欧美bbbwbbbw肥妇,免费乱码人妻系列日韩,一级黄片

springSecurity使用實(shí)戰(zhàn)指南

 更新時(shí)間:2025年08月13日 15:03:54   作者:哦塞  
本文系統(tǒng)講解了Spring Security的核心功能,包括實(shí)戰(zhàn)舉例,本文結(jié)合實(shí)例代碼給大家介紹的非常詳細(xì),感興趣的朋友跟隨小編一起看看吧

一.登錄security

1.自定義用戶(hù)賬號(hào)和密碼

step01-先導(dǎo)入兩個(gè)依賴(lài)

方式一:在核心配置文件下設(shè)定信息(不合理)

spring.security.user.password=123
spring.security.user.name=pan

方式二:根據(jù)數(shù)據(jù)庫(kù)數(shù)據(jù)進(jìn)行登錄驗(yàn)證(UserDetails)(重要)

step01-mysql的連接

spring.datasource.username=root
spring.datasource.password=123456
spring.datasource.url=jdbc:mysql:///test02?serverTimezone=Asia/Shanghai

step02-實(shí)體類(lèi)實(shí)現(xiàn)UserDetails(是SpringSecurity中定義的用戶(hù)定義規(guī)范)

//獲取當(dāng)前用戶(hù)的權(quán)限/角色
	Collection<? extends GrantedAuthority> getAuthorities();
	//獲取用戶(hù)密碼
    String getPassword();
	//如果SpringSecurity框架想要獲取用戶(hù)名就會(huì)調(diào)用改方法,返回的變量名叫什么都行
    String getUsername();
	//判斷當(dāng)前用戶(hù)賬戶(hù)是否沒(méi)有過(guò)期,正常來(lái)說(shuō)在數(shù)據(jù)庫(kù)中,有一個(gè)字段可以顯示該賬戶(hù)狀態(tài)
    boolean isAccountNonExpired();
	//當(dāng)前用戶(hù)是否沒(méi)有鎖定
    boolean isAccountNonLocked();
	//賬戶(hù)密碼是否沒(méi)有過(guò)期
    boolean isCredentialsNonExpired();
	//當(dāng)前用戶(hù)是否可用,正常來(lái)說(shuō)在數(shù)據(jù)庫(kù)中,有一個(gè)字段可以顯示該賬戶(hù)狀態(tài)
    boolean isEnabled();
public class User implements UserDetails {
    private Integer id;
    private String username;
    private String address;
    private String password;
    private String favorites;
    private Integer gender;
    private String grade;
    private Integer age;
    private boolean enabled;
    /**
     * 獲取當(dāng)前用戶(hù)的角色
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return null;
    }
    /**
     * 獲取用戶(hù)密碼
     * @return
     */
    @Override
    public String getPassword() {
        return password;
    }
    /**
     * 如果 Spring Security 框架需要獲取到用戶(hù)名,他就會(huì)調(diào)用這個(gè)方法
     *
     * 所以,該方法返回值的變量名稱(chēng),實(shí)際上無(wú)所謂,變成名稱(chēng)可以是任何名字
     *
     * @return
     */
    @Override
    public String getUsername() {
        return username;
    }
    /**
     * 判斷當(dāng)前賬戶(hù)是否過(guò)期,正常來(lái)說(shuō),應(yīng)該在數(shù)據(jù)庫(kù)中,有一個(gè)賬戶(hù)是否過(guò)期的字段,在這里直接返回即可
     * @return
     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }
    /**
     * 賬戶(hù)是否沒(méi)有鎖定
     * @return
     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }
    /**
     * 賬戶(hù)密碼是否沒(méi)有過(guò)期
     * @return
     */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }
    /**
     * 賬戶(hù)是否可用
     * @return
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }
    public void setUsername(String username) {
        this.username = username;
    }
    public String getAddress() {
        return address;
    }
    public void setAddress(String address) {
        this.address = address;
    }
    public Integer getId() {
        return id;
    }
    public void setId(Integer id) {
        this.id = id;
    }
    public void setPassword(String password) {
        this.password = password;
    }
    public String getFavorites() {
        return favorites;
    }
    public void setFavorites(String favorites) {
        this.favorites = favorites;
    }
    public Integer getGender() {
        return gender;
    }
    public void setGender(Integer gender) {
        this.gender = gender;
    }
    public String getGrade() {
        return grade;
    }
    public void setGrade(String grade) {
        this.grade = grade;
    }
    public Integer getAge() {
        return age;
    }
    public void setAge(Integer age) {
        this.age = age;
    }
    @Override
    public String toString() {
        return "User{" +
            "id=" + id +
            ", username=" + username +
            ", address=" + address +
            ", password=" + password +
            ", favorites=" + favorites +
            ", gender=" + gender +
            ", grade=" + grade +
            ", age=" + age +
        "}";
    }
}

第二步:在實(shí)現(xiàn)service層實(shí)現(xiàn)UserDetailsService,在loadUserByUsername中判斷前端與數(shù)據(jù)庫(kù)中的值是否一致,和shiro的Realm相似

@Service
public class UserService implements UserDetailsService {
    @Autowired
    UserMapper userMapper;
/**
     * 系統(tǒng)登錄的時(shí)候,該方法會(huì)被自動(dòng)調(diào)用
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.loadUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("賬戶(hù)不存在");
        }
        //查詢(xún)用戶(hù)角色
        user.setRoles(userMapper.getRolesByUid(user.getId()));
        //返回給User類(lèi)中,因?yàn)樵擃?lèi)實(shí)現(xiàn)UserDetails的方法中的很多方法,這些方法是將值給SpringSecurity
        return user;
    }
}

2.自制登錄頁(yè)面(SecurityFilterChain)

第一步:需要設(shè)置一個(gè)登錄界面,還有在Controller層輸寫(xiě)一個(gè)登錄界面的接口

第二步:配置類(lèi),改登錄界面的路徑

注意:security底層就是使用過(guò)濾器,一共有16個(gè)過(guò)濾器,稱(chēng)為過(guò)濾器鏈;

1.spring5以前,springboot2.7.7

@Configuration
public class SecurityConfig {
    /**
    *spring5之前配置spring security的過(guò)濾器鏈
    */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                //開(kāi)始過(guò)濾器的配置
                .authorizeRequests()
                //攔截所有請(qǐng)求,這個(gè)就相當(dāng)于 /**
                .anyRequest()
                //表示攔截下來(lái)的請(qǐng)求,都必須認(rèn)證(登錄)之后才能訪(fǎng)問(wèn)
                .authenticated()
                .and()
                //開(kāi)始登錄表單的配置,其實(shí)配置的是 UsernamePasswordAuthenticationFilter 過(guò)濾器
                .formLogin()
                //首先指定登錄頁(yè)面的地址
                //登錄頁(yè)面,默認(rèn)是 /login GET 請(qǐng)求
                .loginPage("/login")
                //指定登錄接口的地址
                //默認(rèn)情況下,登錄接口也是 /login POST 請(qǐng)求
                .loginProcessingUrl("/doLogin")
                //配置登錄的用戶(hù)名的 key,默認(rèn)就是 username
                .usernameParameter("username")
                //配置登錄的用戶(hù)密碼的 key,默認(rèn)就是 password
                .passwordParameter("password")
                //登錄成功之后的跳轉(zhuǎn)頁(yè)面,這個(gè)是服務(wù)端跳轉(zhuǎn),請(qǐng)求轉(zhuǎn)發(fā)
//                .successForwardUrl("/hello")
                //登錄成功之后的跳轉(zhuǎn)頁(yè)面,這個(gè)是客戶(hù)端跳轉(zhuǎn),重定向
                //假設(shè)一開(kāi)始訪(fǎng)問(wèn) /a,系統(tǒng)自動(dòng)跳轉(zhuǎn)到登錄頁(yè)面,登錄成功之后,就會(huì)跳轉(zhuǎn)回 /a,就是你想訪(fǎng)問(wèn)哪個(gè)網(wǎng)頁(yè)的,等你登錄后,直接訪(fǎng)問(wèn)該網(wǎng)頁(yè)
                //假設(shè)一開(kāi)始就訪(fǎng)問(wèn)登錄頁(yè)面,那么登錄成功之后,才會(huì)來(lái)到 /hello
                .defaultSuccessUrl("/hello")
                //允許登錄表單的路徑訪(fǎng)問(wèn)得到
                .permitAll()
                .and()
                //禁用 csrf 保存策略,本質(zhì)上就是從 Security 過(guò)濾器鏈中移除 CsrfFilter 過(guò)濾器
                .csrf()
                .disable();
        return http.build();
        //第一個(gè)參數(shù)是攔截路徑,第二個(gè)參數(shù)是寫(xiě)過(guò)濾器,這里沒(méi)有寫(xiě)過(guò)濾器
        //這個(gè)配置表示攔截所有的請(qǐng)求,但是攔截下來(lái)的之后,不經(jīng)過(guò)任意過(guò)濾器
//        return new DefaultSecurityFilterChain(new AntPathRequestMatcher("/**"), new ArrayList<>());
    }
}

