策划人网站,广东企业信息查询系统,wordpress登录打不开,a5站长网文章目录 往期回顾#xff1a;Spring Boot集成Spring Security专栏及各章节快捷入口前言一、HTTP请求授权工作原理二、HTTP请求授权配置1、添加用户权限2、配置ExceptionTranslationFilter自定义异常处理器3、HTTP请求授权配置 三、测试接口1、测试类2、测试 四、总结 往期回顾… 文章目录 往期回顾Spring Boot集成Spring Security专栏及各章节快捷入口前言一、HTTP请求授权工作原理二、HTTP请求授权配置1、添加用户权限2、配置ExceptionTranslationFilter自定义异常处理器3、HTTP请求授权配置 三、测试接口1、测试类2、测试 四、总结 往期回顾Spring Boot集成Spring Security专栏及各章节快捷入口
Spring Boot集成Spring Security专栏一、Spring Boot集成Spring Security之自动装配二、Spring Boot集成Spring Security之实现原理三、Spring Boot集成Spring Security之过滤器链详解四、Spring Boot集成Spring Security之认证流程五、Spring Boot集成Spring Security之认证流程2六、Spring Boot集成Spring Security之前后分离认证流程最佳方案七、Spring Boot集成Spring Security之前后分离认证最佳实现八、Spring Boot集成Spring Security之前后分离认证最佳实现对接测试九、Spring Boot集成Spring Security之授权概述十、Spring Boot集成Spring Security之HTTP请求授权
前言
本文介绍HTTP请求授权工作原理、配置及适用场景配合以下内容观看效果更佳
什么是授权授权有哪些流程Spring Security的授权配置有几种请查看九、Spring Boot集成Spring Security之授权概述HTTP请求授权的实现原理是什么如何配置HTTP请求授权请查看十、Spring Boot集成Spring Security之HTTP请求授权方法授权的实现原理是什么如何配置方法授权请查看十一、Spring Boot集成Spring Security之方法授权如何实现基于RBAC模型的授权方式请查看十二、Spring Boot集成Spring Security之基于RBAC模型的授权
一、HTTP请求授权工作原理
基于Spring Security最新的Http请求授权讲解不再使用旧版的请求授权
授权过滤器AuthorizationFilter获取认证信息调用RequestMatcherDelegatingAuthorizationManager的check方法验证该用户是否具有该请求的授权RequestMatcherDelegatingAuthorizationManager根据配置的请求和授权关系校验用户是否具有当前请求的授权并返回授权结果AuthorizationFilter处理授权结果授权成功则继续调用过滤器链否则抛出AccessDeniedException异常认证失败时ExceptionTranslationFilter处理AccessDeniedException异常如果是当前认证是匿名认证或者RememberMe认证则调用AuthenticationEntryPoint的commence方法否则调用AccessDeniedHandler的handler方法工作原理图如下 二、HTTP请求授权配置
1、添加用户权限
package com.yu.demo.spring.impl;import com.yu.demo.entity.UserDetailsImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;import java.util.ArrayList;
import java.util.List;
import java.util.UUID;Service
public class UserDetailsServiceImpl implements UserDetailsService {//Autowired//private UserService userService;// Autowired//private UserRoleService userRoleService;Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {//TODO 通过username从数据库中获取用户将用户转UserDetails//User user userService.getByUsername(username);//TODO 从数据库实现查询权限并转化为ListGrantedAuthority//ListString roleIds userRoleService.listRoleIdByUsername(username);//ListGrantedAuthority grantedAuthorities new ArrayList(roleIds.size());//roleIds.forEach(roleId - grantedAuthorities.add(new SimpleGrantedAuthority(roleId)));//return new User(username, user.getPassword(), user.getEnable(), user.getAccountNonExpired(), user.getCredentialsNonExpired(), user.getAccountNonLocked(), user.getAuthorities());//测试使用指定权限ListGrantedAuthority grantedAuthorities new ArrayList();//与hasXxxRole匹配时添加ROLE_前缀grantedAuthorities.add(new SimpleGrantedAuthority(ROLE_ADMIN));//与hasXxxAuthority匹配时原始值grantedAuthorities.add(new SimpleGrantedAuthority(OPERATE));//{noop}不使用密码加密器密码123的都可以验证成功UserDetailsImpl userDetails new UserDetailsImpl(username, {noop}123, true, true, true, true, grantedAuthorities);//userDetails中设置token该token只是实现认证流程未使用jwtuserDetails.setToken(UUID.randomUUID().toString());return userDetails;}}
2、配置ExceptionTranslationFilter自定义异常处理器 因AuthorizationFilter授权失败时会抛出异常该异常由ExceptionTranslationFilter处理所以要配置自定义的异常处理器。 自定义AccessDeniedHandler和AuthenticationEntryPoint异常处理器可以用一个类实现认证授权相关的所有接口也可以使用多个类分别实现。
package com.yu.demo.spring.impl;import com.yu.demo.entity.ApiResp;
