Spring Security 自定义拦截器Filter实现登录认证
Posted Gene兵
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Spring Security 自定义拦截器Filter实现登录认证相关的知识,希望对你有一定的参考价值。
前言
需求来源: 微信小程序获取授权码code, 通过授权码code, 获取微信用户信息(比如openid,unionId), 并记录登录状态(比如token信息的获取);
原本打算使用Spring Security中OAuth2.0的机制 实现用小程序登录,发现小程序再已经获取授权码code登录流程和Spring Security中OAuth 2.0登录的流程有点不一样,所以直接使用spring security的Filter进行处理;
小程序登录流程
Spring Security中的OAuth 2.0 授权码模式:
获取授权码code部分已经由小程序做过了, 现在我们无需再自己的服务oauth2去获取code,而是要直接去认证获取我们所需要的access_token 信息;
小程序已经持有了code,它依然需要将code传递给后端服务器来执行后面的流程。那么我们能不能利用图2中第3个调用redirectUri的步骤呢?换个角度来看问题第三方就是小程序反正它也是将一个code传递给了后端服务器,只要返回登录状态就行了,反正剩下的登录流程都跟小程序无关。我觉得它是可以的。在Spring Security中我们可以使用code通过tokenUri来换取token。那么在微信小程序登录流程中,code最终换取的只是登录态,没有特定的要求。但是后端肯定需要去获取用户的一些信息,比如openId,用户微信信息之类的。总之要根据微信平台提供的API来实现。通过改造tokenUri和userInfoUri可以做到这一点。
思路
小程序实现Filter 过滤器链来完成, 基于ProxyFilter代理
默认的过滤器顺序列表
| order | 过滤器名称 |
|---|---|
| 100 | ChannelProcessingFilter |
| 200 | ConcurrentSessionFilter |
| 300 | SecurityContextPersistenceFilter |
| 400 | LogoutFilter |
| 500 | X509AuthenticationFilter |
| 600 | RequestHeaderAuthenticationFilter |
| 700 | CasAuthenticationFilter |
| 800 | UsernamePasswordAuthenticationFilter |
| 900 | OpenIDAuthenticationFilter |
| 1000 | DefaultLoginPageGeneratingFilter |
| 1100 | DigestAuthenticationFilter |
| 1200 | BasicAuthenticationFilter |
| 1300 | RequestCacheAwareFilter |
| 1400 | SecurityContextHolderAwareRequestFilter |
| 1500 | RememberMeAuthenticationFilter |
| 1600 | AnonymousAuthenticationFilter |
| 1700 | SessionManagementFilter |
| 1800 | ExceptionTranslationFilter |
| 1900 | FilterSecurityInterceptor |
| 2000 | SwitchUserFilter |
实现
登录拦截器
@Slf4j
public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter
@Resource
private SecurityConfigProperties securityConfigProperties;
@Resource
private JwtConfigProperties jwtConfigProperties;
private Class<?> requestDataType;
public LoginAuthenticationFilter(AuthenticationManager authenticationManager,String loginPath)
super(new AntPathRequestMatcher(loginPath));
super.setAuthenticationManager(authenticationManager);
@Override
public void afterPropertiesSet()
Assert.notNull(securityConfigProperties.getRequestDataTypeName(), "登录请求数据类型必须被设定");
try
this.requestDataType = Class.forName(securityConfigProperties.getRequestDataTypeName());
catch (ClassNotFoundException var2)
Assert.notNull(this.requestDataType, "登录请求数据类型必须是有效的类型");
super.afterPropertiesSet();
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException
ServletInputStream inputStream = request.getInputStream();
// String requestBody = StreamUtils.copyToString(inputStream, Charset.forName("UTF-8"));
Object requestData = new ObjectMapper().readValue(inputStream, this.requestDataType);
if (requestData != null)
if (requestData instanceof Map)
// 可以扩展不同的参数类型走不同的认证处理器; 比如走jwt的时候,会走JwtAuthenticationToken相关的认证处理器JwtAuthenticationProvider
// 此处不同引入的模块走自己的登录认证Provider
Authentication auth = this.getAuthenticationManager().authenticate((Authentication)requestData);
if (auth != null)
UserDetails userDetail = (UserDetails)auth.getDetails();
request.setAttribute(jwtConfigProperties.getUserKey(), userDetail.getUsername());
return auth;
else
return null;
else
throw new RuntimeException("无授权用户信息");
@Override
public void destroy()
if (log.isInfoEnabled())
log.info("正在注销......");
认证token拦截器
@Slf4j
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter
@Autowired
private UserDetailsService userService;
@Resource
private JwtConfigProperties jwtConfigProperties;
@Resource
private TokenParser tokenParser;
private List<RequestMatcher> permissiveRequestMatchers;
@Autowired
