?> authentication) {
return (BackAuthenticationToken.class.isAssignableFrom(authentication));
}
}
1762
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
