我要评论简介
spring security是一个功能强大的java安全框架,它提供了全面的安全认证(authentication)和授权(authorization)的支持
与rbac模型结合使用时,spring security能够实现灵活权限控制
spring security配置
spring security的配置类是实现安全控制的核心部分
开启spring security各种功能,以确保web应用程序的安全性,包括认证、授权、会话管理、过滤器添加等
配置实现代码
com.sky.framework.config.securityconfig
package com.sky.framework.config;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.bean;
import org.springframework.http.httpmethod;
import org.springframework.security.authentication.authenticationmanager;
import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;
import org.springframework.security.config.annotation.method.configuration.enableglobalmethodsecurity;
import org.springframework.security.config.annotation.web.builders.httpsecurity;
import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;
import org.springframework.security.config.annotation.web.configurers.expressionurlauthorizationconfigurer;
import org.springframework.security.config.http.sessioncreationpolicy;
import org.springframework.security.core.userdetails.userdetailsservice;
import org.springframework.security.crypto.bcrypt.bcryptpasswordencoder;
import org.springframework.security.web.authentication.usernamepasswordauthenticationfilter;
import org.springframework.security.web.authentication.logout.logoutfilter;
import org.springframework.web.filter.corsfilter;
import com.sky.framework.config.properties.permitallurlproperties;
import com.sky.framework.security.filter.jwtauthenticationtokenfilter;
import com.sky.framework.security.handle.authenticationentrypointimpl;
import com.sky.framework.security.handle.logoutsuccesshandlerimpl;
/**
* spring security配置
*
* @author ruoyi
*/
//开启方法级别的权限控制
@enableglobalmethodsecurity(prepostenabled = true, securedenabled = true)
public class securityconfig extends websecurityconfigureradapter
{
/**
* 自定义用户认证逻辑
*/
@autowired
private userdetailsservice userdetailsservice;
/**
* 认证失败处理类
*/
@autowired
private authenticationentrypointimpl unauthorizedhandler;
/**
* 退出处理类
*/
@autowired
private logoutsuccesshandlerimpl logoutsuccesshandler;
/**
* token认证过滤器
*/
@autowired
private jwtauthenticationtokenfilter authenticationtokenfilter;
/**
* 跨域过滤器
*/
@autowired
private corsfilter corsfilter;
/**
* 允许匿名访问的地址
*/
@autowired
private permitallurlproperties permitallurl;
/**
* 解决 无法直接注入 authenticationmanager
*
* @return
* @throws exception
*/
@bean
@override
public authenticationmanager authenticationmanagerbean() throws exception
{
return super.authenticationmanagerbean();
}
/**
* anyrequest | 匹配所有请求路径
* access | springel表达式结果为true时可以访问
* anonymous | 匿名可以访问
* denyall | 用户不能访问
* fullyauthenticated | 用户完全认证可以访问(非remember-me下自动登录)
* hasanyauthority | 如果有参数,参数表示权限,则其中任何一个权限可以访问
* hasanyrole | 如果有参数,参数表示角色,则其中任何一个角色可以访问
* hasauthority | 如果有参数,参数表示权限,则其权限可以访问
* hasipaddress | 如果有参数,参数表示ip地址,如果用户ip和参数匹配,则可以访问
* hasrole | 如果有参数,参数表示角色,则其角色可以访问
* permitall | 用户可以任意访问
* rememberme | 允许通过remember-me登录的用户访问
* authenticated | 用户登录后可访问
*/
@override
protected void configure(httpsecurity httpsecurity) throws exception
{
// 注解标记允许匿名访问的url
expressionurlauthorizationconfigurer<httpsecurity>.expressionintercepturlregistry registry = httpsecurity.authorizerequests();
permitallurl.geturls().foreach(url -> registry.antmatchers(url).permitall());
httpsecurity
// csrf禁用,因为不使用session
.csrf().disable()
// 禁用http响应标头
.headers().cachecontrol().disable().and()
// 认证失败处理类
.exceptionhandling().authenticationentrypoint(unauthorizedhandler).and()
// 基于token,所以不需要session
.sessionmanagement().sessioncreationpolicy(sessioncreationpolicy.stateless).and()
// 过滤请求
.authorizerequests()
// 对于登录login 注册register 验证码captchaimage 允许匿名访问
.antmatchers("/login", "/register", "/captchaimage").permitall()
// 静态资源,可匿名访问
