
oauth2授权,配置springSecurity web认证

2019-07-28 00:50 218 查看
版权声明:本文为博主原创文章,遵循 CC 4.0 by-sa 版权协议,转载请附上原文出处链接和本声明。 本文链接:https://blog.csdn.net/qq_40250122/article/details/97576067

一 继承WebSecurityConfigurerAdapter抽象类

package com.xy.uums.auth.config;

import com.xy.uums.auth.security.service.AuthUserDetailsService;
import com.xy.uums.core.security.CustomAccessDeniedHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;

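/**
 * OAuth2 access control: web-layer Spring Security configuration.
 *
 * <p>Registers a DAO-backed {@link AuthenticationProvider}, exposes the
 * {@link AuthenticationManager} as a bean, lists the static-resource paths that are
 * excluded from the security filter chain, and requires authentication for every other
 * request without creating a session.
 */
@Configuration
public class OAuth2SecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthUserDetailsService userDetailsService;

    // Used as both the access-denied handler and the authentication entry point below.
    @Autowired
    private CustomAccessDeniedHandler accessDeniedHandler;

    // The bean is defined in CoreBeanConfigurer.java.
    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Publishes the {@link AuthenticationManager} built by this configurer as a bean so
     * that other components can inject it.
     *
     * @return the authentication manager created by the parent configurer
     * @throws Exception if the parent configurer cannot build the manager
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Configures the user-detail based authentication.
     *
     * @param auth builder that receives the DAO authentication provider
     * @since 2018-03-22
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(daoAuthenticationProvider());
        // Clear the password from the authentication object once login has completed.
        auth.eraseCredentials(true);
    }

    /**
     * Creates the provider that checks credentials against {@code userDetailsService}
     * using the injected {@link PasswordEncoder}.
     *
     * @return the configured DAO authentication provider
     */
    @Bean
    public AuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        // With false, an unknown username is reported as UsernameNotFoundException instead
        // of being converted to BadCredentialsException.
        // NOTE(review): if the failure response differs between the two cases, a client can
        // learn which usernames exist. Keep the responses identical, or leave the default
        // (true) unless the distinction is required internally.
        provider.setHideUserNotFoundExceptions(false);
        provider.setPasswordEncoder(passwordEncoder);
        return provider;
    }

    /**
     * Lists the request paths that Spring Security ignores completely.
     *
     * <p>Ignored requests skip the whole filter chain, so no authentication, authorization
     * or security headers are applied to them.
     *
     * @param web builder for the ignore list and the debug switch
     */
    @Override
    public void configure(WebSecurity web) {
        web.debug(false);
        // NOTE(review): the extension patterns match any path ending in that suffix, not
        // only files under a static directory. Confirm that no dynamic endpoint is
        // reachable under such a path, or replace the list with permitAll() rules so the
        // filter chain still runs for these requests.
        web.ignoring().antMatchers(
                "/image/**",
                // static resources
                "/view/**",
                "/public/**",
                "/**/*.ico",
                "/**/*.js",
                "/**/*.css",
                // NOTE(review): ".tff" looks like a typo for ".ttf"; confirm.
                "/**/*.tff",
                "/**/*.eot",
                "/**/*.woff",
                "/**/*.svg",
                "/**/*.woff2",
                "/**/*.css.map",
                "/**/*.jpg",
                "/**/*.gif",
                "/**/*.bmp",
                "/**/*.png"
        );
    }

    /**
     * Configures how requests are protected by the security filters.
     *
     * @param http the HTTP security builder
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): disabling CSRF protection is only sound while no endpoint is
        // authenticated by a cookie or session; confirm that every protected endpoint
        // takes its credential from a request header.
        http.csrf().disable();

        // The same handler answers both "authenticated but forbidden" and "not
        // authenticated", so it has to implement both handler interfaces.
        http.exceptionHandling()
                .accessDeniedHandler(accessDeniedHandler)
                .authenticationEntryPoint(accessDeniedHandler);

        // Every request that is not on the ignore list needs an authenticated caller.
        http.authorizeRequests()
                .anyRequest()
                .authenticated();

        // Spring Security neither creates an HttpSession nor reads the security context
        // from one.
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

}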

Spring Security 大体上是由一组 Filter 实现的(所以才能在 Spring MVC 之前拦截请求),例如登出 Filter(LogoutFilter)、用户名密码验证 Filter(UsernamePasswordAuthenticationFilter)等。Filter 再交由其他组件完成细分的功能,例如最常用的 UsernamePasswordAuthenticationFilter 会持有一个 AuthenticationManager 引用。AuthenticationManager 顾名思义是验证管理器,负责验证,但它本身并不做具体的验证工作:它持有一个 AuthenticationProvider 集合,AuthenticationProvider 才是做验证工作的组件。AuthenticationManager 和 AuthenticationProvider 的工作机制可以大概看一下这两个类的 Javadoc。验证成功和失败都有相对应的 Handler。大体的 Spring Security 验证工作流程就是这样了。

需要一个数据库认证的 AuthenticationProvider 时,我们可以直接用 Spring Security 提供的 DaoAuthenticationProvider,设置一下 UserDetailsService 和 PasswordEncoder 就可以了。

然后配置拦截器保护请求,以及不需要权限的资源。注意:web.ignoring() 中列出的路径会完全跳过 Spring Security 的过滤器链,只应该用于真正的静态资源。

以上的

@Autowired
private PasswordEncoder           passwordEncoder; //这里使用以下的密码加密器, 默认的不安全
/**
 * Builds the application's password encoder.
 *
 * <p>The returned {@link DelegatingPasswordEncoder} encodes new passwords with the
 * encoder registered under {@code "bcrypt"}. The other entries are registered under
 * their own ids alongside it.
 *
 * <p>NOTE(review): the "noop", "MD4", "MD5", "SHA-1", "SHA-256", "ldap" and "sha256"
 * entries are plain text or fast digests. If the user store holds no values in those
 * formats, remove the entries so such a value can never be accepted; if it does, plan
 * a migration to the default encoder.
 *
 * @return a delegating encoder whose default id is {@code "bcrypt"}
 */
@Bean
public PasswordEncoder passwordEncoder() {
    final String defaultId = "bcrypt";
    final Map<String, PasswordEncoder> delegates = new HashMap<>();

    // Adaptive password-hashing schemes.
    delegates.put(defaultId, new BCryptPasswordEncoder());
    delegates.put("pbkdf2", new Pbkdf2PasswordEncoder());
    delegates.put("scrypt", new SCryptPasswordEncoder());

    // Legacy formats: plain text and digest-based encoders.
    delegates.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
    delegates.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
    delegates.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
    delegates.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
    delegates.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
    delegates.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
    delegates.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());

    return new DelegatingPasswordEncoder(defaultId, delegates);
}