springsecurity6配置自定义路径身份认证的实现
作者:qq_43746935
本文主要介绍了springsecurity6配置自定义路径身份认证的实现,通过使用自定义的AuthorizationManager和MyService,可以实现更灵活的访问控制,感兴趣的可以了解一下
Spring Security 6 作为最新版本,引入了许多新特性和改进,例如对 Spring Framework 6 的支持、新的默认密码编码器、更简洁的配置方式等。
springsecurity6配置自定义路径身份认证 .anyRequest().authenticated()替换成
.anyRequest().access(new CustomAuthorizationManager(myService))
CustomAuthorizationManager
package com.example.springscuritydemo.config; import com.example.springscuritydemo.service.MyService; import jakarta.servlet.http.HttpServletRequest; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationManager; import org.springframework.security.core.Authentication; import org.springframework.security.web.access.intercept.RequestAuthorizationContext; import java.util.function.Supplier; public class CustomAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> { private final MyService myService; public CustomAuthorizationManager(MyService myService) { this.myService = myService; } @Override public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) { HttpServletRequest request = context.getRequest(); Authentication auth = authentication.get(); if (auth == null) { return new AuthorizationDecision(false); } return new AuthorizationDecision(myService.hasPermission(request, auth)); } }
MyService
package com.example.springscuritydemo.service; import jakarta.servlet.http.HttpServletRequest; import org.springframework.security.core.Authentication; public interface MyService { boolean hasPermission(HttpServletRequest request, Authentication authentication); }
MyServiceImpl
package com.example.springscuritydemo.service.impl; import com.example.springscuritydemo.service.MyService; import jakarta.servlet.http.HttpServletRequest; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Service; import java.util.Collection; @Service public class MyserviceImpl implements MyService { @Override public boolean hasPermission(HttpServletRequest request, Authentication authentication) { Object obj = authentication.getPrincipal(); if (obj instanceof UserDetails) { UserDetails userDetails = (UserDetails) obj; Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities(); boolean contains = authorities.contains(new SimpleGrantedAuthority(request.getRequestURI())); return contains; } return false; } }
package com.example.springscuritydemo.config; import com.example.springscuritydemo.handle.MyAccessDeniedHandler; import com.example.springscuritydemo.handle.MyAuthenticationSuccessHandler; import com.example.springscuritydemo.service.MyService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager; @EnableWebSecurity @Configuration public class SecurityConfig{ @Autowired private MyAccessDeniedHandler myAccessDeniedHandler; // @Autowired // private MyAuthenticationFailureHandler myAuthenticationFailureHandler; private final MyService myService; public SecurityConfig(MyService myService) { this.myService = myService; } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } @Bean SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { return http .formLogin(formLogin -> formLogin.loginPage("/login.html") .loginProcessingUrl("/login") //.successForwardUrl("/toMain") .successHandler(new MyAuthenticationSuccessHandler("/main.html")) .failureUrl("/toError") //.failureHandler(new MyAuthenticationFailureHandler("/error.html")) ) .authorizeHttpRequests(auth -> auth.requestMatchers("/toError","/login.html","/error.html").permitAll() //需要认证才能访问,是security的认证。不是jwt的认证登录后访问 .requestMatchers("/js/**","/css/**","/img/**").permitAll() .requestMatchers("main1.html") .access(new WebExpressionAuthorizationManager("isAuthenticated() and hasIpAddress('192.168.10.6')")) //其他路径需要身份认证 // .anyRequest().authenticated() .anyRequest().access(new CustomAuthorizationManager(myService)) ) .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable()) // 构建并返回安全过滤链 .build(); } }
到此这篇关于springsecurity6配置自定义路径身份认证的实现的文章就介绍到这了,更多相关springsecurity6自定义路径身份认证内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!