private JwtTokenService jwtTokenService;
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException
String requestURI = request.getRequestURI();
if (log.isDebugEnabled())
log.debug("开始对请求:进行认证", requestURI);
if (!this.requireAuthentication(request))
filterChain.doFilter(request, response);
return;
// 获取 认证头
String authorizationHeader = request.getHeader(jwtConfigProperties.getAuthorizationHeaderName());
if (!checkIsTokenAuthorizationHeader(authorizationHeader))
log.debug("获取到认证头Authorization的值:[]但不是我们系统中登录后签发的。", authorizationHeader);
filterChain.doFilter(request, response);
return;
String token = JwtTokenOperator.getToken(request, jwtConfigProperties.getAuthorizationHeaderName(), jwtConfigProperties.getTokenHeaderPrefix());
JwtAuthInfo authInfo = tokenParser.parse(token, jwtConfigProperties.getTokenType());
if (authInfo == null)
writeJson(response, "认证token不合法");
return;
if (authInfo.getRefreshToken())
writeJson(response, "认证token不合法,请勿直接用刷新token认证");
return;
String userKey = authInfo.getUserKey();
UserDetails user = this.userService.loadUserByUsername(userKey);
if (ObjectUtil.isEmpty(user))
writeJson(response, "用户不存在,无效令牌");
return;
if (authInfo.getExpirationTime() < System.currentTimeMillis())
// 令牌失效自动刷新令牌
handleTokenExpired(response, request);
// 构建认证对象
JwtAuthenticationToken jwtAuthToken = new JwtAuthenticationToken(user, authInfo, user.getAuthorities());
request.setAttribute(jwtConfigProperties.getSignatureKey(), userKey);
jwtAuthToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(
request));
SecurityContextHolder.getContext().setAuthentication(jwtAuthToken);
filterChain.doFilter(request, response);
/**
* 請求認證
* @param request
* @return
*/
private boolean requireAuthentication(HttpServletRequest request)
String authHeader = request.getHeader(jwtConfigProperties.getAuthorizationHeaderName());
if (authHeader == null)
if (log.isDebugEnabled())
log.debug("请求头中不包含令牌信息,所以将跳过认证");
return false;
if (CollectionUtil.isNotEmpty(this.permissiveRequestMatchers))
Iterator var2 = this.permissiveRequestMatchers.iterator();
while(var2.hasNext())
RequestMatcher matcher = (RequestMatcher)var2.next();
boolean isPermissiveUrl = matcher.matches(request);
if (isPermissiveUrl)
if (log.isDebugEnabled())
log.debug("请求:为特权请求,将跳过认证", request.getRequestURI());
return false;
return true;
@Override
protected void initFilterBean() throws ServletException
super.initFilterBean();
if (CollectionUtil.isNotEmpty(jwtConfigProperties.getPermissiveRequestUrls()))
this.permissiveRequestMatchers = new ArrayList(jwtConfigProperties.getPermissiveRequestUrls().size());
Iterator var1 = jwtConfigProperties.getPermissiveRequestUrls().iterator();
while(var1.hasNext())
String url = (String)var1.next();
AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
this.permissiveRequestMatchers.add(matcher);
@Override
protected String getAlreadyFilteredAttributeName()
if (log.isDebugEnabled())
log.debug("正在检查时否已经拦截过滤过");
String name = this.getClass().getName();
return name + ".FILTERED";
/**
* 判断是否是系统中登录后签发的token
*
* @param authorizationHeader
* @return
*/
private boolean checkIsTokenAuthorizationHeader(String authorizationHeader)
if (StringUtils.isBlank(authorizationHeader))
return false;
if (!StringUtils.startsWith(authorizationHeader, jwtConfigProperties.getTokenHeaderPrefix()))
return false;
return true;
/**
* 处理token过期情况
*
* @param response
* @param request
* @return
* @throws IOException
*/
private void handleTokenExpired(HttpServletResponse response, HttpServletRequest request) throws IOException, ServletException
// 获取刷新 token
String refreshTokenHeader = request.getHeader(jwtConfigProperties.getRefreshHeaderName());
