您的位置:上海毫米网络优化公司 > 网站优化分享 >
相关推荐recommended
- iSH使用与优化全网整合教程【持续更新】【精华】
- 14.网络爬虫—数据提取2-正则表达式规则详讲
- nginx输出日志配置与查看
- IntelliJ IDEA 2024.1安装与激活[破解]
- 用Python手把手教你实现一个爬虫(含前端界面)
- 【Review+预测】测试架构演进的曲折之路
- Mac清理软件cleanmymac x4.14.4破解版,2024年有
- Golang入门基础
- Gitlab CICD 自动化打包部署前端(vue)项目
- springboot + vue 前后端加密传输 RSA互相加解密、加
- Spring Boot如何彻底解决跨域问题,五种方案来看看吧
- 23、Lua 学习笔记之一(初阶话题)
- Java实战:Spring Boot集成Swagger3
- 【粉丝福利社】 Node.js从入门到精通(软件开发视频大讲堂)(文末
- 基于springboot的酒店管理系统论文
- vanna:基于RAG的text2sql框架
- 2024年第十七届 认证杯 网络挑战赛 (D题)| AI图片判断 |
- 23 | 负载均衡:选择Nginx还是OpenResty?
- 【数据库】数据库的介绍、分类、作用和特点,AI人工智能数据如何存储
- 新零售门店、商品、会员管理指标体系总览
- spring boot相关漏洞之零散笔记
- Nginx + Lua 程序脚本开发的一些配置基础及代码示例 以及 使
- 【mysql】mysql命令使用大全,你想要的都在这里
- 云计算——ACA学习 阿里云云计算服务概述
- org.springframework.boot.web.server
- error @achrinzanode-ipc@9.2.5: The
- 分割一切?手把手教你部署SAM+LabelStudio实现自动标注
- 毕业设计——基于网络爬虫的电影数据可视化分析系统的设计与实现(综述+爬
- 链表基础知识详解(非常详细简单易懂)
- 前端(四)——vue.js、vue、vue2、vue3
【工作记录】基于springboot3+springsecurity6实现多种登录方式(一)
作者:mmseoamin日期:2024-03-20
前言
springboot3已经推出有一段时间了,近期公司里面的小项目使用的都是springboot3版本的,安全框架还是以springsecurity为主,毕竟亲生的。
本文针对基于springboot3和springsecurity实现用户登录认证访问以及异常处理做个记录总结,也希望能帮助到需要的朋友。
目标
- 需要提供登录接口,支持用户名+密码和手机号+验证码两种方式,当然后续可以根据实际需要进行扩展
- 登录成功后返回一个token用于后续接口访问凭证
- 请求时如果是需要校验认证的接口没有传递指定请求头返回401
- 请求时如果用户权限不足,返回403
- 如果认证通过且权限满足,正常返回数据
准备工作
1. 新建项目
pom.xml (供参考)
4.0.0 com.zjtx.tech.security security_demo 1.0-SNAPSHOT org.springframework.boot spring-boot-starter-parent 3.1.2 20 20 UTF-8 org.springframework.boot spring-boot-starter-web org.springframework.boot spring-boot-starter-security org.projectlombok lombok
相对来说比较简单:
- 引入了spring-boot-starter-web
- 引入了spring-boot-starter-security
- 引入了lombok
注意:
- springboot3要求使用的jdk版本在17+,本文使用的是openjdk20版本,springboot使用的是3.1.2版本。
- 我们第一个版本先采用模拟数据实现功能,后续再补充实际逻辑,再根据需要调整pom文件
2. 准备基础类
主要包含统一响应、统一异常处理、自定义异常类等。
统一响应类-Result.java
package com.zjtx.tech.security.demo.common; import java.io.Serial; import java.io.Serializable; public class Resultimplements Serializable { @Serial private static final long serialVersionUID = 1L; // 状态码 private int code; // 消息描述 private String msg; // 数据内容 private T data; public Result() {} public Result(int code, String msg, T data) { this.code = code; this.msg = msg; this.data = data; } // 成功响应构造器 public static Result ok(T data) { return new Result<>(200, "success", data); } // 失败响应构造器 public static Result fail(int code, String msg) { return new Result<>(code, msg, null); } // 错误响应构造器 public static Result error(String errorMessage) { return new Result<>(500, errorMessage, null); } // getters and setters public int getCode() { return code; } public void setCode(int code) { this.code = code; } public String getMsg() { return msg; } public void setMsg(String msg) { this.msg = msg; } public T getData() { return data; } public void setData(T data) { this.data = data; } }
JSON转换工具类-JsonUtil.java
package com.zjtx.tech.security.demo.util;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;
public class JsonUtil {
private static final ObjectMapper objectMapper = new ObjectMapper();
/**
* 将Java对象转换为JSON字符串
* @param obj 需要转换的Java对象
* @return JSON格式的字符串
*/
public static String toJson(Object obj) {
try {
return objectMapper.writeValueAsString(obj);
} catch (JsonProcessingException e) {
throw new RuntimeException("Failed to convert object to JSON", e);
}
}
/**
* 将JSON字符串转换为指定类型的Java对象
* @param jsonStr JSON格式的字符串
* @param clazz 目标对象的Class类型
* @param 泛型类型
* @return 转换后的Java对象实例
*/
public static T toObject(String jsonStr, Class clazz) {
try {
return objectMapper.readValue(jsonStr, clazz);
} catch (JsonProcessingException e) {
throw new RuntimeException("Failed to convert JSON string to object", e);
}
}
/**
* 将JSON字符串转换为指定类型的Java List对象
* @param jsonStr JSON格式的字符串
* @param elementType 列表中元素的Class类型
* @param 泛型类型
* @return 转换后的Java List对象实例
*/
public static List jsonToList(String jsonStr, Class elementType) {
try {
