Spring Security2

P轴

发布于 2022-11-18 15:02:01

1920

发布于 2022-11-18 15:02:01

文章被收录于专栏：P轴

# 6. 登录异常处理

使用过滤器 .failureForwardUrl("/login/error");

此前放在session里面，更新后放在了request里面下载java源码后可以在源码上打断点了。 AuthenticationException 注意包名是import org.springframework.security.core.AuthenticationException;

@RequestMapping("/login/error")
public void loginError(HttpServletResponse response, HttpServletRequest request){
    response.setCharacterEncoding("utf-8");
    AuthenticationException authenticationException = (AuthenticationException)request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
    try {
        response.getWriter().write(authenticationException.getMessage());
    }catch (IOException e){
        e.printStackTrace();
    }
}

效果 url还是http://127.0.0.1:8080/login，网页内容 Bad credentials

# 7. 前后端分离方案重点

枚举类构造方法，统一错误代码统一JSON返回格式，JsonResult(大袋子) 设置返回的格式为json

# 自定义登录成功返回

Spring Security自带一个login Controller

package com.zr.handler;

import com.alibaba.fastjson.JSON;
import com.zr.common.JsonResult;
import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class LoginSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        httpServletResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        httpServletResponse.getWriter().write(JSON.toJSONString(JsonResult.success()));
    }
}

添加：.successHandler(loginSuccessHandler); 移除：.defaultSuccessUrl("/home") // .failureForwardUrl("/login/error");

# 自定义登录失败处理

@Component
public class LoginFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        httpServletResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        httpServletResponse.getWriter().write(JSON.toJSONString(JsonResult.fail(e.getMessage())));
    }
}

# 用户未登录

public class UnLoginAuthentication implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        httpServletResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        httpServletResponse.getWriter().write(JSON.toJSONString(JsonResult.fail(ResultCode.USER_NOT_LOGIN)));
    }
}

# 自定义权限不足处理方案

继承

JsonResult.fail()可以直接接收枚举

@Component
public class UrlAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        httpServletResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        httpServletResponse.getWriter().write(JSON.toJSONString(JsonResult.fail(ResultCode.NO_PERMISSION)));
    }
}

    .passwordParameter("password")
    .successHandler(loginSuccessHandler)
    .failureHandler(loginFailureHandler)
    .and()
    .exceptionHandling()
    .authenticationEntryPoint(unLoginAuthentication)
    .accessDeniedHandler(urlAccessDeniedHandler);

# 自定义注销成功方案

自带controller，.logoutUrl("/logout")配置访问路径

@Component
public class UrlLogoutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        httpServletResponse.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        httpServletResponse.getWriter().write(JSON.toJSONString(JsonResult.success()));
    }
}

.and()
.logout()
.permitAll()
.logoutUrl("/logout")
.logoutSuccessHandler(urlLogoutSuccessHandler);

# 8. Method表达式安全控制重点

参考 https://blog.csdn.net/ChineseSoftware/article/details/118414906

# 开启注解

启动类上添加注解 //开启security的方法权限校验 @EnableGlobalMethodSecurity(prePostEnabled = true)
controller方法上添加注解

@PostMapping("/list")
@PreAuthorize("hasAnyAuthority('sys:user:list')")
public JsonResult list(@RequestBody SysUser sysUser){
    return JsonResult.success("查询成功");
}

@PostMapping("/add")
@PreAuthorize("hasAnyRole('ROLE_user')")
public JsonResult add(@RequestBody SysUser sysUser){

    return JsonResult.success("新增成功");
}

# 9. 与JWT整合

导包关闭session

.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);

权限不写在payload里面，存储在redis里面

需要每次请求时携带jwt

package com.zr.filter;

import com.alibaba.fastjson.JSON;
import com.zr.utils.JWTUtil;
import com.zr.utils.RedisUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class JwtAuthorizationTokenFilter extends OncePerRequestFilter {

    @Value("${jwt.token-header-key}")
    private String tokenHeaderKey;

    @Autowired
    private JWTUtil jwtUtil;

    @Autowired
    private RedisUtil redisUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        String token = request.getHeader(tokenHeaderKey);
        if(token == null){
            filterChain.doFilter(request, response);
        }else{
            String loginKey = jwtUtil.getRedisToken(token);
            String data = redisUtil.get(loginKey);
            if(data == null){
                //超时处理。。。
                filterChain.doFilter(request, response);
            }else{
                User user = JSON.parseObject(data, User.class);
                UsernamePasswordAuthenticationToken tokenBean = new UsernamePasswordAuthenticationToken(user.getUsername(), null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(tokenBean);
                filterChain.doFilter(request, response);
            }
        }
    }
}

本文参与腾讯云自媒体同步曝光计划，分享自作者个人站点/博客。

如有侵权请联系 cloudcommunity@tencent.com 删除

spring

本文分享自作者个人站点/博客前往查看

如有侵权，请联系 cloudcommunity@tencent.com 删除。

本文参与腾讯云自媒体同步曝光计划，欢迎热爱写作的你一起参与！

spring

登录后参与评论

0 条评论

热度