新版SpringSecurity安全配置说明
作者:卑微小钟
这篇文章主要介绍了新版SpringSecurity安全配置说明,在 Spring Security 5.7.0-M2 中,我们弃用了WebSecurityConfigurerAdapter,因为我们鼓励用户转向基于组件的安全配置,需要的朋友可以参考下
新版SpringSecurityConfig
在使用SpringBoot2.7或者SpringSecurity5.7以上版本时,会提示:
在 Spring Security 5.7.0-M2 中,我们弃用了
WebSecurityConfigurerAdapter,因为我们鼓励用户转向基于组件的安全配置。
所以之前那种通过继承WebSecurityConfigurerAdapter的方式的配置组件是不行的。
同时也会遇到很多问题,例如:
在向SpringSecurity过滤器链中添加过滤器时(例如:JWT支持,第三方验证),我们需要注入AuthenticationManager对象等问题。
故在此记录一下SpringSecurity的一些基础配置项:
1 网络安全配置,忽略部分路径(如静态文件路径)
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}2 设置中文配置
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
// 设置中文配置
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}3 设置密码编码器
@Bean
@ConditionalOnMissingBean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}4 取消ROLE_ prefix
@Bean
@ConditionalOnMissingBean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}5 暴露本地认证管理器(AuthenticationManager)
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}6 其他配置
import com.example.websocket.chat.security.filer.CustomUsernamePasswordAuthenticationFilter;
import com.example.websocket.chat.security.filer.JwtAuthenticationFilter;
import com.example.websocket.chat.security.handler.*;
import com.example.websocket.chat.security.service.JwtStoreService;
import com.example.websocket.chat.security.service.impl.UserDetailsServiceImpl;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import javax.annotation.Resource;
/**
* @author zhong
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringSecurityConfig {
@Resource
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Resource
private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Resource
private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
@Resource
private CustomLogoutHandler customLogoutHandler;
@Resource
private CustomLogoutSuccessHandler customLogoutSuccessHandler;
@Resource
private CustomAccessDeniedHandler customAccessDeniedHandler;
@Resource
private SecurityProperties securityProperties;
@Resource
private JwtStoreService jwtStoreService;
@Resource
private UserDetailsServiceImpl userDetailsService;
@Resource
private AuthenticationConfiguration authenticationConfiguration;
/**
* 静态文件放行
*/
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers(securityProperties.getStaticPaths());
}
/**
* 取消ROLE_前缀
*/
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}
/**
* 设置密码编码器
*/
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 设置中文配置
*/
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean
public AuthenticationManager authenticationManager() throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
/**
* 设置默认认证提供
*/
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
final DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
/**
* 安全配置
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationConfiguration authenticationConfiguration) throws Exception {
// 表单
http.formLogin()
// 登录成功处理器
.successHandler(customAuthenticationSuccessHandler)
// 登录错误处理器
.failureHandler(customAuthenticationFailureHandler)
.and()
//添加登录逻辑拦截器,不使用默认的UsernamePasswordAuthenticationFilter
.addFilterBefore(
new CustomUsernamePasswordAuthenticationFilter(
authenticationManager(),
customAuthenticationSuccessHandler,
customAuthenticationFailureHandler
)
, UsernamePasswordAuthenticationFilter.class)
//添加token验证过滤器
.addFilterBefore(new JwtAuthenticationFilter(jwtStoreService), LogoutFilter.class);
//退出
http
.logout()
// URL
.logoutUrl("/user/logout")
// 登出处理
.addLogoutHandler(customLogoutHandler)
// 登出成功处理
.logoutSuccessHandler(customLogoutSuccessHandler);
//拦截设置
http
.authorizeRequests()
//公开以下urls
.antMatchers(securityProperties.getPublicPaths()).permitAll()
//其他路径必须验证
.anyRequest().authenticated();
//异常处理
http
.exceptionHandling()
// 未登录处理
.authenticationEntryPoint(customAuthenticationEntryPoint)
// 无权限处理
.accessDeniedHandler(customAccessDeniedHandler);
//关闭session
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 关闭cors
http.cors().disable();
// 关闭csrf
http.csrf().disable();
// 关闭headers
http.headers().frameOptions().disable();
return http.build();
}
}到此这篇关于新版SpringSecurity安全配置说明的文章就介绍到这了,更多相关SpringSecurity安全配置内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!