springSecurity是spring官方给我们提供的一个非常强大的一个安全框架。也是现在最受欢迎的安全框架,比shiro更强大
springSecurity主要工作原理是内置了许多过滤器,组成过滤器链,每个过滤器都有自己的明确分工,然后还有异常处理类,还有最后的一个认证授权类。看图
绿色的是代表过滤器链,我们可以自己配置增加和删除,蓝色的是异常处理类,后面黄色的是最后的认证处理类,这两个类的位置是不会变的,所以说,最终我们的请求会到filterSecurityInterceptor这个类中来判断到底能不能访问我们请求的url
比如说:我们直接一个请求(不是登陆请求),他先会到filterSecurityInterceptor这个类,然后验证,没有成功就会抛出异常,让ExceptionTranslationFiter这个类来处理(实际上就是一个转发到登录页面),然后填上账号密码,登陆,会让usernamepasswordAuthenticationFilter这个类拦截,然后最后还是在filterSecurityInterceptor这个类来判断是否要对我们所请求的url做请求
看下面的一个简单demo
BrowserSecurityConfig.java
package com.imooc.security.browser; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; /**
* Created by 敲代码的卡卡罗特
* on 2018/4/15 21:48.
*/
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.httpBasic() //弹出框请求
http.formLogin() //表单验证
.and()
.authorizeRequests() //开启认证请求
.anyRequest() //任何请求
.authenticated(); //都需要认证
}
}
声明一个配置文件,配置最基本的功能。
然后我们再访问url就需要登陆了,原始的用户名是user,密码是框架系统生成了验证码,我们需要改变一下。用我们自定义的账号和密码。
MyUserDetailService.java (最终返回一个User对象) 自定义用户很简单就是@Component 这个类,让spring管理就行
package com.imooc.security.browser; import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component; /**
* Created by 敲代码的卡卡罗特
* on 2018/4/15 22:08.
*/
@Component
public class MyUserDetailService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { //、、、、、、省略根据用户名从数据库得到user对象的过程 这个方法就是根据登陆的用户名然后返回一个user对象,这个user对象是框架提供给我们的
//继承了UserDetails这个类。我们也可以自定义类继承UserDetails
return new User(s,"123", AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
}
}
UserDetails.java 源码解析
public interface UserDetails extends Serializable {
//权限集合
Collection<? extends GrantedAuthority> getAuthorities();
//密码
String getPassword();
//账号
String getUsername();
//账号是否过期
boolean isAccountNonExpired();
//账号是否锁定
boolean isAccountNonLocked();
//密码是否过期
boolean isCredentialsNonExpired();
//账号是否可用
boolean isEnabled();
}
密码--》很简单,只需要在配置文件配置一下这个bean就行, BCryptPasswordEncoder这个类是框架给我们提供的。
但是我们在平常用的时候肯定密码存的明文,所以我们需要一个加密算法,我们来配一个加密类。
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
如果我们还想更加定制化一些呢?
比如说:登陆成功去那个方法,登陆失败去那一个方法。为了方便记录日志嘛。当然。这些可以在配置文件中配置,非常简单。看代码
自定义成功和失败的处理类,只需要new一个类实现框架给的特定的接口就行。然后在配置文件中配置
ImoocAuthenticationSuccessHandler.java //成功处理类
/**
*
*/
package com.imooc.security.browser.authentication; import java.io.IOException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component; import com.fasterxml.jackson.databind.ObjectMapper;
import com.imooc.security.core.properties.LoginResponseType;
import com.imooc.security.core.properties.SecurityProperties; /**
* @author zhailiang
*
*/
@Component("imoocAuthenticationSuccessHandler")
public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler { private Logger logger = LoggerFactory.getLogger(getClass()); @Autowired
private ObjectMapper objectMapper; //springboot默认注入了这个类,处理json的 @Autowired
private SecurityProperties securityProperties; //自定义的参数类,不用管。就是配置的url之类的。 /*
* (non-Javadoc)
*
* @see org.springframework.security.web.authentication.
* AuthenticationSuccessHandler#onAuthenticationSuccess(javax.servlet.http.
* HttpServletRequest, javax.servlet.http.HttpServletResponse,
* org.springframework.security.core.Authentication)
*/
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
// 注意authentication这个参数可牛了 这里面封装了你当前对象的所有信息
logger.info("登录成功");
//这是业务逻辑,不用管,就是说如果设置了json格式,就返回前台json,如果不是就返回页面
if (LoginResponseType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
response.setContentType("application/json;charset=UTF-8");
response.getWriter().write(objectMapper.writeValueAsString(authentication));
} else {
//调用父类的方法,其实就是跳转到原来的页面
super.onAuthenticationSuccess(request, response, authentication);
} } }
onAuthenticationFailure.java //失败处理类
/**
*
*/
package com.imooc.security.browser.authentication; import java.io.IOException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component; import com.fasterxml.jackson.databind.ObjectMapper;
import com.imooc.security.browser.support.SimpleResponse;
import com.imooc.security.core.properties.LoginResponseType;
import com.imooc.security.core.properties.SecurityProperties; /**
* @author zhailiang
*
*/
@Component("imoocAuthenctiationFailureHandler")
public class ImoocAuthenctiationFailureHandler extends SimpleUrlAuthenticationFailureHandler { private Logger logger = LoggerFactory.getLogger(getClass()); @Autowired
private ObjectMapper objectMapper; @Autowired
private SecurityProperties securityProperties; /* (non-Javadoc)
* @see org.springframework.security.web.authentication.AuthenticationFailureHandler#onAuthenticationFailure(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.core.AuthenticationException)
*/
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException { logger.info("登录失败"); if (LoginResponseType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
response.setContentType("application/json;charset=UTF-8");
response.getWriter().write(objectMapper.writeValueAsString(new SimpleResponse(exception.getMessage())));
}else{
super.onAuthenticationFailure(request, response, exception);
} } }
BrowserSecurityConfig.java //配置文件
package com.imooc.security.browser; import com.imooc.security.browser.authentication.ImoocAuthenctiationFailureHandler;
import com.imooc.security.browser.authentication.ImoocAuthenticationSuccessHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder; /**
* Created by 敲代码的卡卡罗特
* on 2018/4/15 21:48.
