本篇文章给大家分享的是有关怎么在SpringSecurity中自定义过滤器,小编觉得挺实用的,因此分享给大家学习,希望大家阅读完这篇文章后可以有所收获,话不多说,跟着小编一起来看看吧。
一、创建自己定义的Filter
我们先在web包下创建好几个包并定义如下几个类
CustomerAuthFilter:
package com.bdqn.lyrk.security.study.web.filter; import com.bdqn.lyrk.security.study.web.authentication.UserJoinTimeAuthentication; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; public class CustomerAuthFilter extends AbstractAuthenticationProcessingFilter { private AuthenticationManager authenticationManager; public CustomerAuthFilter(AuthenticationManager authenticationManager) { super(new AntPathRequestMatcher("/login", "POST")); this.authenticationManager = authenticationManager; } @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException { String username = request.getParameter("username"); UserJoinTimeAuthentication usernamePasswordAuthenticationToken =new UserJoinTimeAuthentication(username); Authentication authentication = this.authenticationManager.authenticate(usernamePasswordAuthenticationToken); if (authentication != null) { super.setContinueChainBeforeSuccessfulAuthentication(true); } return authentication; } }
该类继承AbstractAuthenticationProcessingFilter,这个filter的作用是对最基本的用户验证的处理,我们必须重写attemptAuthentication方法。Authentication接口表示授权接口,通常情况下业务认证通过时会返回一个这个对象。super.setContinueChainBeforeSuccessfulAuthentication(true) 设置成true的话,会交给其他过滤器处理。
二、定义UserJoinTimeAuthentication
package com.bdqn.lyrk.security.study.web.authentication; import org.springframework.security.authentication.AbstractAuthenticationToken; public class UserJoinTimeAuthentication extends AbstractAuthenticationToken { private String username; public UserJoinTimeAuthentication(String username) { super(null); this.username = username; } @Override public Object getCredentials() { return null; } @Override public Object getPrincipal() { return username; } }
自定义授权方式,在这里接收username的值处理,其中getPrincipal我们可以用来存放登录名,getCredentials可以存放密码,这些方法来自于Authentication接口
三、定义AuthenticationProvider
package com.bdqn.lyrk.security.study.web.authentication; import com.bdqn.lyrk.security.study.app.pojo.Student; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import java.util.Date; /** * 基本的验证方式 * * @author chen.nie * @date 2018/6/12 **/ public class UserJoinTimeAuthenticationProvider implements AuthenticationProvider { private UserDetailsService userDetailsService; public UserJoinTimeAuthenticationProvider(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } /** * 认证授权,如果jointime在当前时间之后则认证通过 * @param authentication * @return * @throws AuthenticationException */ @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String username = (String) authentication.getPrincipal(); UserDetails userDetails = this.userDetailsService.loadUserByUsername(username); if (!(userDetails instanceof Student)) { return null; } Student student = (Student) userDetails; if (student.getJoinTime().after(new Date())) return new UserJoinTimeAuthentication(username); return null; } /** * 只处理UserJoinTimeAuthentication的认证 * @param authentication * @return */ @Override public boolean supports(Class<?> authentication) { return authentication.getName().equals(UserJoinTimeAuthentication.class.getName()); } }
AuthenticationManager会委托AuthenticationProvider进行授权处理,在这里我们需要重写support方法,该方法定义Provider支持的授权对象,那么在这里我们是对UserJoinTimeAuthentication处理。
四、WebSecurityConfig
package com.bdqn.lyrk.security.study.app.config; import com.bdqn.lyrk.security.study.app.service.UserService; import com.bdqn.lyrk.security.study.web.authentication.UserJoinTimeAuthenticationProvider; import com.bdqn.lyrk.security.study.web.filter.CustomerAuthFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; /** * spring-security的相关配置 * * @author chen.nie * @date 2018/6/7 **/ @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserService userService; @Override protected void configure(HttpSecurity http) throws Exception { /* 1.配置静态资源不进行授权验证 2.登录地址及跳转过后的成功页不需要验证 3.其余均进行授权验证 */ http. authorizeRequests().antMatchers("/static/**").permitAll(). and().authorizeRequests().antMatchers("/user/**").hasRole("7022"). and().authorizeRequests().anyRequest().authenticated(). and().formLogin().loginPage("/login").successForwardUrl("/toIndex").permitAll() .and().logout().logoutUrl("/logout").invalidateHttpSession(true).deleteCookies().permitAll() ; http.addFilterBefore(new CustomerAuthFilter(authenticationManager()), UsernamePasswordAuthenticationFilter.class); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { //设置自定义userService auth.userDetailsService(userService); auth.authenticationProvider(new UserJoinTimeAuthenticationProvider(userService)); } @Override public void configure(WebSecurity web) throws Exception { super.configure(web); } }
以上就是怎么在SpringSecurity中自定义过滤器,小编相信有部分知识点可能是我们日常工作会见到或用到的。希望你能通过这篇文章学到更多知识。更多详情敬请关注亿速云行业资讯频道。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。