本文通过逐步学习Spring Security,由浅入深,SpringBoot整合Spring Security 分别实现自定义的HTTP Basic认证 和 Form表单认证。
本文是学习笔记,网上的教程五花八门,由于时间久远,很难拿来就用。
在此特别感谢@IT老齐 老师,带我完整的用代码实现了一遍Spring Security的基本使用。
目录
- 一、Spring Security 快速开始
- 二、认证与授权
- 三、Spring Security基础认证与表单认证
- 1、HTTP基础认证
- 2、HTTP表单认证
- 四、Spring Security 用户与认证对象
- 1、用户对象
- 2、认证对象
- 五、基于MySQL自定义认证过程
- 1、项目结构
- 2、用户表
- 3、依赖
- 4、数据库配置
- 5、SpringBoot基本框架
- 6、自动定义Spring Security
- 7、接口测试
- 六、使用PasswordEncoder加密密码
- 七、Session会话控制
- 八、基于表单模式实现自定义认证
- 学习资料
主要内容:
- 用户信息管理
- 敏感信息加密解密
- 用户认证
- 权限控制
- 跨站点请求伪造保护
- 跨域支持
- 全局安全方法
- 单点登录
一、Spring Security 快速开始
创建SpringBoot项目
$ tree -I test
.
├── pom.xml
└── src
└── main
├── java
│ └── com
│ └── example
│ └── demo
│ ├── Application.java
│ └── controller
│ └── IndexController.java
└── resources
├── application.yml
├── static
└── templates
引入Spring Security依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
完整依赖 pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.7</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
配置 application.yml
server:
port: 8080
启动类 Application.java
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
控制器 IndexController.java
package com.example.demo.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class IndexController {
@GetMapping("/")
public String index(){
return "Hello";
}
}
直接访问应用会被重定向到登录页面
http://localhost:8080/
=> 302
http://localhost:8080/login
现在使用默认的账号密码登录
- 默认的用户名:user
- 默认的密码:(控制台打印出的密码)
Using generated security password: cdd28beb-9a64-4130-be58-6bde1684476d
再次访问 http://localhost:8080/
可以看到返回结果
二、认证与授权
- 认证 authentication 用户身份
- 授权 authorization 用户权限
单体应用
微服务架构
三、Spring Security基础认证与表单认证
| 认证方式 | 有无状态 | 简介 | 应用场景 |
|---|---|---|---|
| 基础认证 | 无状态 | 不使用cookie | 对外API |
| 表单认证 | 有状态 | 使用session会话 | 网站应用 |
- 用户对象 UserDetails
- 内存存储
- 数据库存储
- 认证对象 Authentication
- HTTP基础认证
- HTTP表单认证
1、HTTP基础认证
通过HTTP请求头携带用户名和密码进行登录认证
HTTP请求头格式
# 用户名和密码的Base64编码
Authonrization: Basic Base64-encoded(username:password)
Spring Boot2.4版本以前
package com.example.demo.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// 所有请求都需要认证,认证方式:httpBasic
http.authorizeHttpRequests((auth) -> {
auth.anyRequest().authenticated();
}).httpBasic(Customizer.withDefaults());
}
}
Spring Boot2.4版本之后
package com.example.demo.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 所有请求都需要认证,认证方式:httpBasic
http.authorizeHttpRequests((auth) -> {
auth.anyRequest().authenticated();
}).httpBasic(Customizer.withDefaults());
return http.build();
}
}
发送HTTP请求
GET http://localhost:8080/
Authorization: Basic dXNlcjo2ZjRhMGY5ZS1hY2ZkLTRmNTYtYjIzNy01MTZmYmZjMTk3NGM=
可以获得响应数据
Hello
base64解码之后可以得到用户名和密码
atob('dXNlcjo2ZjRhMGY5ZS1hY2ZkLTRmNTYtYjIzNy01MTZmYmZjMTk3NGM=')
'user:6f4a0f9e-acfd-4f56-b237-516fbfc1974c'
2、HTTP表单认证
Spring Security的默认认证方式
四、Spring Security 用户与认证对象
1、用户对象
| 接口名 | 说明 |
|---|---|
| UserDetails | 用户对象 |
| GrantedAuthority | 用户权限 |
| UserDetailsService | 用户对象查询操作 |
| UserDetailsManager | 创建用户、修改用户密码 |
UserDetails 用户对象接口
package org.springframework.security.core.userdetails;
import java.io.Serializable;
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
public interface UserDetails extends Serializable {
// 获取用户权限信息
Collection<? extends GrantedAuthority> getAuthorities();
// 获取密码
java.lang.String getPassword();
// 获取用户名
java.lang.String getUsername();
// 判断账户是否失效
boolean isAccountNonExpired();
// 判断账户是否锁定
boolean isAccountNonLocked();
// 判断账户凭证信息是否已失效
boolean isCredentialsNonExpired();
// 判断账户是否可用
boolean isEnabled();
}
GrantedAuthority 用户拥有权限接口
package org.springframework.security.core;
import java.io.Serializable;
public interface GrantedAuthority extends Serializable {
// 获取权限信息
String getAuthority();
}
UserDetailsService 用户查询操作
package org.springframework.security.core.userdetails;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public interface UserDetailsService {
// 根据用户名获取用户信息
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}
UserDetailsManager 用户CRUD操作
package org.springframework.security.provisioning;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
public interface UserDetailsManager extends UserDetailsService {
// 创建用户
void createUser(UserDetails user);
// 更新用户
void updateUser(UserDetails user);
// 删除用户