// 检测 refresh-token 是否是我们系统中签发的
if (!checkIsTokenAuthorizationHeader(refreshTokenHeader))
log.debug("获取到刷新认证头:[]的值:[]但不是我们系统中登录后签发的。", jwtConfigProperties.getRefreshHeaderName(), refreshTokenHeader);
writeJson(response, "token过期了,refresh token 不是我们系统签发的");
return;
String referToken = JwtTokenOperator.getToken(request,jwtConfigProperties.getRefreshHeaderName(),jwtConfigProperties.getTokenHeaderPrefix());
JwtAuthInfo authInfo = this.tokenParser.parse(referToken, jwtConfigProperties.getTokenType());
if (authInfo == null)
writeJson(response, "refresh token不合法");
return;
// 判断 refresh-token 是否过期
if (authInfo.getExpirationTime() < System.currentTimeMillis())
writeJson(response, "refresh token 过期了");
return;
if (authInfo.getRefreshToken())
writeJson(response, "refresh token不合法,请勿直接用认证token刷新令牌");
return;
// 重新签发 token
authInfo.setEffectiveTime(0L);
String userToken = jwtTokenService.generateUserToken(authInfo);
// 刷新 refresh token, 刷新token,提供刷新token接口获取
// authInfo.setEffectiveTime(0L);
// String refreshToken = jwtTokenService.generateRefreshUserToken(authInfo);
response.addHeader(jwtConfigProperties.getAuthorizationHeaderName(), jwtConfigProperties.getTokenHeaderPrefix() + userToken);
// response.addHeader(jwtConfigProperties.getRefreshHeaderName(), jwtConfigProperties.getTokenHeaderPrefix() + refreshToken);
private void writeJson(HttpServletResponse response, String msg) throws IOException
response.setCharacterEncoding(StandardCharsets.UTF_8.name());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.getWriter().println(JSONUtil.parse(CommonResult.buildFailure(StatusEnum.UNAUTHORIZED, msg)));
token 处理
@Service
public class JwtTokenService
@Resource
private JwtConfigProperties jwtConfigProperties;
private static String SECURITY_NAMESPACE_PREFIX = "security-auth";
public String generateUserToken(JwtAuthInfo auth)
String token = this._generateUserToken(auth);
return token;
public JwtAuthInfo parseToken(String token)
if (StringUtils.isNotBlank(jwtConfigProperties.getTokenHeaderPrefix()) && token.startsWith(jwtConfigProperties.getTokenHeaderPrefix()))
token = token.substring(jwtConfigProperties.getTokenHeaderPrefix().length());
return (JwtAuthInfo) TokenParserRegistrar.getInstance().getParser(jwtConfigProperties.getTokenType()).parse(token, jwtConfigProperties.getSignatureKey(), jwtConfigProperties.getTokenType());
public String generateRefreshUserToken(JwtAuthInfo auth)
long startTime = auth.getEffectiveTime();
if (startTime <= 0L)
startTime = System.currentTimeMillis();
auth.setEffectiveTime(startTime);
auth.setIssueTime(startTime);
long expireTime = startTime + jwtConfigProperties.getRefreshTokenExpiredSecond();
auth.setExpirationTime(expireTime);
auth.setRefreshToken(true);
return generateCommonToken(auth, jwtConfigProperties.getAlgorithmName(), jwtConfigProperties.getSignatureKey());
private String _generateUserToken(JwtAuthInfo auth)
long startTime = auth.getEffectiveTime();
if (startTime <= 0L)
startTime = System.currentTimeMillis();
auth.setEffectiveTime(startTime);
auth.setIssueTime(startTime);
long expireTime = startTime + jwtConfigProperties.getTokenExpireSecond();
auth.setExpirationTime(expireTime);
auth.setRefreshToken(false);
String token = generateCommonToken(auth, jwtConfigProperties.getAlgorithmName(), jwtConfigProperties.getSignatureKey());
this.cacheToken(auth, token);
return token;
private void cacheToken(JwtAuthInfo jwtAuthInfo,String token)
//String cacheKey = this.buildTokenCacheKey(userId, tokenId);
//this.redisTemplate.opsForValue().set(cacheKey, token);
//this.redisTemplate.expire(cacheKey, jwtConfigProperties.getRefreshInterval() + 5000L, TimeUnit.MILLISECONDS);
