Spring Security

Posted 留有痕迹~

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Spring Security相关的知识,希望对你有一定的参考价值。

Spring Security(三)

个性化用户认证流程

自定义登录页面

在配置类中指定登录页面和接收登录的 url

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MyPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 启用表单登陆
        http.formLogin()
                // 指定登录页面
                .loginPage("/imooc-signIn.html")
                // 登录页面表单提交的 action
                .loginProcessingUrl("/authentication/form")
                .and()
                // 对请求做授权
                .authorizeRequests()
                // 访问指定url时不需要身份认证(放行)
                .antMatchers("/imooc-signIn.html").permitAll()
                // 任何请求
                .anyRequest()
                // 都需要身份认证
                .authenticated()
                .and()
                .csrf().disable();
    }
}
  • 在项目中新建登录页面
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>登录</title>
</head>
<body>
    <h2>标准登录页面</h2>
    <h3>表单登录</h3>
    <form action="/authentication/form" method="post">
        <table>
            <tr>
                <td>用户名:</td>
                <td><label>
                    <input type="text" name="username" />
                </label></td>
            </tr>
            <tr>
                <td>密码:</td>
                <td><label>
                    <input type="password" name="password" />
                </label>
                </td>
            </tr>
            <tr>
                <td colspan="2">
                    <button type="submit">登录</button>
                </td>
            </tr>
        </table>
    </form>
</body>
</html>

启动项目时再访问 Security 就会跳转到你自已定义的登陆页面让你登录。

技术分享图片

  • 深入定义(判断是PC端还是移动端,PC端跳转页面,移动端响应 json)

创建一个控制器,用来处理操作

@RestController
public class BrowserSecurityController {

    private static final Logger log = LoggerFactory.getLogger(BrowserSecurityController.class);

    private RequestCache requestCache = new HttpSessionRequestCache();

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /**
     * 当需要身份验证时跳转到这里处理
     */
    @RequestMapping("/authentication/require")
    @ResponseStatus(code = HttpStatus.UNAUTHORIZED)
    public Map<String, String> requireAuthentication(final HttpServletRequest request,
                                                final HttpServletResponse response) throws IOException {
        SavedRequest savedRequest = requestCache.getRequest(request, response);
        if (null != savedRequest) {
            String target = savedRequest.getRedirectUrl();
            log.info("引发跳转的请求是 ={}", target);
            if (StringUtils.endsWithIgnoreCase(target, ".html")) {
                redirectStrategy.sendRedirect(request, response, "/imooc-signIn.html");
            }
        }
        Map<String, String> map = new HashMap<>();
        map.put("status", "401");
        map.put("msg", "error");
        map.put("content","访问的服务需要身份认证,请引导用户到登录页!" );
        return map;
    }
}
自定义登录成功处理

要做自定义登录成功处理需要实现一下 Security 的 AuthenticationSuccessHandler 接口

/**
 * 自定义登录成功处理
 */
@Configuration
public class ImoocAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    private static final Logger log = LoggerFactory.getLogger(ImoocAuthenticationSuccessHandler.class);

    private final ObjectMapper objectMapper;

    @Autowired
    public ImoocAuthenticationSuccessHandler(ObjectMapper objectMapper) {
        this.objectMapper = objectMapper;
    }
    // 参数 Authentication 是Security的核心接口之一,封装了用户登录认证信息
    // UserDetails 接口就包装到了此接口中
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        log.info("登录成功");
        // 响应 json 信息
        response.setContentType("application/json;charset=utf-8");
        PrintWriter out = response.getWriter();
        out.write(objectMapper.writeValueAsString(authentication));
        out.flush();
        out.close();
    }

}
  • 启动项目,访问跳转登录页面后,输入正确用户名,密码后响应信息如下:
{
  "authorities": [
    {
      "authority": "admin"
    }
  ],
  // 包含了认证请求的信息
  "details": {
    "remoteAddress": "127.0.0.1",
    "sessionId": "1126C43793FD600CA6DC74169A38F64E"
  },
  // 这里代表当前用户是否经过了身份认证,boolean表示
  "authenticated": true,
  // 这里是 我们自定义UserDetailsService接口实现类 返回的数据
  "principal": {
    "password": null,
    "username": "user",
    // 用户权限
    "authorities": [
      {
        "authority": "admin"
      }
    ],
    "accountNonExpired": true,
    "accountNonLocked": true,
    "credentialsNonExpired": true,
    "enabled": true
  },
  // 这里一般代表用户输入的密码,Security 做了处理,前台不会响应
  "credentials": null,
  // 用户名
  "name": "user"
}
自定义登录错误处理

要做自定义登录成功处理需要实现一下 Security 的 AuthenticationFailureHandler 接口

/**
 * 自定义登录失败处理
 */
@Configuration
public class ImoocAuthenticationFailureHandler implements AuthenticationFailureHandler {
    // 参数 AuthenticationException 是 Security 的一个抽象异常类
    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {

    }

}
  • 启动项目,访问跳转登录页面后,输入错误用户名,密码后响应信息如下:
{**省略堆栈信息**"localizedMessage":"坏的凭证","message":"坏的凭证","suppressed":[]}

注意:以上两个自定义登录/失败的处理,一定要在 自定义Security配置类中加入,不然不会生效!!!

