spring security使用分類:
成都創(chuàng)新互聯(lián)-專業(yè)網(wǎng)站定制�����、快速模板網(wǎng)站建設(shè)、高性價比廣漢網(wǎng)站開發(fā)��、企業(yè)建站全套包干低至880元,成熟完善的模板庫,直接使用��。一站式廣漢網(wǎng)站制作公司更省心,省錢,快速模板網(wǎng)站建設(shè)找我們����,業(yè)務(wù)覆蓋廣漢地區(qū)�。費(fèi)用合理售后完善�����,十余年實(shí)體公司更值得信賴�����。
如何使用spring security�����,相信百度過的都知道����,總共有四種用法��,從簡到深為:
1����、不用數(shù)據(jù)庫,全部數(shù)據(jù)寫在配置文件�����,這個也是官方文檔里面的demo;
2����、使用數(shù)據(jù)庫,根據(jù)spring security默認(rèn)實(shí)現(xiàn)代碼設(shè)計數(shù)據(jù)庫�,也就是說數(shù)據(jù)庫已經(jīng)固定了,這種方法不靈活���,而且那個數(shù)據(jù)庫設(shè)計得很簡陋��,實(shí)用性差�����;
3���、spring security和Acegi不同,它不能修改默認(rèn)filter了����,但支持插入filter,所以根據(jù)這個���,我們可以插入自己的filter來靈活使用����;
4、暴力手段���,修改源碼���,前面說的修改默認(rèn)filter只是修改配置文件以替換filter而已,這種是直接改了里面的源碼�,但是這種不符合OO設(shè)計原則,而且不實(shí)際�����,不可用��。
本文主要介紹了關(guān)于spring security自定義認(rèn)證登錄的相關(guān)內(nèi)容���,分享出來供大家參考學(xué)習(xí),下面話不多說了�����,來一起看看詳細(xì)的介紹吧。
1.概要
1.1.簡介
spring security是一種基于 Spring AOP 和 Servlet 過濾器的安全框架�����,以此來管理權(quán)限認(rèn)證等���。
1.2.spring security 自定義認(rèn)證流程
1)認(rèn)證過程
生成未認(rèn)證的AuthenticationToken
↑(獲取信息) (根據(jù)AuthenticationToken分配provider)
AuthenticationFilter -> AuthenticationManager -> AuthenticationProvider
↓(認(rèn)證)
UserDetails(一般查詢數(shù)據(jù)庫獲?����。? ↓(通過)
生成認(rèn)證成功的AuthenticationToken
↓(存放)
SecurityContextHolder2)將AuthenticationFilter加入到security過濾鏈(資源服務(wù)器中配置)����,如:
http.addFilterBefore(AuthenticationFilter, AbstractPreAuthenticatedProcessingFilter.class)
或者:
http.addFilterAfter(AuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
2.以手機(jī)號短信登錄為例
2.1.開發(fā)環(huán)境
- SpringBoot
- Spring security
- redis
2.2.核心代碼分析
2.2.1.自定義登錄認(rèn)證流程
2.2.1.1.自定義認(rèn)證登錄Token
/**
* 手機(jī)登錄Token
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationToken.class.getName());
private final Object principal;
public MobileLoginAuthenticationToken(String mobile) {
super(null);
this.principal = mobile;
this.setAuthenticated(false);
logger.info("MobileLoginAuthenticationToken setAuthenticated ->false loading ...");
}
public MobileLoginAuthenticationToken(Object principal,
Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
// must use super, as we override
super.setAuthenticated(true);
logger.info("MobileLoginAuthenticationToken setAuthenticated ->true loading ...");
}
@Override
public void setAuthenticated(boolean authenticated) {
if (authenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}注:
setAuthenticated():判斷是否已認(rèn)證
- 在過濾器時�����,會生成一個未認(rèn)證的AuthenticationToken�,此時調(diào)用的是自定義token的setAuthenticated(),此時設(shè)置為false -> 未認(rèn)證
- 在提供者時����,會生成一個已認(rèn)證的AuthenticationToken,此時調(diào)用的是父類的setAuthenticated()��,此時設(shè)置為true -> 已認(rèn)證
2.2.1.1.自定義認(rèn)證登錄過濾器
/**
* 手機(jī)短信登錄過濾器
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private boolean postOnly = true;
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationFilter.class.getName());
@Getter
@Setter
private String mobileParameterName;
public MobileLoginAuthenticationFilter(String mobileLoginUrl, String mobileParameterName,
String httpMethod) {
super(new AntPathRequestMatcher(mobileLoginUrl, httpMethod));
this.mobileParameterName = mobileParameterName;
logger.info("MobileLoginAuthenticationFilter loading ...");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals(HttpMethod.POST.name())) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
}
//get mobile
String mobile = obtainMobile(request);
