java

关注公众号 jb51net

关闭
首页 > 软件编程 > java > springsecurity6自定义路径身份认证

springsecurity6配置自定义路径身份认证的实现

作者:qq_43746935

本文主要介绍了springsecurity6配置自定义路径身份认证的实现,通过使用自定义的AuthorizationManager和MyService,可以实现更灵活的访问控制,感兴趣的可以了解一下

Spring Security 6 作为最新版本,引入了许多新特性和改进,例如对 Spring Framework 6 的支持、新的默认密码编码器、更简洁的配置方式等。

springsecurity6配置自定义路径身份认证 .anyRequest().authenticated()替换成
.anyRequest().access(new CustomAuthorizationManager(myService))

CustomAuthorizationManager

package com.example.springscuritydemo.config;

import com.example.springscuritydemo.service.MyService;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

import java.util.function.Supplier;

public class CustomAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    private final MyService myService;

    public CustomAuthorizationManager(MyService myService) {
        this.myService = myService;
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
        HttpServletRequest request = context.getRequest();
        Authentication auth = authentication.get();
        if (auth == null) {
            return new AuthorizationDecision(false);
        }
        return new AuthorizationDecision(myService.hasPermission(request, auth));
    }
}

MyService

package com.example.springscuritydemo.service;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;

public interface MyService {
    boolean hasPermission(HttpServletRequest request, Authentication authentication);
}

MyServiceImpl

package com.example.springscuritydemo.service.impl;

import com.example.springscuritydemo.service.MyService;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

import java.util.Collection;
@Service
public class MyserviceImpl implements MyService {
    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        Object obj = authentication.getPrincipal();
        if (obj instanceof UserDetails) {
            UserDetails userDetails = (UserDetails) obj;
            Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities();
            boolean contains = authorities.contains(new SimpleGrantedAuthority(request.getRequestURI()));
            return contains;
        }
        return false;
    }
}

package com.example.springscuritydemo.config;

import com.example.springscuritydemo.handle.MyAccessDeniedHandler;
import com.example.springscuritydemo.handle.MyAuthenticationSuccessHandler;
import com.example.springscuritydemo.service.MyService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@EnableWebSecurity
@Configuration
public class SecurityConfig{
    @Autowired
    private MyAccessDeniedHandler myAccessDeniedHandler;
//    @Autowired
//    private MyAuthenticationFailureHandler myAuthenticationFailureHandler;
    private final MyService myService;

    public SecurityConfig(MyService myService) {
        this.myService = myService;
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        return  http
                .formLogin(formLogin -> formLogin.loginPage("/login.html")

                        .loginProcessingUrl("/login")
                        //.successForwardUrl("/toMain")
                        .successHandler(new MyAuthenticationSuccessHandler("/main.html"))
                         .failureUrl("/toError")
                        //.failureHandler(new MyAuthenticationFailureHandler("/error.html"))

                )
                .authorizeHttpRequests(auth -> auth.requestMatchers("/toError","/login.html","/error.html").permitAll()
                                //需要认证才能访问,是security的认证。不是jwt的认证登录后访问
                                
                        .requestMatchers("/js/**","/css/**","/img/**").permitAll()

                        .requestMatchers("main1.html")
                        .access(new WebExpressionAuthorizationManager("isAuthenticated() and hasIpAddress('192.168.10.6')"))

                        //其他路径需要身份认证
//                        .anyRequest().authenticated()
                                .anyRequest().access(new CustomAuthorizationManager(myService))
                )
                .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable())
                // 构建并返回安全过滤链
                .build();
    }

}

到此这篇关于springsecurity6配置自定义路径身份认证的实现的文章就介绍到这了,更多相关springsecurity6自定义路径身份认证内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家! 

您可能感兴趣的文章:
阅读全文