void deleteUser(String username);
// 修改密码
void changePassword(String oldPassword, String newPassword);
// 判断用户是否存在
boolean userExists(String username);
}
2、认证对象
| 接口名 | 说明 |
|---|---|
| Authentication | 认证请求详细信息 |
| AuthenticationProvider | 认证的业务执行者 |
Authentication 认证请求详细信息
package org.springframework.security.core;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collection;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.context.SecurityContextHolder;
public interface Authentication extends Principal, Serializable {
// 安全主体所具有的的权限
Collection<? extends GrantedAuthority> getAuthorities();
// 证明主体有效性的凭证
Object getCredentials();
// 认证请求的明细信息
Object getDetails();
// 主体的标识信息
Object getPrincipal();
// 是否认证通过
boolean isAuthenticated();
// 设置认证结果
void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
}
AuthenticationProvider 认证的业务执行者
package org.springframework.security.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
public interface AuthenticationProvider {
// 执行认证,返回认证结果
Authentication authenticate(Authentication authentication) throws AuthenticationException;
// 判断是否支持当前的认证对象
boolean supports(Class<?> authentication);
}
五、基于MySQL自定义认证过程
1、项目结构
$ tree -I target
.
├── pom.xml
└── src
├── main
│ ├── java
│ │ └── com
│ │ └── example
│ │ └── demo
│ │ ├── Application.java
│ │ ├── controller
│ │ │ └── IndexController.java
│ │ ├── entity
│ │ │ └── User.java
│ │ ├── mapper
│ │ │ └── UserMapper.java
│ │ ├── security
│ │ │ ├── SecurityConfiguration.java
│ │ │ └── UserAuthenticationProvider.java
│ │ └── service
│ │ ├── UserService.java
│ │ └── impl
│ │ └── UserServiceImpl.java
│ └── resources
│ ├── application.yml
│ ├── sql
│ │ └── schema.sql
│ ├── static
│ └── templates
└── test
├── http
│ └── IndexController.http
└── java
└── com
└── example
└── demo
└── ApplicationTests.java
2、用户表
默认表结构的SQL路径
spring-security-core-5.7.6.jar!/org/springframework/security/core/userdetails/jdbc/users.ddl
create table users(
username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(500) not null,
enabled boolean not null
);
create table authorities (
username varchar_ignorecase(50) not null,
authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);
一般情况下,我们使用自己创建的用户表
schema.sql
-- 创建用户表
CREATE TABLE `tb_user` (
`id` int NOT NULL AUTO_INCREMENT COMMENT '主键id',
`username` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
`password` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
`nickname` varchar(32) COLLATE utf8mb4_general_ci NOT NULL DEFAULT '昵称',
`enabled` tinyint NOT NULL DEFAULT '1' COMMENT '账号可用标识',
PRIMARY KEY (`id`),
UNIQUE KEY `idx_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci COMMENT='用户表';
-- 添加初始数据
insert into `tb_user` values (1, "zhangsan", "zhangsan", "张三", 1);
insert into `tb_user` values (2, "lisi", "lisi", "李四", 1);
insert into `tb_user` values (3, "wangwu", "wangwu", "王五", 1);
3、依赖
- Spring Security
- MyBatis-Plus
- MySQL8 JDBC
- Lombok
完整依赖
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.7</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.5.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
4、数据库配置
application.yml
server:
port: 8080
# DataSource Config
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/data?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=Asia/Shanghai
username: root
password: 123456
mybatis-plus:
configuration:
# 开启SQL语句打印
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
global-config:
db-config:
# 自增主键策略
id-type: AUTO
5、SpringBoot基本框架
启动类 Application.java
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
实体类 User.java
package com.example.demo.entity;
import com.baomidou.mybatisplus.annotation.TableId;
import com.baomidou.mybatisplus.annotation.TableName;
import lombok.Data;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Arrays;
import java.util.Collection;
@Data
@TableName("tb_user")
public class User implements UserDetails {
/**
* 主键id
*/
@TableId
private Long id;
/**
* 用户名
*/
private String username;
/**
* 密码
*/
private String password;
/**
* 昵称
*/
private String nickname;
/**
* 账号可用标识
*/
private Integer enabled;
/**
* 获取用户权限信息
*
* @return
*/
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
}
/**
* 判断账户是否失效
*
* @return
*/
@Override
