当前位置: 首页 > news >正文

Spring Security6 用户身份认证

news 2025/8/25 0:24:23

前提

  1.  你需要先拜读 [Spring Security 6 官方文档](https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html#servlet-authentication-authenticationmanager)
  2.  你需要弄清楚身份认证(Authentication)和鉴权(Authorization)是两个概念,其中本文只涉及身份认证

身份认证需要做哪些事情

  1. 要弄清楚每次请求,客户端的具体身份是谁
  2. 根据不同的接口类型,启用不同的认证机制

Show me your code

  • 添加 POM.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.1.5</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version><name>demo</name><description>Demo project for Spring Boot</description><properties><java.version>21</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId><configuration><image><builder>paketobuildpacks/builder-jammy-base:latest</builder></image></configuration></plugin></plugins></build></project>
  • 自定义过滤器
/*** */
package com.example.demo;import java.io.IOException;import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;/*** */
public class AuthenticationBuilderFilter extends AbstractAuthenticationProcessingFilter {protected AuthenticationBuilderFilter() {super(new RequestMatcher() {@Overridepublic boolean matches(HttpServletRequest request) {return true;}});super.setAuthenticationManager(new ProviderManager(new WebAuthenticationProvider()));}@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)throws AuthenticationException, IOException, ServletException {Authentication auth = new WebAuthentication(request);return getAuthenticationManager().authenticate(auth);}@Overridepublic void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;if (!requiresAuthentication(request, response)) {chain.doFilter(request, response);return;}try {Authentication authenticationResult = attemptAuthentication(request, response);if (authenticationResult == null) {throw new BadCredentialsException("没有身份信息");}SecurityContextHolder.getContext().setAuthentication(authenticationResult);chain.doFilter(request, response);}catch (InternalAuthenticationServiceException failed) {this.logger.error("An internal error occurred while trying to authenticate the user.", failed);unsuccessfulAuthentication(request, response, failed);}catch (AuthenticationException ex) {// Authentication failedunsuccessfulAuthentication(request, response, ex);}}}

这里有几个地方需要注意(敲黑板啦~~

  1. 第 37 行,可以根据需要,添加多个provider
  2. 第 43 行,后续可以根据实际需要,构建不同的 Authentication ,框架会根据 Authentication 的类型,选择认证 provider(这个是精髓)
  • 自定义 Authentication —— WebAuthentication,可以在构造函数内自己根据需要(比如从 requestHeader、cookie等地方,获取 token)组装 Authentication
/*** */
package com.example.demo;import java.util.Collection;import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;import jakarta.servlet.http.HttpServletRequest;/*** */
public class WebAuthentication implements Authentication{public WebAuthentication() {}public WebAuthentication(HttpServletRequest request) {}/*** */private static final long serialVersionUID = -1705541938861263059L;@Overridepublic String getName() {return null;}@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return null;}@Overridepublic Object getCredentials() {return null;}@Overridepublic Object getDetails() {return null;}@Overridepublic Object getPrincipal() {return null;}@Overridepublic boolean isAuthenticated() {return false;}@Overridepublic void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {}
}
  • 写认证逻辑 ,下面例子认证逻辑被我简化了,大家根据实际需要进行补充
/*** */
package com.example.demo;import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;/*** */
public class WebAuthenticationProvider implements AuthenticationProvider {@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {authentication.setAuthenticated(true);return authentication;}@Overridepublic boolean supports(Class<?> authentication) {return authentication.equals(WebAuthentication.class);}}
  • 配置过滤链
/*** */
package com.example.demo;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfFilter;/*** */
@Configuration
public class SecurityConfig {@BeanSecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.csrf(csrf ->csrf.disable()).addFilterAfter(new AuthenticationBuilderFilter(), CsrfFilter.class);return http.build();}
}

http://www.lryc.cn/news/237614.html

相关文章:

  • 钩子函数-hook
  • 拉链表-spark版本
  • 【笔记1-2】Qt系列:QkeyEvent 键盘事件 设定快捷键
  • adb突然获取不到华为/荣耀手机。。。
  • layui的layer.confirm获取按钮焦点
  • 【HarmonyOS】鸿蒙应用开发基础认证题目
  • Mocha
  • Java详解I/O
  • 数据处理生产环境_spark获取df列当前日期的前一天日期
  • 第四代智能井盖传感器,实时守护井盖位安全
  • 【前端知识】Node——文件流的读写操作
  • 解决证书加密问题:OpenSSL与urllib3的兼容性与优化
  • #gStore-weekly | gAnswer源码解析 调用NE模块流程
  • vscode 配置 lua
  • vscode设置代码模板
  • 用css实现原生form中radio单选框和input的hover已经focus的样式
  • uniapp:录音权限检查,录音功能
  • Rust开发——切片(slice)类型
  • 如何给shopify motion主题的产品系列添加description
  • 力扣刷题-二叉树-二叉树最小深度
  • 注解方式优雅的实现 Redisson 分布式锁
  • PHP/Laravel通过经纬度计算距离获取附近商家
  • grafana面板介绍
  • 实验三 循环结构程序设计(Python)
  • Flutter笔记:目录与文件存储以及在Flutter中的使用(上)
  • 注意了!申请流量卡时地址一定不要填写学校,不好下卡哦!
  • minio使用shell上传文件
  • LeetCode538. Convert BST to Greater Tree
  • iPaaS和RPA,企业自动化应该如何选择?
  • AI实践与学习1_Milvus向量数据库实践与原理分析