RedisUtils.setObject(buildTokenCacheKey(jwtAuthInfo), token, Integer.parseInt(String.valueOf(jwtConfigProperties.getTokenExpireSecond())));
private String buildTokenCacheKey(JwtAuthInfo jwtAuthInfo)
return String.join(":",
SECURITY_NAMESPACE_PREFIX,
jwtAuthInfo.getApplicationKey(),
jwtAuthInfo.getUserKey());
public String fetchToken(JwtAuthInfo jwtAuthInfo)
String cacheKey = this.buildTokenCacheKey(jwtAuthInfo);
String cachedToken = RedisUtils.getObject(cacheKey, String.class);
return cachedToken;
public String generateCommonToken(AuthInfo authInfo, String algorithm, String signatureKey)
JwtAuthInfo jwtAuthInfo = (JwtAuthInfo)authInfo;
Map<String, Object> header = new HashMap();
header.put("alg", jwtConfigProperties.getAlgorithmName());
header.put("typ", "JWT");
JwtBuilder builder = Jwts.builder().setHeader(header).setHeaderParam("refresh_token", authInfo.getRefreshToken()).setSubject(jwtAuthInfo.getApplicationKey()).setId(jwtAuthInfo.getUserKey()).setIssuer(jwtAuthInfo.getIssuer()).setIssuedAt(new Date(jwtAuthInfo.getIssueTime())).setExpiration(new Date(jwtAuthInfo.getExpirationTime())).setNotBefore(new Date(jwtAuthInfo.getEffectiveTime())).setAudience(jwtAuthInfo.getTokenUser());
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.forName(algorithm);
builder.signWith(signatureAlgorithm, signatureKey);
return builder.compact();
配置信息
security
@ConditionalOnProperty(name="security.enable",havingValue="true")
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Resource
private SecurityConfigProperties securityConfigProperties;
@Resource
private JwtConfigProperties jwtConfigProperties;
@Resource
private UserDetailsService userDetailsService;
// 处理业务的认证管理器
@Resource
private List<CustomerAuthenticationProvider> authenticationProviderList;
@Resource
private CustomerAuthenticationSuccessHandler customerAuthenticationSuccessHandler;
@Resource
private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = httpSecurity
.authorizeRequests();
for (String url : securityConfigProperties.getUrls())
registry.antMatchers(url).permitAll();
//允许跨域请求的OPTIONS请求
registry.antMatchers(HttpMethod.OPTIONS).permitAll();
//任何请求需要身份认证
registry.and()
.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/**/*.js").permitAll()
.antMatchers("/**/*.css").permitAll()
.antMatchers("/images/**").permitAll()
.antMatchers("/**/*.html").permitAll()
.antMatchers("/**/*.ftl").permitAll()
.antMatchers(jwtConfigProperties.getRefreshTokenUrl()).permitAll()
.anyRequest()
// 允许认证过的用户访问
.authenticated()
// 关闭跨站请求防护及不使用session
.and()
.csrf()
.disable()
// //因为使用JWT,所以不需要HttpSession
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
// 自定义权限拒绝处理类
.and()
//允许配置错误处理
.exceptionHandling()
.accessDeniedHandler(restfulAccessDeniedHandler())
.authenticationEntryPoint(restAuthenticationEntryPoint())
// 自定义权限拦截器JWT过滤器
.and()
.addFilterAt(loginAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)//登录Filter
// 在指定的Filter类之前添加过滤器, 使用自定义的 Token过滤器 验证请求的Token是否合法
.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
return super.authenticationManagerBean();
/**
* 省份认证接口
* @param auth 用来配置认证管理器AuthenticationManager
* 装配自定义的Provider
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
// jwt; 多个就配置多个
for (CustomerAuthenticationProvider customerAuthenticationProvider : authenticationProviderList)
auth.authenticationProvider(customerAuthenticationProvider);
// 此处自定义userDetailsService;
auth.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
/**
* 强散列哈希加密实现
* @return
*/
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Bean
public LoginAuthenticationFilter loginAuthenticationFilter() throws Exception
