springboot security 安全机制
springboot security 安全机制
认证流程:
1、由认证配置WebSecurityConfigurerAdapter的configure(HttpSecurity http)方法进入,添加拦截器addFilterBefore
2、进入拦截器AbstractAuthenticationProcessingFilter的attemptAuthentication方法,指定认证对象AbstractAuthenticationToken
3、进入认证逻辑AuthenticationProvider,根据supports的断定对认证的目标对象指定对哪个拦截器进行认证,进入具体的认证逻辑方法authenticate
4、认证结果:认证成功后进入拦截器的successfulAuthentication方法;认证失败后进入拦截器的unsuccessfulAuthentication方法
5、对认证结果进行处理
a.认证成功的逻辑:进入SimpleUrlAuthenticationSuccessHandler的onAuthenticationSuccess方法
b.认证失败的逻辑:进入SimpleUrlAuthenticationFailureHandler的onAuthenticationFailure方法
6、返回结果给页面,将数据封装在ObjectMapper对象中,将会以文本形式返回给客户端(页面)
代码块
自定义认证配置,实现WebSecurityConfigurerAdapter
package com.travelsky.config;
import com.travelsky.auto.login.BeforeLoginFilter;
import com.travelsky.auto.login.LoginProvider;
import com.travelsky.auto.login.OnFailureLogin;
import com.travelsky.auto.token.OnFailureToken;
import com.travelsky.auto.token.TokenFilter;
import com.travelsky.auto.token.TokenProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* 认证配置
*/
@Configuration
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
/**
* 认证成功处理
*/
@Autowired
private SimpleUrlAuthenticationSuccessHandler successHandler;
/**
* 登录认证失败后处理
*/
@Autowired
private OnFailureLogin failureHandler;
/**
* token认证失败后处理
*/
@Autowired
private OnFailureToken onFailureToken;
/**
* 登录认证逻辑
*/
@Autowired
private LoginProvider loginProvider;
/**
* token认证逻辑
*/
@Autowired
private TokenProvider tokenProvider;
/**
* 配置请求权限
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
// 允许登录路径通过
.antMatchers("/login").permitAll()
// 允许业务路径通过
.antMatchers("/**").permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.csrf().disable()
// 添加拦截器
.addFilterBefore(getLoginFilter(), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(getTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
/**
* 登录拦截器
* @return
* @throws Exception
*/
private AbstractAuthenticationProcessingFilter getLoginFilter() throws Exception {
BeforeLoginFilter beforeLoginFilter = new BeforeLoginFilter("/login", successHandler, failureHandler);
beforeLoginFilter.setAuthenticationManager(super.authenticationManager());
return beforeLoginFilter;
}
/**
* token拦截器
* @return
* @throws Exception
*/
private AbstractAuthenticationProcessingFilter getTokenFilter() throws Exception {
TokenFilter tokenFilter = new TokenFilter("/**", onFailureToken);
tokenFilter.setAuthenticationManager(super.authenticationManager());
return tokenFilter;
}
/**
* 配置认证逻辑列表,按顺序进行认证
* @param auth
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(loginProvider);
auth.authenticationProvider(tokenProvider);
}
}
自定义拦截器,继承AbstractAuthenticationProcessingFilter
package com.travelsky.auto.login;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* 登录自定义拦截器,继承AbstractAuthenticationProcessingFilter
*/
@Slf4j
public class BeforeLoginFilter extends AbstractAuthenticationProcessingFilter {
/**
*认证成功的处理对象
*/
private AuthenticationSuccessHandler successHandler;
/**
* 认证失败的处理对象
*/
private AuthenticationFailureHandler failureHandler;
public BeforeLoginFilter(String defaultFilterProcessesUrl, AuthenticationSuccessHandler successHandler, AuthenticationFailureHandler failureHandler) {
super(defaultFilterProcessesUrl);
this.successHandler = successHandler;
this.failureHandler = failureHandler;
}
/**
* 过滤器处理逻辑
* @param request
* @param response
* @return
* @throws AuthenticationException
* @throws IOException
* @throws ServletException
*/
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
log.info("进入登录过滤器");
String userName = request.getParameter("userName");
String password = request.getParameter("password");
LoginInfo loginInfo = new LoginInfo(null, userName, password);
log.info("username = {}", userName);
log.info("password = {}", password);
// 返回指定的认证对象
LoginAuthenticationToken loginAuthentication = new LoginAuthenticationToken(null, loginInfo, null);
// 将来由认证逻辑AuthenticationProvider来处理,这里返回LoginAuthenticationToken对象,将来由AuthenticationProvider的supports方法相匹配的认证逻辑来处理
return this.getAuthenticationManager().authenticate(loginAuthentication);
}
/**
* 认证逻辑认证成功成功后会调用此方法
* @param request
* @param response
* @param chain
* @param authResult
* @throws IOException
* @throws ServletException
*/
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
successHandler.onAuthenticationSuccess(request, response, authResult);
}
/**
* 认证逻辑认证失败后调用此方法
* @param request
* @param response
* @param failed
* @throws IOException
* @throws ServletException
*/
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
failureHandler.onAuthenticationFailure(request, response, failed);
}
}
自定义认证逻辑,继承AuthenticationProvider
package com.travelsky.auto.login;
import com.alibaba.fastjson.JSONObject;
import com.travelsky.pojo.MenuVO;
import com.travelsky.pojo.SysUserInfo;
import com.travelsky.service.SysUserInfoService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;
