程序员程序猿阵线联盟-汇总各类技术干货技术干货

使用Spring Security开发基于表单的认证(二)

2018-04-30  本文已影响985人  我可能是个假开发

使用Spring Security开发基于表单的认证(二)

个性化用户认证流程

一、自定义登录页面

①加页面:定义该页面hcx-signIn.html为登录页面:
②配授权

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    
    @Bean //加密
    public PasswordEncoder passwordEncoder() {
        //如果系统本身有了其他的加密方式,此处就应该返回自己写的passwordencoder,再实现encoder和matches方法
        return new BCryptPasswordEncoder();
    }
    
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //使用表单登录:指定了身份认证的方式
        http.formLogin()
            .loginPage("/hcx-signIn.html")//自定义登录页面
        //http.httpBasic() //使用回之前的认证方式
            .and()
            .authorizeRequests()//表示以下都是授权的配置 
            .antMatchers("/hcx-signIn.html").permitAll()//访问该url不需要身份认证
            .anyRequest()//任何请求
            .authenticated();//都需要身份认证
        
    }

}

hcx-signIn.html:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
    <h2>标准登录页面</h2>
</body>
</html>
登录页面目录.png

注意,如果忘记配授权的话就会进入死循环:

死循环.png

运行后访问http://localhost:8060/user:

访问结果页面.png

过滤器默认处理的登录请求是/login post形式
如果使用了新的请求路径,还需要配置,让SpringSecurity知道

hcx-signIn.html:

<title>登录</title>
</head>
<body>
    <h2>标准登录页面</h2>
    <h3>表单登录</h3>
    <form action="/authentication/form" method="post">
        <table>
            <tr>
                <td>用户名:</td> 
                <td><input type="text" name="username"></td>
            </tr>
            <tr>
                <td>密码:</td>
                <td><input type="password" name="password"></td>
            </tr>
            <tr>
                <td colspan="2"><button type="submit">登录</button></td>
            </tr>
        </table>
    </form>
</body>

MyUserDetailsService:

@Component
public class MyUserDetailsService implements UserDetailsService{

    private Logger logger = LoggerFactory.getLogger(getClass());
    
    
    @Autowired
    private PasswordEncoder passwordEncoder;
    
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        logger.info("登录用户名:"+username);
        //根据用户名查找用户信息
        
        //根据查找到的用户信息判断用户是否被冻结
        
        //为了把用户是否冻结的信息告诉SpringSecurity,new User的构造方法使用包含四个布尔返回值的参数的方法
        
        //此处没有读取数据库,直接用静态数据 密码:123456 静态权限:admin 这些在实际开发中需要从数据库中获取
        //passwordEncoder.encode("123456"),在实际应用中,此步骤应该在注册的时候就做好了,此处就直接在数据库拿出加密好的数据
        String password = passwordEncoder.encode("123456");
        logger.info("数据库密码是:"+password);
        
        return new User(username,password,
                true,true,true,false,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
    
    /**
     * 此处,当前的方法loadUserByUsername返回的是UserDetails接口的实例,使用了Spring默认的User类
     * 实际的应用中,并不一定更要使用该类,只要是UserDetails这个接口的实现就可以
     * 可以使用对应的DAO接口实现UserDetails接口
     */
    
}

BrowserSecurityConfig:

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    
    @Bean //加密
    public PasswordEncoder passwordEncoder() {
        //如果系统本身有了其他的加密方式,此处就应该返回自己写的passwordencoder,再实现encoder和matches方法
        return new BCryptPasswordEncoder();
    }
    
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //使用表单登录:指定了身份认证的方式
        http.formLogin()
            .loginPage("/hcx-signIn.html")//自定义登录页面
            .loginProcessingUrl("/authentication/form") //配置让Spring知道让UsernamePasswordAuthenticationFilter过滤器去处理/authentication/form路径
        //http.httpBasic() //使用回之前的认证方式
            .and()
            .authorizeRequests()//表示以下都是授权的配置 
            .antMatchers("/hcx-signIn.html").permitAll()//当访问hcx-signIn.html时,不需要身份认证
            .anyRequest()//任何请求
            .authenticated()//都需要身份认证
            .and()
            .csrf().disable();
    }

