SpringSecurity开发基于表单的认证
核心功能
- 认证(你是谁)
- 授权(你能干什么)
- 攻击防护(防止伪造身份)
一组过滤器链
// 所有请求都需要认证,这几乎就是默认配置
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// Form login on the default login page; every request must be authenticated.
http.formLogin().and().authorizeRequests()
.anyRequest().authenticated();
// Additionally accept HTTP Basic credentials. NOTE(review): Basic resends the
// credentials with every request, so only expose it over TLS.
http.httpBasic();
#security.basic.enabled = false
使用密码加密
@Configuration
public class AuthenticationBeanConfig {
/**
 * Default {@link PasswordEncoder}: a BCrypt encoder with the library defaults.
 * Registered only when the application has not declared its own
 * {@code PasswordEncoder} bean.
 *
 * @return a BCrypt-backed encoder
 */
@Bean
@ConditionalOnMissingBean(PasswordEncoder.class)
public PasswordEncoder passwordEncoder() {
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
定义认证授权:用户名和密码
@Component
@Transactional
public class DemoUserDetailsService implements UserDetailsService
/**
 * Resolves the user for a form login.
 *
 * <p>The course's alternative is to load the account with
 * {@code adminRepository.findByUsername(username)} and return it directly;
 * here an in-memory demo user is assembled instead. Returning a plain
 * {@code new User(...)} would work as well.
 *
 * @param username the name submitted on the login form
 * @return the demo user for that name
 * @throws UsernameNotFoundException never thrown by this demo implementation
 */
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    SocialUserDetails demoUser = buildUser(username);
    return demoUser;
}
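/**
 * Builds an in-memory demo user for {@code userId}.
 *
 * <p>Demo shortcut: no lookup is performed, so any username is accepted as
 * long as the fixed demo password is supplied. A real implementation does
 * the two steps marked below (load the account, then derive its status).
 *
 * @param userId the username submitted on the login form (untrusted input)
 * @return a fully enabled user carrying a single placeholder authority
 */
private SocialUserDetails buildUser(String userId) {
    // TODO: look the user up by name (e.g. repository call)
    // TODO: derive enabled / locked / expired from the stored record
    // Fixed demo credential, hashed with the configured encoder so the stored
    // form is never the plaintext.
    String password = passwordEncoder.encode("123456");
    // Log only the user id: the encoded password is credential material and
    // must not be written to the log.
    logger.info("building demo user: " + userId);
    // Flags, in order: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked.
    return new SocialUser(userId, password,
            true, true, true, true,
            AuthorityUtils.commaSeparatedStringToAuthorityList("xxx"));
}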
实现不同样式的请求,不同样式的转发
@Override
protected void configure(HttpSecurity http) throws Exception {
// Custom login page, and the URL the login form posts its credentials to.
http.formLogin()
.loginPage("/imooc-signIn.html")
.loginProcessingUrl("/authentication/form")
.and().authorizeRequests()
.antMatchers("/imooc-signIn.html").permitAll() // the custom login page itself must be reachable without authentication
.anyRequest().authenticated()
// NOTE(review): csrf().disable() drops the forgery protection listed above as a core feature;
// for a browser form login it is safer to keep CSRF enabled and include the token in the form.
.and().csrf().disable();
就是把 HTML 界面换成请求处理:
@RestController
public class BrowserSecurityController {
private Logger logger = LoggerFactory.getLogger(getClass());
// Retrieves the request Spring Security saved before sending the caller here.
private RequestCache requestCache = new HttpSessionRequestCache();
// Performs the redirect to the sign-in page for page (.html) requests.
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
// Supplies the configured sign-in page (imooc.security.browser.*).
@Autowired
private SecurityProperties securityProperties;
/**
 * Entry point for unauthenticated requests.
 *
 * <p>If the request that triggered the redirect was for a page ({@code .html}),
 * the caller is redirected to the configured sign-in page (or the default one
 * when none is configured); otherwise a 401 with a JSON hint is returned.
 *
 * @param request  the current request
 * @param response the current response
 * @return a message telling the client to guide the user to the login page
 * @throws IOException if sending the redirect fails
 */
@RequestMapping(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
@ResponseStatus(code = HttpStatus.UNAUTHORIZED)
public SimpleResponse requireAuthentication(HttpServletRequest request, HttpServletResponse response)
throws IOException {
    SavedRequest cached = requestCache.getRequest(request, response);
    if (cached != null) {
        redirectIfPageRequest(request, response, cached.getRedirectUrl());
    }
    return new SimpleResponse("访问的服务需要身份认证,请引导用户到登录页");
}

// Sends the browser to the sign-in page when the original target was an HTML page.
private void redirectIfPageRequest(HttpServletRequest request, HttpServletResponse response,
        String targetUrl) throws IOException {
    logger.info("引发跳转的请求是:" + targetUrl);
    boolean isPageRequest = StringUtils.endsWithIgnoreCase(targetUrl, ".html");
    if (isPageRequest) {
        // Configured value wins; SecurityProperties supplies the default otherwise.
        String signInPage = securityProperties.getBrowser().getSignInPage();
        redirectStrategy.sendRedirect(request, response, signInPage);
    }
}
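/**
 * Minimal response body returned to clients that hit a protected resource
 * without being authenticated; {@code content} carries the message.
 */
public class SimpleResponse {
    private Object content;

    /** No-arg constructor, kept so the class can also be deserialized. */
    public SimpleResponse() {
    }

    /**
     * @param content the payload exposed under {@code content}
     */
    public SimpleResponse(Object content) {
        this.content = content;
    }

    /** @return the payload, possibly {@code null} */
    public Object getContent() {
        return content;
    }

    public void setContent(Object content) {
        this.content = content;
    }
}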
配置文件
@ConfigurationProperties(prefix = "imooc.security")
public class SecurityProperties {
/**
 * Browser-environment settings, bound from {@code imooc.security.browser.*};
 * a {@code loginPage} property under that prefix lands in this object.
 */
private BrowserProperties browser = new BrowserProperties(); // NOTE(review): binding presumably needs getter/setter pairs here and on BrowserProperties — not shown on this page
让读取器生效:
/**
 * Registers {@link SecurityProperties} as a bean so its
 * {@code @ConfigurationProperties(prefix = "imooc.security")} binding takes effect.
 */
@Configuration
@EnableConfigurationProperties(SecurityProperties.class)
public class SecurityCoreConfig {
}