SpringSecurity核心功能
- 認證(你是誰)
- 授權(你能干什么)
- 攻擊防護(防止偽造身份)
SpringSecurity基本原理
image.png
自定義用戶認證邏輯
- 處理用戶信息獲取邏輯(實現UserDetailsService接口)
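@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Custom user lookup (see MyUserDetailService) used by the authentication manager. */
    @Autowired
    private MyUserDetailService userDetailService;

    /**
     * Wires the custom UserDetailsService together with a BCrypt password encoder.
     * Spring Security recommends BCrypt; the encoder is what matches the submitted
     * password against the hash returned by the UserDetailsService.
     *
     * @param auth builder for the authentication manager
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory alternative kept for reference:
        // auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder());
        auth.userDetailsService(userDetailService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }

    /**
     * Requires authentication for every request and exposes the form login page.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HTTP Basic alternative (not enabled):
        // http.httpBasic()
        http.formLogin()
            .and()
            .authorizeRequests()
            .anyRequest()
            .authenticated();
        // Intentionally no super.configure(http): the adapter's default implementation
        // applies its own chain (authenticated any request, form login and HTTP Basic),
        // so calling it here would re-enable the Basic entry point this class leaves out.
    }
}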
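@Component
@Slf4j
public class MyUserDetailService implements UserDetailsService {

    /**
     * Demo-only credential: every user logs in with the placeholder password "1234".
     * It is hashed once at class load instead of on every lookup, so the BCrypt work
     * factor is not paid again for each authentication attempt. Real code loads the
     * stored hash from the user store and never embeds a password in source.
     */
    private static final String DEMO_PASSWORD_HASH = new BCryptPasswordEncoder().encode("1234");

    /**
     * Looks up the user for the given login name.
     * Demo behaviour: any username is accepted and granted the "admin" authority;
     * replace this with a query against the real user store (password hash,
     * authorities, account status).
     *
     * @param s the username submitted at login
     * @return the user details Spring Security uses to verify the password
     * @throws UsernameNotFoundException never here; a real lookup throws it when the
     *         user does not exist
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.info("登錄用戶名:{}", s);
        return new User(s, DEMO_PASSWORD_HASH,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}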
- 處理用戶校驗邏輯(實現UserDetails接口,除了判斷密碼是否正確外,判斷用戶賬號是否過期、凍結、刪除等等)
@Component
@Slf4j
public class MyUserDetailService implements UserDetailsService {

    /**
     * Looks up the user for the given login name and reports its account state.
     * Demo behaviour: any username is accepted with the placeholder password "1234"
     * and the "admin" authority; replace the body with a lookup against the real
     * user store (password hash, authorities, expiry/lock/enabled flags).
     *
     * @param s the username submitted at login
     * @return the user details, including the account-state flags checked before
     *         the password is compared
     * @throws UsernameNotFoundException never here; a real lookup throws it when the
     *         user does not exist
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.info("登錄用戶名:{}", s);
        // Placeholder for the real lookup; re-hashes the demo password on every call.
        String encodedPassword = new BCryptPasswordEncoder().encode("1234");
        // Account-state flags in the constructor's order: enabled, accountNonExpired,
        // credentialsNonExpired, accountNonLocked. accountNonLocked is false here to
        // show the locked-account check: login is rejected as locked before the
        // password is even compared.
        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = false;
        return new User(s, encodedPassword,
                enabled, accountNonExpired, credentialsNonExpired, accountNonLocked,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}
- 處理密碼加密解密(實現PasswordEncoder接口,推薦BCrypt加密)
//配置類中注入加密類
/**
 * Exposes the application's PasswordEncoder as a bean so the same encoder is
 * used both when hashing stored passwords and when matching submitted ones.
 * BCrypt is the encoder Spring Security recommends.
 *
 * @return a BCrypt-based password encoder
 */
@Bean
public PasswordEncoder passwordEncoder() {
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
@Component
@Slf4j
public class MyUserDetailService implements UserDetailsService {

    /** Shared encoder bean; the same instance the authentication manager uses to match passwords. */
    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Looks up the user for the given login name and reports its account state.
     * Demo behaviour: any username is accepted with the placeholder password "1234"
     * and the "admin" authority; replace the body with a lookup against the real
     * user store (stored password hash, authorities, expiry/lock/enabled flags).
     *
     * @param s the username submitted at login
     * @return the user details, including the account-state flags checked before
     *         the password is compared
     * @throws UsernameNotFoundException never here; a real lookup throws it when the
     *         user does not exist
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.info("登錄用戶名:{}", s);
        // Placeholder for the real lookup; the demo password is re-hashed on every call
        // through the injected encoder.
        final String hashedPassword = passwordEncoder.encode("1234");
        // Flags in constructor order: enabled, accountNonExpired, credentialsNonExpired,
        // accountNonLocked. accountNonLocked=false demonstrates the locked-account check:
        // such a login is rejected as locked before the password is compared.
        final boolean enabled = true;
        final boolean accountNonExpired = true;
        final boolean credentialsNonExpired = true;
        final boolean accountNonLocked = false;
        return new User(
                s,
                hashedPassword,
                enabled,
                accountNonExpired,
                credentialsNonExpired,
                accountNonLocked,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}