LoginAuthenticationFilter loginAuthenticationFilter = new LoginAuthenticationFilter(authenticationManagerBean(), securityConfigProperties.getLoginPath());
// 自定义实现login success
loginAuthenticationFilter.setAuthenticationSuccessHandler(customerAuthenticationSuccessHandler);
return loginAuthenticationFilter;
@Bean
public RestfulAccessDeniedHandler restfulAccessDeniedHandler()
return new RestfulAccessDeniedHandler();
@Bean
public RestAuthenticationEntryPoint restAuthenticationEntryPoint()
return new RestAuthenticationEntryPoint();
认证成功或失败村里
@Slf4j
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json");
log.info(request.getRequestURI() + authException.getMessage());
response.getWriter().println(JSONUtil.parse(CommonResult.buildFailure(StatusEnum.UNAUTHORIZED)));
response.getWriter().flush();
@Slf4j
public class RestfulAccessDeniedHandler implements AccessDeniedHandler
@Override
public void handle(HttpServletRequest request,
HttpServletResponse response,
AccessDeniedException e) throws IOException, ServletException
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json");
log.info(request.getRequestURI() + e.getMessage());
response.getWriter().println(JSONUtil.parse(CommonResult.buildFailure(StatusEnum.NO_OPERATION_PERMISSION)));
response.getWriter().flush();
jwt配置
@Component
@Data
public class JwtConfigProperties
@Value("$jwt.token-type:jwt")
private String tokenType;
@Value("$jwt.authorization-header-name:Authorization")
private String authorizationHeaderName;
// jwt 放开的请求
@Value("#'$jwt.permissive-request-urls:login'.split(',')")
private List<String> permissiveRequestUrls;
@Value("$jwt.signature-algorithm:HS256")
private String algorithmName;
@Value("$jwt.token-header-prefix:Bearer ")
private String tokenHeaderPrefix = "Bearer ";
@Value("$jwt.signature-key:xxxxx")
private String signatureKey;
@Value("$jwt.token-expire-second:300000")
private Long tokenExpireSecond = 300000L;
@Value("$jwt.refresh-token-url:/**/token/refresh")
private String refreshTokenUrl;
@Value("$jwt.refresh-token-expired-second:400000")
private Long refreshTokenExpiredSecond= 86400000L;
@Value("$jwt.refresh-header-name:Refresh-Token")
private String refreshHeaderName;
@Value("$jwt.user-key:userKey")
private String userKey;
@Getter
@Setter
@Component
public class SecurityConfigProperties
@Value("#'$security.url.ignored:login'.split(',')")
private List<String> urls = new ArrayList<>();
@Value("$security.url.login.path:wx/login")
private String loginPath;
@Value("$security.url.login.request-data-type")
private String requestDataTypeName;
#####设置认证类
@Getter
@Setter
public class DefaultMiniprogramAuthenticationData extends AbstractAuthenticationToken
private static final long serialVersionUID = 1L;
/**小程序访问Code*/
private String accessCode;;
/**小程序会话key*/
private String sessionKey;
/**小程序openId*/
private String openId;
/**小程序unionId*/
private String unionId;
public DefaultMiniprogramAuthenticationData()
super(Collections.emptyList());
public DefaultMiniprogramAuthenticationData(MiniprogramUserDetail user, String sessionKey)
super(Collections.emptyList());
super.setDetails(user);
super.setAuthenticated(true);
this.sessionKey = sessionKey;
@Override
public Object getPrincipal()
return this.getDetails();
@Override
public Object getCredentials()
return this.accessCode;
@Component
@Slf4j
public class MiniprogramAuthenticationProvider implements CustomerAuthenticationProvider
@Autowired
private ProgramWechatUserManager programWechatUserManager;
@Autowired
private MiniprogramAccountService miniprogramAccountService;
@Autowired
private ApplicationProperties applicationProperties;