JavaType javaType = objectMapper.getTypeFactory().constructParametricType(List.class, elementType);
return objectMapper.readValue(jsonStr, javaType);
} catch (JsonProcessingException e) {
throw new RuntimeException("Failed to convert JSON string to list", e);
}
}
}
自定义异常类-AuthorizationExceptionEx.java
package com.zjtx.tech.security.demo.exceptions;
import org.springframework.security.core.AuthenticationException;
public class AuthorizationExceptionEx extends AuthenticationException {
public AuthorizationExceptionEx(String msg, Throwable cause) {
super(msg, cause);
}
public AuthorizationExceptionEx(String msg) {
super(msg);
}
}
自定义异常类-ServerException.java
package com.zjtx.tech.security.demo.exceptions;
public class ServerException extends RuntimeException {
public ServerException(String message) {
super(message);
}
public ServerException(String message, Throwable cause) {
super(message, cause);
}
}
全局异常捕获处理-GlobalExceptionHandler.java
package com.zjtx.tech.security.demo.exceptions;
import com.zjtx.tech.security.demo.common.Result;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(AuthorizationExceptionEx.class)
public Result authorizationExceptionHandling(AuthorizationExceptionEx ex) {
System.out.println("authorizationExceptionHandling = " + ex);
return Result.fail(1000, ex.getMessage());
}
// handling specific exception
@ExceptionHandler(ServerException.class)
public Result serverExceptionHandling(ServerException ex) {
System.out.println("serverExceptionHandling = " + ex);
return Result.fail(6000, ex.getMessage());
}
@ExceptionHandler(AccessDeniedException.class)
public Result accessDeniedExceptionHandling(AccessDeniedException ex) {
System.out.println("accessDeniedExceptionHandling = " + ex);
return Result.fail(403, "权限不足");
}
// handling global exception
@ExceptionHandler(Exception.class)
public Result exceptionHandling(Exception ex) {
System.out.println("exceptionHandling = " + ex);
return Result.fail(500, "服务器内部异常,请稍后重试");
}
}
开始
编写springsecurity配置类
MySecurityConfigurer.java
package com.zjtx.tech.security.demo.config;
import com.zjtx.tech.security.demo.provider.MobilecodeAuthenticationProvider;
import com.zjtx.tech.security.demo.provider.MyAuthenticationEntryPoint;
import jakarta.annotation.Resource;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@EnableMethodSecurity
@EnableWebSecurity
@Configuration
public class MySecurityConfigurer {
@Resource
private MyAuthenticationEntryPoint myAuthenticationEntryPoint;
@Resource
private UserDetailsService customUserDetailsService;
@Resource
private PasswordEncoder passwordEncoder;
@Resource
private TokenAuthenticationFilter tokenAuthenticationFilter;
@Bean
public MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider() {
MobilecodeAuthenticationProvider mobilecodeAuthenticationProvider = new MobilecodeAuthenticationProvider();
mobilecodeAuthenticationProvider.setUserDetailsService(customUserDetailsService);
return mobilecodeAuthenticationProvider;
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
daoAuthenticationProvider.setPasswordEncoder(passwordEncoder);
daoAuthenticationProvider.setUserDetailsService(customUserDetailsService);
daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
return daoAuthenticationProvider;
}
/**
* 定义认证管理器AuthenticationManager
* @return AuthenticationManager
*/
@Bean
public AuthenticationManager authenticationManager() {
List authenticationProviders = new ArrayList<>();
authenticationProviders.add(mobilecodeAuthenticationProvider());
authenticationProviders.add(daoAuthenticationProvider());
return new ProviderManager(authenticationProviders);
}
@Bean
@Order(2)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
throws Exception {
http
.authorizeHttpRequests((authorize) ->
authorize.requestMatchers(new AntPathRequestMatcher("/login/**")).permitAll()
.anyRequest().authenticated())
.cors(Customizer.withDefaults())
