1. Spring Security -- Authentication section
1.1 Included modules
- spring-security-core.jar
- spring-security-remoting.jar
- spring-security-web.jar
- spring-security-config.jar
- spring-security-ldap.jar *
- spring-security-oauth2-core.jar
- spring-security-oauth2-client.jar
- spring-security-oauth2-jose.jar
- spring-security-oauth2-resource-server.jar
- spring-security-acl.jar
- spring-security-cas.jar
- spring-security-test.jar
- spring-security-taglibs.jar
1.2 Exception handling
1.2.1 Configuring different exception handling per URL
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Spring Security 5.x style: WebSecurityConfigurerAdapter was deprecated in 5.7 and removed in 6.0.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AntPathRequestMatcher matcher1 = new AntPathRequestMatcher("/qq/**");
        AntPathRequestMatcher matcher2 = new AntPathRequestMatcher("/wx/**");
        http.authorizeRequests()
                .antMatchers("/wx/**").hasRole("wx")
                .antMatchers("/qq/**").hasRole("qq")
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                // Entry points: an unauthenticated request gets a 401 whose body depends on the URL space
                .defaultAuthenticationEntryPointFor((request, response, authException) -> {
                    response.setContentType("text/html;charset=utf-8");
                    response.setStatus(HttpStatus.UNAUTHORIZED.value());
                    response.getWriter().write("请登录, QQ用户");
                }, matcher1)
                .defaultAuthenticationEntryPointFor((request, response, authException) -> {
                    response.setContentType("text/html;charset=utf-8");
                    response.setStatus(HttpStatus.UNAUTHORIZED.value());
                    response.getWriter().write("请登录, WX用户");
                }, matcher2)
                // Access-denied handlers: an authenticated user lacking the required role gets a 403
                .defaultAccessDeniedHandlerFor((request, response, accessDeniedException) -> {
                    response.setContentType("text/html;charset=utf-8");
                    response.setStatus(HttpStatus.FORBIDDEN.value());
                    response.getWriter().write("权限不足, QQ用户");
                }, matcher1)
                .defaultAccessDeniedHandlerFor((request, response, accessDeniedException) -> {
                    response.setContentType("text/html;charset=utf-8");
                    response.setStatus(HttpStatus.FORBIDDEN.value());
                    response.getWriter().write("权限不足, WX用户");
                }, matcher2)
                .and()
                .formLogin()
                .and()
                // Turns CSRF protection off for every endpoint, the login form included;
                // fine for a stateless token API, not for a session-based browser application.
                .csrf().disable();
    }
}
```
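The configuration above relies on WebSecurityConfigurerAdapter, which no longer exists in Spring Security 6. The following is an added example, not code from the original page, showing the same per-URL entry points and access-denied handlers as a SecurityFilterChain bean with the lambda DSL on Spring Boot 3 / Spring Security 6 (hence the jakarta.servlet imports). The class name PerPathExceptionHandlingConfig, the helper methods and the JSON body layout are my own choices; the URL spaces and roles are the page's. CSRF protection is left at its default here rather than disabled, and the responses are JSON rather than text/html so API clients can parse them.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.io.IOException;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (not from the page): per-URL exception handling on Spring Security 6.
// Class and helper names are assumptions; the URL spaces and roles come from the page.
@Configuration
@EnableWebSecurity
public class PerPathExceptionHandlingConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        RequestMatcher qq = new AntPathRequestMatcher("/qq/**");
        RequestMatcher wx = new AntPathRequestMatcher("/wx/**");

        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/wx/**").hasRole("wx")
                .requestMatchers("/qq/**").hasRole("qq")
                .anyRequest().authenticated())
            .exceptionHandling(exceptions -> exceptions
                // Entry points answer unauthenticated requests with 401. Spring Security uses the
                // first entry point registered as the fallback for paths that match neither matcher.
                .defaultAuthenticationEntryPointFor(entryPoint("QQ"), qq)
                .defaultAuthenticationEntryPointFor(entryPoint("WX"), wx)
                // Access-denied handlers answer authenticated but unauthorised requests with 403.
                .defaultAccessDeniedHandlerFor(deniedHandler("QQ"), qq)
                .defaultAccessDeniedHandlerFor(deniedHandler("WX"), wx))
            // Browser form login; CSRF protection stays enabled (the page's version disables it),
            // so state-changing form posts must carry the CSRF token.
            .formLogin(withDefaults());
        return http.build();
    }

    private static AuthenticationEntryPoint entryPoint(String audience) {
        return (request, response, authException) ->
            writeJson(response, HttpStatus.UNAUTHORIZED, "login required", audience);
    }

    private static AccessDeniedHandler deniedHandler(String audience) {
        return (request, response, accessDeniedException) ->
            writeJson(response, HttpStatus.FORBIDDEN, "insufficient privileges", audience);
    }

    // Only fixed strings are written, so nothing request-controlled reaches the body;
    // a JSON content type also keeps a browser from rendering the body as markup.
    private static void writeJson(HttpServletResponse response, HttpStatus status,
                                  String message, String audience) throws IOException {
        response.setStatus(status.value());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(
            "{\"status\":" + status.value()
            + ",\"message\":\"" + message + "\""
            + ",\"audience\":\"" + audience + "\"}");
    }
}
```

Registration order matters: because the QQ entry point is registered first, a request to a path outside both /qq/** and /wx/** that is not authenticated also receives the QQ response; register a dedicated catch-all entry point first if that is not what you want.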
1.3 Spring Security tutorials
Introductions to the official basic concepts and their usage:
- https://louisjj.medium.com/spring-security-for-dummies-en-version-8f20c9c1e82e
- https://www.marcobehler.com/guides/spring-security
- https://developer.okta.com/blog/2022/06/17/simple-crud-react-and-spring-boot
- https://jstobigdata.com/spring-security/controlling-sessions-with-spring-security/
1.3.1 Security Session
1.3.2 Exception handling
- Spring Security in practice: custom exception handling https://www.cnblogs.com/felordcn/p/12142514.html
- A series of Spring Security related tutorials https://felord.cn/categories/spring-security/
1.4 Spring tutorials
1.5 HowTo
1.5.1 Supporting multiple HttpSecurity
```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.User.UserBuilder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Spring Security 6 style: one SecurityFilterChain bean per HttpSecurity.
@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Bean
    public UserDetailsService userDetailsService() throws Exception {
        // ensure the passwords are encoded properly
        // (withDefaultPasswordEncoder is meant for demos only: the plain-text passwords
        // live in source; real deployments inject a PasswordEncoder and store hashes)
        UserBuilder users = User.withDefaultPasswordEncoder();
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(users.username("user").password("password").roles("USER").build());
        manager.createUser(users.username("admin").password("password").roles("USER", "ADMIN").build());
        return manager;
    }

    // @Order(1) makes this chain the first one consulted; it only claims /api/** requests.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().hasRole("ADMIN")
            )
            .httpBasic(withDefaults());
        return http.build();
    }

    // No securityMatcher, so this chain matches every request the API chain did not claim.
    @Bean
    public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
        return http.build();
    }
}
```
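To check that requests are routed to the intended chain, here is an added JUnit 5 / MockMvc test written for this page; it is not code from the page or from the Spring project. It assumes a Spring Boot 3 application that contains the MultiHttpSecurityConfig above, with spring-boot-starter-test and spring-security-test on the test classpath. The ProbeController and its two paths are hypothetical endpoints added only so that an authorised request has something to answer 200.

```java
import static org.hamcrest.Matchers.startsWith;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Import;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (not from the page): verifies which SecurityFilterChain handles which URL.
// Assumes the page's MultiHttpSecurityConfig is part of the application under test.
@SpringBootTest
@AutoConfigureMockMvc
@Import(MultiHttpSecurityChainTest.ProbeController.class)
class MultiHttpSecurityChainTest {

    // Hypothetical endpoints: one inside /api/**, one outside it.
    @RestController
    static class ProbeController {
        @GetMapping("/api/ping") String api() { return "api"; }
        @GetMapping("/home") String home() { return "home"; }
    }

    @Autowired MockMvc mvc;

    @Test
    void apiWithoutCredentialsGetsBasicChallenge() throws Exception {
        // The /api/** chain is selected: HTTP Basic challenge, no redirect to a login page.
        mvc.perform(get("/api/ping"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", startsWith("Basic")));
    }

    @Test
    void apiWithUserRoleIsForbidden() throws Exception {
        // Authenticated, but ROLE_USER does not satisfy hasRole("ADMIN").
        mvc.perform(get("/api/ping").with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());
    }

    @Test
    void apiWithAdminSucceeds() throws Exception {
        mvc.perform(get("/api/ping").with(httpBasic("admin", "password")))
           .andExpect(status().isOk());
    }

    @Test
    void nonApiAnonymousIsRedirectedToFormLogin() throws Exception {
        // The catch-all chain is selected: form login sends browsers to /login.
        mvc.perform(get("/home"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test
    @WithMockUser
    void nonApiAuthenticatedSucceeds() throws Exception {
        // @WithMockUser supplies a ROLE_USER principal; anyRequest().authenticated() is satisfied.
        mvc.perform(get("/home")).andExpect(status().isOk());
    }
}
```

The first and fourth tests are the ones that catch an ordering mistake: if the catch-all chain were consulted before the /api/** chain, an anonymous GET /api/ping would be redirected to /login instead of receiving the Basic challenge.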
1.6 Open-source project references
1.7 References
- https://auth0.com/docs/get-started/auth0-overview
- Spring Security | Tracing how the filters are registered https://zhuanlan.zhihu.com/p/514053222