2.spring6之后,springboot3.0.1

@Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //這個(gè)配置表示攔截所有請(qǐng)求,但是攔截下來(lái)之后,不經(jīng)過(guò)任何過(guò)濾器
//        return new DefaultSecurityFilterChain(new AntPathRequestMatcher("/**"));
        http.authorizeHttpRequests()
                // /login.css 這個(gè)地址,不需要登錄就可以訪(fǎng)問(wèn)
//                .requestMatchers("/login.css").permitAll()
                .requestMatchers("/hello").permitAll()
                //攔截所有請(qǐng)求
                .requestMatchers("/**")
                //所有請(qǐng)求都必須登錄之后才可以訪(fǎng)問(wèn)
                .authenticated()
                .and()
                //表示禁用 csrf 防御機(jī)制,這個(gè)禁用的本質(zhì)就是將 CsrfFilter 從過(guò)濾器鏈中移除掉
                .csrf().disable()
                //開(kāi)啟表單登錄,如果沒(méi)有自己去配置 SecurityFilterChain,默認(rèn)表單登錄是開(kāi)啟的,但是如果自己配置了,則默認(rèn)的表單登錄就會(huì)被覆蓋掉,所以要重新配置
                .formLogin()
                //配置登錄接口,登錄接口是 POST 請(qǐng)求,這個(gè)地方,如果不配置,默認(rèn)地址是 /login
                .loginProcessingUrl("/doLogin")
                //配置登錄用戶(hù)名的 key,默認(rèn)就是 username
                .usernameParameter("name")
                //配置登陸密碼的 key,默認(rèn)是 password
                .passwordParameter("passwd")
                //配置登錄頁(yè)面,默認(rèn)登錄頁(yè)面地址是 /login(GET 請(qǐng)求)
                .loginPage("/login.html")
                //登錄成功之后的跳轉(zhuǎn)頁(yè)面,這個(gè)跳轉(zhuǎn)方式是請(qǐng)求轉(zhuǎn)發(fā)(服務(wù)端跳轉(zhuǎn))
                //一般不用這種
//                .successForwardUrl()
                //默認(rèn)登錄成功之后的跳轉(zhuǎn)頁(yè)面,這個(gè)是重定向跳轉(zhuǎn)
                //如果用戶(hù)首先訪(fǎng)問(wèn) /a,但是因?yàn)闆](méi)有登錄,自動(dòng)跳轉(zhuǎn)到登錄頁(yè)面,登錄成功之后,就會(huì)跳轉(zhuǎn)回 /a
                //如果用戶(hù)一開(kāi)始直接就訪(fǎng)問(wèn)的是登錄頁(yè)面,那么登錄成功之后,就會(huì)跳轉(zhuǎn)到 /hello
//                .defaultSuccessUrl("/hello")
                //登錄成功的處理器
                //auth 表示當(dāng)前登錄成功的用戶(hù)對(duì)象
                .successHandler((req, resp, auth) -> {
                    //獲取當(dāng)前登錄成功的用戶(hù)對(duì)象
                    User user = (User) auth.getPrincipal();
                    user.setPassword(null);
                    resp.setContentType("application/json;charset=utf-8");
                    Map<String, Object> map = new HashMap<>();
                    map.put("status", 200);
                    map.put("message", "登錄成功");
                    map.put("data", user);
                    resp.getWriter().write(new ObjectMapper().writeValueAsString(map));
                })
                //失敗之后的跳轉(zhuǎn)路徑(請(qǐng)求轉(zhuǎn)發(fā))
//                .failureForwardUrl()
                //失敗路徑
//                .failureUrl()
                //配置失敗的處理器
                .failureHandler((req, resp, e) -> {
                    resp.setContentType("application/json;charset=utf-8");
                    Map<String, Object> map = new HashMap<>();
                    map.put("status", 500);
                    map.put("message", "登錄失敗");
                    if (e instanceof BadCredentialsException) {
                        map.put("message", "用戶(hù)名或者密碼輸入錯(cuò)誤,登錄失敗");
                    } else if (e instanceof AccountExpiredException) {
                        map.put("message", "賬戶(hù)過(guò)期,登錄失敗");
                    } else if (e instanceof CredentialsExpiredException) {
                        map.put("message", "密碼過(guò)期,登錄失敗");
                    } else if (e instanceof DisabledException) {
                        map.put("message", "賬戶(hù)被禁用,登錄失敗");
                    } else if (e instanceof LockedException) {
                        map.put("message", "賬戶(hù)被鎖定,登錄失敗");
                    }
                    resp.getWriter().write(new ObjectMapper().writeValueAsString(map));
                })
                .permitAll();
        return http.build();
    }

3.放行策略

方法一:配置過(guò)濾器鏈(一般使用接口放行使用)

@Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                //開(kāi)始過(guò)濾器的配置
                .authorizeRequests()
                //允許/css/login.css匿名訪(fǎng)問(wèn),就是給靜態(tài)資源直接訪(fǎng)問(wèn),不用攔截的,不能在anyrequest之后執(zhí)行
                .antMatchers("/css/login.css")
            	//允許所有用戶(hù)
            	.permitAll()
            	//允許匿名用戶(hù)訪(fǎng)問(wèn),不允許登錄用戶(hù)訪(fǎng)問(wèn),所以我們正常使用permitall
                //.anonymous()
                //攔截所有請(qǐng)求,這個(gè)就相當(dāng)于 /**
                .anyRequest()
                //表示攔截下來(lái)的請(qǐng)求,都必須認(rèn)證(登錄)之后才能訪(fǎng)問(wèn)
                .authenticated()

方法二:配置一個(gè)WebSecurityCustomizer接口進(jìn)行放行(一般靜態(tài)資源選擇用此放行規(guī)則)

    /**
     *spring6之后springboot3.0.1
     * 資源不用攔截,直接放行,有兩種思路:
     *
     * 1. web.ignoring().requestMatchers("/login.css"); 這個(gè)放行方式,本質(zhì)上。請(qǐng)求將不再經(jīng)過(guò) Spring Security 過(guò)濾器鏈
     * 2. .requestMatchers("/login.css").permitAll() 這個(gè)放行方式,請(qǐng)求還是會(huì)經(jīng)過(guò) Spring Security 過(guò)濾器鏈,但是不會(huì)被攔截
     *
     * 如果要放行的資源,是靜態(tài)資源,不需要進(jìn)行 Java 運(yùn)算的,例如 HTML/CSS/JS/mp3/mp4/圖片,那么可以使用第一種放行方式
     * 如果是一個(gè) Java 接口,則建議使用第二種放行方式。
     * @return
     */
    @Bean
    WebSecurityCustomizer webSecurityCustomizer() {
        return new WebSecurityCustomizer() {
            @Override
            public void customize(WebSecurity web) {
                //這個(gè)也是給資源放行
                web.ignoring().requestMatchers("/login.css");
            }
        };
    }
//spring5之前springboot2.7.7
    @Bean
    WebSecurityCustomizer webSecurityCustomizer() {
        return new WebSecurityCustomizer() {
            @Override
            public void customize(WebSecurity web) {
                web.ignoring().antMatchers("css/login.css");
            }
        };
    }

注意:如果是靜態(tài)資源就選擇用第二種方式用接口WebSecurityCustomizer進(jìn)行,但是如果是接口的放行那么就用第一種方式,因?yàn)楫?dāng)?shù)卿浀臅r(shí)候,我們希望請(qǐng)求可以經(jīng)過(guò)SpringSecurity的SecurityContextPersistenceFilter,這個(gè)過(guò)濾器將會(huì)從httpSession中獲得登錄用戶(hù)的對(duì)象,然后存到SecurityContextHolder里面去,然后SecurityContextHolder本質(zhì)上就是存儲(chǔ)到ThreadLocal里面,保持線(xiàn)程一致性

4.登錄的時(shí)候獲取登錄對(duì)象(SecurityContextHolder.getContext().getAuthentication())

1.在controller中獲取登錄對(duì)象

方式一:通過(guò)SecurityContextHolder來(lái)獲取

@RestController
//@RequestMapping("/user")
public class UserController {
    @GetMapping("/hello")
    public String hello(HttpSession session) {
//        獲取當(dāng)前登錄成功的登錄信息
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
//        獲得登錄用戶(hù)的名稱(chēng)
        String name = authentication.getName();
        //從httpSession里面獲取登錄對(duì)象,一般不這樣做,因?yàn)槲覀冞€是希望可以在同一個(gè)線(xiàn)程的
        //SecurityContext spring_security_context = (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
        //String name1 = spring_security_context.getAuthentication().getName();
        //System.out.println("name1 = " + name1);
        return "hello:" + name;
    }
}

方式二:通過(guò)參數(shù)Principal

	@GetMapping("/hello")
    public String hello(Principal principal) {
        //獲取當(dāng)前登錄成功的用戶(hù)名
        String name = principal.getName();
        System.out.println("name = " + name);
        return "hello";
    }

方式三:通過(guò)參數(shù)HttpSession

2 .在service中獲取登錄的對(duì)象

方式一:通過(guò)SecurityContextHolder

@Service
public class HelloService {
    public void hello() {
        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication authentication = securityContext.getAuthentication();
        //獲取當(dāng)前登錄成功的用戶(hù)對(duì)象
        User user = (User) authentication.getPrincipal();
        System.out.println("user = " + user);
    }
}

方式二:RequestContextHolder.getRequestAttributes()).getRequest()來(lái)獲取request來(lái)獲取session

@Service
public class HelloService {
    public void hello() {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
        HttpSession session = request.getSession();
        new Thread(new Runnable() {
            @Override
            public void run() {
                //獲取當(dāng)前請(qǐng)求對(duì)象
                SecurityContext sc = (SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
                Authentication authentication1 = sc.getAuthentication();
                User user = (User) authentication1.getPrincipal();
                System.out.println("fffffffff = " + user);
            }
        }).start();
    }
}