import com.yu.demo.entity.UserDetailsImpl;
import com.yu.demo.util.SpringUtil;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;Component
public class LoginResultHandler implements AuthenticationSuccessHandler, LogoutSuccessHandler, AuthenticationEntryPoint, AuthenticationFailureHandler, AccessDeniedHandler {/*** 登录成功*/Overridepublic void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken (UsernamePasswordAuthenticationToken) authentication;UserDetailsImpl userDetailsImpl (UserDetailsImpl) usernamePasswordAuthenticationToken.getPrincipal();//token返回到前端SpringUtil.respJson(response, ApiResp.success(userDetailsImpl.getToken()));}/*** 登录失败*/Overridepublic void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {SpringUtil.respJson(response, ApiResp.loginFailure());}/*** 登出成功*/Overridepublic void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {SpringUtil.respJson(response, ApiResp.success());}/*** 未登录调用需要登录的接口时*/Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {SpringUtil.respJson(response, ApiResp.notLogin());}/*** 已登录调用未授权的接口时*/Overridepublic void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {SpringUtil.respJson(response, ApiResp.forbidden());}
}
配置异常处理 //异常处理配置.exceptionHandling(exceptionHandlingCustomizer - exceptionHandlingCustomizer//授权失败处理器登录账号访问未授权的资源时.accessDeniedHandler(loginResultHandler)//登录失败处理器匿账号访问需要未授权的资源时.authenticationEntryPoint(loginResultHandler))3、HTTP请求授权配置
本文使用最新的authorizeHttpRequestsAuthorizationFilterAuthorizationManager配置不在使用authorizeRequestsFilterSecurityInterceptorAccessDecisionManagerAccessDecisionVoter请求和授权配置成对出现配置在前的优先级更高请求种类 antMatchersAnt风格的路径模式?匹配一个字符、*匹配零个或多个字符但不包括目录分隔符、**匹配零个或多个目录mvcMatchersSpring MVC的路径模式支持路径变量和请求参数regexMatchers正则表达式路径模式requestMatchers实现RequestMatcher自定义匹配逻辑anyRequest未匹配的其他请求只能有一个且只能放在最后 授权种类 permitAll匿名或登录用户都允许访问denyAll匿名和登录用户都不允许访问hasAuthority有配置的权限允许访问AuthorityAuthorizationManager校验hasRole有配置的角色允许访问ROLE_{配置角色}与用户权限匹配AuthorityAuthorizationManager校验hasAnyAuthority有配置的任意一个权限的允许访问AuthorityAuthorizationManager校验hasAnyRole有配置的任意一个角色允许访问ROLE_{配置角色}与用户权限匹配AuthorityAuthorizationManager校验authenticated已认证不包括匿名的允许访问AuthenticatedAuthorizationManager校验access自定义授权处理 因authorizeHttpRequests不支持使用anonymous()的方式配置匿名访问未自定义匿名角色时可以通过hasRole(“ANONYMOUS”)或者hasAuthority(“ROLE_ANONYMOUS”)或其他类似的方式实现允许匿名请求的设置 http请求授权配置 //http请求授权.authorizeHttpRequests(authorizeHttpRequestsCustomizer - authorizeHttpRequestsCustomizer//不允许访问.antMatchers(/test/deny).denyAll()//允许匿名访问.antMatchers(/test/anonymous).hasRole(ANONYMOUS)//允许访问.antMatchers(/test/permit).permitAll()//测试使用拥有ADMIN角色.antMatchers(/test/admin)//拥有ROLE_ADMIN权限配置的角色不能以ROLE_作为前缀.hasRole(ADMIN)//测试使用拥有OPERATE权限.antMatchers(/test/operate)//拥有OPERATE权限.hasAuthority(OPERATE)//其他的任何请求.anyRequest()//需要认证且不能是匿名.authenticated())完整过滤器链配置
package com.yu.demo.config;import com.yu.demo.spring.filter.RestfulLoginConfigurer;
import com.yu.demo.spring.filter.RestfulUsernamePasswordAuthenticationFilter;
import com.yu.demo.spring.impl.LoginResultHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.SecurityContextRepository;Configuration
EnableWebSecurity
