Spring Security实现用户名密码验证的原理
title: Spring Security
date: 2019-08-05 16:40:27
categories:
- 后端
tags: - 后端
- 权限管理
Spring Security
- Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架(简单说是对访问权限进行控制嘛)。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
- 核心:认证和授权
- RBAC基于角色的访问控制
- 安全配置类,集成WebSecurityConfigurerAdapter
package com.waylau.spring.boot.blog.config;import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;/*** Spring Security 配置类.* * @since 1.0.0 2017年3月8日* @author <a href="https://waylau.com">Way Lau</a>*/
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置
public class SecurityConfig extends WebSecurityConfigurerAdapter {private static final String KEY = "waylau.com";@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate PasswordEncoder passwordEncoder;@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); // 使用 BCrypt 加密} @Bean public AuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();authenticationProvider.setUserDetailsService(userDetailsService);authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式return authenticationProvider; } /*** 自定义配置,设置访问路径,并且静止h2控制台的csrf防护*/@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll() // 都可以访问.antMatchers("/h2-console/**").permitAll() // 都可以访问.antMatchers("/admins/**").hasRole("ADMIN") // 需要相应的角色才能访问.and().formLogin() //基于 Form 表单登录验证.loginPage("/login").failureUrl("/login-error") // 自定义登录界面.and().rememberMe().key(KEY) // 启用 remember me.and().exceptionHandling().accessDeniedPage("/403"); // 处理异常,拒绝访问就重定向到 403 页面http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求}/*** 认证信息管理* @param auth* @throws Exception*/@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService);auth.authenticationProvider(authenticationProvider());}
}
html代码示例
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"xmlns:th="http://www.thymeleaf.org"xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"> <head> </head> <body><div sec:authorize="isAuthenticated()">这里就是判断是否认证的样子<p>已登录</p><p>登录名:<span sec:authentication="name"></span></p><p>Password:<span sec:authentication="principal.password"></span></p><div sec:authentication="principal.authorities"></div> <!-- works fine --><p>Email :<span sec:authentication="principal.email"></span></p><p>Name:<span sec:authentication="principal.username"></span></p><p>Status:<span sec:authentication="principal.status"></span></p><p>拥有的角色:<span sec:authorize="hasRole('ROLE_ADMIN')">管理员</span><span sec:authorize="hasRole('ROLE_USER')">用户</span></p></div><div sec:authorize="isAnonymous"><p>未登录</p></div> </body> </html>
有一个问题需要注意,如果你是ADMIN,在数据库里面必须储存ROLE_ADMIN,其他云云。
同时,在security中,角色和权限共用GrantedAuthorty接口,唯一不同就是角色有个前缀ROLE_,
package org.springframework.security.core.authority;import org.springframework.security.core.GrantedAuthority; import org.springframework.util.Assert;public final class SimpleGrantedAuthority implements GrantedAuthority {private static final long serialVersionUID = 500L;private final String role;public SimpleGrantedAuthority(String role) {Assert.hasText(role, "A granted authority textual representation is required");this.role = role;}public String getAuthority() {return this.role;}public boolean equals(Object obj) {if (this == obj) {return true;} else {return obj instanceof SimpleGrantedAuthority ? this.role.equals(((SimpleGrantedAuthority)obj).role) : false;}}public int hashCode() {return this.role.hashCode();}public String toString() {return this.role;} }
实例操作,假如用户和权限分开
package com.waylau.spring.boot.blog.domain;import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id;import org.springframework.security.core.GrantedAuthority;/*** 权限.*/ @Entity // 实体 public class Authority implements GrantedAuthority {private static final long serialVersionUID = 1L;@Id // 主键@GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略private Long id; // 用户的唯一标识@Column(nullable = false) // 映射为字段,值不能为空private String name;public Long getId() {return id;}public void setId(Long id) {this.id = id;}/** (non-Javadoc)* * @see org.springframework.security.core.GrantedAuthority#getAuthority()*/@Overridepublic String getAuthority() {return name;}public void setName(String name) {this.name = name;} } package com.waylau.spring.boot.blog.domain;import java.io.Serializable; import java.util.ArrayList; import java.util.Collection; import java.util.List;import javax.persistence.CascadeType; import javax.persistence.Column; import javax.persistence.Entity; import javax.persistence.FetchType; import javax.persistence.GeneratedValue; import javax.persistence.GenerationType; import javax.persistence.Id; import javax.persistence.JoinColumn; import javax.persistence.JoinTable; import javax.persistence.ManyToMany; import javax.validation.constraints.Size;import org.hibernate.validator.constraints.Email; import org.hibernate.validator.constraints.NotEmpty; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;/*** User 实体* * @since 1.0.0 2017年3月5日* @author <a href="https://waylau.com">Way Lau</a>*/ @Entity // 实体 public class User implements UserDetails, Serializable { //springsecurity要求的实现方法private static final long serialVersionUID = 1L;@Id // 主键@GeneratedValue(strategy = GenerationType.IDENTITY) // 自增长策略private Long id; // 用户的唯一标识@NotEmpty(message = "姓名不能为空")@Size(min=2, max=20)@Column(nullable = false, length = 20) // 映射为字段,值不能为空private String name;@NotEmpty(message = "邮箱不能为空")@Size(max=50)@Email(message= "邮箱格式不对" ) @Column(nullable = false, length = 50, unique = true)private String email;@NotEmpty(message = "账号不能为空")@Size(min=3, max=20)@Column(nullable = false, length = 20, unique = true)private String username; // 用户账号,用户登录时的唯一标识@NotEmpty(message = "密码不能为空")@Size(max=100)@Column(length = 100)private String password; // 登录时密码@Column(length = 200)private String avatar; // 头像图片地址 //用户和权限的关系,必须把他们连接在一起@ManyToMany(cascade = CascadeType.DETACH, fetch = FetchType.EAGER)@JoinTable(name = "user_authority", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id"), inverseJoinColumns = @JoinColumn(name = "authority_id", referencedColumnName = "id"))private List<Authority> authorities;protected User() { // JPA 的规范要求无参构造函数;设为 protected 防止直接使用}public User(String name, String email,String username,String password) {this.name = name;this.email = email;this.username = username;this.password = password;}public Long getId() {return id;}public void setId(Long id) {this.id = id;}public String getName() {return name;}public void setName(String name) {this.name = name;}public String getEmail() {return email;}public void setEmail(String email) {this.email = email;}//用户权限实现信息public Collection<? extends GrantedAuthority> getAuthorities() {// 需将 List<Authority> 转成 List<SimpleGrantedAuthority>,否则前端拿不到角色列表名称List<SimpleGrantedAuthority> simpleAuthorities = new ArrayList<>();for(GrantedAuthority authority : this.authorities){simpleAuthorities.add(new SimpleGrantedAuthority(authority.getAuthority()));}return simpleAuthorities;}public void setAuthorities(List<Authority> authorities) {this.authorities = authorities;}@Overridepublic String getUsername() {return username;}public void setUsername(String username) {this.username = username;}@Overridepublic String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public void setEncodePassword(String password) {PasswordEncoder encoder = new BCryptPasswordEncoder();String encodePasswd = encoder.encode(password);this.password = encodePasswd;}public String getAvatar() {return avatar;}public void setAvatar(String avatar) {this.avatar = avatar;} //改成true方法,@Overridepublic boolean isAccountNonExpired() {return true;}@Overridepublic boolean isAccountNonLocked() {return true;}@Overridepublic boolean isCredentialsNonExpired() {return true;}@Overridepublic boolean isEnabled() {return true;}@Overridepublic String toString() {return String.format("User[id=%d, username='%s', name='%s', email='%s', password='%s']", id, username, name, email,password);} } 请看User实现了UserDetail方法里面有很多方法,有获得用户名和密码的方法,还有权限方法,所以推测UserDetails的实现类就是验证对的方式
详细原理
主要类,用来验证密码的类
public void configure(AuthenticationManagerBuilder auth) throws Exception {if (auth.isConfigured()) {return;}UserDetailsService userDetailsService = getBeanOrNull(UserDetailsService.class);if (userDetailsService == null) {return;}PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);DaoAuthenticationProvider provider = new DaoAuthenticationProvider();provider.setUserDetailsService(userDetailsService);if (passwordEncoder != null) {provider.setPasswordEncoder(passwordEncoder);}auth.authenticationProvider(provider);}
config类示例
package com.waylau.spring.boot.blog.config;import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;/*** Spring Security 配置类.* * @since 1.0.0 2017年3月8日* @author <a href="https://waylau.com">Way Lau</a>*/ @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) // 启用方法安全设置 public class SecurityConfig extends WebSecurityConfigurerAdapter {private static final String KEY = "waylau.com";@Autowiredprivate UserDetailsService userDetailsService;@Autowiredprivate PasswordEncoder passwordEncoder;@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); // 使用 BCrypt 加密} @Bean public AuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();authenticationProvider.setUserDetailsService(userDetailsService);authenticationProvider.setPasswordEncoder(passwordEncoder); // 设置密码加密方式return authenticationProvider; } /*** 自定义配置*///实际上的登录表单提交按钮,最终提交的是在这个地方@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/css/**", "/js/**", "/fonts/**", "/index").permitAll() // 都可以访问.antMatchers("/h2-console/**").permitAll() // 都可以访问.antMatchers("/admins/**").hasRole("ADMIN") // 需要相应的角色才能访问.and().formLogin() //基于 Form 表单登录验证.loginPage("/login").failureUrl("/login-error") // 自定义登录界面,失败后重定向到这里.and().rememberMe().key(KEY) // 启用 remember me.and().exceptionHandling().accessDeniedPage("/403"); // 处理异常,拒绝访问就重定向到 403 页面http.csrf().ignoringAntMatchers("/h2-console/**"); // 禁用 H2 控制台的 CSRF 防护http.headers().frameOptions().sameOrigin(); // 允许来自同一来源的H2 控制台的请求}/*** 认证信息管理* @param auth* @throws Exception*/@Autowiredpublic void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {auth.userDetailsService(userDetailsService);auth.authenticationProvider(authenticationProvider());} }
Spring Security实现用户名密码验证的原理相关推荐
- 如何使用Spring Security和Basic身份验证保护Jersey REST服务
在我之前的博客文章" 检查REST API是否有效的快速方法–从清单文件中获取GET详细信息"中 ,我展示了如何开发REST资源以轻松检查开发的REST API是否可用. 在本文中 ...
- 使用Spring Security添加RememberMe身份验证
我在" 将社交登录添加到Jiwhiz博客"中提到,RememberMe功能不适用于Spring Social Security. 好吧,这是因为该应用程序现在不通过用户名和密码对用 ...
- 使用Spring Security进行自动登录验证
** 原文来自师兄的博客 **: http://blog.csdn.net/df19900725/article/details/78085152 http://www.datalearner.com ...
- Spring Boot+Spring Security+JWT 实现token验证
Spring Boot+Spring Security+JWT 实现token验证 什么是JWT? JWT的工作流程 JWT的主要应用场景 JWT的结构 SpringBoot+Spring Secur ...
- 使用Spring Security进行简单身份验证
朋友不允许朋友写用户身份验证. 厌倦了管理自己的用户? 立即尝试Okta的API和Java SDK. 在几分钟之内即可对任何应用程序中的用户进行身份验证,管理和保护. 身份验证对于除了最基本的Web应 ...
- hive 配置用户名_配置HiveServer2的安全策略之自定义用户名密码验证
具体从网上看 http://doc.mapr.com/display/MapR/Using+HiveServer2#UsingHiveServer2-ConfiguringCustomAuthenti ...
- Spring Security中的密码安全
Spring Security中的密码安全 PasswordEncoder 接口 在 Spring Security 中,PasswordEncoder 接口代表的是一种密码编码器,其核心作用在于指定 ...
- es带用户名密码验证并配置elasticsearch-head连接
一.搭建es,带用户名密码验证 Elastic 安全是非常重要的.没有这个我们的数据可以被任何的人进行访问,串改,删除.Elastic Stack 的安全是由 x-pack 所提供的.在 Elasti ...
- Open***2.4.3 基于用户名密码验证方式(实战)
安装部署参考"Open'×××安装部署文档" 基于用户名密码验证: 1.修改server.conf: tls-auth ta.key 0 # This file is secret ...
最新文章
- python控制手机发短信_python-在python3中使用容联云通讯发送短信验证码
- LeedCode: 计算器专场
- 计蒜客 时间复杂度 (模拟) 洛谷 P3952 时间复杂度
- 从进程说起:容器到底是怎么一回事儿?
- SQL Server 堆heap 非聚集索引 Nonclustered index 行号键查找RID loopup结合执行计划过程详解
- GDI+有Bitmap类。
- 最近ubuntu+gpu装机记录
- 火眼:利用FTA 服务器0day攻击全球百家企业的是 FIN11
- linux里netstat与ps,理解proc目录与linux进程、ps命令、netstat命令的关系
- 用条码软件来制作证书
- iTextSharp快速使用指南
- python pyhook_python pyHook安装
- 按照特定名字批量创建文件夹
- 串口(串行接口)相关概念
- 基于神经网络的指纹识别,指纹比对技术何时出现
- TextView 的 StaticLayout,比你想象中复杂点!
- LBM学习讨论群推荐
- js 实现经纬度转 城市-区县-街道
- Excel批量替换成强制換行
- 6 年 Java 老兵 BAT 面试心经