5.通過(guò)Json來(lái)進(jìn)行登錄驗(yàn)證

引言:springsecurity是通過(guò)key-value的形式獲取登錄的賬戶(hù)和密碼的

方式一:重寫(xiě)UsernamePasswordAuthenticationFilter類(lèi)里的attemptAuthentication方法

step01-重寫(xiě)attemptAuthentication方法

public class MyJsonFilter extends UsernamePasswordAuthenticationFilter {
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (!request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        if (request.getContentType().equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE) || request.getContentType().equalsIgnoreCase(MediaType.APPLICATION_JSON_UTF8_VALUE)) {
            //此時(shí)就認(rèn)為請(qǐng)求參數(shù)是 JSON 形式的
            User user = null;
            try {
                user = new ObjectMapper().readValue(request.getInputStream(), User.class);
            } catch (IOException e) {
                e.printStackTrace();
            }
            String username = user.getUsername();
            username = (username != null) ? username.trim() : "";
            String password = user.getPassword();
            password = (password != null) ? password : "";
            UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username,
                    password);
            // Allow subclasses to set the "details" property
            setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        } else {
            return super.attemptAuthentication(request, response);
        }
    }
}

step02-注入到spring容器中

@Configuration
public class SecurityConfig {
    @Autowired
    UserService userService;
    /**
     * 這個(gè)過(guò)濾器,替代的是 UsernamePasswordAuthenticationFilter,所以我們之前關(guān)于表單的配置,現(xiàn)在都要配置給 MyJsonFilter 才會(huì)生效
     *
     * @return
     */
    @Bean
    MyJsonFilter myJsonFilter() {
        MyJsonFilter myJsonFilter = new MyJsonFilter();
//        myJsonFilter.setFilterProcessesUrl();
//        myJsonFilter.setUsernameParameter();
//        myJsonFilter.setPasswordParameter();
        myJsonFilter.setAuthenticationSuccessHandler((req, resp, auth) -> {
            resp.getWriter().write("success");
        });
        myJsonFilter.setAuthenticationFailureHandler(new AuthenticationFailureHandler() {
            @Override
            public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            }
        });
        myJsonFilter.setAuthenticationManager(authenticationManager());
        return myJsonFilter;
    }
    /**
     * 這個(gè)是一個(gè)認(rèn)證管理器
     * @return
     */
    @Bean
    AuthenticationManager authenticationManager() {
        //DaoAuthenticationProvider 這個(gè)對(duì)象負(fù)責(zé)數(shù)據(jù)庫(kù)密碼的校驗(yàn)
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(userService);
        ProviderManager manager = new ProviderManager(daoAuthenticationProvider);
        return manager;
    }
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**")
                .authenticated()
                .and()
                .csrf().disable();
        http.formLogin()
                //如果只配置登錄頁(yè)面,那么默認(rèn)情況下,登錄接口也是 /login.html
                .permitAll();
        //新加一個(gè)過(guò)濾器進(jìn)來(lái),將之放到 UsernamePasswordAuthenticationFilter 過(guò)濾器所在的位置
        http.addFilterAt(myJsonFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

方式二:通過(guò)將json的值直接放入到UsernamePasswordAuthenticationToken中,

step01-首先在配置類(lèi)中獲取AuthenticationManager

@Configuration
public class SecurityConfig {
	//獲取的是登錄成功的用戶(hù)名
    @Autowired
    UserService userService;
    //和shiro中的安全管理器DefaultWebSecurityManager相似,UserDetailsService相當(dāng)于shiro的Realm
    /**
     * 這個(gè)是一個(gè)認(rèn)證管理器
     * @return
     */
    @Bean
    AuthenticationManager authenticationManager() {
        //調(diào)用AuthenticationProvider的子類(lèi)DaoAuthenticationProvider來(lái)驗(yàn)證。
        //默認(rèn)實(shí)例化AuthenticationProvider的一個(gè)實(shí)現(xiàn):DaoAuthenticationProvider。DaoAuthenticationProvider通過(guò)接口UserDetailsService的實(shí)現(xiàn)類(lèi)從內(nèi)存或DB中獲取用戶(hù)信息UserDetails(UserDetails十分類(lèi)似Authentication,也是一個(gè)接口,但是與Authentication用途不同,不要搞混)。DaoAuthenticationProvider通過(guò)函數(shù)authenticate比較入?yún)uthentication與UserDetails是否相符,來(lái)判斷用戶(hù)是否可以登錄。如果相符,會(huì)將獲得的UserDetails中的信息補(bǔ)全到一個(gè)Authentication實(shí)現(xiàn)類(lèi),并將該實(shí)現(xiàn)類(lèi)作為認(rèn)證實(shí)體返回。以后便可以通過(guò)當(dāng)前上下文的認(rèn)證實(shí)體Authentication獲取當(dāng)前登錄用戶(hù)的信息。
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userService);
        //調(diào)用AuthenticationManager的實(shí)現(xiàn)類(lèi)ProviderManager
        ProviderManager pm = new ProviderManager(provider);
        return pm;
    }
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/**")
                .authenticated()
                .and()
                .csrf().disable();
        return http.build();
    }

step02-接口中直接獲取json

@RestController
public class LoginController {
    //設(shè)定一個(gè)json的登錄參數(shù),因?yàn)榈讓游覀兪歉鶕?jù)key-value登錄的
    @Autowired
    AuthenticationManager authenticationManager;
    @PostMapping("/doLogin")
    //@RequestBody是json的參數(shù)
    public String login(@RequestBody User user) {
        UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(user.getUsername(),user.getPassword());
        //執(zhí)行認(rèn)證操作
        try {
            //參數(shù) authRequest 是一個(gè)未經(jīng)認(rèn)證的 authentication,而方法的返回值是一個(gè)認(rèn)證后的 authentication
            Authentication authentication = authenticationManager.authenticate(authRequest);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            return "success";
        } catch (AuthenticationException e) {
            e.printStackTrace();
            return e.getMessage();
        }
    }
}
@RestController
public class LoginController {

    @Autowired
    AuthenticationManager authenticationManager;

    @PostMapping("/login")
    public Map<String, Object> login(@RequestBody User user) throws IOException {
        UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(user.getUsername(), user.getPassword());
        try {

            //這里就是執(zhí)行具體的認(rèn)證操作
            //參數(shù)是一個(gè)未經(jīng)認(rèn)證的 Authentication 對(duì)象,而 authenticate 方法返回值則是一個(gè)經(jīng)過(guò)認(rèn)證的 Authentication 的對(duì)象
            Authentication auth = authenticationManager.authenticate(token);
            //將認(rèn)證后的 auth 對(duì)象存入 SecurityContextHolder 中
            SecurityContextHolder.getContext().setAuthentication(auth);
            //獲取當(dāng)前登錄成功的用戶(hù)對(duì)象
            User authUser = (User) auth.getPrincipal();
            authUser.setPassword(null);
            Map<String, Object> map = new HashMap<>();
            map.put("status", 200);
            map.put("message", "登錄成功");
            map.put("data", authUser);
            return map;
        } catch (AuthenticationException e) {
            Map<String, Object> map = new HashMap<>();
            map.put("status", 500);
            map.put("message", "登錄失敗");
            if (e instanceof BadCredentialsException) {
                map.put("message", "用戶(hù)名或者密碼輸入錯(cuò)誤,登錄失敗");
            } else if (e instanceof AccountExpiredException) {
                map.put("message", "賬戶(hù)過(guò)期,登錄失敗");

            } else if (e instanceof CredentialsExpiredException) {
                map.put("message", "密碼過(guò)期,登錄失敗");

            } else if (e instanceof DisabledException) {
                map.put("message", "賬戶(hù)被禁用,登錄失敗");

            } else if (e instanceof LockedException) {
                map.put("message", "賬戶(hù)被鎖定,登錄失敗");

            }
            return map;
        }
    }
}

6.注銷(xiāo),未登錄訪(fǎng)問(wèn)的處理器

@Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/**")
                .authenticated()
                .and()
                .csrf().disable()
                //開(kāi)啟注銷(xiāo)登錄的配置
                .logout()
            //第一個(gè)參數(shù)是訪(fǎng)問(wèn)路徑,第二個(gè)是請(qǐng)求的方法
                .logoutRequestMatcher(new AntPathRequestMatcher("/a", "POST"))
            //注銷(xiāo)成功后的回調(diào)
                .logoutSuccessHandler((req, resp, auth) -> {
                    try {
                        resp.getWriter().write("/a logout success");
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                })
                //是否清除認(rèn)證信息(清除 SecurityContextHolder 中的信息,默認(rèn)是true)
                .clearAuthentication(true)
                //是否銷(xiāo)毀 HttpSession
                .invalidateHttpSession(true)
                .permitAll()
                .and()
            //前端出現(xiàn)403,沒(méi)有登錄,禁止訪(fǎng)問(wèn)
                .exceptionHandling()
                //配置未認(rèn)證訪(fǎng)問(wèn)的處理器
                .authenticationEntryPoint(new AuthenticationEntryPoint() {
                    /**
                     * 當(dāng)用戶(hù)沒(méi)有認(rèn)證,但是卻訪(fǎng)問(wèn)了一個(gè)需要認(rèn)證之后才能訪(fǎng)問(wèn)的接口,那么就會(huì)觸發(fā)該方法
                     * @param request
                     * @param response
                     * @param authException
                     * @throws IOException
                     * @throws ServletException
                     */
                    @Override
                    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
                        Map<String, Object> map = new HashMap<>();
                        map.put("status", 500);
                        map.put("message", "尚未登錄,請(qǐng)登錄");
                        //設(shè)置UTF-8
                        response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
                        response.getWriter().write(new ObjectMapper().writeValueAsString(map));
                    }
                });
        return http.build();
    }

7.加密(PasswordEncoder)

1.密碼的加密匹配器

以下是原理

接口(PasswordEncoder)自帶鹽

常用的實(shí)現(xiàn)類(lèi):DelegatingPasswordEncoder(代理密碼加密)通過(guò)PasswordEncoderFactories來(lái)調(diào)用,默認(rèn)使用的是BCryptPasswordEncoder

public interface PasswordEncoder {
    //將傳來(lái)的密碼,加鹽加密生成編碼,例如當(dāng)你注冊(cè)的時(shí)候,將明文轉(zhuǎn)成密文
    String encode(CharSequence rawPassword);
    //判斷密碼是否正確,第一個(gè)參數(shù)是明文密碼,第二個(gè)參數(shù)是加鹽加密密碼
    boolean matches(CharSequence rawPassword, String encodedPassword);
    //升級(jí)密碼
    default boolean upgradeEncoding(String encodedPassword) {
        return false;
    }
}

