devbox
繁依Fanyi0
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Spring Security (二):自定义登陆_springboot security 自定义登录

作者:繁依Fanyi0 | 2024-08-03 07:02:34

springboot security 自定义登录

目录

前言

引入依赖

原理解析

最佳实践

自定义AuthenticationFilter

自定义AuthenticationManager

自定义Provider

自定义UserDetailsService

自定义用户信息

自定义认证成功handler

配置SecurityConfig

项目验证

前言

        Spring Security作为当下最流行的认证授权框架,提供了非常全面且完善的认证授权流程,并且通过与Springboot的结合,极大的简化了开发与使用。spring官方也提供了详细的文档和丰富的应用实例。

官方文档:Spring Security

应用实例:https://github.com/thombergs/code-examples/tree/master/spring-security

        但在我们的实际开发工作中,我们绝大部分都是前后端分离的项目,作为后端开发人员,我们并不关心前段页面的跳转,此外,大多数前后端业务数据都是通过JSON方式传递的,并不是Spring security 默认的form 格式。以下便是一个简单的通过JSON方式自定义登陆认证的项目简介。

引入依赖

  1.         <dependency>
  2.             <groupId>org.springframework.boot</groupId>
  3.             <artifactId>spring-boot-starter-security</artifactId>
  4.         </dependency>

原理解析

        spring security 提供了一个实现了DelegatingFilterProxy的Filter,使Servlet container 的生命周期和 Spring’s ApplicationContext建立联系,从而达到通过Filter对web请求进行授权认证,具体流程如下图所示:

delegatingfilterproxy

securityfilterchain

在spring security中,所有的filter都被放在SecurityFilterChain中 按照顺序被调用处理web request.

具体的源码解析可以参考:Spring Security (一):自定义登陆_见面说Hello的博客-CSDN博客

因此,要想实现自定义登陆认证,需要自定义Filter,具体项目代码如下所示。

最佳实践

自定义AuthenticationFilter

通过JSON方式获取用户名密码

  1. public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
  2.  
  3.  
  4.     public CustomUsernamePasswordAuthenticationFilter() {
  5.         super();
  6.     }
  7.  
  8.  
  9.     @Override
  10.     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  11.         if (!request.getMethod().equals("POST") || (!request.getContentType().equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE))) {
  12.             throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
  13.         }
  14.         // 2. 判断是否是json格式请求类型
  15.         if (request.getContentType().equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE)) {
  16.             try {
  17.                 CustomUser customUser = new ObjectMapper().readValue(request.getInputStream(), CustomUser.class);
  18.                 String username = customUser.getUsername();
  19.                 String password = customUser.getPassword();
  20.                 UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
  21.                 setDetails(request, authenticationToken);
  22.                 return this.getAuthenticationManager().authenticate(authenticationToken);
  23.             } catch (IOException e) {
  24.                 throw new AuthenticationServiceException(e.getMessage());
  25.             }
  26.  
  27.         }
  28.         return super.attemptAuthentication(request, response);
  29.     }
  30. }

自定义AuthenticationManager

  1. public class CustomAuthenticationManager implements AuthenticationManager {
  2.  
  3.     public CustomAuthenticationManager() {
  4.         super();
  5.     }
  6.  
  7.     private DaoAuthenticationProvider authenticationProvider;
  8.  
  9.     public void setAuthenticationProvider(DaoAuthenticationProvider authenticationProvider) {
  10.         this.authenticationProvider = authenticationProvider;
  11.     }
  12.  
  13.     @Override
  14.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  15.         return authenticationProvider.authenticate(authentication);
  16.     }
  17. }

自定义Provider

  1. public class CustomAuthenticationProvider extends DaoAuthenticationProvider {
  2.  
  3.     public CustomAuthenticationProvider() {
  4.         super();
  5.     }
  6.  
  7. }

