devbox
笔触狂放9
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

SpringBoot3配置SpringSecurity6_spring boot 3.0 security

作者:笔触狂放9 | 2024-05-20 23:07:49

spring boot 3.0 security

访问1:localhost:8080/security,返回:需要先认证才能访问(说明没有权限)

访问2:localhost:8080/anonymous,返回:anonymous(说明正常访问)


 

相关文件如下:

pom.xml:

  1.    <parent>
  2.         <groupId>org.springframework.boot</groupId>
  3.         <artifactId>spring-boot-starter-parent</artifactId>
  4.         <version>3.2.4</version>
  5.         <relativePath/> <!-- lookup parent from repository -->
  6.     </parent>
  7.  
  8.  
  9.  <dependency>
  10.             <groupId>org.springframework.boot</groupId>
  11.             <artifactId>spring-boot-starter-security</artifactId>
  12.         </dependency>
  13.  
  14.         <dependency>
  15.             <groupId>cn.hutool</groupId>
  16.             <artifactId>hutool-all</artifactId>
  17.             <version>5.8.18</version>
  18.         </dependency>

 WebSecurityConfiguration:

  1.  
  2.  
  3. /**
  4.  * Spring Security 配置项
  5.  */
  6. @Configuration
  7. @EnableWebSecurity
  8. @EnableMethodSecurity
  9. @EnableGlobalAuthentication
  10. public class WebSecurityConfiguration {
  11.  
  12.     @Autowired
  13.     private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
  14.  
  15.     @Autowired
  16.     private RestAuthenticationEntryPoint restAuthenticationEntryPoint;
  17.  
  18.     @Autowired
  19.     private RestAccessDeniedHandler restAccessDeniedHandler;
  20.  
  21.     private UserDetailsService userDetailsService;
  22.  
  23.     @Autowired
  24.     private ApplicationContext applicationContext;
  25.  
  26.  
  27.     @Bean
  28.     public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
  29.  
  30.         // 搜寻 匿名标记 url: PreAuthorize("hasAnyRole('anonymous')") 和 PreAuthorize("@tsp.check('anonymous')") 和 AnonymousAccess
  31.         Map<RequestMappingInfo, HandlerMethod> handlerMethodMap = applicationContext.getBean(RequestMappingHandlerMapping.class).getHandlerMethods();
  32.         Set<String> anonymousUrls = new HashSet<>();
  33.         for (Map.Entry<RequestMappingInfo, HandlerMethod> infoEntry : handlerMethodMap.entrySet()) {
  34.             HandlerMethod handlerMethod = infoEntry.getValue();
  35.             AnonymousAccess anonymousAccess = handlerMethod.getMethodAnnotation(AnonymousAccess.class);
  36.             PreAuthorize preAuthorize = handlerMethod.getMethodAnnotation(PreAuthorize.class);
  37.             PathPatternsRequestCondition pathPatternsCondition = infoEntry.getKey().getPathPatternsCondition();
  38.             Set<String> patternList = new HashSet<>();
  39.             if (null != pathPatternsCondition){
  40.                 Set<PathPattern> patterns = pathPatternsCondition.getPatterns();
  41.                 for (PathPattern pattern : patterns) {
  42.                     patternList.add(pattern.getPatternString());
  43.                 }
  44.             }
  45.             if (null != preAuthorize && preAuthorize.value().toLowerCase().contains("anonymous")) {
  46.                 anonymousUrls.addAll(patternList);
  47.             } else if (null != anonymousAccess && null == preAuthorize) {
  48.                 anonymousUrls.addAll(patternList);