.antmatchers(httpmethod.get, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitall()
.antmatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitall()
// 除上面外的所有请求全部需要鉴权认证
.anyrequest().authenticated()
.and()
.headers().frameoptions().disable();
// 添加logout filter
httpsecurity.logout().logouturl("/logout").logoutsuccesshandler(logoutsuccesshandler);
// 添加jwt filter
httpsecurity.addfilterbefore(authenticationtokenfilter, usernamepasswordauthenticationfilter.class);
// 添加cors filter
httpsecurity.addfilterbefore(corsfilter, jwtauthenticationtokenfilter.class);
httpsecurity.addfilterbefore(corsfilter, logoutfilter.class);
}
/**
* 强散列哈希加密实现
*/
@bean
public bcryptpasswordencoder bcryptpasswordencoder()
{
return new bcryptpasswordencoder();
}
/**
* 身份认证接口
*/
@override
protected void configure(authenticationmanagerbuilder auth) throws exception
{
auth.userdetailsservice(userdetailsservice).passwordencoder(bcryptpasswordencoder());
}
}com.sky.framework.config.properties.permitallurlproperties
package com.sky.framework.config.properties;
import java.util.arraylist;
import java.util.list;
import java.util.map;
import java.util.objects;
import java.util.optional;
import java.util.regex.pattern;
import org.apache.commons.lang3.regexutils;
import org.springframework.beans.beansexception;
import org.springframework.beans.factory.initializingbean;
import org.springframework.context.applicationcontext;
import org.springframework.context.applicationcontextaware;
import org.springframework.context.annotation.configuration;
import org.springframework.core.annotation.annotationutils;
import org.springframework.web.method.handlermethod;
import org.springframework.web.servlet.mvc.method.requestmappinginfo;
import org.springframework.web.servlet.mvc.method.annotation.requestmappinghandlermapping;
import com.sky.common.annotation.anonymous;
/**
* 设置anonymous注解允许匿名访问的url
*
* @author ruoyi
*/
@configuration
public class permitallurlproperties implements initializingbean, applicationcontextaware
{
//定义一个静态的正则表达式模式,用于匹配路径变量
private static final pattern pattern = pattern.compile("\\{(.*?)\\}");
//应用上下文对象,用于获取spirng bean
private applicationcontext applicationcontext;
//存储允许匿名访问的url模式的列表
private list<string> urls = new arraylist<>();
//通配符,用于替换路径中的变量部分
public string asterisk = "*";
//在属性设置之后执行初始化操作
//主要用于解析请求映射,找出标记为匿名访问的方法和控制器,并将其url模式添加至urls列表中
@override
public void afterpropertiesset()
{
//从应用上下文中获取requestmappinghandlermapping的实例
requestmappinghandlermapping mapping = applicationcontext.getbean(requestmappinghandlermapping.class);
//获取所有处理器方法及其对应的请求映射信息
map<requestmappinginfo, handlermethod> map = mapping.gethandlermethods();
//遍历所有请求映射信息
map.keyset().foreach(info -> {
handlermethod handlermethod = map.get(info);
// 获取方法上边的注解
anonymous method = annotationutils.findannotation(handlermethod.getmethod(), anonymous.class);
// 如果方法上有anonymous注解 将方法上的url添加至urls
optional.ofnullable(method).ifpresent(anonymous -> objects.requirenonnull(info.getpatternscondition().getpatterns())
.foreach(url -> urls.add(regexutils.replaceall(url, pattern, asterisk))));
// 获取类上边的注解
anonymous controller = annotationutils.findannotation(handlermethod.getbeantype(), anonymous.class);
//如果控制类上有anonymous注解 将类下方法上的url添加至urls
optional.ofnullable(controller).ifpresent(anonymous -> objects.requirenonnull(info.getpatternscondition().getpatterns())
.foreach(url -> urls.add(regexutils.replaceall(url, pattern, asterisk))));
});
}
@override
public void setapplicationcontext(applicationcontext context) throws beansexception
{
this.applicationcontext = context;
}
public list<string> geturls()
{
return urls;
}
public void seturls(list<string> urls)
{
this.urls = urls;
}
}com.sky.framework.security.handle.authenticationentrypointimpl
