Spring Security(学习笔记) --Json登录的两种方式！

重点标识

Json登录。
Security默认是key-value的形式的。

前后端分离，Json处理比较方便。

Security默认是通过request.getpartmater这种方式获取，所以不支持。

自定义登录接口（方法一）

上一篇已经说过了，Spring容器里面是没有AuhtenticationManager，但是有AuhtenticationManagerBuilder。

创建一个登录接口：


@Controller
public class LoginController {@AutowiredAuthenticationManager authenticationManager;@PostMapping("/login")@ResponseBodypublic String login(@RequestBody User user, HttpSession session){//未认证令牌，参考UsernamePasswordAuthenticationFilter这个来写就行了try {UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(user.getUsername(), user.getPassword());Authentication auth = authenticationManager.authenticate(authRequest);//这里还有一点要注意，我们一般都是从SecurityContextHolder取到用户信息的，那这里也别忘了给他放进去SecurityContextHolder.getContext().setAuthentication(auth);//还有一点要注意，新版的Security是从session中获取的，那本次会话的下次请求想要拿到，也需要丢到session中去session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,SecurityContextHolder.getContext());return auth.getName();} catch (AuthenticationException e) {//throw new RuntimeException(e);//如果出现错误，这里简单点，就不封装了，直接返回好了return e.getMessage();}}
}

向Spring容器中注入一个AuthenticationManager 。


@Configuration
public class SecurityConfig {UserDetailsService userDetailsService(){InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();inMemoryUserDetailsManager.createUser(User.withUsername("admin").password("{noop}123").build());return inMemoryUserDetailsManager;}@BeanAuthenticationManager authenticationManager(){DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService());ProviderManager providerManager = new ProviderManager(daoAuthenticationProvider);return providerManager;}@BeanSecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(a->a.requestMatchers("/login").permitAll().anyRequest().authenticated()).csrf(c->c.disable());return http.build();}}

User类也给大家


public class User {private String username;private String password;public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}
}

看一下测试结果：

在这里插入图片描述
再看一下，同一个会话中，另一个请求能不能获取到用户信息：

在这里插入图片描述
ok ,都没问题，实际上，像我们之前写的验证码，如果不想采用过滤器的形式，也可以通过自定义登录这种方式，写在authenticate之前，try里面，这样验证错误被捕捉，也可以直接返回。

修改过滤器UsernamePasswordAuthenticationFilter（方法二）

准备一个过滤器，继承自UsernamePasswordAuthenticationFilter，在它的基础上，改一改就行了。


public class JsonFilter extends UsernamePasswordAuthenticationFilter {@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {if (!request.getMethod().equals("POST")) {throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());} else {String contentType = request.getContentType();if (contentType.equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE) || contentType.equalsIgnoreCase(MediaType.APPLICATION_JSON_UTF8_VALUE)) {//json请求String username = null;String password = null;try {User user = new ObjectMapper().readValue(request.getInputStream(), User.class);username = user.getUsername();username = username != null ? username.trim() : "";password = user.getPassword();password = password != null ? password : "";} catch (IOException e) {throw new RuntimeException(e);}UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username, password);this.setDetails(request, authRequest);return this.getAuthenticationManager().authenticate(authRequest);} else {//key -valuereturn super.attemptAuthentication(request, response);}}}
}

然后，配置一下。


@Configuration
public class SecurityConfig {@BeanJsonFilter jsonFilter(){JsonFilter jsonFilter = new JsonFilter();jsonFilter.setFilterProcessesUrl("/login");jsonFilter.setAuthenticationSuccessHandler(((request, response, authentication) -> {response.getWriter().write(authentication.getName());}));jsonFilter.setAuthenticationFailureHandler(((request, response, exception) -> {response.setContentType("text/html;charset=utf-8");response.getWriter().write(exception.getMessage());}));jsonFilter.setAuthenticationManager(authenticationManager());//配置Security的存储策略，如果我们没有定义jsonFilter，系统会给UsernamePasswordAuthenticationFilter设置SecurityContextRepository//这个说白了，就是，同一个会话的后续请求认证也要存上jsonFilter.setSecurityContextRepository(new HttpSessionSecurityContextRepository());return jsonFilter;}UserDetailsService userDetailsService(){InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();inMemoryUserDetailsManager.createUser(User.withUsername("admin").password("{noop}123").build());return inMemoryUserDetailsManager;}@BeanAuthenticationManager authenticationManager(){DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService());ProviderManager providerManager = new ProviderManager(daoAuthenticationProvider);return providerManager;}@BeanSecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(a->a.anyRequest().authenticated())//.addFilter()  添加一个过滤器，但是自动排序，一般不用这个//添加一个过滤器，在某一个过滤器前面.addFilterBefore(jsonFilter(), UsernamePasswordAuthenticationFilter.class).csrf(c->c.disable());return http.build();}}