public class SecurityConfig {//登录参数用户名private static final String LOGIN_ARG_USERNAME username;//登录参数密码private static final String LOGIN_ARG_PASSWORD password;//登录请求类型private static final String LOGIN_HTTP_METHOD HttpMethod.POST.name();//登录请求地址private static final String LOGIN_URL /login;//登出请求地址private static final String LOGOUT_URL /logout;Autowiredprivate LoginResultHandler loginResultHandler;Autowiredprivate SecurityContextRepository securityContextRepository;Beanpublic SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {httpSecurity//禁用UsernamePasswordAuthenticationFilter、DefaultLoginPageGeneratingFilter、DefaultLogoutPageGeneratingFilter.formLogin(FormLoginConfigurer::disable)//禁用BasicAuthenticationFilter.httpBasic(HttpBasicConfigurer::disable)//禁用CsrfFilter.csrf(CsrfConfigurer::disable)//禁用SessionManagementFilter.sessionManagement(SessionManagementConfigurer::disable)//异常处理配置.exceptionHandling(exceptionHandlingCustomizer - exceptionHandlingCustomizer//授权失败处理器登录账号访问未授权的资源时.accessDeniedHandler(loginResultHandler)//登录失败处理器匿账号访问需要未授权的资源时.authenticationEntryPoint(loginResultHandler))//http请求授权.authorizeHttpRequests(authorizeHttpRequestsCustomizer - authorizeHttpRequestsCustomizer//不允许访问.antMatchers(/test/deny).denyAll()//允许匿名访问.antMatchers(/test/anonymous).hasRole(ANONYMOUS)//允许访问.antMatchers(/test/permit).permitAll()//测试使用拥有ADMIN角色.antMatchers(/test/admin)//拥有ROLE_ADMIN权限配置的角色不能以ROLE_作为前缀.hasRole(ADMIN)//测试使用拥有OPERATE权限.antMatchers(/test/operate)//拥有OPERATE权限.hasAuthority(OPERATE)//其他的任何请求.anyRequest()//需要认证且不能是匿名.authenticated())//安全上下文配置.securityContext(securityContextCustomizer - securityContextCustomizer//设置自定义securityContext仓库.securityContextRepository(securityContextRepository)//显示保存SecurityContext官方推荐.requireExplicitSave(true))//登出配置.logout(logoutCustomizer - logoutCustomizer//登出地址.logoutUrl(LOGOUT_URL)//登出成功处理器.logoutSuccessHandler(loginResultHandler))//注册自定义登录过滤器的配置器自动注册自定义登录过滤器//需要重写FilterOrderRegistration的构造方法FilterOrderRegistration(){}在构造方法中添加自定义过滤器的序号否则注册不成功.apply(new RestfulLoginConfigurer(new RestfulUsernamePasswordAuthenticationFilter(LOGIN_ARG_USERNAME, LOGIN_ARG_PASSWORD, LOGIN_URL, LOGIN_HTTP_METHOD), LOGIN_URL, LOGIN_HTTP_METHOD))//设置登录地址未设置时系统默认生成登录页面登录地址/login.loginPage(LOGIN_URL)//设置登录成功之后的处理器.successHandler(loginResultHandler)//设置登录失败之后的处理器.failureHandler(loginResultHandler);//创建过滤器链对象return httpSecurity.build();}}
三、测试接口
1、测试类
package com.yu.demo.web;import com.yu.demo.entity.ApiResp;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;RestController
RequestMapping(/test)
public class TestController {GetMapping(/hello)public ApiResp hello() {return ApiResp.success(hello);}/*** 匿名允许访问接口地址*/GetMapping(/anonymous)public ApiResp anonymous() {return ApiResp.success(anonymous);}/*** 禁止访问接口地址*/GetMapping(/deny)public ApiResp deny() {return ApiResp.success(deny);}/*** 允许访问接口地址*/GetMapping(/permit)public ApiResp permit() {return ApiResp.success(permit);}/*** 拥有ADMIN角色或ROLE_ADMIN权限允许访问接口地址*/GetMapping(/admin)public ApiResp admin() {return ApiResp.success(admin);}/*** 拥有OPERATE权限的允许访问接口地址*/GetMapping(/operate)public ApiResp operate() {return ApiResp.success(operate);}}
2、测试
登录获取token admin接口测试 其他接口不在一一测试有疑问或问题评论或私聊
四、总结
授权是拿用户的权限和可以访问接口的权限进行匹配匹配成功时授权成功匹配失败时授权失败用户的权限对象是SimpleGrantedAuthority字符串属性role接口的role权限会通过ROLE_{role}转化为SimpleGrantedAuthority及其字符串属性role接口的authority权限会直接转化为SimpleGrantedAuthority及其字符串属性role拥有ROLE_ANONYMOUS权限或者ANONYMOUS角色可以访问匿名接口后续会讲使用HTTP请求授权自定义AuthorizationManager方式实现基于RBAC权限模型欢迎持续关注源码下载