package com.sky.framework.security.handle;
import java.io.ioexception;
import java.io.serializable;
import javax.servlet.http.httpservletrequest;
import javax.servlet.http.httpservletresponse;
import org.springframework.security.core.authenticationexception;
import org.springframework.security.web.authenticationentrypoint;
import org.springframework.stereotype.component;
import com.alibaba.fastjson2.json;
import com.sky.common.constant.httpstatus;
import com.sky.common.core.domain.ajaxresult;
import com.sky.common.utils.servletutils;
import com.sky.common.utils.stringutils;
/**
* 认证失败处理类 返回未授权
*
* @author ruoyi
*/
@component
public class authenticationentrypointimpl implements authenticationentrypoint, serializable
{
private static final long serialversionuid = -8970718410437077606l;
/**
* 处理未通过身份验证的请求
* 当用户尝试访问需要身份验证的资源但未通过认证时,此方法被调用
* 它向客户端放回一个包含错误信息的http响应,指示认证失败
* @param request 请求对象,包含用户尝试访问的uri等信息
* @param response 响应对象,用于向客户端发送错误信息
* @param e 身份验证异常对象,指示用户身份验证失败的原因
* @throws ioexception 如果在向客户端发送响应时发生输入输出错误
* */
@override
public void commence(httpservletrequest request, httpservletresponse response, authenticationexception e)
throws ioexception
{
//http状态码401,表示未授权
int code = httpstatus.unauthorized;
//构建错误信息,包含尝试访问的uri
string msg = stringutils.format("请求访问:{},认证失败,无法访问系统资源", request.getrequesturi());
//使用json格式向客户端返回错误信息
servletutils.renderstring(response, json.tojsonstring(ajaxresult.error(code, msg)));
}
}com.sky.framework.security.handle.logoutsuccesshandlerimpl
package com.sky.framework.security.handle;
import java.io.ioexception;
import javax.servlet.servletexception;
import javax.servlet.http.httpservletrequest;
import javax.servlet.http.httpservletresponse;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.context.annotation.configuration;
import org.springframework.security.core.authentication;
import org.springframework.security.web.authentication.logout.logoutsuccesshandler;
import com.alibaba.fastjson2.json;
import com.sky.common.constant.constants;
import com.sky.common.core.domain.ajaxresult;
import com.sky.common.core.domain.model.loginuser;
import com.sky.common.utils.messageutils;
import com.sky.common.utils.servletutils;
import com.sky.common.utils.stringutils;
import com.sky.framework.manager.asyncmanager;
import com.sky.framework.manager.factory.asyncfactory;
import com.sky.framework.web.service.tokenservice;
/**
* 自定义退出处理类 返回成功
*
* @author ruoyi
*/
@configuration
public class logoutsuccesshandlerimpl implements logoutsuccesshandler
{
@autowired
private tokenservice tokenservice;
/**
* 退出处理
*
* @return
*/
@override
public void onlogoutsuccess(httpservletrequest request, httpservletresponse response, authentication authentication)
throws ioexception, servletexception
{
//获取当前登录用户
loginuser loginuser = tokenservice.getloginuser(request);
//检查用户是否已登录
if (stringutils.isnotnull(loginuser))
{
//获取用户名
string username = loginuser.getusername();
// 删除用户缓存记录,实现退出
tokenservice.delloginuser(loginuser.gettoken());
// 记录用户退出日志
asyncmanager.me().execute(asyncfactory.recordlogininfor(username, constants.logout, messageutils.message("user.logout.success")));
}
//向客户端返回退出成功的消息
servletutils.renderstring(response, json.tojsonstring(ajaxresult.success(messageutils.message("user.logout.success"))));
}
}com.sky.framework.security.filter.jwtauthenticationtokenfilter
package com.sky.framework.security.filter;
import java.io.ioexception;
import javax.servlet.filterchain;
import javax.servlet.servletexception;
import javax.servlet.http.httpservletrequest;
import javax.servlet.http.httpservletresponse;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.security.authentication.usernamepasswordauthenticationtoken;
