手擼一個springsecurity,瞭解一下security原理
轉載自:www.javaman.cn 手擼一個springsecurity,瞭解一下security原理
今天手擼一個簡易版本的springsecurity,帶大家理解下springsecurity的原理:
安全框架的兩個特點就是認證和授權,讓我們來通過程式碼瞭解下認證和授權的處理方式:
1、認證
認證就是指需要登入才能進行系統操作,如:登入qq、微信或者是web系統的登入都是認證的過程
1.1 工程目錄
1.2 maven配置pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.3</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.dashi</groupId>
<artifactId>security</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>security</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
1.3 application.yml
spring:
mvc:
view:
prefix: /
suffix: .html
1.4 建立User,模擬springsecurity的使用者資訊的核心介面UserDetails
import lombok.AllArgsConstructor;
import lombok.Data;
@Data
@AllArgsConstructor
public class User {
private Integer id;
private String username;
private String password;
}
1.5 建立AuthenticationService,模擬springsecurity的UserDetailsService核心介面
public interface AuthenticationService {
public User authentication(AuthenticationRequest authenticationRequest);
}
1.6 實現AuthenticationService,模擬實現UserDetailsService的過程
@Service
public class AuthenticationServiceImpl implements AuthenticationService {
private Map<String,User> users = new HashMap<String,User>();
@Override
public User authentication(AuthenticationRequest authenticationRequest) {
if(authenticationRequest == null||"".equals(authenticationRequest.getUsername())||"".equals(authenticationRequest.getPassword())){
throw new RuntimeException("使用者名稱或密碼為空");
}
User user = users.get(authenticationRequest.getUsername());
if(user == null){
throw new RuntimeException("使用者不存在");
}
if(!user.getPassword().equals(authenticationRequest.getPassword())){
throw new RuntimeException("密碼不正確");
}
return user; //模擬實現UserDetailS的User
}
public User getUser(String username){
return users.get(username);
}
//建立兩個賬戶,模擬管理員和普通的來賓使用者
{
users.put("admin",new User(1,"admin","123")); //管理員
users.put("guest",new User(2,"guest","111")); //來賓賬戶
}
}
1.7 接收請求引數封裝物件
@Data
public class AuthenticationRequest {
private String username;
private String password;
}
1.8 登入Controller,對/login請求處理,它呼叫AuthenticationService完成認證並返回登入結果提示資訊
@Controller
public class LoginController {
@Autowired
private AuthenticationService authenticationService;
@GetMapping("/login")
public String login(){
return "login";
}
@PostMapping(value = "/login",produces = {"text/plain;charset=UTF-8"})
public String login(AuthenticationRequest authenticationRequest, Model model){
System.out.println("111"+authenticationRequest);
User user = authenticationService.authentication(authenticationRequest);
String loginMsg = user.getUsername()+"登入成功";
System.out.println(loginMsg);
model.addAttribute("loginMsg",loginMsg);
return "loginsuccess";
}
}
1.9 認證頁面
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>登入</title>
</head>
<body>
<form action="/login" method="post">
使用者名稱:<input type="text" name="username"><br>
密碼:<input type="password" name="password"><br>
<input type="submit" value="登入1">
</form>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<title>Title</title>
</head>
<body>
<h1 th:text="${loginMsg}"></h1>
</body>
</html>
1.10 認證成功後列印登入成功
1)登入介面如下
2)密碼錯誤介面
3)登入成功介面
2、授權
授權就是控制什麼樣的使用者或者角色訪問什麼功能,例如:管理員可以訪問全部功能,guest普通使用者只能訪問某一個選單或者功能
2.1 User增加許可權authorities和session
package com.dashi.security.model;
import lombok.AllArgsConstructor;
import lombok.Data;
import java.util.Set;
@Data
@AllArgsConstructor
public class User {
private Integer id;
private String username;
private String password;
//登入使用者,增加登入使用者session
public static final String LOGIN_USER = "user";
/**
* 使用者許可權
*/
private Set<String> authorities;
}
2.2 使用者增加角色authorities
import com.dashi.security.model.AuthenticationRequest;
import com.dashi.security.model.User;
import com.dashi.security.service.AuthenticationService;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@Service
public class AuthenticationServiceImpl implements AuthenticationService {
private Map<String,User> users = new HashMap<String,User>();
@Override
public User authentication(AuthenticationRequest authenticationRequest) {