@Autowired
private ProgramConfigProperties programConfigProperties;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException
log.info("MiniprogramAuthenticationProvider");
if (!(authentication instanceof DefaultMiniprogramAuthenticationData))
return null;
DefaultMiniprogramAuthenticationData authenticationToken = (DefaultMiniprogramAuthenticationData)authentication;
String accessCode = authenticationToken.getAccessCode();
try
UserinfoResponse userInfo = programWechatUserManager.getUserInfo(accessCode);
if (userInfo == null)
if (log.isErrorEnabled())
log.error("使用访问令牌无法获取到用户信息", accessCode);
throw new BadCredentialsException("无法识别用户");
else
String sessionKey = userInfo.getSessionKey();
String openId = userInfo.getOpenid();
String unionId = userInfo.getUnionid();
DefaultMiniprogramAuthenticationData authenticationProgramToken = new DefaultMiniprogramAuthenticationData(new MiniprogramUserDetail(miniprogramAccount), sessionKey);
authenticationToken.setUnionId(unionId);
authenticationToken.setOpenId(openId);
return authenticationProgramToken;
catch (Exception var10)
throw new RuntimeException(var10);
@Override
public boolean supports(Class<?> authentication)
return authentication.isAssignableFrom(DefaultMiniprogramAuthenticationData.class);
spring Security项目快速搭建
spring Security的底层原理就是拦截器链。在上一篇文章使用注解方式搭建spring项目中,
可以自定义一套拦截器,拦截实现spring提供的HandlerInterceptr接口,然后实现三个拦截器方法,
在prexxx方法中定义验证逻辑。拦截器定义好后在servletContext容器的配置类中注入进来再进行注册。就可以使用。
这是基于session进行认证授权的方式。
spring Security为我们提供了认证授权的框架。下面大概上说明一下怎么快速搭建一个spring Security项目。
1 创建maven工程
2 pom依赖,加上spring Security的相关依赖
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.1.5.RELEASE</version>
</dependency>
3 和上篇文章一样,创建两个配置文件 ,一个是spring容器相当于applicationContext.xml,
一个是servletContext容器,向当与springmvc.xml.这里面不用注册自己的拦截器。
4 加载spring容器
5 安全配置 在配置包下定义
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigAdapetor{
//配置用户信息服务
@Bean
public UserDetailsService userDetailsService(){
InMemoryUserDetailManger manger = new InMemoryUserDetailManger();
manger,createUser(User.withUsername("zhangsan").password("111").authorities("a1","a2").build()));
manger,createUser(User.withUsername("lisi").password("222").authorities("b1","b2").build()));
return manger ;
}
//定义密码编码器
@Bean
public PasswordEncoder passwordEncoder(){
return noOpPasswordEncoder .getIntance() ;
}
//定义安全拦截机制
@Bean
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests()
.antMatchers("/r/**").authenticated()
.anyRequest().permitAll()
.and()
.formLogin()
.sucessFowardUrl("/login-sucess");
}
}
6 在加载类中加载此配置
在getRootConfigClasses方法中,在数组中加上此配置的class。
7 初始化spring Security.由于当前使用spring环境,所以不需要多余代码
如果没有使用spring环境,就需要将WebSecurityConfig(spring Security配置类)传入父类,
以便获取配合,创建spring context
public class SpringSecurotyApplicationInitializer extends AbstractSecurityWebApplicationInitializer{
public SpringSecurotyApplicationInitializer (){
//super(WebSecurityConfig); //如果没有spring或springMvc就需要加上此行
}
}
8 当点击登录时候(认证结束)需要跳转到我们自己的页面去,所以需要修改配置servletContext里面的登录地址 即:
Override
public void addViewControlers(viewControllerRegistry registry){
registry.addViewController("/").setViewName("redirect:/login");
}
9 在controller中定义 /login-sucess 的请求。spring Security默认退出的请求是 /logout
10 测试
11 配置授权 在配置类中配置
http.authorizeRequests()
.antMatchers("/r/r1").hasAuthority("a1")
.antMatchers("/r/r2").hasAuthority("b1")
.antMatchers("/r/**").authenticated()
.anyRequest().permitAll()
.and()
.formLogin()
.sucessFowardUrl("/login-sucess");
以上是关于Spring Security 自定义拦截器Filter实现登录认证的主要内容,如果未能解决你的问题,请参考以下文章
spring security使用自定义登录界面后,不能返回到之前的请求界面的问题
250.Spring Boot+Spring Security:基于URL动态权限:自定义AccssDesionManager