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.addFilterBefore(tokenAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
.exceptionHandling(configure -> {
configure.authenticationEntryPoint(myAuthenticationEntryPoint);
})
.csrf(AbstractHttpConfigurer::disable);
return http.build();
}
}
这个类是springsecurity的统一配置类,不仅包含了AuthorizationProvider这个关键认证bean的定义,同时还定义了访问策略以及异常处理策略等信息。其中使用了springsecurity6中相对较新的语法,参考价值相对较高。
里面涉及到几个关键的bean,如下:
- MyAuthenticationEntryPoint 自定义的异常处理类,用于处理认证异常及访问被拒绝异常
- UserDetailsService springsecurity提供的获取用户信息的一个接口,需要使用者自行完善
- PasswordEncoder 密码加密方法类,由使用者自行扩展
- TokenAuthenticationFilter 自定义的请求token校验过滤器
- MobilecodeAuthenticationProvider 手机号验证码身份源 用于校验用户手机号和验证码相关信息,实现可参考Springsecurity自带的DaoAuthorizationProvider.java类
上面这些关键类我们接下来都会一一给出示例代码。
编写身份认证源类
MobilecodeAuthenticationProvider.java
package com.zjtx.tech.security.demo.provider;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.HashMap;
import java.util.Map;
public class MobilecodeAuthenticationProvider implements AuthenticationProvider {
private UserDetailsService userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
MobilecodeAuthenticationToken mobilecodeAuthenticationToken = (MobilecodeAuthenticationToken) authentication;
String phone = mobilecodeAuthenticationToken.getPhone();
String mobileCode = mobilecodeAuthenticationToken.getMobileCode();
System.out.println("登陆手机号:" + phone);
System.out.println("手机验证码:" + mobileCode);
// 模拟从redis中读取手机号对应的验证码及其用户名
Map dataFromRedis = new HashMap<>();
dataFromRedis.put("code", "6789");
dataFromRedis.put("username", "admin");
// 判断验证码是否一致
if (!mobileCode.equals(dataFromRedis.get("code"))) {
throw new BadCredentialsException("验证码错误");
}
// 如果验证码一致,从数据库中读取该手机号对应的用户信息
CustomUserDetails loadedUser = (CustomUserDetails) userDetailsService.loadUserByUsername(dataFromRedis.get("username"));
if (loadedUser == null) {
throw new UsernameNotFoundException("用户不存在");
}
return new MobilecodeAuthenticationToken(loadedUser, null, loadedUser.getAuthorities());
}
@Override
public boolean supports(Class aClass) {
return MobilecodeAuthenticationToken.class.isAssignableFrom(aClass);
}
public void setUserDetailsService(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}
说明如下:
上面类中比较关键的就是authenticate和support方法,如果看过一点源码的话可以知道这里会存在多个Provider,通过support方法来确定使用哪个Provider的实现类。
authenticate就是具体的认证逻辑,如判断验证码是否正确,根据手机号查找用户信息等。
authenticate方法中的参数就是在用户登录时组装和传递进来的。
其中涉及到UserDetailService的实现类如下:
package com.zjtx.tech.security.demo.provider;
import jakarta.annotation.Resource;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.Collection;
@Service
public class MyUserDetailsService implements UserDetailsService {
@Resource
private PasswordEncoder passwordEncoder;
private static final Collection authorities = new ArrayList<>();
static {
GrantedAuthority defaultRole = new SimpleGrantedAuthority("common");
GrantedAuthority xxlJobRole = new SimpleGrantedAuthority("xxl-job");
authorities.add(defaultRole);
authorities.add(xxlJobRole);
}
@Override
public UserDetails loadUserByUsername(String username) throws AuthenticationException {
CustomUserDetails userDetails;
// 这里模拟从数据库中获取用户信息
if (username.equals("admin")) {
//这里的admin用户拥有common和xxl-job两个权限
userDetails = new CustomUserDetails("admin", passwordEncoder.encode("123456"), authorities);
userDetails.setAge(25);
userDetails.setSex(1);
userDetails.setAddress("xxxx小区");
return userDetails;
} else {
throw new UsernameNotFoundException("用户不存在");
}
}
}
目前这个类中采用的是模拟数据,后续我们会在这个基础上接入真实数据及实现。
还涉及到MobilecodeAuthenticationToken.java这个类,如下:
package com.zjtx.tech.security.demo.provider;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
/**
* 手机验证码认证信息,在UsernamePasswordAuthenticationToken的基础上添加属性 手机号、验证码
*/
public class MobilecodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = 530L;
private Object principal;
private Object credentials;
private String phone;
private String mobileCode;
public MobilecodeAuthenticationToken(String phone, String mobileCode) {
