Title

SpringSecurity自定义验证登录

一、描述

使用springboot+spring security实现自定义登录验证及登录登出结果返回
适用于前后端分离

二、处理逻辑

简单流程

自定义UserDetails

@javax.persistence.Entity
@org.hibernate.annotations.Table(appliesTo = "local_user_details")
public class LocalUserDetails implements java.io.Serializable, UserDetails {
  private static final long serialVersionUID = 1594783117560L;

  @javax.persistence.Id
  @GeneratedValue(strategy = GenerationType.IDENTITY)
  @Column(name = "[id]", nullable = false, unique = true, length = 0, precision = 20, scale = 0, columnDefinition = "bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT '主键'")
  @ApiModelProperty(value = "主键", required = false, hidden = false, example = "主键")
  @JsonInclude(value = JsonInclude.Include.NON_EMPTY)
  private Long id;

  @NonNull
  @Size(min = 3, max = 18)
  @Column(name = "[userid]", nullable = false, unique = false, length = 64, precision = 0, scale = 0, columnDefinition = "varchar(64) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT '' COMMENT '用户索引'")
  @ApiModelProperty(value = "用户索引", required = true, hidden = false, example = "用户索引")
  @JsonInclude(value = JsonInclude.Include.NON_EMPTY)
  private String userid = "";

  @NonNull
  @Size(min = 3, max = 64)
  @Column(name = "[passwd]", nullable = false, unique = false, length = 128, precision = 0, scale = 0, columnDefinition = "varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '' COMMENT '用户密码'")
  @ApiModelProperty(value = "用户密码", required = true, hidden = false, example = "用户密码")
  @JsonInclude(value = JsonInclude.Include.NON_EMPTY)
  private String passwd = "";

  public LocalUserDetails() {}
  public Long getId() {
    return this.id;
  }
  public void setId(Long id) {
    this.id = id;
  }
  public String getUserid() {
    return this.userid;
  }
  public void setUserid(String userid) {
    this.userid = userid;
  }
  public String getPasswd() {
    return this.passwd;
  }
  public void setPasswd(String passwd) {
    this.passwd = passwd;
  }
  @Override
  public Collection<? extends GrantedAuthority> getAuthorities() {
    //返回分配给用户的角色列表
    return new ArrayList<>();
  }
  @Override
  public String getPassword() {
    return this.getPasswd();
  }
  @Override
  public String getUsername() {
    return this.getUserid();
  }
  @Override
  public boolean isAccountNonExpired() {
    // 指定账户是否未过期.
    return true;
  }
  @Override
  public boolean isAccountNonLocked() {
    // 指定账户是否未锁定.
    return true;
  }
  @Override
  public boolean isCredentialsNonExpired() {
    // 指定密码是否未过期.
    return true;
  }
  @Override
  public boolean isEnabled() {
    // 指定用户是否已启用, 禁用的用户无法进行身份验证.
    return true;
  }
}

自定义UserDetailsDAO

public interface LocalUserDetailsDAO extends JpaRepository<LocalUserDetails, Long>, JpaSpecificationExecutor<LocalUserDetails> {
  Optional<LocalUserDetails> findByUserid(String userid);
}

自定义UserDetailsService

@Service
@Transactional
public class AuthorityUserLoginInfoService implements UserDetailsService {
  @Autowired
  private LocalUserDetailsDAO dao;
  @Override
  public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    Optional<LocalUserDetails> user = dao.findByUserid(username);
    if (user.isPresent()) {
      if (!user.get().isEnabled()) { throw new DisabledException("暂无权限!"); }
    } else {
      throw new UsernameNotFoundException("用户名或密码不正确!");
    }
    return user.get();
  }
}

自定义用户登录验证逻辑AuthenticationProvider

@Component
public class LocalAuthenticationProvider implements AuthenticationProvider {
  @Autowired
  private AuthorityUserLoginInfoService userService;
  private final PasswordEncoder encoder = new BCryptPasswordEncoder();
  /** 自定义验证方式 */
  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getName();
    String password = (String) authentication.getCredentials();

    // 获取Request, 获取其他参数信息
    ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    HttpSession session = attributes.getRequest().getSession();
    Object others = session.getAttribute("others");

    UserDetails node = userService.loadUserByUsername(username);
    if (!encoder.matches(password, node.getPassword())) { throw new BadCredentialsException("用户名或密码不正确!"); }
    return new UsernamePasswordAuthenticationToken(node, password, node.getAuthorities());
  }
  @Override
  public boolean supports(Class<?> authentication) {
    return true;
  }
}

三、Spring Security基本配置信息

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Value(value = "${ignoringAntMatchers:/**}")
  private String ignoringAntMatchers;

  @Value(value = "${loginPage:/login}")
  private String loginPage;

  @Value(value = "${loginProcessingUrl:/api/user/login}")
  private String loginProcessingUrl;

  @Value(value = "${logoutUrl:/api/user/logout}")
  private String logoutUrl;

  @Value(value = "${expiredUrl:/login}")
  private String expiredUrl;

  @Autowired
  private DataSource dataSource;

  @Autowired
  private AuthorityUserLoginInfoService userService;

  @Bean
  public BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(4);
  }

  @Bean
  public AuthenticationProvider authenticationProvider() {
    return new LocalAuthenticationProvider();
  }

