之前都是自个实现登录拦截、用户验证,自从发现了研究springSecurity这个框架之后,爱不释手,基本上权限+验证方面的操作都可以完成,是spring中一个重量级的安全校验框架。
很多人抱怨springSecurity的api太复杂,其实不然,当你了解它的流程操作时,用起来相当顺手,搭配springboot可快速搭建一个有权限控制级别的项目。
在使用springSecurity之前,我们先来认识一下它的核心类。
Authentication
Authentication是表示用户信息的一个接口,通过它可封装一些用户登录认证的对象,用户认证成功后,又会生成一个信息更加全面,包括用户所拥有的角色等信息的Authentication对象,然后把它保存在SecurityContextHolder 所持有的 SecurityContext 中,供后续的程序进行调用,如访问权限的鉴定等。
SecurityContextHolder
根据以上所知,它是一个用来保存SecurityContext的一个类,而SecurityContext中又存储着用户信息。它含有很多静态方法,如getContext、setContext、clearContext来对SecurityContext进行操作。
AuthenticationManager 和 AuthenticationProvider
AuthenticationManager 是一个用来处理认证(Authentication)请求的接口。在其中只定义了一个方法 authenticate(),该方法只接收一个代表认证请求的 Authentication 对象作为参数,如果认证成功,则会返回一个封装了当前用户权限等信息的 Authentication 对象进行返回。
AuthenticationManager 的默认实现是 ProviderManager,它不自己处理请求,而是通过委托机制给其配置的AuthenticationProvider 列表,然后会依次使用每一个 AuthenticationProvider 进行认证,如果有一个 AuthenticationProvider 认证后的结果不为 null,则表示该 AuthenticationProvider 已经认证成功,之后的 AuthenticationProvider 将不再继续认证
UserDetailsService
认识这个接口之前我们先来看一下UserDetails接口,UserDetails中定义了用户的账户、密码、权限等信息,可通过实现该接口中的方式自行定义用户信息类。而UserDetailsService中只有一个方法loadUserByUsername(),该方法返回的便是一个UserDetails对象。这个方法主要是对web传来的用户信息进行验证操作,验证成功便返回用户所属的UserDetails信息。用户验证不通过则抛出UsernameNotFoundException异常。
现在我们来开始搭建我们的springSecurity。
首先,定义好我们的用户信息类User
@Entity
@Table(name = "SISE_USER")
public class User extends BaseEntity{
@Column(name="USER_USERNAME",length=400)
private String username;
@Column(name="USER_ACCOUNT",length=400)
private String account;
@Column(name="USER_PASSWORD",length = 400)
private String password;
@Column(name="USER_EMAIL",length = 400)
private String email;
@Column(name = "USER_PHONE",length = 400)
private String phone;
@ManyToMany(fetch = FetchType.EAGER, targetEntity = Role.class)
@JoinTable(name = "TT_USER_ROLE",joinColumns = @JoinColumn(name = "USER_ID"),inverseJoinColumns = @JoinColumn(name = "ROLE_ID"))
private Set<Role> roles = new LinkedHashSet<>();
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getAccount() {
return account;
}
public void setAccount(String account) {
this.account = account;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
public String getPhone() {
return phone;
}
public void setPhone(String phone) {
this.phone = phone;
}
public Set<Role> getRoles() {
return roles;
}
public void setRoles(Set<Role> roles) {
this.roles = roles;
}
}然后创建一个SecurityUser类来继承这个User和实现Usertails接口
public class SecurityUser extends User implements UserDetails {
private static final long serialVersionUID = 1L;
public SecurityUser(User suser) {
if (suser != null)
{
this.setsId(suser.getsId());
this.setUsername(suser.getUsername());
this.setAccount(suser.getAccount());
this.setEmail(suser.getEmail());
this.setPassword(suser.getPassword());
this.setRoles(suser.getRoles());
}
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
Set<Role> roles = super.getRoles();
if(roles != null){
for(Role role : roles){
SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getRoleName());
authorities.add(authority);
}
}
return authorities;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}到了这里,我们的用户信息基本定义完成。
接下来我们来实现UserDetailsService接口,我们创建一个CustomerUserService来实现它。
@Component
public class CustomUserDetailsService implements UserDetailsService{
@Autowired
private UserService userService;
@Override
public UserDetails loadUserByUsername(String account) throws UsernameNotFoundException {
User user = userService.findByAccount(account);
if(user == null){
throw new UsernameNotFoundException("Username :" + account + "not found");
}
SecurityUser securityUser = new SecurityUser(user);
return securityUser;
}
}记得使用@Component把它注册为组件,便于spring进行实例化。
接下来就是要对springSercurity进行配置和使用,我们创建一个WebSecurityConfig继承WebSecurityConfiguConfigurerAdater
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception{
http.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin().loginPage("/login_p")
