前言
上一篇文章已经搭好了基本框架,本文讲解如何把它与 Spring Security 结合,实现基于 JWT 的无状态认证。
核心内容
上面一张图是我基于debug模式跑的,有什么不足的地方,请多多指正。
- 配置SecurityConfig
1package com.wyl.springbootjwt.security;
2
3import lombok.extern.slf4j.Slf4j;
4import org.springframework.context.annotation.Bean;
5import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
6import org.springframework.security.config.annotation.web.builders.HttpSecurity;
7import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
8import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
9import org.springframework.security.config.core.GrantedAuthorityDefaults;
10import org.springframework.security.config.http.SessionCreationPolicy;
11import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
12import org.springframework.security.crypto.password.PasswordEncoder;
13import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
14
15import javax.annotation.Resource;
16
/**
 * Spring Security configuration for a stateless, JWT-authenticated API.
 *
 * What this class wires up (all of it visible below):
 * - a BCrypt {@link PasswordEncoder} bean;
 * - a {@link GrantedAuthorityDefaults} bean with an empty role prefix;
 * - form login with custom success/failure handlers;
 * - CORS enabled, CSRF disabled, sessions STATELESS;
 * - every request must be authenticated;
 * - {@code JwtAuthenticationFilter} registered at the
 *   {@link UsernamePasswordAuthenticationFilter} position.
 *
 * NOTE(review): {@code myUserDetailsService} is injected but never referenced in this
 * class and there is no {@code configure(AuthenticationManagerBuilder)} override here.
 * Presumably it is picked up for the global AuthenticationManager elsewhere (Spring Boot
 * auto-wires a single UserDetailsService bean) — confirm, otherwise password
 * authentication would have no provider.
 *
 * NOTE(review): the field type {@code AccessDeniedException} is a class from this package,
 * not Spring's {@code org.springframework.security.access.AccessDeniedException}; the name
 * clash is easy to misread and a rename (e.g. {@code MyAccessDeniedHandler}) would help.
 *
 * @Author YiLong Wu
 * @Date 2020/2/28 14:51
 * @Version 1.0.0
 */
@EnableWebSecurity
@Slf4j
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize on methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // AuthenticationEntryPoint: invoked for unauthenticated requests (see exceptionHandling() below).
    @Resource(name = "tokenExceptionHandler")
    private TokenExceptionHandler tokenExceptionHandler;

    // AccessDeniedHandler: invoked when an authenticated principal lacks the required authority.
    @Resource(name = "accessDeniedException")
    private AccessDeniedException accessDeniedException;

    // Filter that authenticates requests from the JWT; its internals are not in this file.
    @Resource(name = "jwtAuthenticationFilter")
    private JwtAuthenticationFilter jwtAuthenticationFilter;

    // Injected but unused in this class — see the class-level review note.
    @Resource(name = "myUserDetailsService")
    private MyUserDetailsService myUserDetailsService;

    // Replaces Spring's default redirect-on-success behaviour for form login.
    @Resource(name = "myAuthenticationSuccessHandler")
    private MyAuthenticationSuccessHandler myAuthenticationSuccessHandler;

    // Replaces Spring's default redirect-on-failure behaviour for form login.
    @Resource(name = "myAuthenticationFailHandler")
    private MyAuthenticationFailHandler myAuthenticationFailHandler;

    /**
     * Password hashing for stored credentials.
     *
     * BCrypt with the default cost (10) and a random per-password salt. Do not swap this for
     * {@code NoOpPasswordEncoder} or a bare MD5/SHA digest; if a different encoder is wanted,
     * use another adaptive hash (scrypt/argon2) or {@code DelegatingPasswordEncoder}.
     *
     * @return the encoder used both for storing and for verifying passwords
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Sets the role prefix to the empty string, so that {@code hasRole("ADMIN")} looks for the
     * authority {@code "ADMIN"} instead of {@code "ROLE_ADMIN"}.
     *
     * Note this is the ROLE_ *prefix*, not a suffix. Authorities returned by the
     * UserDetailsService must then be stored without the prefix as well.
     *
     * @return the authority defaults applied to role-based expressions
     */
    @Bean
    GrantedAuthorityDefaults grantedAuthorityDefaults() {
        return new GrantedAuthorityDefaults(""); // remove the ROLE_ prefix
    }

