SpringSecurity笔记2-自定义认证
自定义用户
说明
- 用户名和密码通常存储于数据库中,表单输入的用户名和密码与数据库查询出来的用户名和密码进行比对
- 如下例子为SpringSecurity5.x
实现UserDetailsService接口
@Service
public class UserService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//此处根据用户名在数据库中查找,这里再也不查找,直接返回一个org.springframework.security.core.userdetails.User对象(若是是自定义的User类,须要实现UserDetails接口)
return new User(username,new BCryptPasswordEncoder().encode("123456"), AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
}
}
- AuthorityUtils.commaSeparatedStringToAuthorityList() 方法模拟一个admin的权限,该方法能够将逗号分隔的字符串转换为权限集合(理解)
- 用户认证流程
从数据库中查找用户信息,若是为空,则抛出异常,不然返回一个用户对象,再由系统提供的DaoAuthenticationProvider类去比对密码是否正确 - 若是本身编写User实体类,须要实现UserDetails 接口
编写配置类
@Configuration
public class BrowserSecurity extends WebSecurityConfigurerAdapter {
//引入自定义UserDetailsService
@Autowired
private UserService userService;
//加密
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
//配置内存认证
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//设置UserDetailsService以及密码规则
auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
}
UserDetails接口简介
自定义User类实现该接口,该接口主要有以下方法html
- getAuthorities():获取当前用户对象的角色信息
- getPassword(): 获取密码,与用户输入的密码进行比对
- getUsername: 获取当前用户对象的用户名
- isAccountNonExpired():当前用户是否未过时,可自定义逻辑判断,若是返回false,会抛出AccountExpiredException
- isAccountNonLocked() :当前用户是否未锁定,可自定义逻辑判断
- isCredentialsNonExpired(): 当前帐户密码是否未过时
- isEnabled(): 当前帐户是否可用
自定义登陆页
说明
- 在表单登陆中通常是采用本身的登陆页面
- 须要在SpringSecurity中配置相关设置
一个简单的登陆页面
- 在 resources/static 目录下编写一个登陆页面
myLogin.html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>自定义登陆页面登陆</title>
</head>
<body>
<form action="/login" method="post">
<div class="form">
<h3>帐户登陆</h3>
<input type="text" placeholder="用户名" name="username" required="required" /></br>
<input type="password" placeholder="密码" name="password" required="required" />
<button type="submit">登陆</button>
</div>
</form>
</body>
</html>
在自定义用户的基础上增长配置
总体配置以下:java
@Configuration
public class BrowserSecurity extends WebSecurityConfigurerAdapter {
//引入自定义UserDetailsService
@Autowired
private UserService userService;
//加密
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
//配置内存认证
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//设置UserDetailsService以及密码规则
auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
//配置HttpSecurity
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
//受权配置
.antMatchers("/myLogin.html").permitAll().anyRequest().authenticated()
.and()
//表单配置
.formLogin().loginPage("/myLogin.html").loginProcessingUrl("/login")
.and()
//默认都会产生一个hiden标签 里面有安全相关的验证 防止请求伪造 这边咱们暂时不须要 可禁用掉
.csrf().disable();
}
}
结果
除了登陆页面能够直接访问,其余请求须要跳转到登陆页面完成认证后才能够访问web
自定义登陆成功和失败
修改表单登陆配置
总体配置以下:spring
@Configuration
public class BrowserSecurity extends WebSecurityConfigurerAdapter {
//引入自定义UserDetailsService
@Autowired
private UserService userService;
//加密
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
//配置内存认证
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//设置UserDetailsService以及密码规则
auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}
//配置HttpSecurity
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
//受权配置
.antMatchers("/myLogin.html").permitAll().anyRequest().authenticated()
.and()
//表单配置
.formLogin().loginPage("/myLogin.html").loginProcessingUrl("/login")
.successHandler(new AuthenticationSuccessHandler() {
//登陆成功返回一段json信息
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
//Authentication authentication 包含用户登陆信息
String name = authentication.getName();
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
response.setStatus(200);
Map<String,Object> map = new HashMap<>();
map.put("status",200);
map.put("msg",name);
ObjectMapper mapper = new ObjectMapper();
out.write(mapper.writeValueAsString(map));
out.flush();
out.close();
}
})
.failureHandler(new AuthenticationFailureHandler() {
//登陆失败,根据相关异常返回失败信息
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
PrintWriter out = response.getWriter();
response.setStatus(401);
Map<String,Object> map = new HashMap<>();
map.put("status",401);
if(e instanceof LockedException){
map.put("msg","帐户被锁定");
}else if(e instanceof BadCredentialsException){
map.put("msg","帐户名或密码错误");
}else if(e instanceof DisabledException){
map.put("msg","帐户被禁用");
}else if(e instanceof AccountExpiredException){
map.put("msg","帐户已过时");
}else if(e instanceof CredentialsExpiredException){
map.put("msg","密码已过时");
}else{
map.put("msg","登陆失败");
}
ObjectMapper mapper = new ObjectMapper();
out.write(mapper.writeValueAsString(map));
out.flush();
out.close();
}
})
.and()
//默认都会产生一个hiden标签 里面有安全相关的验证 防止请求伪造 这边咱们暂时不须要 可禁用掉
.csrf().disable();
}
}
也能够自定义类实现接口的方式
- 成功登陆:实现org.springframework.security.web.authentication.AuthenticationSuccessHandler接口的onAuthenticationSuccess方法
@Component
public class MyAuthenticationSucessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
response.setContentType("application/json;charset=utf-8");
response.getWriter().write(mapper.writeValueAsString(authentication));
}
}
- 登陆失败: 实现
org.springframework.security.web.authentication.AuthenticationFailureHandler的onAuthenticationFailure方法
@Component
public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException {
}
}
- 以后在配置类中引入
@Autowired
private MyAuthenticationSucessHandler authenticationSucessHandler;
@Autowired
private MyAuthenticationFailureHandler authenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin() // 表单登陆
.successHandler(authenticationSucessHandler) // 处理登陆成功
.failureHandler(authenticationFailureHandler) // 处理登陆失败
}
结果
登陆成功
数据库登陆失败
json
相关文章
- 1. SpringSecurity之自定义认证
- 2. 使用SpringSecurity定义的登录认证
- 3. SpringSecurity学习之路6-自定义用户认证逻辑
- 4. spring security 自定义认证
- 5. 自定义认证FormAuthenticationFilter
- 6. SpringSecurity之认证
- 7. SpringSecurity自定义AuthenticationProvider和AuthenticationFilter
- 8. docker 学习笔记2 认识dockerfile自定义镜像
- 9. Ionic2学习笔记(2):自定义Component
- 10. Docker笔记(2)--自定义Tomcat Docker
- 更多相关文章...
- • 自定义TypeHandler - MyBatis教程
- • MySQL自定义函数(CREATE FUNCTION) - MySQL教程
- • Tomcat学习笔记(史上最全tomcat学习笔记)
- • RxJava操作符(十)自定义操作符
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. SpringSecurity之自定义认证
- 2. 使用SpringSecurity定义的登录认证
- 3. SpringSecurity学习之路6-自定义用户认证逻辑
- 4. spring security 自定义认证
- 5. 自定义认证FormAuthenticationFilter
- 6. SpringSecurity之认证
- 7. SpringSecurity自定义AuthenticationProvider和AuthenticationFilter
- 8. docker 学习笔记2 认识dockerfile自定义镜像
- 9. Ionic2学习笔记(2):自定义Component
- 10. Docker笔记(2)--自定义Tomcat Docker