Implementing Multiple Login Endpoints with Spring Security


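First, add a custom Filter that extends UsernamePasswordAuthenticationFilter or AbstractAuthenticationProcessingFilter.

Then specify the login URL inside the custom Filter. When setting up the filter you must assign it an authenticationManager, and when initializing the constructor you must pass in that manager.

Next, write a Provider and pass the custom UserDetailService to that provider.

The implementation steps are as follows:

Add the configuration: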

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Attach the custom UserDetailService
        userDetailsAuthenticationProvider.setUserDetailsService(userDetailsService);
        // Register the Provider
        auth.authenticationProvider(userDetailsAuthenticationProvider);

    }

Key configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Hand-written authorization manager
        movieAuthorizeConfigProviderManager.configure(http.authorizeRequests());

        // Add the front-end login filter and its userDetailService; each login-processing URL is specified inside its own Filter
        UserAuthenticationFilter userAuthenticationFilter = new UserAuthenticationFilter();
        // Every Filter must be given an authenticationManager
        userAuthenticationFilter.setAuthenticationManager(authenticationManager());
        // Set the login success handler
        userAuthenticationFilter.setAuthenticationSuccessHandler(movieAuthenticationSuccessHandler);
        // Set the login failure handler
        userAuthenticationFilter.setAuthenticationFailureHandler(movieAuthenticationFailureHandler);
        http.addFilterBefore(userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }

 

Complete configuration:

Custom filter:

public class MyAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    public static final String POST = "POST";

    public MyAuthenticationFilter() {
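        this.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/user/login/check", "POST"));
        // getAuthenticationManager() is still null inside the constructor, so the manager is
        // assigned from the security configuration through setAuthenticationManager(...).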
    }


    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (!request.getMethod().equals(POST)) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();
        // This token is what decides which userDetailService is used.
        // UserDetailsAuthenticationProvider has a supports method that checks whether a given token type is accepted.
        // By issuing different token types you can decide which userDetailService is used.
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
                username, password);

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }
}

 

Provider:

@Component
public class UserDetailsAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private volatile String userNotFoundEncodedPassword;
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    @Autowired
    private PasswordEncoder passwordEncoder;
    private UserDetailsService userDetailsService;


    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials",
                    "Bad credentials"));
        }
        String presentedPassword = authentication.getCredentials().toString();
        if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            logger.debug("Authentication failed: password does not match stored value");
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials",
                    "Bad credentials"));
        }
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        prepareTimingAttackProtection();
        try {
            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException(
                        "UserDetailsService returned null, which is an interface contract violation");
            }
            return loadedUser;
        } catch (UsernameNotFoundException ex) {
            mitigateAgainstTimingAttack(authentication);
            throw ex;
        } catch (InternalAuthenticationServiceException ex) {
            throw ex;
        } catch (Exception ex) {
            throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
        }
    }

    private void prepareTimingAttackProtection() {
        if (this.userNotFoundEncodedPassword == null) {
            this.userNotFoundEncodedPassword = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
        }
    }

    private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken authentication) {
        if (authentication.getCredentials() != null) {
            String presentedPassword = authentication.getCredentials().toString();
            this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
        }
    }


    public UserDetailsService getUserDetailsService() {
        return userDetailsService;
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

}

UserDetailService:

@Component
@Slf4j
@Qualifier("normalUserDetailService")
public class UserDetailServiceImpl implements UserDetailsService {
    private final IUserDao userDao;

    public UserDetailServiceImpl(IUserDao userDao) {
        this.userDao = userDao;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        club.cearnach.movie.entity.User user = userDao.findByAccount(username)
                .orElseThrow(() -> new UsernameNotFoundException("找不到指定的用戶"));
        List<GrantedAuthority> authorities = AuthorityUtils
                .commaSeparatedStringToAuthorityList(
                        MovieSecurityConstants.ROLE_PREFIX.concat(user.getRole().getName()));
        return new User(user.getAccount(), user.getPassword(), authorities);
    }
}

Implementation of the second UserDetailService:

@Component
@Qualifier("adminDetailService")
public class AdminUserDetailServiceImpl implements UserDetailsService {
    private final IAdminService adminService;

    public AdminUserDetailServiceImpl(IAdminService adminService) {
        this.adminService = adminService;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Admin admin = adminService.findByAccount(username)
                .orElseThrow(() -> new UsernameNotFoundException(AdminException.ADMIN_CAN_NOT_FOUNT));
        List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(
                MovieSecurityConstants.ROLE_PREFIX.concat(admin.getRole().getName()));
        return new User(admin.getAccount(), admin.getPassword(), authorities);
    }
}
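
The filter comments above say that the token type decides which UserDetailService handles a login. The following is an added example, not code from the original post, showing one way to wire that up for the two services on this page. AdminAuthenticationToken, RealmAuthenticationProvider and MultiLoginProviders are hypothetical names; it uses Spring Security's stock DaoAuthenticationProvider in place of the page's UserDetailsAuthenticationProvider and assumes the Spring Security 5.x API used above.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical marker token: only the admin login filter creates it in
// attemptAuthentication(), in place of UsernamePasswordAuthenticationToken.
class AdminAuthenticationToken extends UsernamePasswordAuthenticationToken {
    AdminAuthenticationToken(Object principal, Object credentials) {
        super(principal, credentials);
    }
}

// Hypothetical provider bound to one token class and one UserDetailsService.
class RealmAuthenticationProvider extends DaoAuthenticationProvider {
    private final Class<?> tokenType;

    RealmAuthenticationProvider(Class<?> tokenType, UserDetailsService service,
                                PasswordEncoder encoder) {
        this.tokenType = tokenType;
        setUserDetailsService(service);
        setPasswordEncoder(encoder);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Exact class match. The inherited check uses isAssignableFrom, which would
        // also accept AdminAuthenticationToken in the normal-user provider; after a
        // BadCredentialsException ProviderManager tries the next supporting provider,
        // so an admin-endpoint login would also be checked against the user store.
        return tokenType.equals(authentication);
    }
}

final class MultiLoginProviders {
    // Call from configure(AuthenticationManagerBuilder) with the two services
    // qualified as "normalUserDetailService" and "adminDetailService".
    static void register(AuthenticationManagerBuilder auth,
                         UserDetailsService normalUserDetailService,
                         UserDetailsService adminDetailService,
                         PasswordEncoder encoder) {
        auth.authenticationProvider(new RealmAuthenticationProvider(
                UsernamePasswordAuthenticationToken.class, normalUserDetailService, encoder));
        auth.authenticationProvider(new RealmAuthenticationProvider(
                AdminAuthenticationToken.class, adminDetailService, encoder));
    }
}
```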

 

