1、創建SecurityUser類,需要實現UserDetails接口
import lombok.Data;
import lombok.EqualsAndHashCode;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.io.Serializable;
import java.util.Collection;
import java.util.Date;
/**
*
* 封裝登陸用戶的信息
*/
@Data
public class SecurityUser implements UserDetails {
private String uid;
private String username;
private String password;
private Integer sex;
private String description;
private Integer age;
private String birthday;
private Integer isDeleted;
private Integer status;//1未禁用0禁用
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
2、編寫UserAuthenticationFilter過濾器,這里需要繼承UsernamePasswordAuthenticationFilter
原因:
通過查看UsernamePasswordAuthenticationFilter獲取用戶名和密碼的實現方法可以看到,默認只能獲取form表單提供的數據,無法獲得請求體中的數據。所以,要想獲得請求體中的數據,需要自定義過濾器。
這里有兩種方式獲得用戶名和密碼
- 直接重寫
obtainPassword和obtainUsername - 查看
attemptAuthentication這個方法我們可以發現,用戶名和密碼是在這個方法里面獲得並且使用的,因此我們可以直接重寫這個方法。(這里使用的第二種方式)
import com.background.modules.security.bean.SecurityUser;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Slf4j
public class UserAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
throws AuthenticationException {
try {
SecurityUser user = new ObjectMapper().readValue(req.getInputStream(), SecurityUser.class);
return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword()));
} catch (IOException e) {
throw new RuntimeException(e.getMessage());
}
}
}
3、編寫UserDetailsServiceImpl,並且實現UserDetailsService
這里只需要實現loadUserByUsername方法,驗證用戶是否存在、是否被禁用
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.background.modules.security.bean.SecurityUser;
import com.background.modules.user.bean.User;
import com.background.modules.user.service.UserService;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
@Component
@Slf4j
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
private UserService userService;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userService.getOne(new QueryWrapper<User>().eq("username", username));
if(user==null){
throw new BadCredentialsException("用戶不存在");
}
if(user.getStatus()==0){
throw new BadCredentialsException("用戶被禁用");
}
SecurityUser userInfo = new SecurityUser();
BeanUtils.copyProperties(user,userInfo);
return userInfo;
}
}
4、編寫UserLoginAuthenticationProvider,繼承DaoAuthenticationProvider
通過繼承DaoAuthenticationProvider,可以自定義用戶密碼驗證並查看異常信息。
具體效果
若不實現該類,拋出的異常信息會都變成Bad credentials
具體效果
import com.background.modules.security.service.UserDetailsServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
@Component
public class UserLoginAuthenticationProvider extends DaoAuthenticationProvider {
@Autowired
private UserDetailsServiceImpl detailsService;
@Autowired
private PasswordEncoder encoder;
/**
* 找到容器中的detailsService,並執行setUserDetailsService方法,完成賦值
*
* 必須要給UserDetailsService賦值,否則會出現UnsatisfiedDependencyException
*/
@Autowired
private void setDetailsService() {
setUserDetailsService(detailsService);
}
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
String presentedPassword = authentication.getCredentials().toString();
if (!encoder.matches(presentedPassword, userDetails.getPassword())) {
throw new BadCredentialsException(messages.getMessage("badCredentials", "用戶密碼錯誤"));
}
}
}
5、編寫主配置類SecurityConfig,繼承自WebSecurityConfigurerAdapter
import com.alibaba.fastjson.JSON;
import com.background.modules.security.filter.UserAuthenticationFilter;
import com.background.modules.security.provider.UserLoginAuthenticationProvider;
import com.common.util.R;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.HttpStatus;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringBootConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
/**
* Created by X on 2020/7/22 16:30
*/
@Slf4j
@SpringBootConfiguration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserLoginAuthenticationProvider loginAuthenticationProvider;
/**
* 密碼加密
* @return
*/
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
/**
* 請求攔截、映射
* @param http
* @throws Exception
*/
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests(auth->{
//開放swagger、登陸頁面的訪問權限
auth.antMatchers("/swagger-ui.html").permitAll()
.antMatchers("/swagger-resources/**").permitAll()
.antMatchers("/webjars/**").permitAll()
.antMatchers("/v2/**").permitAll()
.antMatchers("/api/**").permitAll()
.antMatchers("/background/login").permitAll()
.anyRequest().authenticated();
});
//啟用自定義的過濾器
http.addFilterAt(userAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
http.cors();//啟用跨域
http.csrf().disable();//關閉跨站攻擊
}
/**
* 用戶認證
* @param auth
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//使用自定義的Provider,進行數據校驗
auth.authenticationProvider(loginAuthenticationProvider);
}
/**
* 解決無法直接注入 AuthenticationManager
* @return
* @throws Exception
*/
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception
{
return super.authenticationManager();
}
/**
* 自定義成功回調、失敗回調、登陸url地址等
*
* 可以在自定義UserAuthenticationFilter里面直接重寫對應方法,
* 例 成功回調:
* @Override
* public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler successHandler) {
* super.setAuthenticationSuccessHandler(successHandler);
* }
* @return
* @throws Exception
*/
@Bean
public UserAuthenticationFilter userAuthenticationFilter() throws Exception {
UserAuthenticationFilter filter = new UserAuthenticationFilter();
//設置驗證成功后的回調
filter.setAuthenticationSuccessHandler((request,response,authentication)->{
log.info("用戶認證成功");
//響應成功狀態碼必須為200
response.setStatus(HttpStatus.SC_OK);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setCharacterEncoding("utf-8");
//將數據以json的形式返回給前台
response.getWriter().print(JSON.toJSONString(R.ok()));
});
//設置驗證失敗后的回調
filter.setAuthenticationFailureHandler((request, response, exception) ->{
log.info("用戶認證失敗----{}",exception.getMessage());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setCharacterEncoding("utf-8");
//將數據以json的形式返回給前台
response.getWriter().print(JSON.toJSONString(R.error(exception.getMessage())));
});
//設置用戶發起登陸請求時的url
filter.setFilterProcessesUrl("/background/login");
filter.setAuthenticationManager(authenticationManager());
return filter;
}
}
若沒有實現UserLoginAuthenticationProvider,這需要通過下面的方法實現數據校驗
@Autowired
private UserDetailsServiceImpl userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
6、vue開啟請求攜帶cookies
axios.defaults.withCredentials=true//開啟攜帶cookies