}
表单登录页面.png

改进:处理不同类型的请求
把上面直接是跳转到一个页面,换成一个Controller,让Controller判断是否是一个HTML请求引发的跳转,如果是就返回登录页面如果不是就返回401状态码和错误信息:

处理不同类型的请求.png

BrowserSecurityController:在该类中处理需要身份认证的请求:

@RestController
public class BrowserSecurityController { 
    
    private Logger logger = LoggerFactory.getLogger(getClass());
    
    //判断引发跳转的是否是html
    //用RequestCache拿到引发跳转的请求
    private RequestCache requestCache = new HttpSessionRequestCache();
    
    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    
    @Autowired
    private SecurityProperties securityProperties;
    
    
    /**
     * 当需要身份认证时,跳转到这里
     * @param request
     * @param response
     * @return
     * @throws IOException
     */
    @RequestMapping("/authentication/require")
    @ResponseStatus(code=HttpStatus.UNAUTHORIZED) //返回状态码
    public SimpleResponse requireAuthentication(HttpServletRequest request,HttpServletResponse response) throws IOException{
        //拿到引发跳转的请求
        SavedRequest savedRequest = requestCache.getRequest(request, response);
        if(savedRequest!=null) {
            //引发跳转请求的url
            String targetUrl = savedRequest.getRedirectUrl();
            logger.info("引发跳转的请求时: "+targetUrl);
            if(StringUtils.endsWithIgnoreCase(targetUrl, ".html")) {//判断引发跳转的请求是否是以.html结尾
                //跳转到登录页
                /**
                 * request
                 * response
                 * url:要跳转的url 此处不可能固定的跳转到某一个页面,配置可以使用标准登录页还是使用自己写的登录页
                 */
                redirectStrategy.sendRedirect(request, response,securityProperties.getBrowser().getLoginPage());//url://跳转到用户配置的login的配置
            }
        }
        //如果不是一个html请求,返回401状态码和错误信息
        return new SimpleResponse("访问的服务需要身份认证,请引导用户到登录页");
    }

}

使用户可以自己去配登录页面:
在application.properties中配置:

hcx.security.browser.loginPage = /demo-signIn.html

demo-signIn.html:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录</title>
</head>
<body>
    <h2>Demo登录页</h2>
</body>
</html>

当做了该配置之后,就会跳转到demo-signIn.html该页面;如果没有该配置,则跳转到原本配置的标准登录页

实现配置跳转到不同登录页.png

系统配置封装:

系统配置封装.png

SecurityProperties:

package com.hcx.security.core.properties;

import org.springframework.boot.context.properties.ConfigurationProperties;

/**
 * @author HCX
 *
 */
@ConfigurationProperties(prefix="hcx.security")//该类会读取配置文件中所有以hcx.security开头的配置项
public class SecurityProperties {
    
    private BrowserProperties browser = new BrowserProperties();

    public BrowserProperties getBrowser() {
        return browser;
    }

    public void setBrowser(BrowserProperties browser) {
        this.browser = browser;
    }
}

BrowserProperties:

/**
 * @author HCX
 *
 */
public class BrowserProperties {
    
    /**
     * 如果用户配置了就使用用户配置的;
     * 如果没有配,则使用/hcx-signIn.html
     */
    private String loginPage = "/hcx-signIn.html";//指定默认跳转

    public String getLoginPage() {
        return loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }
    
}

BrowserSecurityConfig:

@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    
    
    @Autowired
    private SecurityProperties securityProperties;
    
    @Bean //加密
    public PasswordEncoder passwordEncoder() {
        //如果系统本身有了其他的加密方式,此处就应该返回自己写的passwordencoder,再实现encoder和matches方法
        return new BCryptPasswordEncoder();
    }
    
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //使用表单登录:指定了身份认证的方式
        http.formLogin()
            .loginPage("/authentication/require")//自定义登录页面
            .loginProcessingUrl("/authentication/form") //配置让Spring知道让UsernamePasswordAuthenticationFilter过滤器去处理/authentication/form路径
        //http.httpBasic() //使用回之前的认证方式
            .and()
            .authorizeRequests()//表示以下都是授权的配置 
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()
            .anyRequest()//任何请求
            .authenticated()//都需要身份认证
            .and()
            .csrf().disable();
    }

}

要使配置生效,还需要一个配置类:

@Configuration //声明其为一个配置类
@EnableConfigurationProperties(SecurityProperties.class)//作用:让SecurityProperties配置读取器生效
public class SecurityCoreConfig {