注意**:1.你用什么實(shí)現(xiàn)類(lèi)進(jìn)行加鹽加密的就得用什么實(shí)現(xiàn)類(lèi)來(lái)進(jìn)行比對(duì)

2.當(dāng)沒(méi)有配置加密匹配器的時(shí)候,就會(huì)用DelegatingPasswordEncoder密碼匹配器進(jìn)行調(diào)用默認(rèn)的密碼匹配器SCryptPasswordEncoder,因?yàn)樗讓涌梢越o其余的10種密碼匹配器取名,我們只需要在數(shù)據(jù)庫(kù)的密碼中前面寫(xiě):例如{noop}123,就是使用NoopPasswordEncode密碼匹配器

//spring5+springboot2.7.7+jdk8 
public final class PasswordEncoderFactories {
    private PasswordEncoderFactories() {
    }
    public static PasswordEncoder createDelegatingPasswordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());
        encoders.put("argon2", new Argon2PasswordEncoder());
        //第一個(gè)參數(shù),表示的是默認(rèn)的密碼匹配器
        return new DelegatingPasswordEncoder(encodingId, encoders);
    }
}
//spring6+springboot3.0.1+jdk17 
public final class PasswordEncoderFactories {
    private PasswordEncoderFactories() {
    }
    public static PasswordEncoder createDelegatingPasswordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5());
        encoders.put("pbkdf2@SpringSecurity_v5_8", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        encoders.put("scrypt", SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1());
        encoders.put("scrypt@SpringSecurity_v5_8", SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());
        encoders.put("argon2", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2());
        encoders.put("argon2@SpringSecurity_v5_8", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        return new DelegatingPasswordEncoder(encodingId, encoders);
    }
}

step01-配置passwordEncoder類(lèi),我們可以使用系統(tǒng)默認(rèn)的代理密碼匹配,也可以寫(xiě)自己想要的密碼匹配器,只需要在配置類(lèi)中修改 DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(encodingId, encoders) ,它會(huì)自帶前綴

@Configuration
public class SecurityConfig {
    /**
     * 配置了這個(gè) Bean 之后,項(xiàng)目中的密碼加密都是用 BCryptPasswordEncoder,那么就不需要額外指定密碼加密方案了
     * @return
     */
    @Bean
    PasswordEncoder passwordEncoder() {
//        return new BCryptPasswordEncoder();
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());
        encoders.put("argon2", new Argon2PasswordEncoder());
        DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(encodingId, encoders);
        return passwordEncoder;
    }
}

2.密碼升級(jí)(UserDetailsPasswordService)

原因:當(dāng)用戶(hù)的密碼需要實(shí)現(xiàn)升級(jí)的時(shí)候,也就是想要修改成別的密碼匹配器時(shí)或者數(shù)據(jù)庫(kù)中可能存在不同的加密匹配器的加密機(jī)制,想數(shù)據(jù)庫(kù)中的密碼全部升級(jí)為統(tǒng)一的密碼加密機(jī)制時(shí),就會(huì)用到密碼升級(jí)

方式一:修改配置類(lèi)的密碼匹配器

步驟:step01-配置passwordEncoder類(lèi)

@Configuration
public class SecurityConfig {
    /**
     * 配置了這個(gè) Bean 之后,項(xiàng)目中的密碼加密都是用 BCryptPasswordEncoder,那么就不需要額外指定密碼加密方案了
     * @return
     */
    @Bean
    PasswordEncoder passwordEncoder() {
//        return new BCryptPasswordEncoder();
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());
        encoders.put("argon2", new Argon2PasswordEncoder());
        DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(encodingId, encoders);
        return passwordEncoder;
    }
}

step02-需要在service接口中繼承UserDetailsPasswordService接口,實(shí)現(xiàn)UserDetailsPasswordService接口中的updatePassword方法

/**
     * 當(dāng)用戶(hù)登錄的時(shí)候,系統(tǒng)會(huì)自動(dòng)判斷用戶(hù)密碼是否需要升級(jí)
     * @param user:登錄時(shí)候的用戶(hù)
     * @param newPassword 新的加密后的密碼
     * @return
     */
    @Override
    public UserDetails updatePassword(UserDetails user, String newPassword) {
        //條件構(gòu)造器
        UpdateWrapper<User> uw = new UpdateWrapper<>();
        //將修改為新密碼
        uw.lambda().set(User::getPassword, newPassword)
            //是根據(jù)哪個(gè)用戶(hù)id
                .eq(User::getId, ((User) user).getId());
        //sql修改
        boolean update = update(uw);
        //((User) user).setPassword(newPassword);
        return user;
    }
@Service
public class UserService implements UserDetailsService, UserDetailsPasswordService {
    @Autowired
    UserMapper userMapper;
    /**
     * 根據(jù)用戶(hù)名稱(chēng)查詢(xún)用戶(hù)對(duì)象,當(dāng)用戶(hù)登錄的時(shí)候,這個(gè)方法會(huì)被自動(dòng)觸發(fā)
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.loadUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("用戶(hù)名不存在");
        }
        return user;
    }
    /**
     * 當(dāng)用戶(hù)每次登錄的時(shí)候,都會(huì)去檢查用戶(hù)的密碼是否需要升級(jí),如果需要升級(jí),則當(dāng)前方法會(huì)被觸發(fā)。
     * 升級(jí)的情況:
     * 1. 無(wú)論是系統(tǒng)默認(rèn)配置的 DelegatingPasswordEncoder 還是開(kāi)發(fā)者自己配置的 DelegatingPasswordEncoder,DelegatingPasswordEncoder 中都有一個(gè)默認(rèn)的密碼加密方案。那么當(dāng)用戶(hù)登錄的時(shí)候,系統(tǒng)就會(huì)去檢查用戶(hù)當(dāng)前的密碼加密方案是否為 DelegatingPasswordEncoder 中默認(rèn)的加密方案,如果不是,則當(dāng)前方法就會(huì)被觸發(fā),系統(tǒng)會(huì)進(jìn)行密碼升級(jí),將現(xiàn)有的密碼加密方案改為 DelegatingPasswordEncoder 中默認(rèn)的密碼加密方案。
     * 2. 同一種密碼加密方案也可能存在升級(jí)的情況,例如 BCryptPasswordEncoder 中,可以設(shè)置密碼的強(qiáng)度,密碼強(qiáng)度不同,也會(huì)導(dǎo)致密碼自動(dòng)升級(jí)
     * @param user:實(shí)體類(lèi)的User
     * @param newPassword:新的加密后的密碼
     * @return
     */
    @Override
    public UserDetails updatePassword(UserDetails user, String newPassword) {
        User u = (User) user;
        u.setPassword(newPassword);
        //sql語(yǔ)句:修改數(shù)據(jù)庫(kù)的密碼
        userMapper.updatePassword(u);
        return user;
    }
}

step03-測(cè)試

如果數(shù)據(jù)庫(kù)密碼是{noop}123,就是升級(jí)為{bcrypt},系統(tǒng)默認(rèn)的

方式二:修改密碼匹配器的強(qiáng)度(參數(shù))

@Bean
    PasswordEncoder passwordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap();
        encoders.put(encodingId, new BCryptPasswordEncoder(11));
        encoders.put("ldap", new LdapShaPasswordEncoder());
        encoders.put("MD4", new Md4PasswordEncoder());
        encoders.put("MD5", new MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new StandardPasswordEncoder());
        encoders.put("argon2", new Argon2PasswordEncoder());
        DelegatingPasswordEncoder passwordEncoder = new DelegatingPasswordEncoder(encodingId, encoders);
        return passwordEncoder;
?
    }

8.remember me

1.remember me的基本使用

1.與shiro的區(qū)別是:系統(tǒng)重啟了,remember me還是存在

2.springboot3.0.1才有算法名

step01-接口

@RestController
public class HelloController {
    /**
     * 這里的參數(shù) Principal 就表示當(dāng)前登錄成功的用戶(hù)對(duì)象
     * 設(shè)置這個(gè)接口remember me或者登錄都可以訪(fǎng)問(wèn)
     * @param principal
     * @return
     */
    @GetMapping("/hello")
    public String hello(Principal principal) {
        return "hello";
    }
    /**
     * 設(shè)置這個(gè)接口只有通過(guò)Rememeberme才能夠訪(fǎng)問(wèn)
     * @return
     */
    @GetMapping("/rm")
    public  String rm(){
        return "rm";
    }
    /**
     * 設(shè)置是賬戶(hù)密碼登錄時(shí)才可以登錄
     * @return
     */
    @GetMapping("/hello2")
    public String hello2(){
        return "密碼登錄的";
    }
}

 step02-配置過(guò)濾器鏈

@Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                //只能通過(guò)remember me才能夠訪(fǎng)問(wèn)
                .antMatchers("/rm").rememberMe()
                //只有時(shí)賬戶(hù)密碼登錄才能夠訪(fǎng)問(wèn)
                .antMatchers("/hello2").fullyAuthenticated()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .rememberMe()
                //隨便給一個(gè)key,以后系統(tǒng)重啟了,remember me還是存在的,和shiro不太一樣
                .key("a")
                .and()
                .csrf()
                .disable();
        return http.build();
    }

