门户网站标题居中加大,后端开发技术,手机网站加百度地图,网站备案幕布SpringSecurity的高级用法#xff0c;包括自定义loginUrl携带参数#xff0c;自定义认证校验逻辑#xff0c;自定义权限校验逻辑。 示例项目 https://github.com/qihaiyan/springcamp/tree/master/spring-advanced-security
一、概述
在项目实际开发过程中#xff0c;Spr…SpringSecurity的高级用法包括自定义loginUrl携带参数自定义认证校验逻辑自定义权限校验逻辑。 示例项目 https://github.com/qihaiyan/springcamp/tree/master/spring-advanced-security
一、概述
在项目实际开发过程中SpringSecurity默认的认证和权限校验逻辑不能实现很高的业务复杂度这种情况下我们需要自定义这些逻辑包括自定义loginUrl携带参数自定义认证校验逻辑自定义权限校验逻辑。
二、自定义loginUrl携带参数
SpringSecurity在跳转login页面时虽然可以指定login的url但是无法让url中携带动态参数不如跳转到login?paramfoo其中foo需要根据特定条件动态变化要实现这种效果我们需要通过exceptionHandling指定自定义LoginUrlAuthenticationEntryPoint。
public class CustomLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {private final RedirectStrategy redirectStrategy new DefaultRedirectStrategy();public CustomLoginUrlAuthenticationEntryPoint(String loginFormUrl) {super(loginFormUrl);}Overridepublic void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)throws IOException, ServletException {if (!super.isUseForward()) {String redirectUrl this.buildRedirectUrlToLoginPage(request, response, authException);// change login urlredirectUrl redirectUrl ?paramtest;this.redirectStrategy.sendRedirect(request, response, redirectUrl);} else {String redirectUrl null;if (super.isForceHttps() http.equals(request.getScheme())) {redirectUrl this.buildHttpsRedirectUrlForRequest(request);}if (redirectUrl ! null) {this.redirectStrategy.sendRedirect(request, response, redirectUrl);} else {String loginForm this.determineUrlToUseForThisRequest(request, response, authException);RequestDispatcher dispatcher request.getRequestDispatcher(loginForm);dispatcher.forward(request, response);}}}
}以上代码自定义CustomLoginUrlAuthenticationEntryPoint在commence方法中我们可以按照业务需要实现自己的跳转逻辑通过修改redirectUrl实现。
在SpringSecurity配置中通过exceptionHandling引用CustomLoginUrlAuthenticationEntryPoint
exceptionHandling(customizer -customizer.authenticationEntryPoint(new CustomLoginUrlAuthenticationEntryPoint(/login)))三、自定义认证校验逻辑
SpringSecurity默认的认证逻辑是校验用户名密码是否合法如果想增加其它的校验逻辑需要实现AuthenticationProvider然后在authenticationManager中指定我们自己实现的AuthenticationProvider。
public class CustomAuthenticationProvider extends DaoAuthenticationProvider {Autowiredprivate CustomUserDetailsService customUserDetailsService;PostConstructpublic void init() {this.setUserDetailsService(customUserDetailsService);}Overrideprotected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) {super.additionalAuthenticationChecks(userDetails, authentication);HttpServletRequest req ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();String username userDetails.getUsername();// 自定义认证校验逻辑if (username.equals(need approval)) {log.info(invalid request is: {}, req);throw new AuthenticationServiceException(Your account is pending approval for access);}}
}在上面自定义的CustomAuthenticationProvider中通过重写additionalAuthenticationChecks方法进行自定义认证逻辑的实现。
然后在authenticationManager中指定CustomAuthenticationProvider
Bean
public AuthenticationManager authenticationManager() {return new ProviderManager(customAuthenticationProvider);
}四、自定义权限校验逻辑
SpringSecurity可以通过在配置中通过requestMatchers指定较为灵活的权限校验策略但是缺少一些动态特性比如对 /foo/{param} 这种rest风格的带变量的url就处理不了 这种情况我们可以通过自定义AuthorizationManager来实现然后在requestMatchers中通过access方法来指定我们自定义的AuthorizationManager。
public class MyRequestAuthorizationManager implements AuthorizationManagerRequestAuthorizationContext {private final SecurityExpressionHandlerRequestAuthorizationContext expressionHandler new DefaultHttpSecurityExpressionHandler();public MyRequestAuthorizationManager() {}// 自定义授权校验逻辑Overridepublic AuthorizationDecision check(SupplierAuthentication authentication, RequestAuthorizationContext context) {EvaluationContext ctx this.expressionHandler.createEvaluationContext(authentication, context);String checkParam Optional.ofNullable(ctx.lookupVariable(param)).map(String::valueOf).orElse(null);// the /public url doesnt need authenticationif (checkParam ! null (checkParam.equals(public))) {return new AuthorizationDecision(true);}return new AuthorizationDecision(!ObjectUtils.isEmpty(authentication.get().getCredentials()));}
}在MyRequestAuthorizationManager中通过重写check方法来实现自定义权限校验rest风格的带变量的url中的变量可以通过EvaluationContext的lookupVariable方法获取变量值。
指定自定义AuthorizationManager:
MyRequestAuthorizationManager myRequestAuthorizationManager new MyRequestAuthorizationManager();
http.authorizeHttpRequests(authorize - authorize.requestMatchers(/{param}).access(myRequestAuthorizationManager))