super(null);
this.phone = phone;
this.mobileCode = mobileCode;
this.setAuthenticated(false);
}
public MobilecodeAuthenticationToken(Object principal, Object credentials, Collection authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true);
}
public Object getCredentials() {
return this.credentials;
}
public Object getPrincipal() {
return this.principal;
}
public String getPhone() {
return phone;
}
public String getMobileCode() {
return mobileCode;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
} else {
super.setAuthenticated(false);
}
}
public void eraseCredentials() {
super.eraseCredentials();
this.credentials = null;
}
}
涉及到的用户信息类如下:
package com.zjtx.tech.security.demo.provider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import java.util.Collection;
import java.util.List;
public class CustomUserDetails extends User {
private int age;
private int sex;
private String address;
private String phone;
private List roles;
public CustomUserDetails(String username, String password, Collection authorities) {
super(username, password, authorities);
}
public CustomUserDetails(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection authorities) {
super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
}
public int getAge() {
return age;
}
public void setAge(int age) {
this.age = age;
}
public int getSex() {
return sex;
}
public void setSex(int sex) {
this.sex = sex;
}
public String getAddress() {
return address;
}
public void setAddress(String address) {
this.address = address;
}
public String getPhone() {
return phone;
}
public void setPhone(String phone) {
this.phone = phone;
}
}
继承了org.springframework.security.core.userdetails.User这个类同时添加了一些自定义属性,可自行扩展。
编写认证异常处理类
上面在安全配置类中用到了这个异常处理类,主要处理认证异常和访问被拒绝。
MyAuthenticationEntryPoint.java
package com.zjtx.tech.security.demo.provider;
import com.zjtx.tech.security.demo.common.Result;
import com.zjtx.tech.security.demo.util.JsonUtil;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import java.io.IOException;
@Component
public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint, AccessDeniedHandler {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException {
Result result = Result.fail(401, "用户未登录或已过期");
response.setContentType("text/json;charset=utf-8");
response.getWriter().write(JsonUtil.toJson(result));
}
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
Result result = Result.fail(403, "权限不足");
response.setContentType("text/json;charset=utf-8");
response.getWriter().write(JsonUtil.toJson(result));
}
}
比较简单,实现了两个接口,返回不同的json数据。JsonUtil比较简单,就不在此列出了。
编写认证过滤器类
过滤器在认证中扮演者非常重要的角色,我们也定义了一个用于token校验的filter,如下:
package com.zjtx.tech.security.demo.config;
import com.zjtx.tech.security.demo.provider.CustomUserDetails;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
@Component
@WebFilter
public class TokenAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(@NonNull HttpServletRequest servletRequest, @NonNull HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException, ServletException {
String token = getToken(servletRequest);
// 如果没有token,跳过该过滤器
if (StringUtils.hasText(token)) {
// 模拟redis中的数据
Map map = new HashMap<>();
//这里放入了两个示例token 仅供测试
map.put("test_token1", new CustomUserDetails("admin", new BCryptPasswordEncoder().encode("123456"), AuthorityUtils.createAuthorityList("common", "xxl-job")));
map.put("test_token2", new CustomUserDetails("root", new BCryptPasswordEncoder().encode("123456"), AuthorityUtils.createAuthorityList("common")));
// 这里模拟从redis获取token对应的用户信息
CustomUserDetails customUserDetail = map.get(token);
if (customUserDetail != null) {
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(customUserDetail, null, customUserDetail.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authRequest);
}
}
filterChain.doFilter(servletRequest, httpServletResponse);
}
/**
* 从请求中获取token
* @param servletRequest 请求对象
