• Spring Security6 用户身份认证

    前提

    1.  你需要先拜读 [Spring Security 6 官方文档](https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html#servlet-authentication-authenticationmanager)
    2.  你需要弄清楚身份认证(Authentication)和鉴权(Authorization)是两个概念,其中本文只涉及身份认证

    身份认证需要做哪些事情

    1. 要弄清楚每次请求,客户端的具体身份是谁
    2. 根据不同的接口类型,启用不同的认证机制

    Show me your code

    • 添加 POM.xml
    1. "1.0" encoding="UTF-8"?>
    2. <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    3. 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    4. 	<modelVersion>4.0.0modelVersion>
    5. 	<parent>
    6. 		<groupId>org.springframework.bootgroupId>
    7. 		<artifactId>spring-boot-starter-parentartifactId>
    8. 		<version>3.1.5version>
    9. 		<relativePath/> 
    10. 	parent>
    11. 	<groupId>com.examplegroupId>
    12. 	<artifactId>demoartifactId>
    13. 	<version>0.0.1-SNAPSHOTversion>
    14. 	<name>demoname>
    15. 	<description>Demo project for Spring Bootdescription>
    16. 	<properties>
    17. 		<java.version>21java.version>
    18. 	properties>
    19. 	<dependencies>
    20. 		<dependency>
    21. 			<groupId>org.springframework.bootgroupId>
    22. 			<artifactId>spring-boot-starter-securityartifactId>
    23. 		dependency>
    24. 		<dependency>
    25. 			<groupId>org.springframework.bootgroupId>
    26. 			<artifactId>spring-boot-starter-webartifactId>
    27. 		dependency>
    28.  
    29. 		<dependency>
    30. 			<groupId>org.springframework.bootgroupId>
    31. 			<artifactId>spring-boot-starter-testartifactId>
    32. 			<scope>testscope>
    33. 		dependency>
    34. 		<dependency>
    35. 			<groupId>org.springframework.securitygroupId>
    36. 			<artifactId>spring-security-testartifactId>
    37. 			<scope>testscope>
    38. 		dependency>
    39. 	dependencies>
    40.  
    41. 	<build>
    42. 		<plugins>
    43. 			<plugin>
    44. 				<groupId>org.springframework.bootgroupId>
    45. 				<artifactId>spring-boot-maven-pluginartifactId>
    46. 				<configuration>
    47. 					<image>
    48. 						<builder>paketobuildpacks/builder-jammy-base:latestbuilder>
    49. 					image>
    50. 				configuration>
    51. 			plugin>
    52. 		plugins>
    53. 	build>
    54.  
    55. project>
    • 自定义过滤器
    1. /**
    2.  * 
    3.  */
    4. package com.example.demo;
    5.  
    6. import java.io.IOException;
    7.  
    8. import org.springframework.security.authentication.BadCredentialsException;
    9. import org.springframework.security.authentication.InternalAuthenticationServiceException;
    10. import org.springframework.security.authentication.ProviderManager;
    11. import org.springframework.security.core.Authentication;
    12. import org.springframework.security.core.AuthenticationException;
    13. import org.springframework.security.core.context.SecurityContextHolder;
    14. import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
    15. import org.springframework.security.web.util.matcher.RequestMatcher;
    16.  
    17. import jakarta.servlet.FilterChain;
    18. import jakarta.servlet.ServletException;
    19. import jakarta.servlet.ServletRequest;
    20. import jakarta.servlet.ServletResponse;
    21. import jakarta.servlet.http.HttpServletRequest;
    22. import jakarta.servlet.http.HttpServletResponse;
    23.  
    24. /**
    25.  * 
    26.  */
    27. public class AuthenticationBuilderFilter extends AbstractAuthenticationProcessingFilter {
    28.  
    29. 	
    30. 	protected AuthenticationBuilderFilter() {
    31. 		super(new RequestMatcher() {
    32. 			@Override
    33. 			public boolean matches(HttpServletRequest request) {
    34. 				return true;
    35. 			}
    36. 		});
    37. 		super.setAuthenticationManager(new ProviderManager(new WebAuthenticationProvider()));
    38. 	}
    39.  
    40. 	@Override
    41. 	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
    42. 			throws AuthenticationException, IOException, ServletException {
    43. 		Authentication auth = new WebAuthentication(request);
    44. 		return getAuthenticationManager().authenticate(auth);
    45. 	}
    46.  
    47. 	@Override
    48. 	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
    49. 			throws IOException, ServletException {
    50. 		HttpServletRequest request = (HttpServletRequest) req;
    51. 		HttpServletResponse response = (HttpServletResponse) res;
    52. 		if (!requiresAuthentication(request, response)) {
    53. 			chain.doFilter(request, response);
    54. 			return;
    55. 		}
    56. 		try {
    57. 			Authentication authenticationResult = attemptAuthentication(request, response);
    58. 			if (authenticationResult == null) {
    59. 				throw new BadCredentialsException("没有身份信息");
    60. 			}
    61. 			SecurityContextHolder.getContext().setAuthentication(authenticationResult);
    62. 			chain.doFilter(request, response);
    63. 		}
    64. 		catch (InternalAuthenticationServiceException failed) {
    65. 			this.logger.error("An internal error occurred while trying to authenticate the user.", failed);
    66. 			unsuccessfulAuthentication(request, response, failed);
    67. 		}
    68. 		catch (AuthenticationException ex) {
    69. 			// Authentication failed
    70. 			unsuccessfulAuthentication(request, response, ex);
    71. 		}
    72. 	}
    73.  
    74.  
    75. }