2.持續(xù)化令牌

將用戶(hù)登錄的用戶(hù)名,series,token存儲(chǔ)起來(lái),也是通過(guò)series,token來(lái)確定有沒(méi)有被別人登陸了,每當(dāng)自動(dòng)登錄的時(shí)候,token就會(huì)改變一次,提高安全性,當(dāng)注銷(xiāo)的時(shí)候存入到數(shù)據(jù)庫(kù)的信息就會(huì)刪除

step01-在數(shù)據(jù)庫(kù)中執(zhí)行上面的sql語(yǔ)句,創(chuàng)建表persistent_logins

step02-在配置文件中重新配置PersistentTokenBasedRememberMeServices里的PersistentTokenRepository

@Configuration
public class SecurityConfig {
    @Autowired
    DataSource dataSource;
    @Bean
    JdbcTokenRepositoryImpl jdbcTokenRepository() {
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        return repository;
    }
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                // /rm 必須是以 RememberMe 的方式登錄才可以訪(fǎng)問(wèn)
                .requestMatchers("/rm").rememberMe()
                //這個(gè)表示必須用戶(hù)名密碼登錄,才能訪(fǎng)問(wèn) /hello2
                .requestMatchers("/hello2").fullyAuthenticated()
                .requestMatchers("/**")
                .authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .rememberMe()
                .key("123")
            //配置PersistentTokenRepository
                .tokenRepository(jdbcTokenRepository())
                .and()
                .csrf().disable();
        return http.build();
    }
}

9.會(huì)話(huà)管理

引言:如果在配置文件中設(shè)置了最大登錄的是1個(gè)時(shí),每一次登錄的時(shí)候都會(huì)將另一個(gè)擠下去,或者登不上,是根據(jù)User實(shí)體類(lèi)中的equals和hashCode來(lái)判斷用戶(hù)是否登錄

step01-實(shí)體類(lèi)User寫(xiě)equals和hashCode的方法

public class User implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private String address;
    private Boolean enabled;
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        User user = (User) o;
        return Objects.equals(username, user.username);
    }
    @Override
    public int hashCode() {
        return Objects.hash(username);
    }
    public Integer getId() {
        return id;
    }
    public void setId(Integer id) {
        this.id = id;
    }
    public void setUsername(String username) {
        this.username = username;
    }
    public void setPassword(String password) {
        this.password = password;
    }
    public String getAddress() {
        return address;
    }
    public void setAddress(String address) {
        this.address = address;
    }
    public void setEnabled(Boolean enabled) {
        this.enabled = enabled;
    }
    /**
     * 獲取當(dāng)前用戶(hù)的權(quán)限/角色
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return null;
    }
    /**、
     * 獲取用戶(hù)密碼
     * @return
     */
    @Override
    public String getPassword() {
        return password;
    }
    /**
     * 獲取用戶(hù)名
     * @return
     */
    @Override
    public String getUsername() {
        return username;
    }
    /**
     * 賬戶(hù)是否沒(méi)有過(guò)期
     * @return
     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }
    /**
     * 賬戶(hù)是否沒(méi)有被鎖定
     * @return
     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }
    /**
     * 密碼是否沒(méi)有過(guò)期
     * @return
     */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }
    /**
     * 賬戶(hù)是否可用
     * @return
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
}

step02-添加會(huì)話(huà)的配置信息

判斷用戶(hù)是可以同時(shí)在線(xiàn)幾個(gè)是根據(jù)Map<User,List<Session>>

@Configuration
public class SecurityConfig { 	
	@Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .sessionManagement()
                /**
                 *Map<User,List<Session>>
                 * 底層邏輯是有一個(gè)映射表,Map,map 的 key 是用戶(hù)對(duì)象,value 則是一個(gè)集合,集合中保存了 session
                 */
            	//設(shè)置同一個(gè)用戶(hù)的 session 并發(fā)數(shù)
                .maximumSessions(1)
                //當(dāng)達(dá)到最大并發(fā)數(shù)的時(shí)候,是否禁止新的登錄
                .maxSessionsPreventsLogin(true)
                .and()
            //防止會(huì)話(huà)攻擊,(默認(rèn)也是這個(gè)配置)
                .sessionFixation().migrateSession()
                .and()
                .csrf()
                .disable();
        return http.build();
    }
	/**
	 * 當(dāng)注銷(xiāo)的時(shí)候,map里面還存著用戶(hù)的session的,我們得通過(guò)這個(gè)bean來(lái)觸發(fā)監(jiān)聽(tīng)器
     * 這是一個(gè)事件發(fā)布器,這個(gè)會(huì)自動(dòng)將 HttpSession 銷(xiāo)毀的事件發(fā)布出去,發(fā)布之后會(huì)被 map 感知到,進(jìn)而移除 map 中的 session
     *
     * @return
     */
 	@Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}

10.防止csrf攻擊

起因:黑客利用瀏覽器存在cookie,當(dāng)你登錄時(shí),然后又訪(fǎng)問(wèn)了黑客訪(fǎng)問(wèn)的頁(yè)面的端口,當(dāng)你訪(fǎng)問(wèn)時(shí)就可以直接盜竊你的信息,甚至轉(zhuǎn)賬。(小程序和軟件不存在這個(gè)問(wèn)題)

解決:我們可以開(kāi)啟csrf,當(dāng)我們自己訪(fǎng)問(wèn)post,delete,put也無(wú)法訪(fǎng)問(wèn),黑客更加無(wú)法訪(fǎng)問(wèn)了,這是我們只需要在瀏覽器上添加過(guò)濾器給予你的csrf字符串,你就可以訪(fǎng)問(wèn),黑客是無(wú)法獲取csrf字符串的(可以獲取cookie是因?yàn)闉g覽器存著,然后訪(fǎng)問(wèn)時(shí)直接調(diào)用)

情況一:csrf過(guò)濾器隨機(jī)生成的值,我們要以參數(shù)的形式請(qǐng)求上去

//提交_csrf的參數(shù)過(guò)去,就可以訪(fǎng)問(wèn)了
<form action="/transfer" method="post">
    <input type="text" name="username">
    <input type="text" name="money">
    <input type="hidden" name="_csrf" th:value="${_csrf.token}">
    <input type="submit" value="轉(zhuǎn)賬">
</form>

情況二:用到ajax來(lái)進(jìn)行訪(fǎng)問(wèn),將cookie里面的參數(shù)提取出來(lái),然后發(fā)送請(qǐng)求上去

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <!--    <script src="jquery-3.6.3.min.js"></script>-->
    <!--    <script src="jquery.min.js"></script>
        <script src="jquery.cookie.js"></script>-->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
</head>
<body>
<input type="text" id="username" value="zhangsan">
<input type="text" id="password" value="123">
<button onclick="doTransfer()">登錄</button>
<div id="result"></div>
<script>
    function doTransfer() {
        let token = $.cookie('XSRF-TOKEN');
        console.log("token>>>>", token)
        // _csrf: token:將配置中的
        $.post("/login", {username: $("#username").val(), password: $("#password").val(), _csrf: token},function (msg) {
            $("#result").html(msg);
        });
    }
</script>
</body>
</html>
@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
            //添加了csrf安全過(guò)濾器,因?yàn)楹诳涂梢酝ㄟ^(guò)你瀏覽的網(wǎng)址獲取你登錄時(shí)候的cookie,從而導(dǎo)致你的賬戶(hù)被獲取,你可以添加csrf自動(dòng)創(chuàng)建的字符串,加在后面,即便黑客獲取cookie,但是無(wú)法獲取你的字符串也沒(méi)用,因?yàn)槭强茨阏?qǐng)求的參數(shù)里面有沒(méi)有csrf參數(shù)的,不是看你的coken
            //這個(gè)將csrf存放在cookie里面的,然后通過(guò)js來(lái)將cookie的值讀取出來(lái),找到cookie中的_csrf中的值,作為普通請(qǐng)求的參數(shù)攜帶上。服務(wù)端是在你請(qǐng)求的參數(shù)上找有沒(méi)有_csrf的,并不是在cookie中解析尋找的
              .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        return http.build();
    }
}

11.多個(gè)過(guò)濾器鏈

1.多個(gè)用戶(hù)訪(fǎng)問(wèn)是不同的過(guò)濾器鏈

step01-接口

@RestController
public class HelloController {
    /**
     * 我希望,這個(gè)訪(fǎng)問(wèn)這個(gè)接口的請(qǐng)求,需要經(jīng)過(guò) ConcurrentSessionFilter 過(guò)濾器
     * @return
     */
    @GetMapping("/user/hello")
    public String user() {
        return "hello uesr";
    }
    /**
     * 訪(fǎng)問(wèn)這個(gè)請(qǐng)求的地址,不需要經(jīng)過(guò) CsrfFilter
     * @return
     */
    @GetMapping("/admin/hello")
    public String admin() {
        return "hello admin";
    }
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }
}

step02-配置類(lèi)