//assemble token
MobileLoginAuthenticationToken authRequest = new MobileLoginAuthenticationToken(mobile);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
/**
* 設(shè)置身份認(rèn)證的詳情信息
*/
private void setDetails(HttpServletRequest request, MobileLoginAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
/**
* 獲取手機(jī)號
*/
private String obtainMobile(HttpServletRequest request) {
return request.getParameter(mobileParameterName);
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
}注:attemptAuthentication()方法:
- 過濾指定的url、httpMethod
- 獲取所需請求參數(shù)數(shù)據(jù)封裝生成一個未認(rèn)證的AuthenticationToken
- 傳遞給AuthenticationManager認(rèn)證
2.2.1.1.自定義認(rèn)證登錄提供者
/**
* 手機(jī)短信登錄認(rèn)證提供者
*
* @author : CatalpaFlat
*/
public class MobileLoginAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationProvider.class.getName());
@Getter
@Setter
private UserDetailsService customUserDetailsService;
public MobileLoginAuthenticationProvider() {
logger.info("MobileLoginAuthenticationProvider loading ...");
}
/**
* 認(rèn)證
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
//獲取過濾器封裝的token信息
MobileLoginAuthenticationToken authenticationToken = (MobileLoginAuthenticationToken) authentication;
//獲取用戶信息(數(shù)據(jù)庫認(rèn)證)
UserDetails userDetails = customUserDetailsService.loadUserByUsername((String) authenticationToken.getPrincipal());
//不通過
if (userDetails == null) {
throw new InternalAuthenticationServiceException("Unable to obtain user information");
}
//通過
MobileLoginAuthenticationToken authenticationResult = new MobileLoginAuthenticationToken(userDetails, userDetails.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
/**
* 根據(jù)token類型�,來判斷使用哪個Provider
*/
@Override
public boolean supports(Class<?> authentication) {
return MobileLoginAuthenticationToken.class.isAssignableFrom(authentication);
}
}注:authenticate()方法
- 獲取過濾器封裝的token信息
- 調(diào)取UserDetailsService獲取用戶信息(數(shù)據(jù)庫認(rèn)證)->判斷通過與否
- 通過則封裝一個新的AuthenticationToken,并返回
2.2.1.1.自定義認(rèn)證登錄認(rèn)證配置
@Configuration(SpringBeanNameConstant.DEFAULT_CUSTOM_MOBILE_LOGIN_AUTHENTICATION_SECURITY_CONFIG_BN)
public class MobileLoginAuthenticationSecurityConfig extends SecurityConfigurerAdapter {
private static final Logger logger = LoggerFactory.getLogger(MobileLoginAuthenticationSecurityConfig.class.getName());
@Value("${login.mobile.url}")
private String defaultMobileLoginUrl;
@Value("${login.mobile.parameter}")
private String defaultMobileLoginParameter;
@Value("${login.mobile.httpMethod}")
private String defaultMobileLoginHttpMethod;
@Autowired
private CustomYmlConfig customYmlConfig;
@Autowired
private UserDetailsService customUserDetailsService;
@Autowired
private AuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler customAuthenticationFailureHandler;
public MobileLoginAuthenticationSecurityConfig() {
logger.info("MobileLoginAuthenticationSecurityConfig loading ...");
}
@Override
public void configure(HttpSecurity http) throws Exception {
MobilePOJO mobile = customYmlConfig.getLogins().getMobile();
String url = mobile.getUrl();
String parameter = mobile.getParameter().getMobile();
String httpMethod = mobile.getHttpMethod();
MobileLoginAuthenticationFilter mobileLoginAuthenticationFilter = new MobileLoginAuthenticationFilter(StringUtils.isBlank(url) ? defaultMobileLoginUrl : url,
