Spring security 自定义过滤器 Spring security 自定义过滤器实现Json参数传递并兼容表单参数(实例代码)
人气:0依赖
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <optional>true</optional> </dependency> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <optional>true</optional> </dependency>
配置安全适配类基本配置和配置自定义过滤器
package com.study.auth.config.core; import com.study.auth.config.core.authentication.AccountAuthenticationProvider; import com.study.auth.config.core.authentication.MailAuthenticationProvider; import com.study.auth.config.core.authentication.PhoneAuthenticationProvider; import com.study.auth.config.core.filter.CustomerUsernamePasswordAuthenticationFilter; import com.study.auth.config.core.handler.CustomerAuthenticationFailureHandler; import com.study.auth.config.core.handler.CustomerAuthenticationSuccessHandler; import com.study.auth.config.core.handler.CustomerLogoutSuccessHandler; import com.study.auth.config.core.observer.CustomerUserDetailsService; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; /** * @Package: com.study.auth.config * @Description: <> * @Author: milla * @CreateDate: 2020/09/04 11:27 * @UpdateUser: milla * @UpdateDate: 2020/09/04 11:27 * @UpdateRemark: <> * @Version: 1.0 */ @Slf4j @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private AccountAuthenticationProvider provider; @Autowired private MailAuthenticationProvider mailProvider; @Autowired private PhoneAuthenticationProvider phoneProvider; @Autowired private CustomerUserDetailsService userDetailsService; @Autowired private CustomerAuthenticationSuccessHandler successHandler; @Autowired private CustomerAuthenticationFailureHandler failureHandler; @Autowired private CustomerLogoutSuccessHandler logoutSuccessHandler; /** * 配置拦截器保护请求 * * @param http * @throws Exception */ @Override protected void configure(HttpSecurity http) throws Exception { //配置HTTP基本身份验证//使用自定义过滤器-兼容json和表单登录 http.addFilterBefore(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) .httpBasic() .and().authorizeRequests() //表示访问 /setting 这个接口,需要具备 admin 这个角色 .antMatchers("/setting").hasRole("admin") //表示剩余的其他接口,登录之后就能访问 .anyRequest() .authenticated() .and() .formLogin() //定义登录页面,未登录时,访问一个需要登录之后才能访问的接口,会自动跳转到该页面 .loginPage("/noToken") //登录处理接口-登录时候访问的接口地址 .loginProcessingUrl("/account/login") //定义登录时,表单中用户名的 key,默认为 username .usernameParameter("username") //定义登录时,表单中用户密码的 key,默认为 password .passwordParameter("password") // //登录成功的处理器 // .successHandler(successHandler) // //登录失败的处理器 // .failureHandler(failureHandler) //允许所有用户访问 .permitAll() .and() .logout() .logoutUrl("/logout") //登出成功的处理 .logoutSuccessHandler(logoutSuccessHandler) .permitAll(); //关闭csrf跨域攻击防御 http.csrf().disable(); } /** * 配置权限认证服务 * * @param auth * @throws Exception */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { //权限校验-只要有一个认证通过即认为是通过的(有一个认证通过就跳出认证循环)-适用于多登录方式的系统 // auth.authenticationProvider(provider); // auth.authenticationProvider(mailProvider); // auth.authenticationProvider(phoneProvider); //直接使用userDetailsService auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder()); } /** * 配置Spring Security的Filter链 * * @param web * @throws Exception */ @Override public void configure(WebSecurity web) throws Exception { //忽略拦截的接口 web.ignoring().antMatchers("/noToken"); } /** * 指定验证manager * * @return * @throws Exception */ @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } /** * 注册自定义的UsernamePasswordAuthenticationFilter * * @return * @throws Exception */ @Bean public AbstractAuthenticationProcessingFilter customAuthenticationFilter() throws Exception { AbstractAuthenticationProcessingFilter filter = new CustomerUsernamePasswordAuthenticationFilter(); filter.setAuthenticationSuccessHandler(successHandler); filter.setAuthenticationFailureHandler(failureHandler); //过滤器拦截的url要和登录的url一致,否则不生效 filter.setFilterProcessesUrl("/account/login"); //这句很关键,重用WebSecurityConfigurerAdapter配置的AuthenticationManager,不然要自己组装AuthenticationManager filter.setAuthenticationManager(authenticationManagerBean()); return filter; } }