@Configuration
public class SecurityConfig {
    @Bean
    UserDetailsService us1() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("zhangsan").password("{noop}123").roles("admin").build());
        return manager;
    }
    @Bean
    UserDetailsService us2() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("lisi").password("{noop}123").roles("user").build());
        return manager;
    }
    /**
     * 這個(gè)就是配置的第一個(gè)過(guò)濾器鏈
     * @param http
     * @return
     * @throws Exception
     */
    @Bean
    SecurityFilterChain securityFilterChain01(HttpSecurity http) throws Exception {
        //這個(gè)地方是在配置過(guò)濾器鏈,這個(gè) antMatcher 方法表示如果你的請(qǐng)求格式是 /user/** 的話(huà),那么就會(huì)進(jìn)入到當(dāng)前鏈中
        http.antMatcher("/user/**")
                .authorizeRequests()
                .antMatchers("/user/**").hasAuthority("user")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/user/login")
                .successHandler((req, resp, auth) -> {
                    resp.getWriter().write("success01");
                })
                .failureHandler((req, resp, e) -> {
                    resp.getWriter().write("failure01");
                })
                .permitAll()
                .and()
                .sessionManagement()
                .maximumSessions(1)
                .and()
                .and()
                .csrf().disable()
                //每一個(gè)過(guò)濾器鏈,可以對(duì)應(yīng)不同的數(shù)據(jù)源,如果我們不為每一個(gè)過(guò)濾器鏈設(shè)置單獨(dú)的數(shù)據(jù)源,那么也可以直接向 Spring 容器中注冊(cè)一個(gè)數(shù)據(jù)源,那么這個(gè)數(shù)據(jù)源就是公用的。
                .userDetailsService(us1());
        return http.build();
    }
    /**
     * 這個(gè)就是配置的第二個(gè)過(guò)濾器鏈
     * @param http
     * @return
     * @throws Exception
     */
    @Bean
    SecurityFilterChain securityFilterChain02(HttpSecurity http) throws Exception {
        //這個(gè)地方是在配置過(guò)濾器鏈,這個(gè) antMatcher 方法表示如果你的請(qǐng)求格式是 /admin/** 的話(huà),那么就會(huì)進(jìn)入到當(dāng)前鏈中
        http.antMatcher("/admin/**")
                .authorizeRequests()
                .antMatchers("/admin/**").hasAuthority("admin")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/admin/login")
                .successHandler((req, resp, auth) -> {
                    resp.getWriter().write("success02");
                })
                .failureHandler((req, resp, e) -> {
                    resp.getWriter().write("failure02");
                })
                .permitAll()
                .and()
                .csrf().disable()
                .userDetailsService(us2());
        return http.build();
    }
    @Bean
    SecurityFilterChain securityFilterChain03(HttpSecurity http) throws Exception {
        //任何用戶(hù)都可以訪(fǎng)問(wèn)
        http.antMatcher("/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .csrf().disable();
        return http.build();
    }
}

2.多個(gè)數(shù)據(jù)源對(duì)應(yīng)的過(guò)濾器鏈

多個(gè)數(shù)據(jù)源

 step01-配置多個(gè)數(shù)據(jù)源對(duì)應(yīng)的登錄UserDetailsService(這個(gè)相當(dāng)于Realm,用來(lái)獲取前端的username)

@Service
public class UserService2207 implements UserDetailsService {
    @Autowired
    UserMapper userMapper;
    /**
     * 根據(jù)用戶(hù)名稱(chēng)查詢(xún)用戶(hù)對(duì)象,當(dāng)用戶(hù)登錄的時(shí)候,這個(gè)方法會(huì)被自動(dòng)觸發(fā)
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    @Ds("master")
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.loadUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("用戶(hù)名不存在");
        }
        return user;
    }
}
@Service
public class UserServiceJpaDemo implements UserDetailsService {
    @Autowired
    UserMapper userMapper;
    /**
     * 根據(jù)用戶(hù)名稱(chēng)查詢(xún)用戶(hù)對(duì)象,當(dāng)用戶(hù)登錄的時(shí)候,這個(gè)方法會(huì)被自動(dòng)觸發(fā)
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    @Ds("slave")
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.loadUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("用戶(hù)名不存在");
        }
        return user;
    }
}

step02-配置類(lèi),給對(duì)應(yīng)的service匹配對(duì)應(yīng)的過(guò)濾器鏈

@Configuration
public class SecurityConfig {
    @Autowired
    UserService2207 userService2207;
    @Autowired
    UserServiceJpaDemo userServiceJpaDemo;
    /**
     * 提供一個(gè)這樣的 Bean,就是提供了一個(gè)過(guò)濾器鏈,這個(gè)過(guò)濾器鏈中約 10 多個(gè)過(guò)濾器
     *
     * @param http
     * @return
     * @throws Exception
     */
    @Bean
    SecurityFilterChain phoneSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                //這個(gè)表示配置當(dāng)前過(guò)濾器鏈的攔截規(guī)則
                .securityMatcher("/phone/**")
                // UserDetailsService 分為兩種,一種是全局的,另外一種是局部的,如果我們不給每一個(gè)過(guò)濾器鏈單獨(dú)設(shè)置 UserDetailsService,則都使用的是全局的
                .userDetailsService(userService2207)
                .authorizeHttpRequests().requestMatchers("/**")
                .authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/phone/login")
                .successHandler((req,resp,auth)->{
                    resp.getWriter().write("phone login success");
                })
                .failureHandler((req,resp,e)->{
                    resp.getWriter().write(e.getMessage());
                })
                .permitAll()
                .and()
                .csrf().disable();
        return http.build();
    }
    @Bean
    SecurityFilterChain webSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                //這個(gè)表示配置當(dāng)前過(guò)濾器鏈的攔截規(guī)則
                .securityMatcher("/web/**")
                .userDetailsService(userServiceJpaDemo)
                .authorizeHttpRequests().requestMatchers("/**")
                .authenticated()
                .and()
                .formLogin()
                .successHandler((req,resp,auth)->{
                    resp.getWriter().write("web login success");
                })
                .loginPage("/web/login")
                .loginProcessingUrl("/web/login")
                .permitAll();
        return http.build();
    }
}

12.JWT登錄(無(wú)狀態(tài)登錄)

有狀態(tài)登錄攜帶的sessionid是沒(méi)有含義的,就只是隨機(jī)id;無(wú)狀態(tài)的token是有含義的

1.httpBasic

只需要將formLogin()寫(xiě)成httpBasic()就可以實(shí)現(xiàn)了,但是有缺點(diǎn):1.注銷(xiāo)問(wèn)題,無(wú)法注銷(xiāo) 2.續(xù)期問(wèn)題,不會(huì)自動(dòng)重置時(shí)間 3.密碼重置 4.把密碼用戶(hù)信息放在請(qǐng)求頭,不安全,每一次調(diào)用一個(gè)接口都會(huì)顯示,因?yàn)槭菬o(wú)狀態(tài),它需要無(wú)時(shí)無(wú)刻校驗(yàn)

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .requestMatchers("/**")
                .authenticated()
                .and()
                .httpBasic();
        return http.build();
    }
}

2./jwtk/jjwt

step01-jwt專(zhuān)屬·依賴(lài)

 step02-配置類(lèi),如果成功登錄就生成JWT字符串

@Configuration
public class SecurityConfig {
    //可以隨機(jī)是一段字符串
    public static final Key KEY = Keys.hmacShaKeyFor("jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395jfkdafljksajklf75894237uafkldsjfalkj8134784395".getBytes());
    //引入寫(xiě)好的過(guò)濾器
    @Autowired
    JwtFilter jwtFilter;
    /**
     * 配置 Spring Security 的過(guò)濾器鏈
     *
     * @return
     */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        //因?yàn)閖wtFilter中有用戶(hù)名,密碼,權(quán)限的設(shè)置在UsernamePasswordAuthentication該類(lèi),所以在它前面執(zhí)行
        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        http.authorizeHttpRequests()
                .requestMatchers("/**")
                .authenticated()
                .and()
                //關(guān)閉 session 的創(chuàng)建,這樣就不會(huì)產(chǎn)生sessionid了,實(shí)現(xiàn)無(wú)狀態(tài)訪(fǎng)問(wèn)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .and()
                .formLogin()
                .successHandler((req, resp, auth) -> {
                    //保存的數(shù)據(jù)是需要map存儲(chǔ)
                    Map<String, String> map = new HashMap<>();
                    //獲取當(dāng)前登錄成功的用戶(hù)角色,是在User實(shí)體類(lèi)的權(quán)限角色方法中獲取的
                    Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
                    //  ROLE_admin,ROLE_user,使用Stream流將獲取的權(quán)限以,隔開(kāi)
                    map.put("authorities", authorities.stream().map(a -> a.getAuthority()).collect(Collectors.joining(",")));
                    //生成 JWT 字符串
                    String jws = Jwts.builder()
                            //配置主題
                            .setSubject(auth.getName())
                            //過(guò)期時(shí)間,七天之后過(guò)期
                            .setExpiration(new Date(System.currentTimeMillis() + 7 * 24 * 60 * 60 * 1000))
                            //令牌簽發(fā)時(shí)間
                            .setIssuedAt(new Date())
                            //這個(gè)里邊可以保存比較豐富的數(shù)據(jù)類(lèi)型
                            .setClaims(map)
                        //將Key放入
                            .signWith(KEY).compact();
                    resp.getWriter().write(jws);
                })
                .failureHandler((req, resp, e) -> {
                    resp.getWriter().write("login error>>>" + e.getMessage());
                })
                .and()
                .csrf().disable()
            //拋出的異??梢栽诖双@得
                .exceptionHandling().accessDeniedHandler(new AccessDeniedHandler() {
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
                response.getWriter().write(accessDeniedException.getMessage());
            }
        });
        return http.build();
    }
}

step03-寫(xiě)一個(gè)過(guò)濾器,用戶(hù)每申請(qǐng)一個(gè)請(qǐng)求就觸碰這個(gè)類(lèi)來(lái)解析JWT字符串

