spring-security (1): basic flow

1. Basic concepts:

  Spring Security is a framework that provides authentication, authorization, and protection against common attacks. With first class support for both imperative and reactive applications, it is the de-facto standard for securing Spring-based applications.

  In short, it handles security management, authentication and authorization, integrates well with Spring (newer versions also support Spring WebFlux), and its mechanism is built on servlet filters: a chain of filters runs in front of your controllers, and each filter handles one piece of the work.

  (1) Simple example

      Create a new Spring Boot project and add the following dependencies:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

     Create a UserDetailService that loads the user (from whatever source you like: a database, Redis, and so on):

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailService implements UserDetailsService {
    // Demo only: the same fixed user (name "username", password "password", authority "admin")
    // is returned no matter which username was submitted, and the password is plaintext.
    // A real implementation looks the user up and throws UsernameNotFoundException when it is absent.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return new User("username", "password", AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}

    Add the configuration class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailService userDetailService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
//                .loginPage("/")  // a custom login page can be set here
//                .successForwardUrl("/")  // page to forward to after a successful login
            .and()
            .authorizeRequests()
                .anyRequest().authenticated() // every request requires an authenticated user
//            .and()
//                .addFilter() // add a custom filter to run your own verification logic
            ;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailService)
//                .passwordEncoder(new BCryptPasswordEncoder()); // normally a hashing encoder is used
                .passwordEncoder(new MyPasswordEncode());
    }

    // Plaintext "encoder" for the demo only: it does no hashing, so stored passwords are exposed
    // if the user store leaks. Equivalent to the deprecated NoOpPasswordEncoder.
    class MyPasswordEncode implements PasswordEncoder {

        @Override
        public String encode(CharSequence rawPassword) {
            return rawPassword.toString();
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            // compare as Strings: String.equals() against a non-String CharSequence is always false
            return encodedPassword.equals(rawPassword.toString());
        }
    }

}

    Then start the application and open http://localhost:8080/ . Every URL redirects to the generated login page; log in with the username "username" and password "password" returned by UserDetailService above. Note that WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0, where the same settings are expressed as a SecurityFilterChain bean.
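    The same setup with the weak points fixed, as an added example that is not part of the original post: passwords are stored as bcrypt hashes in Spring's "{id}hash" format and checked through a delegating PasswordEncoder, unknown usernames are rejected instead of mapped to a fixed user, an /admin/** path gets a role check on top of "authenticated", and a small controller reads the current user from SecurityContextHolder. It targets Spring Security 5.x like the post; the class name, the user store contents and the /whoami endpoint are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical class name: a hardened variant of the post's SecurityConfig for Spring Security 5.x.
@Configuration
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // Delegating encoder: hashes are stored as "{bcrypt}..." so the algorithm can be changed later
    // without locking out users whose stored hash still carries the old prefix.
    private final PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    @Bean
    public UserDetailsService hashedUserDetailsService() {
        return new HashedUserDetailService();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(hashedUserDetailsService()).passwordEncoder(passwordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left at its default (enabled); the generated login form carries the token.
        http.formLogin()
            .and()
            .logout()
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // role check on top of "logged in"
                .anyRequest().authenticated();
    }

    // Constructed in-memory user store holding only hashes, the way a database table would.
    static class HashedUserDetailService implements UserDetailsService {
        private final Map<String, String> hashes = new HashMap<>();
        private final Map<String, String> roles = new HashMap<>();

        HashedUserDetailService() {
            BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
            // The plaintexts exist only to build sample rows; production code stores the hash alone.
            hashes.put("alice", "{bcrypt}" + bcrypt.encode("correct-horse-battery"));
            roles.put("alice", "ADMIN");
            hashes.put("bob", "{bcrypt}" + bcrypt.encode("another-long-passphrase"));
            roles.put("bob", "USER");
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            String hash = hashes.get(username);
            if (hash == null) {
                // Unknown names are rejected; the post's version returned one fixed user for any name.
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return User.withUsername(username).password(hash).roles(roles.get(username)).build();
        }
    }

    // Picked up by component scanning as a static nested class. After logging in, GET /whoami
    // shows the Authentication that the context-persistence filter restored for this request.
    @RestController
    static class WhoAmIController {
        @GetMapping("/whoami")
        public String whoAmI() {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            return auth.getName() + " " + auth.getAuthorities();
        }
    }
}
```

    With this in place, DaoAuthenticationProvider reports a wrong password and an unknown username with the same BadCredentialsException, so the login form does not reveal which names exist.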

    (2) The main filters and what they do

     SecurityContextPersistenceFilter    Loads the SecurityContext for the current request (by default from the HttpSession) into SecurityContextHolder at the start of the request so that the filters after it can use it, and when the request finishes saves the context back (including an authentication that succeeded during this request) and clears the holder.

                      The same object is available in a controller through SecurityContextHolder.getContext().

     RememberMeAuthenticationFilter      Remember-me support: when the context holds no authentication, it tries to authenticate the user from the remember-me cookie. The cookie carries a token, not the user's password.

     UsernamePasswordAuthenticationFilter    Handles the form-login POST (by default /login): reads the username and password, wraps them in a UsernamePasswordAuthenticationToken and hands it to the AuthenticationManager, which performs the actual verification of the user.

     AbstractAuthenticationProcessingFilter   Base class of the authentication-processing filters (UsernamePasswordAuthenticationFilter is one subclass); it implements the common success and failure handling around attemptAuthentication().

     AbstractSecurityInterceptor   Authorization: its filter subclass FilterSecurityInterceptor sits at the end of the chain and uses an AccessDecisionManager to decide whether the current Authentication has the permissions the requested URL needs.

     (These are the Spring Security 5.x names. From 5.7 on, SecurityContextHolderFilter takes the place of SecurityContextPersistenceFilter and AuthorizationFilter the place of FilterSecurityInterceptor, with the same roles.)

2. Authentication flow:

   (1) Simple walkthrough:

    1. SecurityContextPersistenceFilter loads the SecurityContext for the request (from the HttpSession, if one exists) into SecurityContextHolder before any other filter runs.

    2. UsernamePasswordAuthenticationFilter takes the username and password from the login form and wraps them in an unauthenticated token, which it hands to the AuthenticationManager:

   UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
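    The flow above, performed by hand, as an added example that is not part of the original post: it uses spring-security-core only, so it runs from a plain main() without a servlet container. A DaoAuthenticationProvider inside a ProviderManager plays the AuthenticationManager, a constructed in-memory lambda stands in for UserDetailService, passwords are bcrypt-hashed, and both the success path (token becomes authenticated, credentials erased, context populated) and the failure paths (wrong password, unknown user) are shown. The class name and user data are assumptions.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; walks the authentication flow without a web server.
public class ManualAuthenticationFlow {

    // Builds the AuthenticationManager the way Spring Boot does from a UserDetailsService plus
    // PasswordEncoder: a single DaoAuthenticationProvider wrapped in a ProviderManager.
    static AuthenticationManager buildManager(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed user store: only the bcrypt hash is kept, as a database row would.
        Map<String, UserDetails> users = Collections.singletonMap("alice",
                User.withUsername("alice")
                    .password(encoder.encode("correct-horse-battery"))
                    .roles("ADMIN")
                    .build());
        UserDetailsService uds = username -> {
            UserDetails u = users.get(username);
            if (u == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return u;
        };
        AuthenticationManager manager = buildManager(uds, encoder);

        // Step 1: what UsernamePasswordAuthenticationFilter.attemptAuthentication() does with the
        // form fields: an unauthenticated token holding the raw credentials.
        Authentication request = new UsernamePasswordAuthenticationToken("alice", "correct-horse-battery");
        System.out.println("before: authenticated=" + request.isAuthenticated());

        // Step 2: the AuthenticationManager loads the user, checks the password through the encoder
        // and returns a new, authenticated token carrying the user's authorities.
        Authentication result = manager.authenticate(request);
        System.out.println("after:  authenticated=" + result.isAuthenticated()
                + " name=" + result.getName()
                + " authorities=" + result.getAuthorities());
        // ProviderManager erases the credentials after success, so the password is not kept around.
        System.out.println("credentials erased: " + (result.getCredentials() == null));

        // Step 3: what the filter does on success, and what SecurityContextPersistenceFilter later
        // saves to the session; a controller reads it back through the same holder.
        SecurityContextHolder.getContext().setAuthentication(result);
        System.out.println("controller sees: "
                + SecurityContextHolder.getContext().getAuthentication().getName());
        SecurityContextHolder.clearContext(); // the persistence filter does this when the request ends

        // Failure paths: a wrong password and an unknown user both surface as BadCredentialsException,
        // because DaoAuthenticationProvider hides UsernameNotFoundException by default so that the
        // login response does not reveal which usernames exist.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"mallory", "anything"}}) {
            try {
                manager.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
                System.out.println("unexpected success for " + attempt[0]);
            } catch (BadCredentialsException e) {
                System.out.println("rejected " + attempt[0] + ": " + e.getMessage());
            }
        }
    }
}
```

    The lambda works because UserDetailsService has a single abstract method. In the web application the same objects are created for you: the filter builds the token, the auto-configured ProviderManager does the check, and the persistence filter stores the result in the session.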


3. Image CAPTCHA and SMS code verification

4. Mind map

posted @ 2019-05-18 14:37  fantastiLi