* @return 获取到的token值 可以为null
*/
private String getToken(HttpServletRequest servletRequest) {
//先从请求头中获取
String headerToken = servletRequest.getHeader("Authorization");
if(StringUtils.hasText(headerToken)) {
return headerToken;
}
//再从请求参数里获取
String paramToken = servletRequest.getParameter("accessToken");
if(StringUtils.hasText(paramToken)) {
return paramToken;
}
return null;
}
}
主要完成的工作就是从请求头或者请求参数中获取token,与redis或其他存储介质中的进行比对,如果存在对应用户则正常访问,否则执行其他策略或者抛出异常。
这里内置了两个token,分别拥有不同权限。
编写密码加密及比对器
springsecurity中提供了一个PasswordEncoder接口,用于对密码进行加密和比对,我们也定义这样一个bean
package com.zjtx.tech.security.demo.config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class PasswordEncoderConfig {
/**
* 获取密码编码方式
*/
@Value("${password.encode.key:bcrypt}")
private String passwordEncodeKey;
/**
* 获取密码编码器
* @return 密码编码器
*/
@Bean
public PasswordEncoder passwordEncoder() {
Map encoders = new HashMap<>();
encoders.put("bcrypt", new BCryptPasswordEncoder());
encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
encoders.put("scrypt", new SCryptPasswordEncoder(4,8, 1,32, 16));
return new DelegatingPasswordEncoder(passwordEncodeKey, encoders);
}
}
这里采用的实现类是DelegatingPasswordEncoder,一个好处是它可以兼容多种加密方式,区分的办法是根据加密后的字符串前缀,如bcrypt加密后的结果前缀就是{bcrypt},方便配置和扩展,不做过多阐述。
编写测试和登录用的controller
登录接口
package com.zjtx.tech.security.demo.controller;
import com.zjtx.tech.security.demo.common.Result;
import com.zjtx.tech.security.demo.provider.MobilecodeAuthenticationToken;
import jakarta.annotation.Resource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.UUID;
@RestController
@RequestMapping("/login")
public class LoginController {
@Resource
private AuthenticationManager authenticationManager;
/**
* 用户名密码登录
* @param username 用户名
* @param password 密码
* @return 返回登录结果
*/
@GetMapping("/usernamePwd")
public Result usernamePwd(String username, String password) {
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);
try {
authenticationManager.authenticate(usernamePasswordAuthenticationToken);
} catch (BadCredentialsException | UsernameNotFoundException e) {
throw new ServerException(e.getMessage());
}
String token = UUID.randomUUID().toString().replace("-", "");
return Result.ok(token);
}
/**
* 手机验证码登录
* @param phone 手机号
* @param mobileCode 验证码
* @return 返回登录结果
*/
@GetMapping("/mobileCode")
public Result mobileCode(String phone, String mobileCode) {
MobilecodeAuthenticationToken mobilecodeAuthenticationToken = new MobilecodeAuthenticationToken(phone, mobileCode);
Authentication authenticate;
try {
authenticate = authenticationManager.authenticate(mobilecodeAuthenticationToken);
} catch (Exception e) {
e.printStackTrace();
return Result.error("验证码错误");
}
System.out.println(authenticate);
String token = UUID.randomUUID().toString().replace("-", "");
return Result.ok(token);
}
}
可以看到这个controller提供了用户名+密码登录和手机号+验证码登录两个接口。
测试用的接口:
package com.zjtx.tech.security.demo.controller;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("test")
public class TestController {
@GetMapping("demo")
@PreAuthorize("hasAuthority('xxl-job')")
public String demo(){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
System.out.println("authentication = " + authentication);
return "hello world";
}
}
这个controller定义了一个方法,这个方法需要用户拥有xxl-job的权限。
期望结果
结合我们之前定义的一些类,猜测期望结果应该是这样的:
- 使用用户名+密码登录时 如果是admin + 123456 可以正常登录 其他提示6000 登录失败
- 使用手机号+验证码登录时 如果是xxx + 6789 可以正常登录 其他提示6000 验证码错误
- 使用Authorization: test_token1访问demo接口时用户拥有common和xxl-job权限,可以正常访问demo接口
- 使用Authorization: test_token2访问demo接口时用户拥有common权限,访问demo接口时提示403 权限不足
- 使用其他token访问demo接口时提示401 用户未登录或token已过期
验证
启动项目,默认端口8080,使用postman模拟请求进行简单测试。
- 验证登录
- 验证接口访问
结论
经验证,结果符合预期。
总结
本文中我们完成了基于springboot3+springsecurity实现用户认证登录及鉴权访问的简单demo, 接下来我们会继续把获取及验证用户、生成token、校验token做个完善。
作为记录的同时也希望能帮助到需要的朋友。
创作不易,欢迎一键三连。
- 关注我们
- 扫描二维码
- 获取更多信息
- 精彩一手掌握
Copyright © 2014-2019 seo,上海网站优化_网络制作_网站seo排名_网站建设推广_上海网络公司 版权所有
沪ICP备19022315号
沪ICP备19022315号 