/**
 * @author baize
 * @date 2023/1/5
 * @site www.qfedu.com
 * <p>
 * 這里專(zhuān)門(mén)用來(lái)解析 JWT 字符串,以后每個(gè)請(qǐng)求到達(dá)的時(shí)候都從這里去解析 JWT 字符串
 */
@Component
public class JwtFilter extends GenericFilterBean {
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        //當(dāng)是登錄接口的時(shí)候就不需要執(zhí)行下面的解析,而是直接往下別的過(guò)濾器執(zhí)行
        if (req.getRequestURI().contains("/login")) {
            //說(shuō)明是一個(gè)登錄請(qǐng)求
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        //獲取請(qǐng)求頭參數(shù)是Authorization來(lái)獲取jwt字符串
        String authorization = req.getHeader("Authorization");
        //如果請(qǐng)求頭中沒(méi)有就在請(qǐng)求參數(shù)中獲取
        if (authorization == null || "".equalsIgnoreCase(authorization)) {
            authorization = req.getParameter("token");
        }
        //如果jwt字符串不為空
        if (authorization != null && !"".equals(authorization)) {
            //因?yàn)閖wt字符串的開(kāi)頭是以Bearer 存在的
            authorization = authorization.replace("Bearer ", "");
            Jws<Claims> claimsJws = null;
            try {
                //開(kāi)始解析,將Key和jwt字符串放入
                claimsJws = Jwts.parserBuilder().setSigningKey(SecurityConfig.KEY).build().parseClaimsJws(authorization);
            } catch (Exception e) {
                servletResponse.getWriter().write("jwt error");
                return;
            }
            //獲取配置文件中存儲(chǔ)的豐富的數(shù)據(jù)類(lèi)型的對(duì)象
            Claims claims = claimsJws.getBody();
            //獲取存儲(chǔ)在map中的權(quán)限
            // ROLE_admin,ROLE_user
            String authorities = (String) claims.get("authorities");
            //將ROLE_admin,ROLE_user轉(zhuǎn)為集合
            List<SimpleGrantedAuthority> list = Arrays.stream(authorities.split(",")).map(a -> new SimpleGrantedAuthority(a)).collect(Collectors.toList());
            //獲取用戶(hù)名
            String username = claims.getSubject();
            //將獲取的用戶(hù)名和權(quán)限存入到該類(lèi)中
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, null, list);
            SecurityContextHolder.getContext().setAuthentication(token);
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
//            throw new AuthenticationServiceException("jwt error");
            servletResponse.getWriter().write("jwt error");
        }
    }
}

step04-在配置類(lèi)中的拋出異常顯示的權(quán)限不夠可以用全局異常機(jī)制

@RestControllerAdvice
public class GlobalException {
    @ExceptionHandler(AuthenticationServiceException.class)
    public String authenticationException(AuthenticationServiceException e) {
        return e.getMessage();
    }
}

13.用戶(hù)名密碼分開(kāi)提示

1.創(chuàng)造一個(gè)類(lèi),讓該類(lèi)來(lái)返回登錄成功或者失敗的信息

public class RespBean {
    private Integer status;
    private String msg;
    private Object data;
    public static RespBean ok(String msg, Object data) {
        return new RespBean(200, msg, data);
    }
    public static RespBean ok(String msg) {
        return new RespBean(200, msg, null);
    }
    public static RespBean error(String msg, Object data) {
        return new RespBean(500, msg, data);
    }
    public static RespBean error(String msg) {
        return new RespBean(500, msg, null);
    }
    private RespBean() {
    }
    private RespBean(Integer status, String msg, Object data) {
        this.status = status;
        this.msg = msg;
        this.data = data;
    }
    public Integer getStatus() {
        return status;
    }
    public void setStatus(Integer status) {
        this.status = status;
    }
    public String getMsg() {
        return msg;
    }
    public void setMsg(String msg) {
        this.msg = msg;
    }
    public Object getData() {
        return data;
    }
    public void setData(Object data) {
        this.data = data;
    }
}

2.配置登錄時(shí)的配置類(lèi)

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                //登陸成功時(shí)
                .successHandler((req, resp, authentication) -> {
                    resp.setContentType("application/json;charset=utf-8");
                    PrintWriter out = resp.getWriter();
                    RespBean respBean = RespBean.ok("登錄成功", authentication.getPrincipal());
//                    通過(guò)json將對(duì)象轉(zhuǎn)成String類(lèi)型傳到前端
                    String s = new ObjectMapper().writeValueAsString(respBean);
                    out.write(s);
                })
                .failureHandler((req, resp, e) -> {
                    resp.setContentType("application/json;charset=utf-8");
                    PrintWriter out = resp.getWriter();
                    RespBean respBean = null;
                    if (e instanceof BadCredentialsException) {
                        respBean = RespBean.error("密碼輸入錯(cuò)誤,登錄失敗");
                    } else if (e instanceof UsernameNotFoundException) {
                        respBean = RespBean.error("用戶(hù)名輸入錯(cuò)誤,登錄失敗");
                    } else if (e instanceof AccountExpiredException) {
                        respBean = RespBean.error("賬戶(hù)過(guò)期,登錄失敗");
                    } else if (e instanceof LockedException) {
                        respBean = RespBean.error("賬戶(hù)被鎖定,登錄失敗");
                    } else if (e instanceof CredentialsExpiredException) {
                        respBean = RespBean.error("密碼過(guò)期,登錄失敗");
                    } else if (e instanceof DisabledException) {
                        respBean = RespBean.error("賬戶(hù)被禁用,登錄失敗");
                    } else {
                        respBean = RespBean.error("登錄失敗");
                    }
                    String s = new ObjectMapper().writeValueAsString(respBean);
                    out.write(s);
                })
                .and()
                .csrf()
                .disable()
                .exceptionHandling()
                //當(dāng)訪(fǎng)問(wèn)一個(gè)需要認(rèn)證的地址時(shí),會(huì)調(diào)用到該方法
                .authenticationEntryPoint((req, resp, authException) -> {
                    resp.setContentType("application/json;charset=utf-8");
                    PrintWriter out = resp.getWriter();
                    RespBean respBean = RespBean.error("尚未登錄,請(qǐng)登錄");
                    String s = new ObjectMapper().writeValueAsString(respBean);
                    out.write(s);
                })
            //當(dāng)權(quán)限不足的時(shí)候,拋出異常,會(huì)在這里被捕獲
                //即 throw new AccessDeniedException("權(quán)限不足,請(qǐng)聯(lián)系管理員");拋出的異常,在這里處理
                .accessDeniedHandler((req, resp, e) -> {
                    resp.setContentType("application/json;charset=utf-8");
                    RespBean respBean = RespBean.error(e.getMessage());
                    resp.getWriter().write(new ObjectMapper().writeValueAsString(respBean));
                })
            ;
        return http.build();
    }
}

如果你想賬戶(hù)和密碼分開(kāi)提示,在.formLogin()上加這段代碼

//對(duì)象后置處理器,Spring Security 默認(rèn)已經(jīng)幫我們處理好了 DaoAuthenticationProvider Bean,該 Bean 即將注冊(cè)到 Spring 容器中,這里是一個(gè)對(duì)象的后置處理器,就是可以在這里對(duì) Bean 的屬性再做一次修改
                .withObjectPostProcessor(new ObjectPostProcessor<UsernamePasswordAuthenticationFilter>() {
                    @Override
                    public <O extends UsernamePasswordAuthenticationFilter> O postProcess(O object) {
                        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
                        daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
                        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
                        manager.createUser(User.withUsername("zhangsan").password("{noop}123").roles("admin").build());
                        daoAuthenticationProvider.setUserDetailsService(manager);
                        object.setAuthenticationManager(new ProviderManager(daoAuthenticationProvider));
                        return object;
                    }
                })

二.權(quán)限與角色

1.權(quán)限和角色的配置

step01-設(shè)置接口,每一種權(quán)限對(duì)應(yīng)不同的接口訪(fǎng)問(wèn)

@RestController
public class HelloController {
    /**
     * 只要用戶(hù)登錄了就可以訪(fǎng)問(wèn)這個(gè)接口
     *
     * @return
     */
    @GetMapping("/hello")
    public String hello() {
        return "hello";
    }
    /**
     * 用戶(hù)登錄之后,必須具備 admin 這個(gè)角色才可以訪(fǎng)問(wèn)
     * @return
     */
    @GetMapping("/admin/hello")
    public String admin() {
        return "hello admin";
    }
    /**
     * 用戶(hù)登錄之后,必須具備 user 角色才可以訪(fǎng)問(wèn)
     * @return
     */
    @GetMapping("/user/hello")
    public String user() {
        return "hello user";
    }
}

step02-在UserService中,因?yàn)樵诘卿浀臅r(shí)候就要查看有什么權(quán)限了,所以在這里設(shè)置好權(quán)限返回給User實(shí)體類(lèi)

@Service
public class UserService implements UserDetailsService {
    @Autowired
    UserMapper userMapper;
    /**
     * 根據(jù)用戶(hù)名稱(chēng)查詢(xún)用戶(hù)對(duì)象,當(dāng)用戶(hù)登錄的時(shí)候,這個(gè)方法會(huì)被自動(dòng)觸發(fā)
     *
     * @param username
     * @return
     * @throws UsernameNotFoundException
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userMapper.loadUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("用戶(hù)名不存在");
        }
        user.setRoles(userMapper.getUserRolesByUserId(user.getId()));
        return user;
    }
}

mapper接口

@Mapper
public interface UserMapper {
    User loadUserByUsername(String username);
    List<Role> getUserRolesByUserId(Integer uid);
}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
        PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.qfedu.authorize.mapper.UserMapper">
    <select resultType="com.qfedu.authorize.model.User" id="loadUserByUsername">
            select * from user where username=#{username};
    </select>
    <select id="getUserRolesByUserId" resultType="com.qfedu.authorize.model.Role">
        SELECT r.* FROM role r,user_role ur WHERE r.`id`=ur.`rid` AND ur.`uid`=#{uid}
    </select>
</mapper>

