网站设计创意方案,常德地区网站建设,简单网站开发实例教程,什么时候友情链接简介
Spring Security是一个专注于为Java程序提供身份认证和授权的框架#xff0c;他可以轻松扩展以满足自定义的需求
特征
对身份的认证和授权提供全面的、可扩展的支持防止各种攻击#xff0c;如回话固定攻击、点击劫持、csrf攻击等支持与Servlet API、Spring MVC等Web技…简介
Spring Security是一个专注于为Java程序提供身份认证和授权的框架他可以轻松扩展以满足自定义的需求
特征
对身份的认证和授权提供全面的、可扩展的支持防止各种攻击如回话固定攻击、点击劫持、csrf攻击等支持与Servlet API、Spring MVC等Web技术集成
引入依赖
dependencygroupIdorg.springframework.boot/groupIdartifactIdspring-boot-starter-security/artifactId
/dependency只要引入依赖Spring Security会立刻对该项目生效。自动生成账号密码管理用户登录并使用它自带的登录界面。
更改Spring Security的配置
// User.java
public class User implements UserDetails {private int id;private String username;private String password;private String salt;private String email;private int type;private int status;private String activationCode;private String headerUrl;private Date createTime;public int getId() {return id;}public void setId(int id) {this.id id;}public String getUsername() {return username;}public void setUsername(String username) {this.username username;}public String getPassword() {return password;}public void setPassword(String password) {this.password password;}public String getSalt() {return salt;}public void setSalt(String salt) {this.salt salt;}public String getEmail() {return email;}public void setEmail(String email) {this.email email;}public int getType() {return type;}public void setType(int type) {this.type type;}public int getStatus() {return status;}public void setStatus(int status) {this.status status;}public String getActivationCode() {return activationCode;}public void setActivationCode(String activationCode) {this.activationCode activationCode;}public String getHeaderUrl() {return headerUrl;}public void setHeaderUrl(String headerUrl) {this.headerUrl headerUrl;}public Date getCreateTime() {return createTime;}public void setCreateTime(Date createTime) {this.createTime createTime;}Overridepublic String toString() {return User{ id id , username username \ , password password \ , salt salt \ , email email \ , type type , status status , activationCode activationCode \ , headerUrl headerUrl \ , createTime createTime };}// true: 账号未过期.Overridepublic boolean isAccountNonExpired() {return true;}// true: 账号未锁定.Overridepublic boolean isAccountNonLocked() {return true;}// true: 凭证未过期.Overridepublic boolean isCredentialsNonExpired() {return true;}// true: 账号可用.Overridepublic boolean isEnabled() {return true;}Overridepublic Collection? extends GrantedAuthority getAuthorities() {ListGrantedAuthority list new ArrayList();list.add(new GrantedAuthority() {Overridepublic String getAuthority() {switch (type) {case 1:return ADMIN;default:return USER;}}});return list;}}// UserService.java
// Spring Security底层本身就有自动判断账号密码的功能依赖于UserDetailsService接口
// 在UserService中实现的原因是UserService中有查询用户的功能
Service
public class UserService implements UserDetailsService {Autowiredprivate UserMapper userMapper;public User findUserByName(String username) {return userMapper.selectByName(username);}Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {return this.findUserByName(username);}
}Spring Security配置类
// SecurityConfig.java
Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {Autowiredprivate UserService userService;Overridepublic void configure(WebSecurity web) throws Exception {// 忽略静态资源的访问提高性能web.ignoring().antMatchers(/resources/**);}// AuthenticationManager: 认证的核心接口.// AuthenticationManagerBuilder: 用于构建AuthenticationManager对象的工具.// ProviderManager: AuthenticationManager接口的默认实现类.Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {// 内置的认证规则// auth.userDetailsService(userService).passwordEncoder(new Pbkdf2PasswordEncoder(12345));// 自定义认证规则// AuthenticationProvider: ProviderManager持有一组AuthenticationProvider,每个AuthenticationProvider负责一种认证.// 委托模式: ProviderManager将认证委托给AuthenticationProvider.auth.authenticationProvider(new AuthenticationProvider() {// Authentication: 用于封装认证信息的接口,不同的实现类代表不同类型的认证信息.// 此处Authentication代表封装账号密码的实现类Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {// 获取账号String username authentication.getName();// 获取密码String password (String) authentication.getCredentials();User user userService.findUserByName(username);if (user null) {throw new UsernameNotFoundException(账号不存在!);}password CommunityUtil.md5(password user.getSalt());if (!user.getPassword().equals(password)) {throw new BadCredentialsException(密码不正确!);}// principal: 主要信息; credentials: 证书通常为密码; authorities: 权限;return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());}// 当前的AuthenticationProvider支持哪种类型的认证.Overridepublic boolean supports(Class? aClass) {// UsernamePasswordAuthenticationToken: Authentication接口的常用的实现类.return UsernamePasswordAuthenticationToken.class.equals(aClass);}});}Overrideprotected void configure(HttpSecurity http) throws Exception {// 登录相关配置http.formLogin().loginPage(/loginpage).loginProcessingUrl(/login).successHandler(new AuthenticationSuccessHandler() {Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {response.sendRedirect(request.getContextPath() /index);}}).failureHandler(new AuthenticationFailureHandler() {Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {request.setAttribute(error, e.getMessage());request.getRequestDispatcher(/loginpage).forward(request, response);}});// 退出相关配置http.logout().logoutUrl(/logout).logoutSuccessHandler(new LogoutSuccessHandler() {Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {response.sendRedirect(request.getContextPath() /index);}});// 授权配置http.authorizeRequests().antMatchers(/letter).hasAnyAuthority(USER, ADMIN).antMatchers(/admin).hasAnyAuthority(ADMIN).and().exceptionHandling().accessDeniedPage(/denied);// 增加Filter,处理验证码http.addFilterBefore(new Filter() {Overridepublic void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {HttpServletRequest request (HttpServletRequest) servletRequest;HttpServletResponse response (HttpServletResponse) servletResponse;if (request.getServletPath().equals(/login)) {String verifyCode request.getParameter(verifyCode);if (verifyCode null || !verifyCode.equalsIgnoreCase(1234)) {request.setAttribute(error, 验证码错误!);request.getRequestDispatcher(/loginpage).forward(request, response);return;}}// 让请求继续向下执行.filterChain.doFilter(request, response);}}, UsernamePasswordAuthenticationFilter.class);// 记住我http.rememberMe().tokenRepository(new InMemoryTokenRepositoryImpl()).tokenValiditySeconds(3600 * 24).userDetailsService(userService);}
}