public boolean isAccountNonExpired() {
return true;
}
/**
* 判断账户是否锁定
*
* @return
*/
@Override
public boolean isAccountNonLocked() {
return true;
}
/**
* 判断账户凭证信息是否已失效
*
* @return
*/
@Override
public boolean isCredentialsNonExpired() {
return true;
}
/**
* 判断账户是否可用
*
* @return
*/
@Override
public boolean isEnabled() {
return this.enabled == 1;
}
}
UserMapper.java
package com.example.demo.mapper;
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.example.demo.entity.User;
import org.apache.ibatis.annotations.Mapper;
@Mapper
public interface UserMapper extends BaseMapper<User> {
}
UserService.java
package com.example.demo.service;
import com.baomidou.mybatisplus.extension.service.IService;
import com.example.demo.entity.User;
public interface UserService extends IService<User> {
}
UserServiceImpl.java
package com.example.demo.service.impl;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.example.demo.entity.User;
import com.example.demo.mapper.UserMapper;
import com.example.demo.service.UserService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Service
@Slf4j
public class UserServiceImpl
extends ServiceImpl<UserMapper, User>
implements UserService, UserDetailsService {
/**
* 根据用户名获取用户信息
* @param username
* @return UserDetails
* @throws UsernameNotFoundException
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
LambdaQueryWrapper<User> queryWrapper = new LambdaQueryWrapper<>();
queryWrapper.eq(User::getUsername, username);
User user = super.getOne(queryWrapper);
if(user == null){
log.error("Access Denied, user not found:" + username);
throw new UsernameNotFoundException("user not found:" + username);
}
return user;
}
}
IndexController.java
package com.example.demo.controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class IndexController {
@GetMapping("/hello")
public String hello(){
return "Hello";
}
}
6、自动定义Spring Security
SecurityConfiguration.java
package com.example.demo.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfiguration {
/**
* 基于基础认证模式
* @param http
* @return
* @throws Exception
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 所有请求都需要认证,认证方式:httpBasic
http.authorizeHttpRequests((auth) -> {
auth.anyRequest().authenticated();
}).httpBasic(Customizer.withDefaults());
return http.build();
}
}
UserAuthenticationProvider.java
package com.example.demo.security;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;
@Component
@Slf4j
public class UserAuthenticationProvider implements AuthenticationProvider {
@Autowired
private UserDetailsService userService;
/**
* 自己实现认证过程
*
* @param authentication
* @return
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// 从Authentication 对象中获取用户名和密码
String username = authentication.getName();
String password = authentication.getCredentials().toString();
UserDetails user = userService.loadUserByUsername(username);
if (password.equals(user.getPassword())) {
// 密码匹配成功
log.info("Access Success: " + user);
return new UsernamePasswordAuthenticationToken(username, password, user.getAuthorities());
} else {
// 密码匹配失败
log.error("Access Denied: The username or password is wrong!");
throw new BadCredentialsException("The username or password is wrong!");
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
7、接口测试
IndexController.http
###
# 不提供认证信息
GET http://localhost:8080/hello
###
# 提供错误的认证信息
GET http://localhost:8080/hello
Authorization: Basic dXNlcjo2YzVlMTUyOS1kMTc2LTRkYjItYmZlMy0zZTIzOTNlMjY2MTk=
###
# 提供正确的认证信息
GET http://localhost:8080/hello
Authorization: Basic emhhbmdzYW46emhhbmdzYW4=
###
六、使用PasswordEncoder加密密码
PasswordEncoder接口
package org.springframework.security.crypto.password;
public interface PasswordEncoder {
// 对原始密码编码
String encode(CharSequence rawPassword);
// 密码比对
boolean matches(CharSequence rawPassword, String encodedPassword);
// 判断加密密码是否需要再次加密
default boolean upgradeEncoding(String encodedPassword) {
return false;
}
}
常见的实现类
| 实现类 | 说明 |
|---|---|
| NoOpPasswordEncoder | 明文存储,仅用于测试 |
| StandardPasswordEncoder | SHA-256算法(已过期) |
| BCryptPasswordEncoder | bcrypt算法 |
| Pbkdf2PasswordEncoder | Pbkdf2算法 |
Bcrypt算法简介
例如:
package com.example.demo;
import org.junit.jupiter.api.Test;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