step03-定義Role的實(shí)體類(lèi),User實(shí)體類(lèi)中可能有多個(gè)Role還有配置權(quán)限的方法

public class Role {
    private Integer id;
    private String name;
    public Integer getId() {
        return id;
    }
    public void setId(Integer id) {
        this.id = id;
    }
    public String getName() {
        return name;
    }
    public void setName(String name) {
        this.name = name;
    }
}
public class User implements UserDetails {
    private Integer id;
    private String username;
    private String password;
    private String address;
    private Boolean enabled;
    //一個(gè)用戶(hù)可能有多個(gè)角色
    private List<Role> roles;
    /**
     * 獲取當(dāng)前用戶(hù)的權(quán)限/角色
     *
     * 當(dāng)系統(tǒng)需要知道當(dāng)前用戶(hù)的角色/權(quán)限的時(shí)候,都是調(diào)用這個(gè)方法。這塊跟 Shiro 不同,在 Spring Security 中,用戶(hù)的權(quán)限和角色都是通過(guò)這個(gè)方法來(lái)返回的
     *
     * @return
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
//        List<SimpleGrantedAuthority> authorities = new ArrayList<>();
//        for (Role role : roles) {
//            SimpleGrantedAuthority authority = new SimpleGrantedAuthority(role.getName());
//            authorities.add(authority);
//        }
        return roles.stream().map(r -> new SimpleGrantedAuthority(r.getName())).collect(Collectors.toList());
    }

step04-配置角色

注意:角色記得要在數(shù)據(jù)庫(kù)的前面加Role_

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                //訪(fǎng)問(wèn) /admin/** 必須具備 admin 這個(gè)角色
                //無(wú)論是 hasRole 還是 hasAuthority,最終調(diào)用的權(quán)限判斷方法都是同一個(gè),僅僅只是從參數(shù)上去區(qū)分到底是權(quán)限還是角色,如果參數(shù)是以 ROLE_ 開(kāi)始的,則表示這是一個(gè)角色;否則就是一個(gè)權(quán)限字符串
                .antMatchers("/admin/**").hasRole("admin")
                //這里會(huì)自動(dòng)給角色加上 ROLE_ 前綴
                .antMatchers("/user/**").hasRole("user")
                //剩下的所有請(qǐng)求,都必須登錄之后才可以訪(fǎng)問(wèn)
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .csrf().disable();
        return http.build();
    }
}

2.通過(guò)注解來(lái)處理角色

1.角色權(quán)限的登錄

step01-設(shè)置角色的注解,在Controller層,方法接口上寫(xiě):@PreAuthorize("hasRole('user')"):方法執(zhí)行之前進(jìn)行校驗(yàn)有沒(méi)有此角色,也可以用過(guò)@PreAuthorize("hasAuthortity('teacher:create')")權(quán)限

step02-還要在配置類(lèi)中,開(kāi)啟上面的注解的權(quán)限:@EnableGlobalMethodSecurity(prePostEnabled = true)

step03-在service層,在登錄驗(yàn)證的時(shí)候,順便獲取角色查詢(xún),但是在數(shù)據(jù)庫(kù)中role字段的值必須有前綴ROLE_

 step04-通過(guò)User方法里的方法setRoles,將從數(shù)據(jù)庫(kù)中用戶(hù)roles數(shù)據(jù)存入到內(nèi)存中

 step05-然后通過(guò)獲取的roles放入到secutity里面,這是從數(shù)據(jù)庫(kù)中獲得的角色權(quán)限,這樣就可以聯(lián)想到@PreAuthorize("hasRole('user')")進(jìn)行對(duì)比,這個(gè)用戶(hù)是否有權(quán)限

2.角色的繼承,層次關(guān)系(Hierarchy)

\r\n可以接著配多個(gè)層次關(guān)系

3.自定義權(quán)限匹配方法

1.spel(Spring express language)

    @Test
    void contextLoads() {
        //定義的表達(dá)式
        String exp1 = "1+2";
        //表達(dá)式解析器
        SpelExpressionParser parser = new SpelExpressionParser();
        //解析字符串,將字符串的內(nèi)容當(dāng)成一個(gè)表達(dá)式執(zhí)行
        Expression expression = parser.parseExpression(exp1);
        //獲取執(zhí)行的結(jié)果
        Object value = expression.getValue();
        System.out.println("value = " + value);
    }
    @Test
    public void test01() {
        User user = new User();
        user.setUsername("張三");
        //這個(gè)是計(jì)算的上下文對(duì)象
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setVariable("user", user);
        //這個(gè)表達(dá)式表示獲取 user 對(duì)象中的 username 屬性值
        // #user 表示獲取 user 對(duì)象
        String exp = "#user.username";
        SpelExpressionParser parser = new SpelExpressionParser();
        Expression expression = parser.parseExpression(exp);
        Object value = expression.getValue(ctx);
        System.out.println("value = " + value);
    }
 @Test
    public void test02() {
        //設(shè)置上下文對(duì)象
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        //獲得User類(lèi)
        User user = new User();
        ctx.setVariable("user", user);
        //調(diào)用User對(duì)象的方法
        String exp = "#user.saHello()";
        //表達(dá)式分析器
        SpelExpressionParser parser = new SpelExpressionParser();
        //解析字符串
        Expression expression = parser.parseExpression(exp);
        Object value = expression.getValue(ctx);
        System.out.println("value = " + value);
    }

到此這篇關(guān)于springSecurity使用實(shí)戰(zhàn)指南的文章就介紹到這了,更多相關(guān)springSecurity使用內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!

相關(guān)文章

  • SpringBoot配置主從數(shù)據(jù)庫(kù)實(shí)現(xiàn)讀寫(xiě)分離

    SpringBoot配置主從數(shù)據(jù)庫(kù)實(shí)現(xiàn)讀寫(xiě)分離

    現(xiàn)在的 Web 應(yīng)用大都是讀多寫(xiě)少,本文主要介紹了SpringBoot配置主從數(shù)據(jù)庫(kù)實(shí)現(xiàn)讀寫(xiě)分離,具有一定的參考價(jià)值,感興趣的可以了解一下
    2023-11-11
  • Idea啟動(dòng)SpringBoot程序報(bào)錯(cuò):Veb server failed to start. Port 8082 was already in use;端口沖突的原理與解決方案

    Idea啟動(dòng)SpringBoot程序報(bào)錯(cuò):Veb server failed to&nbs

    這篇文章主要介紹了Idea啟動(dòng)SpringBoot程序報(bào)錯(cuò):Veb server failed to start. Port 8082 was already in use;端口沖突的原理與解決方案,文中通過(guò)代碼示例介紹的非常詳細(xì),需要的朋友可以參考下
    2024-10-10
  • 強(qiáng)烈推薦 5 款好用的REST API工具(收藏)

    強(qiáng)烈推薦 5 款好用的REST API工具(收藏)

    市面上可用的 REST API 工具選項(xiàng)有很多,我們來(lái)看看其中一些開(kāi)發(fā)人員最喜歡的工具。本文通過(guò)圖文實(shí)例代碼相結(jié)合給大家介紹的非常詳細(xì),感興趣的朋友跟隨小編一起看看吧
    2020-12-12
  • springBoot集成shiro實(shí)現(xiàn)權(quán)限刷新

    springBoot集成shiro實(shí)現(xiàn)權(quán)限刷新

    在SpringBoot項(xiàng)目中集成Shiro進(jìn)行權(quán)限管理,包括基礎(chǔ)配置引入依賴(lài)、創(chuàng)建Shiro配置類(lèi)以及用戶(hù)認(rèn)證與授權(quán)實(shí)現(xiàn),具有一定的參考價(jià)值,感興趣的可以了解一下
    2024-11-11
  • Java垃圾回收之標(biāo)記清除算法詳解

    Java垃圾回收之標(biāo)記清除算法詳解

    今天小編就為大家分享一篇關(guān)于Java垃圾回收之標(biāo)記清除算法詳解,小編覺(jué)得內(nèi)容挺不錯(cuò)的,現(xiàn)在分享給大家,具有很好的參考價(jià)值,需要的朋友一起跟隨小編來(lái)看看吧
    2018-10-10
  • Java實(shí)現(xiàn)一個(gè)簡(jiǎn)單的長(zhǎng)輪詢(xún)的示例代碼

    Java實(shí)現(xiàn)一個(gè)簡(jiǎn)單的長(zhǎng)輪詢(xún)的示例代碼

    長(zhǎng)輪詢(xún)是與服務(wù)器保持即時(shí)通信的最簡(jiǎn)單的方式,它不使用任何特定的協(xié)議,例如 WebSocket ,所以也不依賴(lài)于瀏覽器版本等外部條件的兼容性。本文將用Java實(shí)現(xiàn)一個(gè)簡(jiǎn)單的長(zhǎng)輪詢(xún),需要的可以參考一下
    2022-08-08
  • 基于Java創(chuàng)建XML(無(wú)中文亂碼)過(guò)程解析

    基于Java創(chuàng)建XML(無(wú)中文亂碼)過(guò)程解析

    這篇文章主要介紹了基于Java創(chuàng)建XML(無(wú)中文亂碼)過(guò)程解析,文中通過(guò)示例代碼介紹的非常詳細(xì),對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友可以參考下
    2019-10-10
  • 簡(jiǎn)單了解springboot eureka交流機(jī)制

    簡(jiǎn)單了解springboot eureka交流機(jī)制

    這篇文章主要介紹了簡(jiǎn)單了解springboot eureka交流機(jī)制,文中通過(guò)示例代碼介紹的非常詳細(xì),對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友可以參考下
    2020-04-04
  • 解決 java.lang.NoSuchMethodError的錯(cuò)誤

    解決 java.lang.NoSuchMethodError的錯(cuò)誤

    這篇文章主要介紹了解決 java.lang.NoSuchMethodError的錯(cuò)誤的相關(guān)資料,需要的朋友可以參考下
    2017-06-06
  • 在java中main函數(shù)如何調(diào)用外部非static方法

    在java中main函數(shù)如何調(diào)用外部非static方法

    這篇文章主要介紹了在java中main函數(shù)如何調(diào)用外部非static方法,具有很好的參考價(jià)值,希望對(duì)大家有所幫助。一起跟隨小編過(guò)來(lái)看看吧
    2020-12-12

最新評(píng)論