import java.util.List;
/**
* 认证逻辑
*/
@Component
@Slf4j
public class LoginProvider implements AuthenticationProvider {
@Autowired
private SysUserInfoService userInfoService;
/**
* 认证逻辑,认证的目标对象由supports断定,supports断定的目标对象是LoginAuthenticationToken自定义认证对象
* @param authentication
* @return
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
log.info("登录验证器,接收参数:{}", JSONObject.toJSONString(authentication));
// Authentication的具体子类,可由supports断定,supports断定子类是LoginAuthenticationToken,因此可以强转
final LoginAuthenticationToken loginAuthentication = (LoginAuthenticationToken) authentication;
final LoginInfo loginInfo = loginAuthentication.getLoginInfo();
final String userName = loginInfo.getUserName();
final SysUserInfo userInfo = userInfoService.getByUserId(userName);
if (userInfo.getPassword().equals(loginInfo.getPassword())) {
final List<MenuVO> userInfoMenus = userInfoService.getUserInfoMenus(userInfo.getId());
return new LoginAuthenticationToken(null, loginInfo, userInfoMenus);
} else {
log.error("登录验证失败");
throw new AuthenticationServiceException("登录失败.........");
}
}
/**
* 指定对谁进行认证,这里指定对LoginAuthenticationToken自定义认证对象进行认证
* @param authentication
* @return
*/
@Override
public boolean supports(Class<?> authentication) {
return LoginAuthenticationToken.class.isAssignableFrom(authentication);
}
}
自定义认证成功的处理逻辑,继承SimpleUrlAuthenticationSuccessHandler
package com.travelsky.auto.login;
import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.travelsky.auto.token.TokenContent;
import com.travelsky.auto.token.TokenFactory;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* 自定义认证成功处理逻辑,继承SimpleUrlAuthenticationSuccessHandler类
*/
@Component
@Slf4j
public class OnSuccessfulLogin extends SimpleUrlAuthenticationSuccessHandler {
/**
* 返回页面的对象,可将对象转化为文本形式(json格式)
*/
@Autowired
private ObjectMapper objectMapper;
/**
* token工厂
*/
@Autowired
private TokenFactory tokenFactory;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
log.info("登录认证成功,传入参数:{}", JSONObject.toJSONString(authentication));
// 配置响应编码格式为UTF-8
response.setCharacterEncoding("UTF-8");
// 配置返回格式为json
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
// Authentication的具体子类为LoginAuthenticationToken
final LoginAuthenticationToken loginAuthenticationToken = (LoginAuthenticationToken) authentication;
final TokenContent tokenContent = tokenFactory.createToken("token");
JSONObject json = new JSONObject();
json.put("code", "000000");
json.put("message", "认证成功");
json.put("claims", tokenContent.getClaims());
json.put("token", tokenContent.getToken());
json.put("menuList", loginAuthenticationToken.getUserInfoMenus());
log.info("生产token:{}",tokenContent.getToken());
// 将数据保存到objectMapper中,将会转化为文本格式,返回给页面
objectMapper.writeValue(response.getWriter(), json);
}
}
自定义认证失败逻辑,继承SimpleUrlAuthenticationFailureHandler
package com.travelsky.auto.login;
import com.alibaba.fastjson.JSONObject;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Slf4j
@Component
public class OnFailureLogin extends SimpleUrlAuthenticationFailureHandler {
@Autowired
private ObjectMapper objectMapper;
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
log.info("登录认证失败,传入参数:{}", JSONObject.toJSONString(exception));
response.setCharacterEncoding("UTF-8");
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
JSONObject json = new JSONObject();
json.put("code", "999999");
json.put("message", exception.getMessage());
objectMapper.writeValue(response.getWriter(), json);
}
}
自定义认证对象,继承AbstractAuthenticationToken
package com.travelsky.auto.login;
import com.travelsky.pojo.MenuVO;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
import java.util.List;
/**
* 自定义登录认证对象
*/
public class LoginAuthenticationToken extends AbstractAuthenticationToken {
/**
* 登录数据对象
*/
private LoginInfo loginInfo;
/**
* 菜单数据对象
*/
private List<MenuVO> userInfoMenus;
LoginAuthenticationToken(Collection<? extends GrantedAuthority> authorities, LoginInfo loginInfo, List<MenuVO> userInfoMenus) {
super(authorities);
this.userInfoMenus = userInfoMenus;
this.loginInfo = loginInfo;
}
@Override
public Object getCredentials() {
return loginInfo.getPassword();
}
@Override
public Object getPrincipal() {
return loginInfo.getUserName();
}
public LoginInfo getLoginInfo() {
return loginInfo;
}
public List<MenuVO> getUserInfoMenus() {
return userInfoMenus;
}
}
自定义拦截器:继承AbstractAuthenticationProcessingFilter,重写attemptAuthentication(HttpServletRequest request, HttpServletResponse response) 方法,返回AbstractAuthenticationToken的子类,AbstractAuthenticationToken的子类可自己定义内容(例如:用户信息,token字符串,Claims),只要继承AbstractAuthenticationToken即可
自定义验证规则:实现AuthenticationProvider接口,authenticate方法参数Authentication与拦截器attemptAuthentication方法返回的是同一个对象,重写 authenticate(Authentication authentication),其中supports(Class<?> authentication)方法用来指定当前检验规则是针对哪个AbstractAuthenticationToken子类对象。springboot自带默认的登录验证是返回UsernamePasswordAuthenticationToken对象。
有志之士,共同学习