public class BCryptPasswordEncoderTest {
@Test
public void encode(){
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
String encode = bCryptPasswordEncoder.encode("123456");
System.out.println(encode);
}
}
输出
$2a$10$lKqmIKbEPNDx/RXssgN6POgb8YssAK7pVtMFDosmC8FxozUgQq58K
解释
$是分隔符
2a表示Bcrypt算法版本
10表示算法强度
中间22位表示盐值
中间面的位数表示加密后的文本
总长度60位
使用Bcrypt算法加密密码后的数据
-- 建表
CREATE TABLE `tb_user` (
`id` int NOT NULL AUTO_INCREMENT COMMENT '主键id',
`username` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '用户名',
`password` varchar(255) COLLATE utf8mb4_general_ci NOT NULL COMMENT '密码',
`nickname` varchar(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NOT NULL DEFAULT '' COMMENT '昵称',
`enabled` tinyint NOT NULL DEFAULT '1' COMMENT '账号可用标识',
PRIMARY KEY (`id`),
UNIQUE KEY `idx_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci COMMENT='用户表';
-- 数据
INSERT INTO `tb_user` VALUES (1, 'zhangsan', '$2a$10$/1XHgJYXtF4g/AiR41si8uvVC6Zc.Z9xVmXX4hO2z.b4.DX.H2j5W', '张三', 1);
INSERT INTO `tb_user` VALUES (2, 'lisi', '$2a$10$PEcF03ina7x9mmt2VbB0ueVkLZWQo/yoKOfvfQpoL09/faBlNuuZ.', '李四', 1);
INSERT INTO `tb_user` VALUES (3, 'wangwu', '$2a$10$PMumxkwwrELTbNDXCj0N4.jD/e/Hv.JiiZTFkdFqlDNLU2TahdYNq', '王五', 1);
UserAuthenticationProvider实现类替换如下
package com.example.demo.security;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
@Component
@Slf4j
public class UserAuthenticationProvider implements AuthenticationProvider {
@Autowired
private UserDetailsService userService;
// 密码加密
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
/**
* 自己实现认证过程
*
* @param authentication
* @return
* @throws AuthenticationException
*/
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// 从Authentication 对象中获取用户名和密码
String username = authentication.getName();
String password = authentication.getCredentials().toString();
UserDetails user = userService.loadUserByUsername(username);
// 替换密码比对方式
// if (password.equals(user.getPassword())) {
if (this.passwordEncoder().matches(password, user.getPassword())) {
// 密码匹配成功
log.info("Access Success: " + user);
return new UsernamePasswordAuthenticationToken(username, password, user.getAuthorities());
} else {
// 密码匹配失败
log.error("Access Denied: The username or password is wrong!");
throw new BadCredentialsException("The username or password is wrong!");
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
七、Session会话控制
修改配置类SecurityConfiguration
package com.example.demo.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityConfiguration {
/**
* 基于基础认证模式
* @param http
* @return
* @throws Exception
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 禁用session会话
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 所有请求都需要认证,认证方式:httpBasic
http.authorizeHttpRequests((auth) -> {
auth.anyRequest().authenticated();
}).httpBasic(Customizer.withDefaults());
return http.build();
}
}
八、基于表单模式实现自定义认证
SecurityFormConfiguration 配置类
package com.example.demo.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
public class SecurityFormConfiguration {
/**
* 基于表单认证模式
* @param http
* @return
* @throws Exception
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 启用session会话
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
// 认证方式:Form
http.authorizeRequests()
// 所有请求都需要认证
.anyRequest().authenticated()
.and()
// 启动表单认证模式
.formLogin()
// 登录页面
.loginPage("/login.html")
// 请求提交地址
.loginProcessingUrl("/login")
// 放行上面的两个地址
.permitAll()
// 设置提交的参数名
.usernameParameter("username")
.passwordParameter("password")
.and()
// 开始设置注销功能
.logout()
// 注销的url
.logoutUrl("/logout")
// session直接过期
.invalidateHttpSession(true)
// 清除认证信息
.clearAuthentication(true)
// 注销成功后跳转地址
.logoutSuccessUrl("/login.html")
.and()
// 禁用csrf安全防护
.csrf().disable();
return http.build();
}
}
登录页面 static/login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
</head>
<body>
<h2>Login</h2>
<form action="/login" method="post">
<div><label>username:<input type="text" name="username"></label></div>
<div><label>password:<input type="password" name="password"></label></div>
<div><input type="submit"></div>
</form>
</body>
</html>
显示效果
学习资料
- IT老齐的Spring Security实战课
- 完整代码: https://github.com/mouday/spring-boot-demo/tree/master/SpringBoot-Security-Basic-Form