*/
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
ImoocAuthenticationSuccessHandler imoocAuthenticationSuccessHandler;
@Autowired
ImoocAuthenctiationFailureHandler imoocAuthenctiationFailureHandler; @Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
} @Override
protected void configure(HttpSecurity http) throws Exception {
// http.httpBasic() //弹出框请求
http.formLogin() //表单验证
.loginPage("/authentication/require") //返回登录页,可以是一个action,也可以是一个html页面
.loginProcessingUrl("/authentication/form") //点击登陆的action,默认是login 我们可以自定义
.successHandler(imoocAuthenticationSuccessHandler) //配置登陆成功的处理类
.failureHandler(imoocAuthenctiationFailureHandler)//配置登陆失败的处理类
.and()
.authorizeRequests() //开启认证请求
.antMatchers("/imooc-signIn.html","/authentication/require").permitAll()//忽略认证
.anyRequest() //任何请求
.authenticated(); //都需要认证 http.csrf().disable(); //关闭csrf }
}
自定义未登陆跳转接口 (也就是进一步细化判断,写日志什么的,平常我们在配置文件中配的就是跳转到登陆页面,这是跳转到接口)
package com.imooc.security.browser; import com.imooc.security.browser.support.SimpleResponse;
import com.imooc.security.core.properties.SecurityConstants;
import com.imooc.security.core.properties.SecurityProperties;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException; /**
* Created by 敲代码的卡卡罗特
* on 2018/4/16 0:16.
*/
@RestController
public class BrowserSecurityController {
private Logger logger = LoggerFactory.getLogger(getClass());
private RequestCache requestCache = new HttpSessionRequestCache(); //提供用缓存中得到url的类
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); //提供跳转的类 @Autowired
private SecurityProperties securityProperties;
/**
* 当需要身份认证时,跳转到这里
*
* @param request
* @param response
* @return
* @throws IOException
*/
@RequestMapping(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
@ResponseStatus(code = HttpStatus.UNAUTHORIZED) //返回错误状态码
public SimpleResponse requireAuthentication(HttpServletRequest request, HttpServletResponse response)
throws IOException { SavedRequest savedRequest = requestCache.getRequest(request, response); if (savedRequest != null) {
String targetUrl = savedRequest.getRedirectUrl();
logger.info("引发跳转的请求是:" + targetUrl);
if (StringUtils.endsWithIgnoreCase(targetUrl, ".html")) {
redirectStrategy.sendRedirect(request, response, securityProperties.getBrowser().getLoginPage());
}
} return new SimpleResponse("访问的服务需要身份认证,请引导用户到登录页");
} }
最后:我们可以在代码的任何地方拿到当前登陆对象的信息(首先是已经登录) 有三种方法
@GetMapping("/user1")
public Object getUser1() {
return SecurityContextHolder.getContext().getAuthentication();
}
@GetMapping("/user2")
public Object getUser2(Authentication authentication) {
return authentication;
}
@GetMapping("/user3")
public Object getUser3(@AuthenticationPrincipal UserDetails user) {
return user;
}
实现记住我功能 ,配置很简单,业务逻辑是,你配置好框架会给你在你数据库中创建一个表,包含用户名,token,时间等字段,然后也会在你本地存个cookie,登陆完成在表中插入一条数据,如果下次登陆的话,验证你信息,如果没有携带认证信息,最后会查你的数据库,然后得到你用户名,然后再调那个根据用户名得到用户的方法认证成功。看代码
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private SecurityProperties securityProperties;
@Bean
public PersistentTokenRepository persistentTokenRepository() {
JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl(); //new一个这个类
tokenRepository.setDataSource(dataSource); //指定数据源,因为要存数据库
tokenRepository.setCreateTableOnStartup(true);//在启动的时候创建表
return tokenRepository;
} @Override
protected void configure(HttpSecurity http) throws Exception {
// http.httpBasic() //弹出框请求
http.formLogin() //表单验证
.loginPage("/authentication/require") //返回登录页,可以是一个action,也可以是一个html页面
.loginProcessingUrl("/authentication/form") //点击登陆的action,默认是login 我们可以自定义
.successHandler(imoocAuthenticationSuccessHandler) //配置登陆成功的处理类
.failureHandler(imoocAuthenctiationFailureHandler)//配置登陆失败的处理类
.and()
.rememberMe() //记住我
.tokenRepository(persistentTokenRepository()) //指定TokenRepository的bean
.tokenValiditySeconds(securityProperties.getBrowser().getRememberMeSeconds())//过期时间
.userDetailsService(userDetailsService)//指定根据名字得到用户的类
.and()
.authorizeRequests() //开启认证请求
.antMatchers("/imooc-signIn.html","/authentication/require").permitAll()//忽略认证
.anyRequest() //任何请求
.authenticated(); //都需要认证 http.csrf().disable(); //关闭csrf }
最后:前台传过来的一定是 name="remember-me" 这个字段