自定义过滤器根据ContentType是否为json进行判断,如果是就从body中读取参数,进行解析,并生成权限实体,进行权限认证
否则直接使用UsernamePasswordAuthenticationFilter中的方法
package com.study.auth.config.core.filter; import com.fasterxml.jackson.databind.ObjectMapper; import com.study.auth.config.core.util.AuthenticationStoreUtil; import com.study.auth.entity.bo.LoginBO; import lombok.extern.slf4j.Slf4j; import org.springframework.http.MediaType; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.InputStream; /** * @Package: com.study.auth.config.core.filter * @Description: <> * @Author: milla * @CreateDate: 2020/09/11 16:04 * @UpdateUser: milla * @UpdateDate: 2020/09/11 16:04 * @UpdateRemark: <> * @Version: 1.0 */ @Slf4j public class CustomerUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter { /** * 空字符串 */ private final String EMPTY = ""; @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { //如果不是json使用自带的过滤器获取参数 if (!request.getContentType().equals(MediaType.APPLICATION_JSON_UTF8_VALUE) && !request.getContentType().equals(MediaType.APPLICATION_JSON_VALUE)) { String username = this.obtainUsername(request); String password = this.obtainPassword(request); storeAuthentication(username, password); Authentication authentication = super.attemptAuthentication(request, response); return authentication; } //如果是json请求使用取参数逻辑 ObjectMapper mapper = new ObjectMapper(); UsernamePasswordAuthenticationToken authRequest = null; try (InputStream is = request.getInputStream()) { LoginBO account = mapper.readValue(is, LoginBO.class); storeAuthentication(account.getUsername(), account.getPassword()); authRequest = new UsernamePasswordAuthenticationToken(account.getUsername(), account.getPassword()); } catch (IOException e) { log.error("验证失败:{}", e); authRequest = new UsernamePasswordAuthenticationToken(EMPTY, EMPTY); } finally { setDetails(request, authRequest); Authentication authenticate = this.getAuthenticationManager().authenticate(authRequest); return authenticate; } } /** * 保存用户名和密码 * * @param username 帐号/邮箱/手机号 * @param password 密码/验证码 */ private void storeAuthentication(String username, String password) { AuthenticationStoreUtil.setUsername(username); AuthenticationStoreUtil.setPassword(password); } }
其中会有body中的传参问题,所以使用ThreadLocal传递参数
PS:枚举类具备线程安全性
package com.study.auth.config.core.util; /** * @Package: com.study.auth.config.core.util * @Description: <使用枚举可以保证线程安全> * @Author: milla * @CreateDate: 2020/09/11 17:48 * @UpdateUser: milla * @UpdateDate: 2020/09/11 17:48 * @UpdateRemark: <> * @Version: 1.0 */ public enum AuthenticationStoreUtil { AUTHENTICATION; /** * 登录认证之后的token */ private final ThreadLocal<String> tokenStore = new ThreadLocal<>(); /** * 需要验证用户名 */ private final ThreadLocal<String> usernameStore = new ThreadLocal<>(); /** * 需要验证的密码 */ private final ThreadLocal<String> passwordStore = new ThreadLocal<>(); public static String getUsername() { return AUTHENTICATION.usernameStore.get(); } public static void setUsername(String username) { AUTHENTICATION.usernameStore.set(username); } public static String getPassword() { return AUTHENTICATION.passwordStore.get(); } public static void setPassword(String password) { AUTHENTICATION.passwordStore.set(password); } public static String getToken() { return AUTHENTICATION.tokenStore.get(); } public static void setToken(String token) { AUTHENTICATION.tokenStore.set(token); } public static void clear() { AUTHENTICATION.tokenStore.remove(); AUTHENTICATION.passwordStore.remove(); AUTHENTICATION.usernameStore.remove(); } }
实现UserDetailsService接口