StringUtils.isBlank(parameter) ? defaultMobileLoginUrl : parameter, StringUtils.isBlank(httpMethod) ? defaultMobileLoginHttpMethod : httpMethod); mobileLoginAuthenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class)); mobileLoginAuthenticationFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler); mobileLoginAuthenticationFilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
MobileLoginAuthenticationProvider mobileLoginAuthenticationProvider = new MobileLoginAuthenticationProvider(); mobileLoginAuthenticationProvider.setCustomUserDetailsService(customUserDetailsService);
http.authenticationProvider(mobileLoginAuthenticationProvider)
.addFilterAfter(mobileLoginAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}
}
注:configure()方法
實(shí)例化AuthenticationFilter和AuthenticationProvider
將AuthenticationFilter和AuthenticationProvider添加到spring security中����。
2.2.2.基于redis自定義驗(yàn)證碼校驗(yàn)
2.2.2.1.基于redis自定義驗(yàn)證碼過濾器
/**
* 驗(yàn)證碼過濾器
*
* @author : CatalpaFlat
*/
@Component(SpringBeanNameConstant.DEFAULT_VALIDATE_CODE_FILTER_BN)
public class ValidateCodeFilter extends OncePerRequestFilter implements InitializingBean {
private static final Logger logger = LoggerFactory.getLogger(ValidateCodeFilter.class.getName());
@Autowired
private CustomYmlConfig customYmlConfig;
@Autowired
private RedisTemplate redisTemplate;
/**
* 驗(yàn)證請求url與配置的url是否匹配的工具類
*/
private AntPathMatcher pathMatcher = new AntPathMatcher();
public ValidateCodeFilter() {
logger.info("Loading ValidateCodeFilter...");
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
String url = customYmlConfig.getLogins().getMobile().getUrl();
if (pathMatcher.match(url, request.getRequestURI())) {
String deviceId = request.getHeader("deviceId");
if (StringUtils.isBlank(deviceId)) {
throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not deviceId in the head of the request");
}
String codeParamName = customYmlConfig.getLogins().getMobile().getParameter().getCode();
String code = request.getParameter(codeParamName);
if (StringUtils.isBlank(code)) {
throw new CustomException(HttpStatus.NOT_ACCEPTABLE.value(), "Not code in the parameters of the request");
}
String key = SystemConstant.DEFAULT_MOBILE_KEY_PIX + deviceId;
SmsCodePO smsCodePo = (SmsCodePO) redisTemplate.opsForValue().get(key);
if (smsCodePo.isExpried()){
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "The verification code has expired");
}
String smsCode = smsCodePo.getCode();
if (StringUtils.isBlank(smsCode)) {
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Verification code does not exist");
}
if (StringUtils.equals(code, smsCode)) {
redisTemplate.delete(key);
//let it go
filterChain.doFilter(request, response);
} else {
throw new CustomException(HttpStatus.BAD_REQUEST.value(), "Validation code is incorrect");
}
}else {
//let it go
filterChain.doFilter(request, response);
}
}
}注:doFilterInternal()
自定義驗(yàn)證碼過濾校驗(yàn)
2.2.2.2.將自定義驗(yàn)證碼過濾器添加到spring security過濾器鏈
http.addFilterBefore(validateCodeFilter, AbstractPreAuthenticatedProcessingFilter.class)
注:添加到認(rèn)證預(yù)處理過濾器前
3.測試效果
最后附上源碼地址:https://gitee.com/CatalpaFlat/springSecurity.git (本地下載)
總結(jié)
以上就是這篇文章的全部內(nèi)容了,希望本文的內(nèi)容對大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價值�,如果有疑問大家可以留言交流,謝謝大家對創(chuàng)新互聯(lián)的支持��。
新聞標(biāo)題:springsecurity自定義認(rèn)證登錄的全過程記錄
轉(zhuǎn)載注明:
http://weahome.cn/article/jpoojg.html
重慶分公司
重慶分公司