}

使用注解返回状态码:@ResponseStatus(code=HttpStatus.UNAUTHORIZED)

返回错误信息:服务应该返回json
包装,把字符串包装成对象返回

public class SimpleResponse {
    
    private Object content;

    public Object getContent() {
        return content;
    }

    public SimpleResponse(Object content) {
        super();
        this.content = content;
    }

    public void setContent(Object content) {
        this.content = content;
    }
    
}

运行访问:localhost:8060/user:

运行结果1.png

访问:localhost:8060/index.html则跳转到系统配置的登录页,如果没有配置hcx.security.browser.loginPage = /demo-signIn.html,则跳转到标准登录页

二、自定义登录成功处理

场景:默认情况下,SpringSecurity的登录成功的处理会首先跳到之前引发登录的请求上,比如访问/user,需要身份认证,就会跳转到登录页,登录成功了,又会跳回user请求上。但是在现在前端spa比较流行的情况下,登录可能不是一个表单提交的同步方式,而是由异步的ajax请求访问登录。此时,前端想要拿到的是用户相关的json格式的信息,此时如果登录成功了进行跳转,此种行为肯定是不合适的。

实现AuthenticationSuccessHandler接口即可。

自定义成功处理器HCXAuthenticationSuccessHandler:

package com.hcx.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
@Component("hcxAuthenticationSuccessHandler")
public class HCXAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    
    private Logger logger = LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;

    //登录成功后会被调用
    /**
     * Authentication:封装认证信息:包括发起的认证请求的信息,比如IP session和用户信息等
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        
        logger.info("登录成功");
        
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(objectMapper.writeValueAsString(authentication));
        
    }

}

配置:让SpringSecurity知道在登录成功以后用自己定义的登录成功处理器来处理,而不是用Spring默认的处理器,修改配置类

注入自定义的成功处理器.png

BrowserSecurityConfig:

package com.hcx.security.browser;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.hcx.security.core.properties.SecurityProperties;
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    
    
    @Autowired
    private SecurityProperties securityProperties;
    
    //注入自己写的登录成功处理器
    @Autowired
    private AuthenticationSuccessHandler hcxAuthenticationSuccessHandler;
    
    @Bean //加密
    public PasswordEncoder passwordEncoder() {
        //如果系统本身有了其他的加密方式,此处就应该返回自己写的passwordencoder,再实现encoder和matches方法
        return new BCryptPasswordEncoder();
    }
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //使用表单登录:指定了身份认证的方式
        http.formLogin()
            .loginPage("/authentication/require")//自定义登录页面
            .loginProcessingUrl("/authentication/form") //配置让Spring知道让UsernamePasswordAuthenticationFilter过滤器去处理/authentication/form路径
        //http.httpBasic() //使用回之前的认证方式
            .successHandler(hcxAuthenticationSuccessHandler)
            .and()
            .authorizeRequests()//表示以下都是授权的配置 
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()
            .anyRequest()//任何请求
            .authenticated()//都需要身份认证
            .and()
            .csrf().disable();
    }

}
返回的json.png

三、自定义登录失败处理

失败处理器HCXAuthencationFailHandler:

package com.hcx.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;

@Component("hcxAuthenticationFailHandler")
public class HCXAuthencationFailHandler implements AuthenticationFailureHandler {

    
    private Logger logger = LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;
    /**
     * AuthenticationException:认证过程中发生错误产生异常的信息
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        
        logger.info("登录失败");
        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(objectMapper.writeValueAsString(exception));
        
    }

}

使失败处理器生效的配置:

注入自定义的失败处理器.png

BrowserSecurityConfig:

package com.hcx.security.browser;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import com.hcx.security.core.properties.SecurityProperties;
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter{
    
    
    @Autowired
    private SecurityProperties securityProperties;
    
    //注入自己写的登录成功处理器
    @Autowired
    private AuthenticationSuccessHandler hcxAuthenticationSuccessHandler;
    
    //注入自己写的登录失败处理器
    @Autowired
    private AuthenticationFailureHandler hcxAuthencationFailHandler;
    