    这里有几个地方需要注意(敲黑板啦~~

    1. 第 37 行,可以根据需要,添加多个provider
    2. 第 43 行,后续可以根据实际需要,构建不同的 Authentication ,框架会根据 Authentication 的类型,选择认证 provider(这个是精髓)
    • 自定义 Authentication —— WebAuthentication,可以在构造函数内自己根据需要(比如从 requestHeader、cookie等地方,获取 token)组装 Authentication
    1. /**
    2.  * 
    3.  */
    4. package com.example.demo;
    5.  
    6. import java.util.Collection;
    7.  
    8. import org.springframework.security.core.Authentication;
    9. import org.springframework.security.core.GrantedAuthority;
    10.  
    11. import jakarta.servlet.http.HttpServletRequest;
    12.  
    13. /**
    14.  * 
    15.  */
    16. public class WebAuthentication implements Authentication{
    17. 	
    18. 	public WebAuthentication() {
    19. 		
    20. 	}
    21. 	
    22. 	public WebAuthentication(HttpServletRequest request) {
    23. 		
    24. 	}
    25.  
    26. 	/**
    27. 	 * 
    28. 	 */
    29. 	private static final long serialVersionUID = -1705541938861263059L;
    30.  
    31. 	@Override
    32. 	public String getName() {
    33. 		return null;
    34. 	}
    35.  
    36. 	@Override
    37. 	public Collectionextends GrantedAuthority> getAuthorities() {
    38. 		return null;
    39. 	}
    40.  
    41. 	@Override
    42. 	public Object getCredentials() {
    43. 		return null;
    44. 	}
    45.  
    46. 	@Override
    47. 	public Object getDetails() {
    48. 		return null;
    49. 	}
    50.  
    51. 	@Override
    52. 	public Object getPrincipal() {
    53. 		return null;
    54. 	}
    55.  
    56. 	@Override
    57. 	public boolean isAuthenticated() {
    58. 		return false;
    59. 	}
    60.  
    61. 	@Override
    62. 	public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
    63. 		
    64. 	}
    65. }
    • 写认证逻辑 ,下面例子认证逻辑被我简化了,大家根据实际需要进行补充
    1. /**
    2.  * 
    3.  */
    4. package com.example.demo;
    5.  
    6. import org.springframework.security.authentication.AuthenticationProvider;
    7. import org.springframework.security.core.Authentication;
    8. import org.springframework.security.core.AuthenticationException;
    9.  
    10. /**
    11.  * 
    12.  */
    13. public class WebAuthenticationProvider implements AuthenticationProvider {
    14.  
    15. 	@Override
    16. 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    17. 		authentication.setAuthenticated(true);
    18. 		return authentication;
    19. 	}
    20.  
    21. 	@Override
    22. 	public boolean supports(Class authentication) {
    23. 		return authentication.equals(WebAuthentication.class);
    24. 	}
    25.  
    26. }
    • 配置过滤链
    1. /**
    2.  * 
    3.  */
    4. package com.example.demo;
    5.  
    6. import org.springframework.context.annotation.Bean;
    7. import org.springframework.context.annotation.Configuration;
    8. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    9. import org.springframework.security.web.SecurityFilterChain;
    10. import org.springframework.security.web.csrf.CsrfFilter;
    11.  
    12. /**
    13.  * 
    14.  */
    15. @Configuration
    16. public class SecurityConfig {
    17. 	
    18.     @Bean
    19.     SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    20.         http
    21.                 .csrf(csrf ->csrf.disable())
    22.                 .addFilterAfter(new AuthenticationBuilderFilter(), CsrfFilter.class)
    23.                 ;
    24.         return http.build();
    25.     }
    26. }

  • 相关阅读:
    VPN简介
    相似度系列—2传统方法BLEU:BLEU: a Method for Automatic Evaluation of Machine Translation
    三、Spring Boot 整合视图层技术
    企业销售额和客户服务有关系吗?
    【杂七杂八】Huawei Gt runner手表系统降级
    Web 安全之时序攻击 Timing Attack 详解
    伙伴云表格强势升级!Pro版,更非凡!
    数据库表设计优化
    Remove和RemoveLast用法
    IS420ESWBH3A GE 附加配置文件和I/O组件中的单独标签
  • 原文地址:https://blog.csdn.net/luyangbin01/article/details/134525284