  @Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception {
    // 自定义用户登录验证
    auth.authenticationProvider(authenticationProvider());
    // 指定密码加密所使用的加密器为passwordEncoder(), 需要将密码加密后写入数据库
    auth.userDetailsService(this.userService).passwordEncoder(passwordEncoder());
    // 不删除凭据,以便记住用户
    auth.eraseCredentials(false);
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    // 设置不拦截规则
    web.ignoring().antMatchers(this.ignoringAntMatchers.split(","));
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // 设置拦截规则
    http.authorizeRequests().anyRequest().authenticated();

    // 自定义登录信息
    http.csrf().disable().formLogin() //
        .loginPage(this.loginPage) // 自定义登录页url,默认为/login
        .loginProcessingUrl(this.loginProcessingUrl) // 登录验证地址, 即RequestMapping地址
        // 用户名的请求字段. 默认为org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY
        .usernameParameter("username")
        // 用户名的请求字段. 默认为org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY
        .passwordParameter("password") // 
        .successHandler(new LocalAuthenticationSuccessHandler()) // 登录验证成功后, 执行的内容
        // .defaultSuccessUrl("/index") // 登录验证成功后, 跳转的页面, 如果自定义返回内容, 请使用successHandler方法
        // .successForwardUrl("/index") // 登录验证成功后, 跳转的页面, 如果自定义返回内容, 请使用successHandler方法
        .failureHandler(new LocalAuthenticationFailureHandler()) // 登录验证失败后, 执行的内容
        // .failureUrl("/login?error")  // 登录验证失败后, 跳转的页面, 如果自定义返回内容, 请使用failureHandler方法
        .permitAll();

    // 自定义异常处理器
    http.exceptionHandling() // 异常处理器
        // 用来解决匿名用户访问无权限资源时的异常
        .authenticationEntryPoint(new LocalAuthenticationEntryPoint())
        // 用来解决认证过的用户访问无权限资源时的异常, 跳转的页面, 如果自定义返回内容, 请使用accessDeniedHandler方法
        // .accessDeniedPage("/error")
        // 用来解决认证过的用户访问无权限资源时的异常
        .accessDeniedHandler(new LocalAccessDeniedHandler());

    // 自定义注销信息
    http.logout() // 
        .logoutUrl(this.logoutUrl) // 登出验证地址, 即RequestMapping地址
        .logoutSuccessHandler(new LocalLogoutSuccessHandler()) // 登出验证成功后, 执行的内容
        // .logoutSuccessUrl("/login?logout") // 登出验证成功后, 跳转的页面, 如果自定义返回内容, 请使用logoutSuccessHandler方法
        .deleteCookies("JSESSIONID") // 退出登录后需要删除的cookies名称
        .invalidateHttpSession(true) // 退出登录后, 会话失效
        .permitAll();

    // remember-me配置
    http.rememberMe() // 
        // org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer.DEFAULT_REMEMBER_ME_NAME
        .rememberMeCookieName("remember-me")
        // org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer.DEFAULT_REMEMBER_ME_NAME
        .rememberMeParameter("remember-me")
        // org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.TWO_WEEKS_S
        .tokenValiditySeconds(360000)
        // tokenRepository
        .tokenRepository(new LocalPersistentTokenRepository(this.dataSource));

    // session管理
    http.sessionManagement().sessionFixation().changeSessionId() //
        .maximumSessions(1) // 最大会话数
        .maxSessionsPreventsLogin(false) // 达到最大数后, 强制验证, 踢出旧用户
        // 旧用户被踢出后, 跳转的页面, 如果自定义返回内容, 请使用expiredSessionStrategy方法
        // .expiredUrl("/login?expired")
        // 旧用户被踢出后, 执行的内容
        .expiredSessionStrategy(new LocalSessionInformationExpiredStrategy());
  }

  @Bean
  @Override
  protected AuthenticationManager authenticationManager() throws Exception {
    return super.authenticationManager();
  }

}

四、登录登出自定义处理器

登录成功处理器LocalAuthenticationSuccessHandler

public class LocalAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
      throws IOException, ServletException {
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(ResultStatus.SUCCESS_LOGIN)));
  }
}

登录失败处理器LocalAuthenticationFailureHandler

public class LocalAuthenticationFailureHandler implements AuthenticationFailureHandler {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
      throws IOException, ServletException {
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(ResultStatus.ERROR_LOGIN)));
  }
}

登出成功处理器LocalLogoutSuccessHandler

public class LocalLogoutSuccessHandler implements LogoutSuccessHandler {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
      throws IOException, ServletException {
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(20001, "登出成功!")));
  }
}

匿名用户访问无权限处理器LocalAuthenticationEntryPoint

public class LocalAuthenticationEntryPoint implements AuthenticationEntryPoint {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
      throws IOException, ServletException {
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(ResultStatus.WRONG_DEAL)));
  }
}

认证用户访问无权限处理器LocalAccessDeniedHandler

public class LocalAccessDeniedHandler implements AccessDeniedHandler {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
      throws IOException, ServletException {
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(ResultStatus.WRONG_DEAL)));
  }
}

旧用户被踢处理器LocalSessionInformationExpiredStrategy

public class LocalSessionInformationExpiredStrategy implements SessionInformationExpiredStrategy {
  private static final Gson gson = new GsonBuilder().disableHtmlEscaping().create();

  @Override
  public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException, ServletException {
    HttpServletResponse response = event.getResponse();
    response.setCharacterEncoding("utf-8");
    response.setContentType("application/json;charset=utf-8");
    response.getWriter().print(gson.toJson(new Result<>(20002, "用户已退出!")));
  }
}

参考文章:https://blog.csdn.net/dahaiaixiaohai/article/details/107375939

posted @ 2021-11-02 14:52  快乐小洋人  阅读(1051)  评论(1编辑  收藏  举报