if(authenticationRequest == null||"".equals(authenticationRequest.getUsername())||"".equals(authenticationRequest.getPassword())){
throw new RuntimeException("使用者名稱或密碼為空");
}
User user = users.get(authenticationRequest.getUsername());
if(user == null){
throw new RuntimeException("使用者不存在");
}
if(!user.getPassword().equals(authenticationRequest.getPassword())){
throw new RuntimeException("密碼不正確");
}
return user;
}
public User getUser(String username){
return users.get(username);
}
{
//增加管理員許可權
Set<String> authorities1 = new HashSet<>();
authorities1.add("admin");
//增加來賓許可權
Set<String> authorities2 = new HashSet<>();
authorities2.add("guest");
users.put("admin",new User(1,"admin","123",authorities1));
users.put("guest",new User(2,"guest","111",authorities2));
}
}
2.3登入成功後,將使用者放到session中
import com.dashi.security.model.AuthenticationRequest;
import com.dashi.security.model.User;
import com.dashi.security.service.AuthenticationService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpSession;
@Controller
public class LoginController {
@Autowired
private AuthenticationService authenticationService;
@GetMapping("/login")
public String login(){
return "login";
}
@PostMapping(value = "/login",produces = {"text/plain;charset=UTF-8"})
public String login(AuthenticationRequest authenticationRequest, Model model, HttpSession session){
System.out.println("111"+authenticationRequest);
User user = authenticationService.authentication(authenticationRequest);
session.setAttribute(User.LOGIN_USER,user);
String loginMsg = user.getUsername()+"登入成功";
System.out.println(loginMsg);
model.addAttribute("loginMsg",loginMsg);
return "loginsuccess";
}
}
2.4 增加Springboot攔截器配置,判斷是admin使用者,可以訪問所有資源resource1和resource2,如果是guest使用者只允許訪問resource2資源
import com.dashi.security.model.User;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
@Component
public class MyAuthenInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
Object object = request.getSession().getAttribute(User.LOGIN_USER);
System.out.println("object = " + object);
if(object == null){
writeContent(response,"請登入");
}
//獲取請求的url
String requestURI = request.getRequestURI();
User user = (User)object;
if(user.getAuthorities().contains("admin") && requestURI.contains("/resource1") || requestURI.contains("/resource2")){
writeContent(response,user.getUsername()+"訪問:"+requestURI+"訪問成功!");
return true;
}
if(user.getAuthorities().contains("guest") && requestURI.contains("/resource2")){
writeContent(response,user.getUsername()+"訪問:"+requestURI+"訪問成功!");
return true;
}
writeContent(response,"許可權不足!");
return false;
}
private void writeContent(HttpServletResponse response,String msg) throws IOException {
response.setContentType("text/html;charset=utf-8");
PrintWriter printWriter = response.getWriter();
printWriter.write(msg);
printWriter.close();
response.resetBuffer();
}
}
2.5 攔截器進行請求攔截,攔截/resource/**請求
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class LoginConfig implements WebMvcConfigurer {
@Autowired
private MyAuthenInterceptor myAuthenInterceptor;
public void addInterceptors(InterceptorRegistry registry){
registry.addInterceptor(myAuthenInterceptor).addPathPatterns("/resource/**");
}
}
2.6 授權測試介面如下:
1)登入成功後設定resource1和resource2訪問功能
2)admin使用者訪問資源1和資源2
3)guest使用者只能訪問資源2,不能訪問資源1
2.7 實現了springsecurity的認證和授權
1、 認證功能:
loginPage("/login.html")即為認證
2、 授權功能:
.antMatchers("/resource/resource1").hasAuthority(“admin”)
.antMatchers("/resource/resource2").hasAuthority(“admin”)
.antMatchers("/resource/resource2").hasAuthority(“guest”)
@Override
protected void configure(HttpSecurity http) throws Exception {
//以下五步是表單登入進行身份認證最簡單的登入環境
http.formLogin() //表單登陸
.loginPage("/login.html") //指定登陸頁面
.loginProcessingUrl("/authentication/form")//登陸頁面提交的頁面 開始使用UsernamePasswordAuthenticationFilter過濾器處理請求
.and() //
.authorizeRequests() //下面的都是授權的配置
.antMatchers("/resource/resource1").hasAuthority("admin")
.antMatchers("/resource/resource2").hasAuthority("admin") .antMatchers("/resource/resource2").hasAuthority("guest")
.and()
.csrf().disable();//關閉跨站請求偽造攻擊攔截