Spring Security: developing form-based authentication

Core features

  1. Authentication (who are you)
  2. Authorization (what are you allowed to do)
  3. Attack protection (preventing identity forgery)

A chain of filters

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Every request requires authentication; this is almost the default behaviour
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.formLogin().and().authorizeRequests()
				.anyRequest().authenticated();

		http.httpBasic(); // HTTP Basic authentication, the original default, can be enabled as well
	}
}


#security.basic.enabled = false

Using password encoding

import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class AuthenticationBeanConfig {

	/**
	 * Default password encoder (BCrypt: salted, adaptive-cost hashing)
	 * @return the PasswordEncoder used to hash and verify passwords
	 */
	@Bean
	@ConditionalOnMissingBean(PasswordEncoder.class)
	public PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}
}

Defining authentication and authorization: username and password

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.social.security.SocialUser;
import org.springframework.social.security.SocialUserDetails;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

@Component
@Transactional
public class DemoUserDetailsService implements UserDetailsService {

	private Logger logger = LoggerFactory.getLogger(getClass());

	@Autowired
	private PasswordEncoder passwordEncoder; // the BCrypt bean defined above

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//		logger.info("Form login username: " + username);
//		Admin admin = adminRepository.findByUsername(username);
//		admin.getUrls();
//		return admin;
		return buildUser(username);   // returning a plain new User also works
	}

	private SocialUserDetails buildUser(String userId) { // returning a User also works
		// Look up the user record by username
		// Use the record that was found to decide whether the account is frozen
		String password = passwordEncoder.encode("123456");
		logger.info("Database password is: " + password);

		return new SocialUser(userId, password,
				true, true, true, true,
				AuthorityUtils.commaSeparatedStringToAuthorityList("xxx"));
	}
}
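The demo service above hashes "123456" on every call so that it has something to return, and leaves the two comments about looking up the user and checking whether the account is frozen unimplemented. The following is an added example, not the course's code: a UserDetailsService that returns a hash stored when the account was created and maps a frozen flag onto accountNonLocked, so DaoAuthenticationProvider rejects the account on its own. The class name, the user table and the usernames and passwords in it are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Example class (assumed name): serves stored hashes and a frozen flag.
public class StoredHashUserDetailsService implements UserDetailsService {

	// Constructed stand-in for a user table row: bcrypt hash, frozen flag, roles.
	private static final class Account {
		final String passwordHash;
		final boolean frozen;
		final String roles;

		Account(String passwordHash, boolean frozen, String roles) {
			this.passwordHash = passwordHash;
			this.frozen = frozen;
			this.roles = roles;
		}
	}

	private final Map<String, Account> table = new HashMap<>();

	public StoredHashUserDetailsService(PasswordEncoder encoder) {
		// The hashes are computed here only because the example has no database;
		// a real application hashes at registration time and never keeps the plaintext.
		table.put("alice", new Account(encoder.encode("correct horse"), false, "ROLE_USER"));
		table.put("mallory", new Account(encoder.encode("hunter2"), true, "ROLE_USER"));
	}

	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
		Account account = table.get(username);
		if (account == null) {
			// Spring reports this as BadCredentials by default (hideUserNotFoundExceptions),
			// so a caller cannot tell "unknown user" from "wrong password".
			throw new UsernameNotFoundException("user not found");
		}
		return new User(username, account.passwordHash,
				true,              // enabled
				true,              // accountNonExpired
				true,              // credentialsNonExpired
				!account.frozen,   // accountNonLocked: a frozen account fails with LockedException
				AuthorityUtils.commaSeparatedStringToAuthorityList(account.roles));
	}

	public static void main(String[] args) {
		PasswordEncoder encoder = new BCryptPasswordEncoder();
		UserDetailsService service = new StoredHashUserDetailsService(encoder);

		UserDetails alice = service.loadUserByUsername("alice");
		// Verification must go through matches(): encode() embeds a fresh random salt,
		// so re-encoding the same password never reproduces the stored hash.
		System.out.println("right password verifies: " + encoder.matches("correct horse", alice.getPassword()));
		System.out.println("wrong password verifies: " + encoder.matches("wrong", alice.getPassword()));
		System.out.println("re-encoded hash equals stored hash: "
				+ encoder.encode("correct horse").equals(alice.getPassword()));

		UserDetails mallory = service.loadUserByUsername("mallory");
		System.out.println("frozen account is non-locked: " + mallory.isAccountNonLocked());
	}
}
```

Running the main method shows the right password verifying through matches(), the wrong one not, the re-encoded hash differing from the stored one, and the frozen account reporting isAccountNonLocked() as false. Spring's DaoAuthenticationProvider checks that flag before comparing passwords, which is why the frozen check belongs in the UserDetails flags rather than in a custom exception.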


Handling different kinds of requests with different kinds of redirection


	@Override
	protected void configure(HttpSecurity http) throws Exception {

		http.formLogin()
				.loginPage("/imooc-signIn.html")
				.loginProcessingUrl("/authentication/form")
				.and().authorizeRequests()
				.antMatchers("/imooc-signIn.html").permitAll()   // likewise the custom login page itself must be permitted here, otherwise it requires authentication too
				.anyRequest().authenticated()
				.and().csrf().disable();
	}

In other words, replace the HTML page with a request handler:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

// SecurityConstants, SecurityProperties and SimpleResponse are the project's own classes (same package assumed)
@RestController
public class BrowserSecurityController {
	private Logger logger = LoggerFactory.getLogger(getClass());
	private RequestCache requestCache = new HttpSessionRequestCache();
	private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

	@Autowired
	private SecurityProperties securityProperties;

	@RequestMapping(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
	@ResponseStatus(code = HttpStatus.UNAUTHORIZED)
	public SimpleResponse requireAuthentication(HttpServletRequest request, HttpServletResponse response)
			throws IOException {

		// The request that triggered the redirect was saved in the session by Spring Security
		SavedRequest savedRequest = requestCache.getRequest(request, response);

		if (savedRequest != null) {
			String targetUrl = savedRequest.getRedirectUrl();
			logger.info("The request that triggered the redirect was: " + targetUrl);
			if (StringUtils.endsWithIgnoreCase(targetUrl, ".html")) {
				// Browser request for a page: redirect to the configured sign-in page if the user set one, otherwise the default
				redirectStrategy.sendRedirect(request, response, securityProperties.getBrowser().getSignInPage());
			}
		}

		// Non-page request: answer 401 with a JSON body instead of a redirect
		return new SimpleResponse("The requested service requires authentication; please direct the user to the login page");
	}
}

public class SimpleResponse {
	private Object content;

	public SimpleResponse(Object content) { this.content = content; }

	public Object getContent() { return content; } // getter needed so Jackson serializes the field
}

Configuration file


import org.springframework.boot.context.properties.ConfigurationProperties;

@ConfigurationProperties(prefix = "imooc.security")
public class SecurityProperties {

	/**
	 * Browser environment configuration
	 */
	private BrowserProperties browser = new BrowserProperties();  // browser has a loginPage property beneath it, so the configuration below is read into it

	public BrowserProperties getBrowser() { return browser; }

	public void setBrowser(BrowserProperties browser) { this.browser = browser; }
}


Making the properties class take effect:

import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;

@Configuration
@EnableConfigurationProperties(SecurityProperties.class)
public class SecurityCoreConfig {
}
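The form-login configuration earlier hard-codes "/imooc-signIn.html" twice, once as loginPage and once in permitAll(), while the controller reads the page from SecurityProperties. The following added example, not the project's own code, ties the two together: a hypothetical BrowserProperties class (the nested class SecurityProperties refers to) with a signInPage field, and a security configuration that reads the configured page so the same value drives both the login page and the permit rule. It assumes SecurityProperties exposes getBrowser() as above, that SecurityConstants.DEFAULT_UNAUTHENTICATION_URL is the controller mapping shown above, and that application.properties contains the assumed key imooc.security.browser.signInPage; the /demo-signIn.html value is constructed.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed application.properties entry (the key follows prefix + field names):
//   imooc.security.browser.signInPage=/demo-signIn.html
// Spring Boot binds it through SecurityProperties.getBrowser() into this class.
class BrowserProperties { // hypothetical nested properties class; normally its own file
	private String signInPage = "/imooc-signIn.html"; // default used when the key is absent

	public String getSignInPage() { return signInPage; }

	public void setSignInPage(String signInPage) { this.signInPage = signInPage; }
}

@Configuration
public class PropertyDrivenBrowserSecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	private SecurityProperties securityProperties; // the @ConfigurationProperties class above

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		String signInPage = securityProperties.getBrowser().getSignInPage();

		http.formLogin()
				// Unauthenticated requests go to the controller first; it decides between
				// a redirect to signInPage (HTML request) and a JSON 401 (everything else).
				.loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL)
				.loginProcessingUrl("/authentication/form")
				.and().authorizeRequests()
				// Both the entry-point URL and the configured page must be open: a redirect
				// to a protected page is itself unauthenticated and would redirect again.
				.antMatchers(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL, signInPage).permitAll()
				.anyRequest().authenticated();
		// CSRF protection is left at its default (enabled), unlike the demo's csrf().disable();
		// the login form must therefore submit the _csrf token (Thymeleaf's th:action adds it).
	}
}
```

Changing the property changes both the page the controller redirects to and the page that is permitted, so the two cannot drift apart. If the configured page were left out of permitAll(), each redirect to it would be intercepted as an unauthenticated request and the browser would loop between the entry point and the page.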

Custom login success handling