  49.             }
  50.         }
  51.  
  52.         httpSecurity
  53.                 // 禁用basic明文验证
  54.                 .httpBasic(it -> it.disable())
  55.                 // 前后端分离架构不需要csrf保护
  56.                 .csrf(it -> it.disable())
  57.                 // 禁用默认登录页
  58.                 .formLogin(it -> it.disable())
  59.                 // 禁用默认登出页
  60.                 .logout(it -> it.disable())
  61.                 // 设置异常的EntryPoint,如果不设置,默认使用Http403ForbiddenEntryPoint
  62.                 .exceptionHandling(exceptions -> {
  63.                     // 401
  64.                     exceptions.authenticationEntryPoint(restAuthenticationEntryPoint);
  65.                     // 403
  66.                     exceptions.accessDeniedHandler(restAccessDeniedHandler);
  67.                 })
  68.                 // 前后端分离是无状态的,不需要session了,直接禁用。
  69.                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
  70.                 .authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
  71.                         // 允许匿名访问
  72.                         .requestMatchers(anonymousUrls.toArray(new String[0])).permitAll()
  73.                         // 允许所有OPTIONS请求
  74.                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
  75.                         // 允许 SpringMVC 的默认错误地址匿名访问
  76.                         .requestMatchers("/error").permitAll()
  77.                         // 允许任意请求被已登录用户访问,不检查Authority
  78.                         .anyRequest().authenticated())
  79.                 .authenticationProvider(authenticationProvider())
  80.                 // 加我们自定义的过滤器,替代UsernamePasswordAuthenticationFilter
  81.                 .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
  82.  
  83.         return httpSecurity.build();
  84.     }
  85.  
  86.  
  87.  
  88.     @Bean
  89.     public CorsFilter corsFilter() {
  90.         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  91.         CorsConfiguration config = new CorsConfiguration();
  92.         // 允许所有域名进行跨域调用
  93.         config.addAllowedOrigin("*");
  94.         // 放行全部原始头信息
  95.         config.addAllowedHeader("*");
  96.         // 允许所有请求方法跨域调用
  97.         config.addAllowedMethod("OPTIONS");
  98.         config.addAllowedMethod("GET");
  99.         config.addAllowedMethod("POST");
  100.         config.addAllowedMethod("PUT");
  101.         config.addAllowedMethod("DELETE");
  102.         source.registerCorsConfiguration("/**", config);
  103.         return new CorsFilter(source);
  104.  
  105.     }
  106.     @Bean
  107.     public UserDetailsService userDetailsService() {
  108.         return username -> userDetailsService.loadUserByUsername(username);
  109.     }
  110.  
  111.     @Bean
  112.     public PasswordEncoder passwordEncoder() {
  113.         return new BCryptPasswordEncoder();
  114.     }
  115.  
  116.     @Bean
  117.     public AuthenticationProvider authenticationProvider() {
  118.         DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
  119.         authProvider.setUserDetailsService(userDetailsService());
  120.         // 设置密码编辑器
  121.         authProvider.setPasswordEncoder(passwordEncoder());
  122.         return authProvider;
  123.     }
  124.  
  125. }

