重点标识
Json登录。
Security默认是key-value的形式的。
前后端分离,Json处理比较方便。
Security默认是通过request.getpartmater这种方式获取,所以不支持。
自定义登录接口(方法一)
上一篇已经说过了,Spring容器里面是没有AuhtenticationManager,但是有AuhtenticationManagerBuilder。
创建一个登录接口:
@Controller
public class LoginController {@AutowiredAuthenticationManager authenticationManager;@PostMapping("/login")@ResponseBodypublic String login(@RequestBody User user, HttpSession session){//未认证令牌,参考UsernamePasswordAuthenticationFilter这个来写就行了try {UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(user.getUsername(), user.getPassword());Authentication auth = authenticationManager.authenticate(authRequest);//这里还有一点要注意,我们一般都是从SecurityContextHolder取到用户信息的,那这里也别忘了给他放进去SecurityContextHolder.getContext().setAuthentication(auth);//还有一点要注意,新版的Security是从session中获取的,那本次会话的下次请求想要拿到,也需要丢到session中去session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,SecurityContextHolder.getContext());return auth.getName();} catch (AuthenticationException e) {//throw new RuntimeException(e);//如果出现错误,这里简单点,就不封装了,直接返回好了return e.getMessage();}}
}
向Spring容器中注入一个AuthenticationManager 。
@Configuration
public class SecurityConfig {UserDetailsService userDetailsService(){InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();inMemoryUserDetailsManager.createUser(User.withUsername("admin").password("{noop}123").build());return inMemoryUserDetailsManager;}@BeanAuthenticationManager authenticationManager(){DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService());ProviderManager providerManager = new ProviderManager(daoAuthenticationProvider);return providerManager;}@BeanSecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(a->a.requestMatchers("/login").permitAll().anyRequest().authenticated()).csrf(c->c.disable());return http.build();}}
User类也给大家
public class User {private String username;private String password;public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}
}
看一下测试结果:
再看一下,同一个会话中,另一个请求能不能获取到用户信息:
ok ,都没问题,实际上,像我们之前写的验证码,如果不想采用过滤器的形式,也可以通过自定义登录这种方式,写在authenticate之前,try里面,这样验证错误被捕捉,也可以直接返回。
修改过滤器UsernamePasswordAuthenticationFilter(方法二)
准备一个过滤器,继承自UsernamePasswordAuthenticationFilter,在它的基础上,改一改就行了。
public class JsonFilter extends UsernamePasswordAuthenticationFilter {@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {if (!request.getMethod().equals("POST")) {throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());} else {String contentType = request.getContentType();if (contentType.equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE) || contentType.equalsIgnoreCase(MediaType.APPLICATION_JSON_UTF8_VALUE)) {//json请求String username = null;String password = null;try {User user = new ObjectMapper().readValue(request.getInputStream(), User.class);username = user.getUsername();username = username != null ? username.trim() : "";password = user.getPassword();password = password != null ? password : "";} catch (IOException e) {throw new RuntimeException(e);}UsernamePasswordAuthenticationToken authRequest = UsernamePasswordAuthenticationToken.unauthenticated(username, password);this.setDetails(request, authRequest);return this.getAuthenticationManager().authenticate(authRequest);} else {//key -valuereturn super.attemptAuthentication(request, response);}}}
}
然后,配置一下。
@Configuration
public class SecurityConfig {@BeanJsonFilter jsonFilter(){JsonFilter jsonFilter = new JsonFilter();jsonFilter.setFilterProcessesUrl("/login");jsonFilter.setAuthenticationSuccessHandler(((request, response, authentication) -> {response.getWriter().write(authentication.getName());}));jsonFilter.setAuthenticationFailureHandler(((request, response, exception) -> {response.setContentType("text/html;charset=utf-8");response.getWriter().write(exception.getMessage());}));jsonFilter.setAuthenticationManager(authenticationManager());//配置Security的存储策略,如果我们没有定义jsonFilter,系统会给UsernamePasswordAuthenticationFilter设置SecurityContextRepository//这个说白了,就是,同一个会话的后续请求认证也要存上jsonFilter.setSecurityContextRepository(new HttpSessionSecurityContextRepository());return jsonFilter;}UserDetailsService userDetailsService(){InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();inMemoryUserDetailsManager.createUser(User.withUsername("admin").password("{noop}123").build());return inMemoryUserDetailsManager;}@BeanAuthenticationManager authenticationManager(){DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();daoAuthenticationProvider.setUserDetailsService(userDetailsService());ProviderManager providerManager = new ProviderManager(daoAuthenticationProvider);return providerManager;}@BeanSecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {http.authorizeHttpRequests(a->a.anyRequest().authenticated())//.addFilter() 添加一个过滤器,但是自动排序,一般不用这个//添加一个过滤器,在某一个过滤器前面.addFilterBefore(jsonFilter(), UsernamePasswordAuthenticationFilter.class).csrf(c->c.disable());return http.build();}}
这样就ok了,同理,之前的验证码,也可以在这个过滤器里面实现的。
结语
生命不息,奋斗不止,加油!