import org.springframework.security.core.context.securitycontextholder;
import org.springframework.security.web.authentication.webauthenticationdetailssource;
import org.springframework.stereotype.component;
import org.springframework.web.filter.onceperrequestfilter;
import com.sky.common.core.domain.model.loginuser;
import com.sky.common.utils.securityutils;
import com.sky.common.utils.stringutils;
import com.sky.framework.web.service.tokenservice;
/**
* token过滤器 验证token有效性
*
* @author ruoyi
*/
@component
public class jwtauthenticationtokenfilter extends onceperrequestfilter
{
@autowired
private tokenservice tokenservice;
@override
protected void dofilterinternal(httpservletrequest request, httpservletresponse response, filterchain chain)
throws servletexception, ioexception
{
//通过令牌服务获取登录用户信息
loginuser loginuser = tokenservice.getloginuser(request);
//检查是否已登录且ss当前没有认证对象
if (stringutils.isnotnull(loginuser) && stringutils.isnull(securityutils.getauthentication()))
{
//验证用户令牌是否有效
tokenservice.verifytoken(loginuser);
//创建认证对象
usernamepasswordauthenticationtoken authenticationtoken = new usernamepasswordauthenticationtoken(loginuser, null, loginuser.getauthorities());
//设置认证对象的详细信息,这些详细信息是基于web的认证细节
authenticationtoken.setdetails(new webauthenticationdetailssource().builddetails(request));
//将认证对象设置到安全上下文中,这样应用的其他部分可以访问到用户信息
securitycontextholder.getcontext().setauthentication(authenticationtoken);
}
//继续执行过滤器链中的下一个过滤器或目标servlet
chain.dofilter(request, response);
}
}com.sky.framework.web.service.userdetailsserviceimpl#loaduserbyusername
package com.sky.framework.web.service;
import org.slf4j.logger;
import org.slf4j.loggerfactory;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.security.core.userdetails.userdetails;
import org.springframework.security.core.userdetails.userdetailsservice;
import org.springframework.security.core.userdetails.usernamenotfoundexception;
import org.springframework.stereotype.service;
import com.sky.common.core.domain.entity.sysuser;
import com.sky.common.core.domain.model.loginuser;
import com.sky.common.enums.userstatus;
import com.sky.common.exception.serviceexception;
import com.sky.common.utils.messageutils;
import com.sky.common.utils.stringutils;
import com.sky.system.service.isysuserservice;
/**
* 用户验证处理
*
* @author ruoyi
*/
@service
public class userdetailsserviceimpl implements userdetailsservice
{
private static final logger log = loggerfactory.getlogger(userdetailsserviceimpl.class);
@autowired
private isysuserservice userservice;
@autowired
private syspasswordservice passwordservice;
@autowired
private syspermissionservice permissionservice;
@override
public userdetails loaduserbyusername(string username) throws usernamenotfoundexception
{
//通过用户名查询用户信息
sysuser user = userservice.selectuserbyusername(username);
//检查用户是否存在
if (stringutils.isnull(user))
{
log.info("登录用户:{} 不存在.", username);
//抛出异常提示用户不存在
throw new serviceexception(messageutils.message("user.not.exists"));
}
//检查用户是否已经被删除
else if (userstatus.deleted.getcode().equals(user.getdelflag()))
{
log.info("登录用户:{} 已被删除.", username);
//抛出异常提示用户已经被删除
throw new serviceexception(messageutils.message("user.password.delete"));
}
//检查用户是否被停用
else if (userstatus.disable.getcode().equals(user.getstatus()))
{
log.info("登录用户:{} 已被停用.", username);
//抛出异常提示用户已经被停用
throw new serviceexception(messageutils.message("user.blocked"));
}
//验证用户密码是否正确
passwordservice.validate(user);
//创建并返回登录用户对象
return createloginuser(user);
}
public userdetails createloginuser(sysuser user)
{
return new loginuser(user.getuserid(), user.getdeptid(), user, permissionservice.getmenupermission(user));
}
}到此这篇关于spring security介绍及配置实现代码的文章就介绍到这了,更多相关spring security介绍及配置内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论