springsecurity
1.定义
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
https://springcloud.cc/spring-security-zhcn.html 中文版参考手册
2.基本原理:一组过滤器链
UsernamePasswordAuthenticationFilter:用户认证
ExceptionTranslation:异常处理
FilterSecurityInterceptor:最终确认是否能登录的拦截器
备注:在没有验证的情况下,登录后会到默认的验证页面,默认会拦截所有页面,待验证成功后会转到相应的页面
3.依赖
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency>
4.Api简要说明
authorizeRequests():请求授权
formLogin():表单登录(表单登录含两部分一个是认证一个是授权)
anyRequest():任何请求
authenticated():身份认证
httpBasic():httpBasic认证方式
loginPage():指定登录时的认证页面,这里有一个坑死循环需要注意。
antMatchers():匹配
permitAll():不需要身份认证
5.使用数据库验证登录方式
@Configuration @ComponentScan("springsecurity.demo") @MapperScan("springsecurity.demo.Mapper") public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin()//表单登录 .and() .authorizeRequests()//权限认证 .anyRequest()//任何请求 .authenticated()//需要认证 ; } }
@Component public class MyUserDetailsService implements UserDetailsService { @Autowired UserMapper userMapper; @Autowired PasswordEncoder passwordEncoder; @Override public UserDetails loadUserByUsername(String username) { //查询表 springsecurity.demo.domain.User userByName = userMapper.getUserByName(username); //加密 String encode = passwordEncoder.encode(userByName.getPassword().toString());//应该是在放入数据库的时候加密,这里直接直接取出 //将查询的结果放入user中, // AuthorityUtils.commaSeparatedStringToAuthorityList("admin")表示角色admin(拥有的权限) return new User(username,encode , AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));//需要采用加密方式否者出现{id}为null } }
@Configuration
public class SecurityBeanConfig {
@Bean
@ConfigurationProperties(prefix = "spring.datasource")
public DataSource getdaDataSource(){
return new DruidDataSource();
}
@Bean
public PasswordEncoder getPasswordEncoder(){
return new BCryptPasswordEncoder();//springsecurity 内置的加密器,建议使用
}
}
@RestController public class UserController { @GetMapping("/hello") public String testLogin(){ return "helloworld security"; } }
自定义加密方式
需要实现PasswordEncoder
重写方法
encode:对密码进行加密
matches(CharSequence var1, String var2):var1原密码,var2传过来的密码
User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)
enabled:是否可用
accountNonExpired:账户是否过期
credentialsNonExpired:密码是否过期
accountNonLocked:是否被冻结
6.自定义登录页面
6.1使用默认的自定义方式配置
@Configuration @ComponentScan("springsecurity.demo") @MapperScan("springsecurity.demo.Mapper") public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin() .loginPage("/logintest.html") //登录页面定义 .loginProcessingUrl("/authentication/logintest")//默认处理的是login post .and() .authorizeRequests() .antMatchers("/logintest.html") .permitAll() .anyRequest() .authenticated() .and() .csrf().disable()//跨站域请求伪造关闭,注意不关闭在Chrome中没反应 ; } }
6.2使用自定义配置登录页面
@Configuration
@ComponentScan("springsecurity.demo")
@MapperScan("springsecurity.demo.Mapper")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
MySecurityProperties mySecurityProperties;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.loginPage("/logintest")
.loginProcessingUrl("/authentication/logintest")
.and()
.authorizeRequests()
.antMatchers("/logintest",mySecurityProperties.getLogin())
.permitAll()
.anyRequest()
.authenticated()
.and()
.csrf().disable()
;
}
}
@RestController public class UserController { HttpSessionRequestCache cache= new HttpSessionRequestCache(); DefaultRedirectStrategy defaultRedirectStrategy = new DefaultRedirectStrategy();//重定向页面 @Autowired MySecurityProperties securityProperties; @GetMapping("/logintest") @ResponseStatus(HttpStatus.UNAUTHORIZED) public Message testAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException { SavedRequest savedRequest = cache.getRequest(request, response); if(savedRequest!=null){ String redirectUrl = savedRequest.getRedirectUrl();//获取请求地址 if(StringUtils.endsWithIgnoreCase(redirectUrl, ".html")){ defaultRedirectStrategy.sendRedirect(request, response, securityProperties.getLogin()); } } return new Message("请先登录"); } }
@AllArgsConstructor @NoArgsConstructor @Data @Accessors(chain = true) public class Message implements Serializable { private Object mesaage; }
<body>
<h2 style="color: red">简单的登录页面login</h2>
<form action="/authentication/logintest" method="post">
<table>
<tr>
<td>账号:</td>
<td ><input type="text" name="username"/></td>
</tr>
<tr>
<td>密码:</td>
<td> <input type="password" name="password"/></td>
</tr>
<tr>
<td colspan="2" style="text-align: right"><input type="submit" value="提交" /></td>
</tr>
</table>
</form>
</body>
</html>
@ConfigurationProperties("spring.security") @AllArgsConstructor @NoArgsConstructor @Data @Accessors(chain = true) @Component public class MySecurityProperties { private String login="/logintest.html"; }
7.自定义成功登陆的返回值
@Configuration @ComponentScan("springsecurity.demo") @MapperScan("springsecurity.demo.Mapper") public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired MySecurityProperties mySecurityProperties; @Autowired MyUserDetails myUserDetails; @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin() .loginPage("/logintest") .loginProcessingUrl("/authentication/logintest") .successHandler(myUserDetails) .and() .authorizeRequests() .antMatchers("/logintest",mySecurityProperties.getLogin()) .permitAll() .anyRequest() .authenticated() .and() .csrf().disable() ; } }
@Component public class MyUserDetails implements AuthenticationSuccessHandler { @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { response.setContentType("application/json;charset=UTF-8"); response.getWriter().write(new ObjectMapper().writeValueAsString(authentication)); } }
失败类似
实现AuthenticationFailureHandler实现onAuthenticationFailure方法
.failureHandler(AuthenticationFailureHandler xxx)
8.图片验证