.loginProcessingUrl("/login")
.usernameParameter("account")
.passwordParameter("password")
.permitAll()
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
httpServletResponse.setContentType("application/json;charset=utf-8");
PrintWriter out = httpServletResponse.getWriter();
StringBuffer sb = new StringBuffer();
sb.append("{\"status\":\"error\",\"msg\":\"");
if (e instanceof UsernameNotFoundException || e instanceof BadCredentialsException) {
sb.append("用户名或密码输入错误,登录失败!");
} else if (e instanceof DisabledException) {
sb.append("账户被禁用,登录失败,请联系管理员!");
} else {
sb.append("登录失败!");
}
sb.append("\"}");
out.write(sb.toString());
out.flush();
out.close();
}
}).successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
httpServletResponse.setContentType("application/json;charset=utf-8");
PrintWriter out = httpServletResponse.getWriter();
SecurityUser user = (SecurityUser) SecurityContextHolder.getContext()
.getAuthentication()
.getPrincipal();
Set<Menu> menus = new HashSet<>();
for(Role role : user.getRoles()){
menus.addAll(role.getMenus());
}
ArrayNode datas = JsonUtils.createArrayNode();
ObjectNode data;
data = datas.addObject();
data.put("account",user.getAccount());
data.put("userId",user.getsId());
data.put("username",user.getUsername());
ObjectMapper objectMapper = new ObjectMapper();
String s = "{\"status\":\"success\",\"msg\":" + objectMapper.writeValueAsString(datas) + "}";
out.write(s);
out.flush();
out.close();
}
}).and().logout().permitAll().and().csrf().disable();
}
@Autowired
public void globalConfigure(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(customUserDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public CustomUserDetailsService customUserDetailsService(){
return new CustomUserDetailsService();
}
}http.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin().loginPage("/login_p")
.loginProcessingUrl("/login")
.usernameParameter("account")
.passwordParameter("password")
.permitAll()loginPage方法指定登录界面,因为我们使用vue前后端分离,所以这里可以不用指定,可直接去掉
loginprocessingUrl方法设置登录接口,前端登录访问的接口,默认为/login。
usernameParameter和passwordParameter便是接口所需的参数。
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
httpServletResponse.setContentType("application/json;charset=utf-8");
PrintWriter out = httpServletResponse.getWriter(); StringBuffer sb = new StringBuffer();
sb.append("{\"status\":\"error\",\"msg\":\"");
if (e instanceof UsernameNotFoundException || e instanceof BadCredentialsException) {
sb.append("用户名或密码输入错误,登录失败!");
} else if (e instanceof DisabledException) {
sb.append("账户被禁用,登录失败,请联系管理员!");
} else {
sb.append("登录失败!");
}
sb.append("\"}");
out.write(sb.toString());
out.flush();
out.close();
}该方法主要是登录失败之后所进行的操作
.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
httpServletResponse.setContentType("application/json;charset=utf-8");
PrintWriter out = httpServletResponse.getWriter();
SecurityUser user = (SecurityUser) SecurityContextHolder.getContext()
.getAuthentication()
.getPrincipal();
Set<Menu> menus = new HashSet<>();
for(Role role : user.getRoles()){
menus.addAll(role.getMenus());
}
ArrayNode datas = JsonUtils.createArrayNode();
ObjectNode data;
data = datas.addObject();
data.put("account",user.getAccount());
data.put("userId",user.getsId());
data.put("username",user.getUsername());
ObjectMapper objectMapper = new ObjectMapper();
String s = "{\"status\":\"success\",\"msg\":" + objectMapper.writeValueAsString(datas) + "}";
out.write(s);
out.flush();
out.close();
}
})登录成功后所进行的操作。
在登录中,我们还需要对密码进行加密,springSecurity有很多hash加密方法,在这里我们使用BCryptPasswordEncoder对密码进行加密
@Autowired
public void globalConfigure(AuthenticationManagerBuilder auth) throws Exception{
auth.userDetailsService(customUserDetailsService())
.passwordEncoder(passwordEncoder());
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}到了这一步,我们就基本完成了一个登录验证的功能,后面我会用vue+springboot完成一个拥有权限控制的系统。
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
