Spring-security在SpringMvc中的使用_securitywebfiltersorder.authentication的值

作者：我家小花儿 | 2024-02-08 11:37:47

踩

securitywebfiltersorder.authentication的值

  Spring-security是spring中的校验流程，有SpringMVC配置和SpringFlux配置两种模式，关于使用方式，我们在这里说下 

1、SpirngMVC中的Security配置

  在SpirngMVC中的Security配置，我们需要有一个类继承WebSecurityConfigurerAdapter类，在里面可以配置自己需要的bean和拦截属性，更多详细介绍请看官方文档，这里只是简单做下介绍 


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
    @Bean
    public UsernamePasswordAuthFilter usernamePasswordAuthFilter() {
        return new UsernamePasswordAuthFilter(this.getApplicationContext());
    }
 
    @Bean
    public Oauth2LoginAuthenticationFilter Oauth2LoginAuthenticationFilter() {
        return new Oauth2LoginAuthenticationFilter(this.getApplicationContext());
    }
 
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
//                .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                // 对于获取token的rest api要允许匿名访问
                .antMatchers("/auth_center/auth/**").permitAll()
                .antMatchers("/auth_center/oauth2/**").permitAll()
                .antMatchers("/auth_center/druid/**").permitAll()
                .antMatchers(HttpMethod.GET, "/").permitAll()
                .antMatchers(HttpMethod.HEAD).permitAll()
                // 除上面外的所有请求全部需要鉴权认证
                .anyRequest().authenticated().and().formLogin().disable()
                .httpBasic().disable()
                .openidLogin().disable()
                .logout().disable()
                .rememberMe().disable()
 
                // 由于使用的是JWT，我们这里不需要csrf
                .csrf().disable()
                // 基于token，所以不需要session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
 
        //http.addFilterBefore(userCenterFilterSecurityInterceptor, FilterSecurityInterceptor.class);
        // 添加JWT filter
        http.addFilterAt(usernamePasswordAuthFilter(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterAt(Oauth2LoginAuthenticationFilter(), OAuth2LoginAuthenticationFilter.class);
 
        // 禁用缓存
        http.headers().cacheControl();
 
 
    }
}

2、Spring-security关于在WebFlux项目中的配置

Spring-security关于在WebFlux项目中的配置，与在SpringMVC中的注解是不同的，为@EnableWebFluxSecurity，使用方式如下，可以自己配置Filter和权限属性：


@EnableWebFluxSecurity
public class WebfluxSecurityConfig {
/**  **/
    @Autowired
    private AuthReactiveAuthenticationManager reactiveAuthenticationManager;
    @Autowired
    private ServerHttpAuthenticationConverter serverHttpAuthenticationConverter;
    @Autowired
    public RequiresServerWebExchangeMatcher serverWebExchangeMatcher;
 
    @Resource(name="delegatingAuthorizationManager")
    public DelegatingReactiveAuthorizationManager delegatingAuthorizationManager;
 
    @Bean
    public ServerAuthenticationFailureHandler serverAuthenticationFailureHandler(){
        return new ServerAuthenticationEntryPointFailureHandler(serverAuthenticationEntryPoint());
    }
    @Bean
    public ServerAuthenticationEntryPoint serverAuthenticationEntryPoint(){
        return new RestServerAuthenticationEntryPoint();
    }
 
    /**
     * 身份认证
     * @return
     */
    public AuthenticationWebFilter authenticationWebFilter(){
        AuthenticationWebFilter authenticationWebFilter= new AuthenticationWebFilter(reactiveAuthenticationManager);
        authenticationWebFilter.setRequiresAuthenticationMatcher(serverWebExchangeMatcher);
        authenticationWebFilter.setAuthenticationConverter(serverHttpAuthenticationConverter);
        authenticationWebFilter.setAuthenticationFailureHandler(serverAuthenticationFailureHandler());
        return authenticationWebFilter;
    }
 
    /**
     * 访问授权
     * @return
     */
    public AuthorizationWebFilter authorizationWebFilter(){
        return new AuthorizationWebFilter(delegatingAuthorizationManager);
    }
 
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 
        http.authorizeExchange()
                .anyExchange().authenticated()
                .and().csrf().disable()
                .httpBasic().disable()
                .formLogin().disable()
                .logout().disable()
                .requestCache().disable();
        http.addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.FORM_LOGIN);
        http.addFilterAt(authorizationWebFilter(),SecurityWebFiltersOrder.AUTHENTICATION);
        return http.build();
    }
 
}

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/我家小花儿/article/detail/68915