自定义UserDetailsService

这里我为了方便仅构造了一个Map,实际应用中应从数据库获取

  1. @Service
  2. public class CustomUserDetailsService implements UserDetailsService {
  3.  
  4.     protected static final Map<String, CustomUser> map = new HashMap<>();
  5.  
  6.     public static Map<String, CustomUser> getMap() {
  7.         return map;
  8.     }
  9.  
  10.     static {
  11.         String pwd = new BCryptPasswordEncoder().encode("userPwd");
  12.         map.put("user", new CustomUser(1L, "user", pwd));
  13.         map.put("admin", new CustomUser(2L, "admin", pwd));
  14.     }
  15.  
  16.  
  17.     @Override
  18.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  19.         CustomUser customUser = map.get(username);
  20.         if (customUser == null) {
  21.             throw new UsernameNotFoundException("username " + username + " is not found");
  22.         }
  23.         return new CustomUserDetails(customUser);
  24.     }
  25.  
  26.  
  27. }

自定义用户信息

  1. public class CustomUser implements Serializable {
  2.  
  3.     private Long userId;
  4.  
  5.     private String username;
  6.  
  7.     private String password;
  8.  
  9.     public CustomUser() {
  10.     }
  11.  
  12.  
  13.     public CustomUser(Long userId, String username, String password) {
  14.         this.userId = userId;
  15.         this.username = username;
  16.         this.password = password;
  17.     }
  18.  
  19.     public Long getUserId() {
  20.         return userId;
  21.     }
  22.  
  23.     public void setUserId(Long userId) {
  24.         this.userId = userId;
  25.     }
  26.  
  27.     public String getUsername() {
  28.         return username;
  29.     }
  30.  
  31.     public void setUsername(String username) {
  32.         this.username = username;
  33.     }
  34.  
  35.     public String getPassword() {
  36.         return password;
  37.     }
  38.  
  39.     public void setPassword(String password) {
  40.         this.password = password;
  41.     }
  42. }

自定义认证成功handler

  1. public class CustomLoginSuccessHandler implements AuthenticationSuccessHandler {
  2.  
  3.     @Override
  4.     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
  5.         response.setCharacterEncoding("UTF-8");
  6.         response.setContentType("application/json; charset=utf-8");
  7.         response.setStatus(HttpServletResponse.SC_OK);
  8.         UserDetails customUser = (UserDetails) authentication.getPrincipal();
  9.         String username = customUser.getUsername();
  10.         response.addCookie(new Cookie("username", username));
  11.         WebResponse<String> success = WebResponse.success(username);
  12.         response.getWriter().write(JSON.toJSONString(success));
  13.     }
  14. }

自定义认证失败Handler

  1. package com.study.security.config;
  2.  
  3. import com.alibaba.fastjson.JSON;
  4. import org.springframework.security.core.AuthenticationException;
  5. import org.springframework.security.web.authentication.AuthenticationFailureHandler;
  6.  
  7. import javax.servlet.ServletException;
  8. import javax.servlet.http.Cookie;
  9. import javax.servlet.http.HttpServletRequest;
  10. import javax.servlet.http.HttpServletResponse;
  11. import java.io.IOException;
  12.  
  13. /**
  14.  * @author Say Hello
  15.  * @version 1.0.0
  16.  * @Date 2023/7/27
  17.  * @Description
  18.  */
  19. public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
  20.     @Override
  21.     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
  22.         response.setCharacterEncoding("UTF-8");
  23.         response.setContentType("application/json; charset=utf-8");
  24.         response.setStatus(HttpServletResponse.SC_OK);
  25.         WebResponse<Object> fail = WebResponse.fail();
  26.         response.getWriter().write(JSON.toJSONString(fail));
  27.     }
  28. }