加入自定义登录成功/失败处理

/**
 * Security 配置
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private SecurityProperties securityProperties;

    @Autowired
    private ImoocAuthenticationSuccessHandler imoocAuthenticationSuccessHandler;

    @Autowired
    private ImoocAuthenticationFailureHandler imoocAuthenticationFailureHandler;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new MyPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        BrowserProperties browser = securityProperties.getBrowser();
        // 启用表单登陆
        http.formLogin()
                // 指定登录页面
                .loginPage("/authentication/require")
                // 登录页面表单提交的 action
                .loginProcessingUrl("/authentication/form")
                // 引入自己定义的登录成功处理配置类
                .successHandler(imoocAuthenticationSuccessHandler)
                // 引入自己定义的登录失败处理配置类
                .failureHandler(imoocAuthenticationFailureHandler)
                .and()
                // 对请求做授权
                .authorizeRequests()
                // 访问指定url时不需要身份认证(放行)
                .antMatchers("/authentication/require",
                        browser.getLoginPage()).permitAll()
                // 任何请求
                .anyRequest()
                // 都需要身份认证
                .authenticated()
                .and()
                .csrf().disable();

    }
}

以上实现了自定义成功/失败响应,但是要想PC/移动端通用,需要深化配置一下

  • 改造 自定义成功处理

创建一个枚举类,用来区分 重定向,还是响应 json

public enum LoginType {

    REDIRECT, JSON;

}

让此枚举类成为 BrowserProperties 类的一个属性

public class BrowserProperties {

    /**
     * 指定默认值(如果配置了用配置的页面,没配置用默认的。)
     */
    private String loginPage = "/imooc-signIn.html";

    /**
     * 指定登录成功/失败后的响应方式
     */
    private LoginType loginType = LoginType.JSON;
    
    // 省略 GET/SET/toString 方法
}

改造自定义成功处理类

/**
 * 自定义登录成功处理
 */
@Configuration
// 让自定义的成功处理类 继承 Security 默认的成功处理类 SavedRequestAwareAuthenticationSuccessHandler
public class ImoocAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    private static final Logger log = LoggerFactory.getLogger(ImoocAuthenticationSuccessHandler.class);

    private final ObjectMapper objectMapper;

    private final SecurityProperties securityProperties;

    @Autowired
    public ImoocAuthenticationSuccessHandler(ObjectMapper om, SecurityProperties sp) {
        this.objectMapper = om;
        this.securityProperties = sp;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        log.info("登录成功。。。");
        // 响应 json 信息
        response.setContentType("application/json;charset=utf-8");
        PrintWriter out = response.getWriter();
        out.write(objectMapper.writeValueAsString(authentication));
        out.flush();
        out.close();
    }

}

改造自定义失败处理类

/**
 * 自定义登录失败处理
 */
@Configuration
// SimpleUrlAuthenticationFailureHandler 为 Security 默认的登录失败处理类
public class ImoocAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    private static final Logger log = LoggerFactory.getLogger(ImoocAuthenticationSuccessHandler.class);

    private final ObjectMapper objectMapper;

    private final SecurityProperties securityProperties;

    @Autowired
    public ImoocAuthenticationFailureHandler(ObjectMapper om, SecurityProperties sp) {
        this.objectMapper = om;
        this.securityProperties = sp;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        log.info("登录失败。。。");
        // 如果配置了用 Json 响应
        if (LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
            // 响应状态码为 500
            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
            // 响应 json 信息
            response.setContentType("application/json;charset=utf-8");
            PrintWriter out = response.getWriter();
            out.write(objectMapper.writeValueAsString(exception));
            out.flush();
            out.close();
        } else {
            // 调用父类方法
            super.onAuthenticationFailure(request, response, exception);
        }
    }
}

由于 BrowserProperties 类中的loginType属性默认为 Json ,你可以在具体的 properties 文件中,定义一下属性。如:

imooc.security.browser.login-type=REDIRECT

这样可以测试一下是否配置成功。

测试图就不贴上了,自已耐心测试一下~ :-)

以上是关于Spring Security的主要内容,如果未能解决你的问题,请参考以下文章

oauth2 spring-security 如果您在请求令牌或代码之前登录

Spring Security问题

Spring Security:如何获取自动渲染的登录页面代码?

spring security 匿名访问安全吗

springboot集成spring security实现restful风格的登录认证 附代码

未调用 Spring Security j_spring_security_check