    /**
     * Builds the HTTP security filter chain.
     *
     * Security-relevant decisions made here:
     * - CSRF is disabled. That is acceptable only because the session policy is STATELESS and
     *   the credential is expected to be a bearer token sent in a header, not a cookie. If the
     *   JWT is ever stored in a cookie, CSRF protection must be re-enabled.
     * - {@code anyRequest().authenticated()} has no {@code permitAll()} for a login path; login
     *   can only work because the JWT filter runs before the authorization interceptor in the
     *   chain. Unauthenticated requests to any other path go to {@code tokenExceptionHandler}.
     * - {@code cors()} only activates CORS support; the allowed origins/methods come from CORS
     *   configuration defined elsewhere (not in this file).
     *
     * @param http the builder for this filter chain
     * @throws Exception propagated from the HttpSecurity builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Enable form login; the two custom handlers replace the default redirects.
                // Presumably the success handler is what issues the JWT — its code is not shown here.
                .formLogin()
                .successHandler(myAuthenticationSuccessHandler)
                .failureHandler(myAuthenticationFailHandler)
                .and()
                // Activate CORS support (configuration source defined outside this class).
                .cors()
                .and()
                // Safe only for stateless, header-based token auth — see method Javadoc.
                .csrf().disable()
                // Unauthenticated -> tokenExceptionHandler; forbidden -> accessDeniedException.
                .exceptionHandling()
                .authenticationEntryPoint(tokenExceptionHandler)
                .accessDeniedHandler(accessDeniedException)
                .and()
                // Never create or use an HttpSession: every request must carry its own credential.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // Every request, without exception, must be authenticated.
                .authorizeRequests().anyRequest().authenticated();
        // Register the JWT filter at the UsernamePasswordAuthenticationFilter position.
        // NOTE(review): addFilterAt places a filter at the same position; by Spring's contract it
        // does NOT remove the UsernamePasswordAuthenticationFilter that formLogin() registers, so
        // the two may both run — confirm JwtAuthenticationFilter is meant to coexist with it (the
        // original comment called this a "replacement", which addFilterAt does not guarantee).
        http.addFilterAt(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
相关解析:
TokenExceptionHandler:用户认证失败异常处理器(对应 `authenticationEntryPoint`,未认证的请求会走到这里)
AccessDeniedException:访问控制异常处理器(对应 `accessDeniedHandler`;注意它与 Spring Security 自带的 `org.springframework.security.access.AccessDeniedException` 同名,容易混淆,建议改名为类似 `MyAccessDeniedHandler`)
JwtAuthenticationFilter:认证过滤器
**MyUserDetailsService**:自定义 UserDetailsService,用于返回 UserDetails(注意上面的配置类里注入了它但并没有直接使用,依赖于 Spring Boot 自动把唯一的 UserDetailsService bean 接入 AuthenticationManager)
**MyAuthenticationSuccessHandler**:登录成功处理器
MyAuthenticationFailHandler:登录失败处理器
PasswordEncoder:密码编码器,这里用的是 BCryptPasswordEncoder(自带随机盐、可调 cost)。可以自定义,但不要换成 NoOpPasswordEncoder 或单纯的 MD5/SHA 摘要;要换也应换成 scrypt/argon2 这类自适应哈希。
GrantedAuthorityDefaults:因为 `hasRole()` 这类角色判断默认会带 `ROLE_` 前缀(不是后缀),因此可以用这个 bean 把前缀设为空字符串去掉。
后面的就是拦截配置了,有注释。两点需要注意:`csrf().disable()` 只有在 session 为 STATELESS、且 token 放在请求头而不是 cookie 里时才是合理的;`addFilterAt` 只是把 JwtAuthenticationFilter 放到 UsernamePasswordAuthenticationFilter 的位置,并不会移除 `formLogin()` 注册的那个过滤器,两者可能同时生效。
关于前端
其他的就不一一列出来了,有关代码请在我的github上下载查看即可。