spring-security实战
项目架构:spring-boot+spring-security+thymeleaf
1.导包(boot和thymeleaf的包请自行导入,版本号我抽的properties)
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency>
2.核心配置类(完整代码最后放出)
2.1自定义security的配置类,然后继承WebSecurityConfigurerAdapter这个抽象类。
2.2打上@EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true)这两个注解
2.3重写configure(HttpSecurity http)方法,使用链式编程使用http.formLogin()方法设置你需要的配置(拦截参数,登录路径,跨域请求等)
2.4重写configure(WebSecurity web)方法,释放静态资源
web.ignoring().antMatchers("/**/*.js", "/**/*.css", "/**/*.png", "/**/*.jpg", "/**/*.gif", "/**/*.map");
2.5重写configure(AuthenticationManagerBuilder auth)方法,自定义你的登录验证
loginAuthenticationProvider:这是自定义的登录验证类,注入调用
customUserDetailsService:这是自定义的账号存储类,注入调用
customPasswordEncoder:这是自定义的密码加密类,注入调用
loginAuthenticationProvider.setUserDetailsService(customUserDetailsService); loginAuthenticationProvider.setPasswordEncoder(customPasswordEncoder); auth.authenticationProvider(loginAuthenticationProvider); super.configure(auth);
3.security国际化问题
在使用security过程中,因为原生代码中DaoAuthenticationProvider这个类的additionalAuthenticationChecks方法
会在你前端页面登陆失败的时候返回Bad credentials这个消息。这会让系统看上去不那么友好。
解决方法是:
1.在resources文件夹中添加messages_zh_CN.properties这个文件。自定义你想返回前端的话。
2.自定义登录验证类loginAuthenticationProvider(最后放出完整代码)
3.在自定义security的配置类中做相应配置
完整代码:
1.自定义security配置类
@EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { private final CustomPasswordEncoder customPasswordEncoder; private final CustomUserDetailsService customUserDetailsService; private final CommonProperties commonProperties; @Autowired public SecurityConfiguration(CustomPasswordEncoder customPasswordEncoder, CustomUserDetailsService customUserDetailsService, CommonProperties commonProperties) { this.customPasswordEncoder = customPasswordEncoder; this.customUserDetailsService = customUserDetailsService; this.commonProperties = commonProperties; } @Autowired private LoginAuthenticationProvider loginAuthenticationProvider; /** * http配置 * @param http * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { http.formLogin() .loginPage("/login") .loginProcessingUrl("/doLogin") // 指定登录页面及成功后跳转页面 .successForwardUrl("/loadIndex") .and().authorizeRequests() .antMatchers(commonProperties.getAllowList()) // 上述url所有用户都可访问(无需登录) .permitAll() .and() .authorizeRequests() .anyRequest() // 除上面之外的都需要登录 .authenticated() .and() .logout() // 指定登出url .logoutUrl("/doLogout") .invalidateHttpSession(true) .and() .headers() .frameOptions() // frame框架 .sameOrigin() // csrf跨域保护忽略特殊url .and().csrf().ignoringAntMatchers(commonProperties.getAllowList()); } /** * 静态资源放行 * @param web */ @Override public void configure(WebSecurity web) { //静态资源过滤 web.ignoring().antMatchers("/**/*.js", "/**/*.css", "/**/*.png", "/**/*.jpg", "/**/*.gif", "/**/*.map"); } /** * 自定义认证方法 * @param auth * @throws Exception */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { loginAuthenticationProvider.setUserDetailsService(customUserDetailsService); loginAuthenticationProvider.setPasswordEncoder(customPasswordEncoder); auth.authenticationProvider(loginAuthenticationProvider); super.configure(auth); } /** * 自定义认证管理类 * @return * @throws Exception */ @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * 自定义密码加密类 * @return */ @Bean public PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); } }
2.自定义账号存储类
@Service public class CustomUserDetailsService implements UserDetailsService { private final AuthTokenService authTokenService; private Logger log = LoggerFactory.getLogger(this.getClass()); @Autowired public CustomUserDetailsService(AuthTokenService authTokenService) { this.authTokenService = authTokenService; } /** * 将用户详细信息放入security session中 * @param username * @return */ @Override public UserDetails loadUserByUsername(String username) { try{ Assert.isTrue(StringUtils.isNotBlank(username),"用户或密码错误,请重新输入"); // 通过用户名获取用户详细信息,构造权限 UserDTO userInfo = authTokenService.getUserDetail(username); ResourceBO resource = userInfo.getResource(); List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); if(resource != null){ buildAuth(resource, authorities); } return new UserBO(userInfo, authorities); }catch (IllegalArgumentException e){ throw new UsernameNotFoundException("用户或密码错误,请重新输入"); }catch (Exception e){ log.error("获取用户信息异常",e); throw new UsernameNotFoundException("用户或密码错误,请重新输入"); } } }
3.自定义密码加密类
@Service public class CustomPasswordEncoder implements PasswordEncoder { @Override public String encode(CharSequence charSequence) { return charSequence.toString(); } @Override public boolean matches(CharSequence charSequence, String s) { return s.equals(encode(charSequence)); } }
4.自定义security认证类
@Component public class LoginAuthenticationProvider extends DaoAuthenticationProvider { @Autowired private CustomUserDetailsService customUserDetailsService; @Autowired private CustomPasswordEncoder customPasswordEncoder; @Autowired private void setJdbcUserDetailsService() { setUserDetailsService(customUserDetailsService); } /** * 自定义security国际化 */ @PostConstruct public void initProvider() { ReloadableResourceBundleMessageSource localMessageSource = new ReloadableResourceBundleMessageSource(); localMessageSource.setBasenames("messages_zh_CN"); messages = new MessageSourceAccessor(localMessageSource); } /** * 复写认证失败方法 * @param userDetails * @param authentication * @throws AuthenticationException */ @Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { if (authentication.getCredentials() == null) { logger.debug("Authentication failed: no credentials provided"); throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } String presentedPassword = authentication.getCredentials().toString(); if (!customPasswordEncoder.matches(presentedPassword, userDetails.getPassword())) { logger.debug("Authentication failed: password does not match stored value"); throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } } }
