我們系統中的認證場景通常比較復雜,比如說用戶被鎖定無法登錄,限制登錄ip等。而springsecuriy最基本的是基于用戶與密碼的形式進行認證,由此可知它的一套驗證規范根本無法滿足業務需要,因此擴展勢在必行。那么我們可以考慮自己定義filter添加至springsecurity的過濾器棧當中,來實現我們自己的驗證需要。
本例中,基于前篇的數據庫的student表來模擬一個簡單的例子:當student的jointime在當天之后,那么才允許登錄
一、創建自己定義的filter
我們先在web包下創建好幾個包并定義如下幾個類
customerauthfilter:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
package com.bdqn.lyrk.security.study.web.filter;import com.bdqn.lyrk.security.study.web.authentication.userjointimeauthentication;import org.springframework.security.authentication.authenticationmanager;import org.springframework.security.core.authentication;import org.springframework.security.core.authenticationexception;import org.springframework.security.web.authentication.abstractauthenticationprocessingfilter;import org.springframework.security.web.util.matcher.antpathrequestmatcher;import javax.servlet.servletexception;import javax.servlet.http.httpservletrequest;import javax.servlet.http.httpservletresponse;import java.io.ioexception;public class customerauthfilter extends abstractauthenticationprocessingfilter { private authenticationmanager authenticationmanager; public customerauthfilter(authenticationmanager authenticationmanager) { super(new antpathrequestmatcher("/login", "post")); this.authenticationmanager = authenticationmanager; } @override public authentication attemptauthentication(httpservletrequest request, httpservletresponse response) throws authenticationexception, ioexception, servletexception { string username = request.getparameter("username"); userjointimeauthentication usernamepasswordauthenticationtoken =new userjointimeauthentication(username); authentication authentication = this.authenticationmanager.authenticate(usernamepasswordauthenticationtoken); if (authentication != null) { super.setcontinuechainbeforesuccessfulauthentication(true); } return authentication; }} |
該類繼承abstractauthenticationprocessingfilter,這個filter的作用是對最基本的用戶驗證的處理,我們必須重寫attemptauthentication方法。authentication接口表示授權接口,通常情況下業務認證通過時會返回一個這個對象。super.setcontinuechainbeforesuccessfulauthentication(true) 設置成true的話,會交給其他過濾器處理。
二、定義userjointimeauthentication
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
package com.bdqn.lyrk.security.study.web.authentication;import org.springframework.security.authentication.abstractauthenticationtoken;public class userjointimeauthentication extends abstractauthenticationtoken { private string username; public userjointimeauthentication(string username) { super(null); this.username = username; } @override public object getcredentials() { return null; } @override public object getprincipal() { return username; }} |
自定義授權方式,在這里接收username的值處理,其中getprincipal我們可以用來存放登錄名,getcredentials可以存放密碼,這些方法來自于authentication接口
三、定義authenticationprovider
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
package com.bdqn.lyrk.security.study.web.authentication;import com.bdqn.lyrk.security.study.app.pojo.student;import org.springframework.security.authentication.authenticationprovider;import org.springframework.security.core.authentication;import org.springframework.security.core.authenticationexception;import org.springframework.security.core.userdetails.userdetails;import org.springframework.security.core.userdetails.userdetailsservice;import java.util.date;/** * 基本的驗證方式 * * @author chen.nie * @date 2018/6/12 **/public class userjointimeauthenticationprovider implements authenticationprovider { private userdetailsservice userdetailsservice; public userjointimeauthenticationprovider(userdetailsservice userdetailsservice) { this.userdetailsservice = userdetailsservice; } /** * 認證授權,如果jointime在當前時間之后則認證通過 * @param authentication * @return * @throws authenticationexception */ @override public authentication authenticate(authentication authentication) throws authenticationexception { string username = (string) authentication.getprincipal(); userdetails userdetails = this.userdetailsservice.loaduserbyusername(username); if (!(userdetails instanceof student)) { return null; } student student = (student) userdetails; if (student.getjointime().after(new date())) return new userjointimeauthentication(username); return null; } /** * 只處理userjointimeauthentication的認證 * @param authentication * @return */ @override public boolean supports(class<?> authentication) { return authentication.getname().equals(userjointimeauthentication.class.getname()); }} |
authenticationmanager會委托authenticationprovider進行授權處理,在這里我們需要重寫support方法,該方法定義provider支持的授權對象,那么在這里我們是對userjointimeauthentication處理。
四、websecurityconfig
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
package com.bdqn.lyrk.security.study.app.config;import com.bdqn.lyrk.security.study.app.service.userservice;import com.bdqn.lyrk.security.study.web.authentication.userjointimeauthenticationprovider;import com.bdqn.lyrk.security.study.web.filter.customerauthfilter;import org.springframework.beans.factory.annotation.autowired;import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;import org.springframework.security.config.annotation.web.builders.httpsecurity;import org.springframework.security.config.annotation.web.builders.websecurity;import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;import org.springframework.security.web.authentication.usernamepasswordauthenticationfilter;/** * spring-security的相關配置 * * @author chen.nie * @date 2018/6/7 **/@enablewebsecuritypublic class websecurityconfig extends websecurityconfigureradapter { @autowired private userservice userservice; @override protected void configure(httpsecurity http) throws exception { /* 1.配置靜態資源不進行授權驗證 2.登錄地址及跳轉過后的成功頁不需要驗證 3.其余均進行授權驗證 */ http. authorizerequests().antmatchers("/static/**").permitall(). and().authorizerequests().antmatchers("/user/**").hasrole("7022"). and().authorizerequests().anyrequest().authenticated(). and().formlogin().loginpage("/login").successforwardurl("/toindex").permitall() .and().logout().logouturl("/logout").invalidatehttpsession(true).deletecookies().permitall() ; http.addfilterbefore(new customerauthfilter(authenticationmanager()), usernamepasswordauthenticationfilter.class); } @override protected void configure(authenticationmanagerbuilder auth) throws exception { //設置自定義userservice auth.userdetailsservice(userservice); auth.authenticationprovider(new userjointimeauthenticationprovider(userservice)); } @override public void configure(websecurity web) throws exception { super.configure(web); }} |
在這里面我們通過httpsecurity的方法來添加我們自定義的filter,一定要注意先后順序。在authenticationmanagerbuilder當中還需要添加我們剛才定義的authenticationprovider
啟動成功后,我們將student表里的jointime值改為早于今天的時間,進行登錄可以發現:
以上就是本文的全部內容,希望對大家的學習有所幫助,也希望大家多多支持服務器之家。
原文鏈接:https://www.cnblogs.com/niechen/p/9174096.html
