Springboot之security框架 登录安全验证授权流程

一、只进行用户验证，不验证密码（UserDetailsService）

　　1、导入security依赖（在前端html页面进行一些判断  需导入xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"）

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
    <version>3.0.4.RELEASE</version>
</dependency>

　　2、配置安全认证类

import org.springframework.beans.factory.annotation.Autowired;  2 import org.springframework.context.annotation.Bean;  3 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;  4 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;  5 import org.springframework.security.config.annotation.web.builders.HttpSecurity;  6 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;  7 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;  8 import org.springframework.security.core.userdetails.UserDetailsService;  9 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; 10 import org.springframework.security.crypto.password.PasswordEncoder; 11 import top.xiaoyl.service.CustomUserDetailService; 12 
@EnableWebSecurity 14 @EnableGlobalMethodSecurity(prePostEnabled = true) 15 public class MySecurityConfig extends WebSecurityConfigurerAdapter { 16 
 @Override 18     protected void configure(HttpSecurity http) throws Exception { 19         //super.configure(http); 20         //定制请求的授权规则
        http.authorizeRequests().antMatchers("/admin/**","/js/**","/css/**","/images/*","/fonts/**","/**/*.png","/**/*.jpg").permitAll() 22                 .antMatchers("/","/index.html").permitAll() 23                .antMatchers("/report").hasRole("USER") 24  .and() 25                 .csrf().ignoringAntMatchers("/druid/*"); 26 

        /*
 * 开启自动配置的登陆功能，效果，如果没有登陆，没有权限就会来到登陆页面 30  * 1、login来到登陆页 31  * 2、重定向到/login?error表示登陆失败 32  * 3、更多详细规定 33  * 4、默认post形式的 /login代表处理登陆 34  * 5、一但定制loginPage；那么 loginPage的post请求就是登陆 35          */
        http.formLogin().usernameParameter("username").passwordParameter("password") 37                 .loginPage("/login"); 38 

        /*
 * 开启自动配置的注销功能 42  * 1、访问 /logout 表示用户注销，清空session 43  * 注销成功会返回 /login?logout 页面； 44  * 注销成功以后来到首页 45          */
        http.logout().logoutSuccessUrl("/"); 47 

        /*
 * 开启记住我功能 51  * 登陆成功以后，将cookie发给浏览器保存，以后访问页面带上这个cookie，只要通过检查就可以免登录 52  * 点击注销会删除cookie 53          */
        http.rememberMe().rememberMeParameter("remember");
 } 58 
    @Bean 60 UserDetailsService customUserDetailService() { // 注册UserDetailsService 的bean 61 return new CustomUserDetailService(); 62 }

    /**
 * 认证信息管理 66  * spring5中摒弃了原有的密码存储格式，官方把spring security的密码存储格式改了 67  * 68      */
 @Autowired 70     public void configure(AuthenticationManagerBuilder auth) throws Exception { 71         auth.userDetailsService(customUserDetailService()) //认证信息存储(自定义)
 .passwordEncoder(passwordEncoder()); 73 //
// auth.inMemoryAuthentication() //认证信息存储到内存中 75 // .passwordEncoder(passwordEncoder()) 76 // .withUser("user").password(passwordEncoder().encode("123")).roles("USER");

 } 79 
    private PasswordEncoder passwordEncoder() { 81         return new BCryptPasswordEncoder(); 82  } 83 
}

　　3、自定义用户验证类实现UserDetailsService接口，进行授权验证

@Service  2 public class CustomUserDetailService implements UserDetailsService {  3 
 @Autowired  5     private UserService userService;  6 
 @Autowired  8  HttpServletRequest request;  9 
 @Override 11     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { 12         HttpSession session = request.getSession(); 13         User user = userService.getUserByUsername(username); 14         if(user==null){ 15             session.setAttribute("loginMsg","用户名"+username+"不存在"); 16             throw new UsernameNotFoundException("用户名"+username+"不存在"); 17  } 18         List<SimpleGrantedAuthority> authorities = new ArrayList<>(); 19         authorities.add(new SimpleGrantedAuthority("USER")); 20         return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),authorities); 21  } 22 }

二、进行用户密码验证（AbstractUserDetailsAuthenticationProvider）

　　第一种方法虽然也能认证授权，但是问题显而易见，没有进行密码验证，主要用户名对了  就给权限  这很危险

　　流程跟一基本一样

　　1、导入依赖

　　2、配置安全认证类，需要报红色的地方修改一下

@Bean  2     AbstractUserDetailsAuthenticationProvider customAuthenticationProvide() { // 注册AbstractUserDetailsAuthenticationProvider的bean
        return new CustomAuthenticationProvider();  4  }  5  
@Autowired  7     public void configure(AuthenticationManagerBuilder auth) throws Exception {  8         auth.authenticationProvider(customAuthenticationProvide()); //认证信息存储(自定义)  9 //
// auth.inMemoryAuthentication() //认证信息存储到内存中 11 // .passwordEncoder(passwordEncoder()) 12 // .withUser("user").password(passwordEncoder().encode("123")).roles("USER");

    }

　　3、自定义用户验证类实现AbstractUserDetailsAuthenticationProvider类，进行授权验证

import org.springframework.beans.factory.annotation.Autowired;  2 import org.springframework.security.authentication.BadCredentialsException;  3 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;  4 import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;  5 import org.springframework.security.core.AuthenticationException;  6 import org.springframework.security.core.authority.SimpleGrantedAuthority;  7 import org.springframework.security.core.userdetails.UserDetails;  8 import org.springframework.security.core.userdetails.UsernameNotFoundException;  9 import org.springframework.stereotype.Service; 10 import top.xiaoyl.entities.User; 11 
import javax.servlet.http.HttpServletRequest; 13 import javax.servlet.http.HttpSession; 14 import java.util.ArrayList; 15 import java.util.List; 16 
@Service 18 public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider { 19 
 @Autowired 21     private UserService userService; 22 
 @Autowired 24     private HttpServletRequest request; 25 
 @Override 27     protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { 28 
 } 30 
 @Override 32     protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { 33         System.out.println("retrieveUser"); 34         HttpSession session = request.getSession(); 35         if(username==null || username.length()==0){ 36             session.setAttribute("loginMsg","用户名不能为空"); 37             throw new UsernameNotFoundException("用户名不能为空"); 38  } 39         User user = userService.getUserByUsername(username); 40         if(user==null){ 41             session.setAttribute("loginMsg","用户名"+username+"不存在"); 42             throw new UsernameNotFoundException("用户名"+username+"不存在"); 43  } 44         if(!authentication.getCredentials().toString().equals(user.getPassword())){ 45             session.setAttribute("loginMsg","密码不正确"); 46             throw new BadCredentialsException("密码不正确"); 47  } 48         List<SimpleGrantedAuthority> authorities = new ArrayList<>(); 49         authorities.add(new SimpleGrantedAuthority("USER")); 50         return new org.springframework.security.core.userdetails.User(user.getUsername(),user.getPassword(),authorities); 51  } 52 }