JwtAuthenticationTokenFilter
  1.  
  2.  
  3. /**
  4.  * JWT登录授权过滤器
  5.  */
  6.  
  7. @Component
  8. public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
  9.  
  10.     @Override
  11.     protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response,
  12.                                     @NonNull FilterChain chain) throws ServletException, IOException {
  13.         String authorization = request.getHeader("Authorization");
  14.         response.setCharacterEncoding("utf-8");
  15.         if (null == authorization){
  16.             // 没有token
  17.             chain.doFilter(request, response);
  18.             return;
  19.         }
  20.         try{
  21.             if (!authorization.startsWith("Bearer ")){
  22.                 // token格式不正确
  23.                 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "token格式不正确");
  24.                 return;
  25.             }
  26.             boolean verify = MyJWTUtil.verify(authorization);
  27.             if(!verify){
  28.                 // token格式不正确
  29.                 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "token验证失败");
  30.                 return;
  31.             }
  32.         }catch (Exception e){
  33.             // token格式不正确
  34.             response.sendError(HttpServletResponse.SC_BAD_REQUEST, "token验证失败");
  35.             return;
  36.         }
  37.         JWT jwt = MyJWTUtil.parseToken(authorization);
  38.         Object uid = jwt.getPayload("uid");
  39.         
  40.         // todo 解析JWT获取用户信息
  41.         LoginUser loginUser = new LoginUser();
  42.  
  43.         UsernamePasswordAuthenticationToken authenticationToken =
  44.                 new UsernamePasswordAuthenticationToken(loginUser,null,null);
  45.         SecurityContextHolder.getContext().setAuthentication(authenticationToken);
  46.  
  47.         chain.doFilter(request, response);
  48.     }
  49.  
  50. }
RestAuthenticationEntryPoint:
  1.  
  2.  
  3.  
  4. /**
  5.  * 认证失败处理类
  6.  */
  7.  
  8. @Component
  9. public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
  10.  
  11.     @Override
  12.     public void commence(HttpServletRequest request, HttpServletResponse response,
  13.                          AuthenticationException authException) throws IOException {
  14.         response.setHeader("Access-Control-Allow-Origin", "*");
  15.         response.setHeader("Cache-Control", "no-cache");
  16.         response.setContentType("application/json");
  17.         response.setCharacterEncoding("UTF-8");
  18.         response.setStatus(HttpStatus.UNAUTHORIZED.value());
  19.         response.getWriter().println(authException == null? "Unauthorized" : "需要先认证才能访问");
  20.         response.getWriter().flush();
  21.  
  22.     }
  23.  
  24. }
RestAccessDeniedHandler:
  1.  
  2.  
  3. /**
  4.  * 自定义无权访问处理类
  5.  */
  6. @Component
  7. public class RestAccessDeniedHandler implements AccessDeniedHandler {
  8.  
  9.     @Override
  10.     public void handle(HttpServletRequest request, HttpServletResponse response,
  11.                        AccessDeniedException accessDeniedException) throws IOException {
  12.         response.setHeader("Access-Control-Allow-Origin", "*");
  13.         response.setHeader("Cache-Control", "no-cache");
  14.         response.setContentType("application/json");
  15.         response.setCharacterEncoding("UTF-8");
  16.         response.setStatus(HttpStatus.FORBIDDEN.value());
  17. //        response.getWriter()
  18. //                .println(accessDeniedException==null?"AccessDenied":accessDeniedException.getMessage());
  19.         response.getWriter().println(accessDeniedException == null? "AccessDenied" : "没有访问权限");
  20.         response.getWriter().flush();
  21.     }
  22.  
  23. }
AnonymousAccess:
  1.  
  2.  
  3. /**
  4.  * 用于标记匿名访问方法
  5.  */
  6. @Target(ElementType.METHOD)
  7. @Retention(RetentionPolicy.RUNTIME)
  8. public @interface AnonymousAccess {
  9.  
  10. }
MyJWTUtil:
  1.  
  2.  
  3. /**
  4.  * JWT工具类
  5.  */
  6. public class MyJWTUtil extends JWTUtil {
  7.  
  8.  
  9.     /**
  10.      * 解析JWT Token
  11.      *
  12.      * @param token token
  13.      * @return {@link JWT}
  14.      */
  15.     public static boolean verify(String token) {
  16.         return verify(token, "LOGIN_TOKEN_KEY_20240410".getBytes());
  17.     }
  18.  
  19.     /**
  20.      * 解析JWT Token
  21.      *
  22.      * @param token token
  23.      * @return {@link JWT}
  24.      */
  25.     public static boolean verify(String token, byte[] key) {
  26.         if(StrUtil.isNotEmpty(token)){
  27.             if(token.startsWith("Bearer ")){
  28.                 token = token.split("Bearer ")[1].trim();
  29.             }
  30.         }
  31.         return JWT.of(token).setKey(key).verify();
  32.     }
  33.  
  34.     /**
  35.      * 解析JWT Token
  36.      *
  37.      * @param token token
  38.      * @return {@link JWT}
  39.      */
  40.     public static JWT parseToken(String token) {
  41.         if(StrUtil.isNotEmpty(token)){
  42.             if(token.startsWith("Bearer ")){
  43.                 token = token.split("Bearer ")[1].trim();
  44.             }
  45.         }
  46.         return JWT.of(token);
  47.     }
  48.  
  49.     public static String getToken(HttpServletRequest request) {
  50.         final String requestHeader = request.getHeader("Authorization");
  51.         if (requestHeader != null && requestHeader.startsWith("Bearer ")) {
  52.             return requestHeader.substring(7);
  53.         }
  54.         return null;
  55.     }
  56.  
  57.     public static String createToken(String userId) {
  58.         Map<String, Object> payload = new HashMap<>(4);
  59.         payload.put("uid", userId);
  60.         payload.put("expire_time", System.currentTimeMillis() + 1000 * 60 * 60 * 8);
  61.         return createToken(payload, "LOGIN_TOKEN_KEY_20240410".getBytes());
  62.     }
  63. }

DemoController:
  1.  
  2.  
  3. @RestController
  4. public class DemoController {
  5.  
  6.  
  7.     @GetMapping("anonymous")
  8.     @AnonymousAccess
  9.     public String loadCondition() {
  10.         return "anonymous";
  11.     }
  12.  
  13.     @GetMapping("security")
  14.     public String security() {
  15.         return "security";
  16.     }
  17.  
  18. }

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/599792
推荐阅读