    @Bean //加密
    public PasswordEncoder passwordEncoder() {
        //如果系统本身有了其他的加密方式,此处就应该返回自己写的passwordencoder,再实现encoder和matches方法
        return new BCryptPasswordEncoder();
    }
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //使用表单登录:指定了身份认证的方式
        http.formLogin()
            .loginPage("/authentication/require")//自定义登录页面
            .loginProcessingUrl("/authentication/form") //配置让Spring知道让UsernamePasswordAuthenticationFilter过滤器去处理/authentication/form路径
        //http.httpBasic() //使用回之前的认证方式
            .successHandler(hcxAuthenticationSuccessHandler)
            .failureHandler(hcxAuthencationFailHandler)
            .and()
            .authorizeRequests()//表示以下都是授权的配置 
            .antMatchers("/authentication/require",
                    securityProperties.getBrowser().getLoginPage()).permitAll()
            .anyRequest()//任何请求
            .authenticated()//都需要身份认证
            .and()
            .csrf().disable();
    }

}

四、改造代码

即支持表单提交跳转也支持json返回,让用户可以通过自己的配置决定使用哪一种

声明枚举类:LoginType:

package com.hcx.security.core.properties;

public enum LoginType {
    
    REDIRECT,
    
    JSON

}

BrowserProperties中配置:

package com.hcx.security.core.properties;

/**
 * @author HCX
 *
 */
public class BrowserProperties {
    
    /**
     * 如果用户配置了就使用用户配置的;
     * 如果没有配,则使用/hcx-signIn.html
     */
    private String loginPage = "/hcx-signIn.html";//指定默认跳转
    
    //配置默认返回json
    private LoginType loginType = LoginType.JSON;

    public String getLoginPage() {
        return loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }

    public LoginType getLoginType() {
        return loginType;
    }

    public void setLoginType(LoginType loginType) {
        this.loginType = loginType;
    }
    
    
}

HCXAuthenticationSuccessHandler:

package com.hcx.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.hcx.security.core.properties.LoginType;
import com.hcx.security.core.properties.SecurityProperties;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
@Component("hcxAuthenticationSuccessHandler")
public class HCXAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    
    private Logger logger = LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;
    
    @Autowired
    private SecurityProperties securityProperties;

    //登录成功后会被调用
    /**
     * Authentication:封装认证信息:包括发起的认证请求的信息,比如IP session和用户信息等
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        
        logger.info("登录成功");
        
        if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
            //是json,调用自己的
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write(objectMapper.writeValueAsString(authentication));
        }else {
            //不是json,则调用父类的,父类为跳转
            super.onAuthenticationSuccess(request, response, authentication);
        }
        
        
        
    }

}

HCXAuthencationFailHandler:

package com.hcx.security.browser.authentication;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.hcx.security.core.properties.LoginType;
import com.hcx.security.core.properties.SecurityProperties;

@Component("hcxAuthenticationFailHandler")
public class HCXAuthencationFailHandler extends SimpleUrlAuthenticationFailureHandler {

    private Logger logger = LoggerFactory.getLogger(getClass());
    
    @Autowired
    private ObjectMapper objectMapper;
    
    @Autowired
    private SecurityProperties securityProperties;
    
    /**
     * AuthenticationException:认证过程中发生错误产生异常的信息
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        
        logger.info("登录失败");
        if(LoginType.JSON.equals(securityProperties.getBrowser().getLoginType())) {
            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write(objectMapper.writeValueAsString(exception));
        }else {
            super.onAuthenticationFailure(request, response, exception);
        }
        
    }

}

修改配置来决定使用哪一种方式(在BrowserProperties配置中配置了默认使用json返回):修改demo项目中的配置文件application.properties

修改配置文件决定使用哪种方式响应.png 登录成功跳转页.png

springsecurity认证执行流程:

springsecurity认证执行流程.png

认证结果在多个请求之间共享:

认证结果在多个请求之间共享.png 过滤器链.png

获取认证用户信息:

在UserController中添加获取用户认证信息:

@GetMapping("/me")
public Object getCurrentUser() {
    return SecurityContextHolder.getContext().getAuthentication();
}

或者直接:

@GetMapping("/me")
public Object getCurrentUser(Authentication authentication) {
    return authentication;
}

或只获取具体某一部分信息:

@GetMapping("/me")
public Object getCurrentUser(@AuthenticationPrincipal UserDetails user) {
    return user;
}
上一篇 下一篇

猜你喜欢

热点阅读