OAuth2 authorization: configuring Spring Security web authentication
2019-07-28 00:50
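Copyright notice: this is an original article by the author, released under the CC 4.0 BY-SA license. When reposting, please include a link to the original source and this notice.
Article link: https://blog.csdn.net/qq_40250122/article/details/97576067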
1. Extend the WebSecurityConfigurerAdapter abstract class
```java
package com.xy.uums.auth.config;

import com.xy.uums.auth.security.service.AuthUserDetailsService;
import com.xy.uums.core.security.CustomAccessDeniedHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * OAuth2 access control
 */
@Configuration
public class OAuth2SecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthUserDetailsService userDetailsService;

    @Autowired
    private CustomAccessDeniedHandler accessDeniedHandler;

    @Autowired
    private PasswordEncoder passwordEncoder; // defined in CoreBeanConfigurer.java

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Configure the user-detail service
     *
     * @param auth
     * @since 2018-03-22
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(daoAuthenticationProvider());
        auth.eraseCredentials(true); // clear the password once login completes
    }

    @Bean
    public AuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // false lets UsernameNotFoundException reach the caller instead of being
        // reported as BadCredentialsException, so the failure response must not
        // reveal which usernames exist
        provider.setHideUserNotFoundExceptions(false);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }

    /**
     * Configure Spring Security's custom chain
     *
     * @param web
     */
    @Override
    public void configure(WebSecurity web) {
        web.debug(false);
        // Requests matching these patterns bypass the security filter chain
        // entirely, so nothing under them is authenticated
        web.ignoring().antMatchers(
                "/image/**", // static resources
                "/view/**",
                "/public/**",
                "/**/*.ico",
                "/**/*.js",
                "/**/*.css",
                "/**/*.ttf", // was "/**/*.tff", a typo for the font extension
                "/**/*.eot",
                "/**/*.woff",
                "/**/*.svg",
                "/**/*.woff2",
                "/**/*.css.map",
                "/**/*.jpg",
                "/**/*.gif",
                "/**/*.bmp",
                "/**/*.png"
        );
    }

    /**
     * Configure how requests are protected by the interceptors
     *
     * @param http
     * @throws Exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is disabled; no HTTP session is created (STATELESS below)
        http.csrf().disable();
        // The same bean is used for both roles, so CustomAccessDeniedHandler has to
        // implement AccessDeniedHandler and AuthenticationEntryPoint
        http.exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler)
                .authenticationEntryPoint(accessDeniedHandler);
        http.authorizeRequests()
                .anyRequest()
                .authenticated();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```
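Spring Security is, broadly, implemented as a chain of Filters (which is why it can intercept requests before Spring MVC sees them). There are several of them, such as the logout filter (LogoutFilter) and the username/password authentication filter (UsernamePasswordAuthenticationFilter). Each Filter hands the finer-grained work to other components. For example, the most commonly used one, UsernamePasswordAuthenticationFilter, holds a reference to an AuthenticationManager. As its name suggests, the AuthenticationManager is responsible for authentication, but it does not perform the actual checks itself: it holds a collection of AuthenticationProviders, and the AuthenticationProvider is the component that does the verification work. For how AuthenticationManager and AuthenticationProvider work together, see the Javadoc of the two types. Success and failure each have a corresponding Handler. That is the overall Spring Security authentication flow.
We need an AuthenticationProvider that authenticates against a database. We can use the DaoAuthenticationProvider that Spring Security provides directly; setting its UserDetailsService and PasswordEncoder is enough.
Then configure how the interceptors protect requests, as well as the resources that do not require authorization.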
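The manager-to-provider delegation described above, and the effect of the `setHideUserNotFoundExceptions(false)` setting used in the configuration, as an added example that is not part of the original post. The class name `ProviderChainDemo`, the in-memory user and the passwords are constructed for illustration; the real project loads users through its own `AuthUserDetailsService`.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example; names and sample credentials are hypothetical.
public class ProviderChainDemo {

    // Runs one login attempt through AuthenticationManager -> AuthenticationProvider
    // and reports the exception type a failure handler would receive.
    static String outcome(boolean hideUserNotFound, String username, String password) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        UserDetails alice = User.withUsername("alice")          // constructed sample user
                .password(encoder.encode("correct-password"))
                .roles("USER")
                .build();

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new InMemoryUserDetailsManager(alice));
        provider.setPasswordEncoder(encoder);
        provider.setHideUserNotFoundExceptions(hideUserNotFound);

        // The manager only iterates over its providers; the provider does the check.
        AuthenticationManager manager =
                new ProviderManager(Collections.singletonList(provider));
        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return "authenticated";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Unknown user with the page's setting (false), then with the default (true)
        System.out.println("hide=false, unknown user:   " + outcome(false, "nobody", "x"));
        System.out.println("hide=true,  unknown user:   " + outcome(true, "nobody", "x"));
        // Known user, wrong password: the case the unknown-user result is compared against
        System.out.println("hide=false, wrong password: " + outcome(false, "alice", "x"));
        System.out.println("hide=false, valid login:    " + outcome(false, "alice", "correct-password"));
    }
}
```

If the unknown-user and wrong-password cases produce different exception types, whatever turns the exception into an HTTP response has to return the same body and status for both.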
For the "@Autowired private PasswordEncoder passwordEncoder;" shown above, use the password encoder below; the default one is not secure.
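```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

@Configuration
public class CoreBeanConfigurer {

    /**
     * Password encoder: new passwords are hashed with bcrypt; the other entries
     * are only used to verify stored hashes that carry the matching {id} prefix.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        String encodingId = "bcrypt";
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put(encodingId, new BCryptPasswordEncoder());
        encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
        encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
        encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
        encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
        encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
        encoders.put("scrypt", new SCryptPasswordEncoder());
        encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
        encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
        encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
        return new DelegatingPasswordEncoder(encodingId, encoders);
    }
}
```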
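How the DelegatingPasswordEncoder above treats stored hashes, as an added example that is not part of the original post: it classifies each row as current, legacy (verifiable but due for re-encoding) or unprefixed. The class name `DelegatingEncoderDemo`, the helper `audit` and all sample values are constructed for illustration, and `upgradeEncoding` assumes Spring Security 5.1 or later.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example; class name, helper and sample values are hypothetical.
public class DelegatingEncoderDemo {

    // Reduced form of the bean above: bcrypt for new hashes, noop only for legacy rows.
    static DelegatingPasswordEncoder build() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        encoders.put("noop", NoOpPasswordEncoder.getInstance());
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    // Classifies a stored credential the way a migration or audit job would.
    static String audit(DelegatingPasswordEncoder encoder, String stored) {
        if (!stored.startsWith("{")) {
            // No {id} prefix: matches() throws IllegalArgumentException for this row
            // unless a default encoder for matches has been configured.
            return "unprefixed: cannot be verified, needs a prefix or a reset";
        }
        // True when the id differs from the encoding id ("bcrypt" here).
        return encoder.upgradeEncoding(stored)
                ? "legacy: re-encode after the next successful login"
                : "current";
    }

    public static void main(String[] args) {
        DelegatingPasswordEncoder encoder = build();
        String raw = "example-password";      // constructed sample value

        String fresh = encoder.encode(raw);   // new hashes carry the {bcrypt} prefix
        String legacy = "{noop}" + raw;       // constructed legacy row
        String bare = raw;                    // constructed row with no {id} prefix

        for (String stored : new String[] {fresh, legacy, bare}) {
            System.out.println(audit(encoder, stored));
            if (stored.startsWith("{")) {
                // matches() selects the delegate from the {id} prefix
                System.out.println("  matches: " + encoder.matches(raw, stored));
            }
        }
    }
}
```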