package com.study.auth.config.core.observer; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.stereotype.Component; /** * @Package: com.study.auth.config.core * @Description: <自定义用户处理类> * @Author: milla * @CreateDate: 2020/09/04 13:53 * @UpdateUser: milla * @UpdateDate: 2020/09/04 13:53 * @UpdateRemark: <> * @Version: 1.0 */ @Slf4j @Component public class CustomerUserDetailsService implements UserDetailsService { @Autowired private PasswordEncoder passwordEncoder; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { //测试直接使用固定账户代替 return User.withUsername("admin").password(passwordEncoder.encode("admin")).roles("admin", "user").build(); } }
登录成功类
package com.study.auth.config.core.handler; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @Package: com.study.auth.config.core.handler * @Description: <登录成功处理类> * @Author: milla * @CreateDate: 2020/09/08 17:39 * @UpdateUser: milla * @UpdateDate: 2020/09/08 17:39 * @UpdateRemark: <> * @Version: 1.0 */ @Component public class CustomerAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { HttpServletResponseUtil.loginSuccess(response); } }
登录失败
package com.study.auth.config.core.handler; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @Package: com.study.auth.config.core.handler * @Description: <登录失败操作类> * @Author: milla * @CreateDate: 2020/09/08 17:42 * @UpdateUser: milla * @UpdateDate: 2020/09/08 17:42 * @UpdateRemark: <> * @Version: 1.0 */ @Component public class CustomerAuthenticationFailureHandler implements AuthenticationFailureHandler { @Override public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException { HttpServletResponseUtil.loginFailure(response, exception); } }
登出成功类
package com.study.auth.config.core.handler; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; /** * @Package: com.study.auth.config.core.handler * @Description: <登出成功> * @Author: milla * @CreateDate: 2020/09/08 17:44 * @UpdateUser: milla * @UpdateDate: 2020/09/08 17:44 * @UpdateRemark: <> * @Version: 1.0 */ @Component public class CustomerLogoutSuccessHandler implements LogoutSuccessHandler { @Override public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { HttpServletResponseUtil.logoutSuccess(response); } }
返回值工具类
package com.study.auth.config.core.handler; import com.alibaba.fastjson.JSON; import com.study.auth.comm.ResponseData; import com.study.auth.constant.CommonConstant; import org.springframework.http.MediaType; import org.springframework.security.core.AuthenticationException; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; /** * @Package: com.study.auth.config.core.handler * @Description: <> * @Author: milla * @CreateDate: 2020/09/08 17:45 * @UpdateUser: milla * @UpdateDate: 2020/09/08 17:45 * @UpdateRemark: <> * @Version: 1.0 */ public final class HttpServletResponseUtil { public static void loginSuccess(HttpServletResponse resp) throws IOException { ResponseData success = ResponseData.success(); success.setMsg("login success"); response(resp, success); } public static void logoutSuccess(HttpServletResponse resp) throws IOException { ResponseData success = ResponseData.success(); success.setMsg("logout success"); response(resp, success); } public static void loginFailure(HttpServletResponse resp, AuthenticationException exception) throws IOException { ResponseData failure = ResponseData.error(CommonConstant.EX_RUN_TIME_EXCEPTION, exception.getMessage()); response(resp, failure); } private static void response(HttpServletResponse resp, ResponseData data) throws IOException { //直接输出的时候还是需要使用UTF-8字符集 resp.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE); PrintWriter out = resp.getWriter(); out.write(JSON.toJSONString(data)); out.flush(); } }
其他对象见Controller 层返回值的公共包装类-避免每次都包装一次返回-InitializingBean增强
至此,就可以传递Json参数了
加载全部内容