springsecurity

1.定义

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。

https://springcloud.cc/spring-security-zhcn.html   中文版参考手册

2.基本原理:一组过滤器链

UsernamePasswordAuthenticationFilter:用户认证

ExceptionTranslation:异常处理

FilterSecurityInterceptor:最终确认是否能登录的拦截器

备注:在没有验证的情况下,登录后会到默认的验证页面,默认会拦截所有页面,待验证成功后会转到相应的页面

3.依赖

 <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>

4.Api简要说明

authorizeRequests():请求授权

formLogin():表单登录(表单登录含两部分一个是认证一个是授权)

anyRequest():任何请求

authenticated():身份认证

httpBasic():httpBasic认证方式

loginPage():指定登录时的认证页面,这里有一个坑死循环需要注意。

antMatchers():匹配

permitAll():不需要身份认证

5.使用数据库验证登录方式

@Configuration
@ComponentScan("springsecurity.demo")
@MapperScan("springsecurity.demo.Mapper")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()//表单登录
                .and()
                .authorizeRequests()//权限认证
                .anyRequest()//任何请求
                .authenticated()//需要认证
        ;
    }
}

@Component
public class MyUserDetailsService  implements UserDetailsService {
    @Autowired
    UserMapper  userMapper;

    @Autowired
    PasswordEncoder passwordEncoder;

    @Override
    public UserDetails loadUserByUsername(String username) {
        //查询表
        springsecurity.demo.domain.User userByName = userMapper.getUserByName(username);
        //加密
        String encode = passwordEncoder.encode(userByName.getPassword().toString());//应该是在放入数据库的时候加密,这里直接直接取出
        //将查询的结果放入user中,
        // AuthorityUtils.commaSeparatedStringToAuthorityList("admin")表示角色admin(拥有的权限)
        return   new User(username,encode , AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));//需要采用加密方式否者出现{id}为null
    }
}

@Configuration
public class SecurityBeanConfig {
    @Bean
    @ConfigurationProperties(prefix = "spring.datasource")
    public DataSource  getdaDataSource(){
        return  new DruidDataSource();
    }
    @Bean
    public PasswordEncoder  getPasswordEncoder(){
        return  new BCryptPasswordEncoder();//springsecurity 内置的加密器,建议使用
    }
}

@RestController
public class UserController {
    @GetMapping("/hello")
    public String testLogin(){
        return  "helloworld  security";
    }
}

自定义加密方式

需要实现PasswordEncoder

重写方法

encode:对密码进行加密

matches(CharSequence var1, String var2):var1原密码,var2传过来的密码

User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)

enabled:是否可用

accountNonExpired:账户是否过期

credentialsNonExpired:密码是否过期

accountNonLocked:是否被冻结

6.自定义登录页面

6.1使用默认的自定义方式配置

@Configuration
@ComponentScan("springsecurity.demo")
@MapperScan("springsecurity.demo.Mapper")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/logintest.html")  //登录页面定义
                .loginProcessingUrl("/authentication/logintest")//默认处理的是login  post
                .and()
                .authorizeRequests()
                .antMatchers("/logintest.html")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .csrf().disable()//跨站域请求伪造关闭,注意不关闭在Chrome中没反应
        ;
    }
}

 6.2使用自定义配置登录页面

@Configuration
@ComponentScan("springsecurity.demo")
@MapperScan("springsecurity.demo.Mapper")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    MySecurityProperties mySecurityProperties;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/logintest")
                .loginProcessingUrl("/authentication/logintest")
                .and()
                .authorizeRequests()
                .antMatchers("/logintest",mySecurityProperties.getLogin())
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .csrf().disable()
        ;
    }
}

@RestController
public class UserController {
    HttpSessionRequestCache  cache= new  HttpSessionRequestCache();
    DefaultRedirectStrategy defaultRedirectStrategy =  new DefaultRedirectStrategy();//重定向页面

    @Autowired
    MySecurityProperties securityProperties;

    @GetMapping("/logintest")
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    public Message  testAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException {
        SavedRequest savedRequest = cache.getRequest(request, response);
        if(savedRequest!=null){
            String redirectUrl = savedRequest.getRedirectUrl();//获取请求地址
            if(StringUtils.endsWithIgnoreCase(redirectUrl, ".html")){
                defaultRedirectStrategy.sendRedirect(request, response, securityProperties.getLogin());
            }
        }
        return  new Message("请先登录");
    }
}

@AllArgsConstructor
@NoArgsConstructor
@Data
@Accessors(chain = true)
public class Message implements Serializable {
    private   Object  mesaage;
}

<body>
    <h2  style="color: red">简单的登录页面login</h2>
   <form  action="/authentication/logintest" method="post">
       <table>
           <tr>
               <td>账号:</td>
               <td ><input type="text"  name="username"/></td>
           </tr>
           <tr>
               <td>密码:</td>
               <td> <input type="password"  name="password"/></td>
           </tr>
           <tr>
               <td colspan="2" style="text-align: right"><input type="submit" value="提交" /></td>
           </tr>
       </table>
   </form>
</body>
</html>

@ConfigurationProperties("spring.security")
@AllArgsConstructor
@NoArgsConstructor
@Data
@Accessors(chain = true)
@Component
public class MySecurityProperties {
    private   String  login="/logintest.html";
}

 7.自定义成功登陆的返回值

@Configuration
@ComponentScan("springsecurity.demo")
@MapperScan("springsecurity.demo.Mapper")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    MySecurityProperties mySecurityProperties;

    @Autowired
    MyUserDetails  myUserDetails;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/logintest")
                .loginProcessingUrl("/authentication/logintest")
                .successHandler(myUserDetails)
                .and()
                .authorizeRequests()
                .antMatchers("/logintest",mySecurityProperties.getLogin())
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .csrf().disable()
        ;
    }
}

@Component
public class MyUserDetails implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(new ObjectMapper().writeValueAsString(authentication));
    }
}

 失败类似

实现AuthenticationFailureHandler实现onAuthenticationFailure方法

.failureHandler(AuthenticationFailureHandler  xxx)

8.图片验证

 



 






            

            
posted @ 
2018-11-13 19:29 
fatale 
阅读(188) 
评论(0编辑 
收藏 
举报