配置SecurityConfig

  1. package com.study.security.config;
  2.  
  3.  
  4. import com.study.security.config.cookie.CustomCookieAuthenticationFilter;
  5. import com.study.security.config.phone.CustomPhoneAuthenticationManager;
  6. import com.study.security.config.phone.CustomPhoneAuthenticationProcessingFilter;
  7. import com.study.security.config.phone.CustomPhoneAuthenticationProvider;
  8. import com.study.security.service.CustomPhoneDetailsService;
  9. import com.study.security.service.CustomUserDetailsService;
  10. import org.springframework.beans.factory.annotation.Value;
  11. import org.springframework.context.annotation.Bean;
  12. import org.springframework.context.annotation.Configuration;
  13. import org.springframework.context.annotation.Primary;
  14. import org.springframework.core.annotation.Order;
  15. import org.springframework.security.authentication.AuthenticationManager;
  16. import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
  17. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  18. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  19. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  20. import org.springframework.security.crypto.password.PasswordEncoder;
  21. import org.springframework.security.web.SecurityFilterChain;
  22. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  23.  
  24. import javax.annotation.Resource;
  25.  
  26. /**
  27.  * @author Say Hello
  28.  * @version 1.0.0
  29.  * @Date 2023/7/26
  30.  * @Description
  31.  */
  32. @Configuration
  33. @EnableWebSecurity
  34. public class SecurityConfig {
  35.  
  36.     @Value("${spring.security.custom.url.login}")
  37.     String loginUrl;
  38.  
  39.     @Resource
  40.     CustomUserDetailsService customUserDetailsService;
  41.  
  42.     @Bean
  43.     public PasswordEncoder customPasswordEncoder() {
  44.         return new BCryptPasswordEncoder();
  45.     }
  46.  
  47.     @Bean
  48.     @Order(1)
  49.     public SecurityFilterChain customSecurityFilterChain(HttpSecurity http) throws Exception {
  50.         http.authorizeRequests()
  51.                 .anyRequest().authenticated()
  52.                 .and()
  53.                 .csrf().disable()
  54.                 //向SecurityFilterChain中插入自定以的AuthenticationManager
  55.                 .authenticationManager(customAuthenticationManager())
  56.                 .authenticationManager(customPhoneAuthenticationManager())
  57.                 //向SecurityFilterChain中插入自定以的AuthenticationProvider
  58.                 .authenticationProvider(customAuthenticationProvider())
  59.                 .authenticationProvider(customPhoneAuthenticationProvider())
  60.                 .exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint())
  61.                 .and()
  62.                 .logout().logoutUrl(logoutUrl)
  63.                 .logoutSuccessHandler(new CustomLogoutSuccessHandler());
  64.         // 将loginFilter过滤器添加到UsernamePasswordAuthenticationFilter过滤器所在的位置
  65.         http.addFilterAt(customUsernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
  66.         return http.build();
  67.     }
  68.  
  69.     @Bean
  70.     public CustomUsernamePasswordAuthenticationFilter customUsernamePasswordAuthenticationFilter() {
  71.         CustomUsernamePasswordAuthenticationFilter customUsernamePasswordAuthenticationFilter = new CustomUsernamePasswordAuthenticationFilter();
  72.        //配置登陆认证的入口
  73.         customUsernamePasswordAuthenticationFilter.setFilterProcessesUrl(loginUrl);
  74.         //配置manager
  75.         customUsernamePasswordAuthenticationFilter.setAuthenticationManager(customAuthenticationManager());
  76.         //设置认证成功Handler
  77.         customUsernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(new CustomLoginSuccessHandler());
  78.         //设置认证失败Handler
  79.         customUsernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(new CustomAuthenticationFailureHandler());
  80.         return customUsernamePasswordAuthenticationFilter;
  81.     }
  82.  
  83.     @Bean
  84.     public AuthenticationManager customAuthenticationManager() {
  85.         CustomAuthenticationManager customAuthenticationManager = new CustomAuthenticationManager();
  86.         customAuthenticationManager.setAuthenticationProvider(customAuthenticationProvider());
  87.         return customAuthenticationManager;
  88.     }
  89.  
  90.  
  91.     @Bean
  92.     public DaoAuthenticationProvider customAuthenticationProvider() {
  93.         CustomAuthenticationProvider customAuthenticationProvider = new CustomAuthenticationProvider();
  94.         customAuthenticationProvider.setPasswordEncoder(customPasswordEncoder());
  95.         customAuthenticationProvider.setUserDetailsService(customUserDetailsService);
  96.         return customAuthenticationProvider;
  97.     }
  98.  
  99. }

项目验证

未登陆访问

认证失败 

认证成功

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/921910
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号