Spring Security6 用户身份认证

前提

你需要先拜读 [Spring Security 6 官方文档](https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html#servlet-authentication-authenticationmanager)
你需要弄清楚身份认证（Authentication）和鉴权（Authorization）是两个概念，其中本文只涉及身份认证

身份认证需要做哪些事情

要弄清楚每次请求，客户端的具体身份是谁
根据不同的接口类型，启用不同的认证机制

Show me your code

添加 POM.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.1.5</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version><name>demo</name><description>Demo project for Spring Boot</description><properties><java.version>21</java.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId><configuration><image><builder>paketobuildpacks/builder-jammy-base:latest</builder></image></configuration></plugin></plugins></build></project>

自定义过滤器

/*** */
package com.example.demo;import java.io.IOException;import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;/*** */
public class AuthenticationBuilderFilter extends AbstractAuthenticationProcessingFilter {protected AuthenticationBuilderFilter() {super(new RequestMatcher() {@Overridepublic boolean matches(HttpServletRequest request) {return true;}});super.setAuthenticationManager(new ProviderManager(new WebAuthenticationProvider()));}@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)throws AuthenticationException, IOException, ServletException {Authentication auth = new WebAuthentication(request);return getAuthenticationManager().authenticate(auth);}@Overridepublic void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;if (!requiresAuthentication(request, response)) {chain.doFilter(request, response);return;}try {Authentication authenticationResult = attemptAuthentication(request, response);if (authenticationResult == null) {throw new BadCredentialsException("没有身份信息");}SecurityContextHolder.getContext().setAuthentication(authenticationResult);chain.doFilter(request, response);}catch (InternalAuthenticationServiceException failed) {this.logger.error("An internal error occurred while trying to authenticate the user.", failed);unsuccessfulAuthentication(request, response, failed);}catch (AuthenticationException ex) {// Authentication failedunsuccessfulAuthentication(request, response, ex);}}}

这里有几个地方需要注意（敲黑板啦~~）

第 37 行，可以根据需要，添加多个provider
第 43 行，后续可以根据实际需要，构建不同的 Authentication ，框架会根据 Authentication 的类型，选择认证 provider（这个是精髓）

自定义 Authentication —— WebAuthentication，可以在构造函数内自己根据需要（比如从 requestHeader、cookie等地方，获取 token）组装 Authentication

/*** */
package com.example.demo;import java.util.Collection;import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;import jakarta.servlet.http.HttpServletRequest;/*** */
public class WebAuthentication implements Authentication{public WebAuthentication() {}public WebAuthentication(HttpServletRequest request) {}/*** */private static final long serialVersionUID = -1705541938861263059L;@Overridepublic String getName() {return null;}@Overridepublic Collection<? extends GrantedAuthority> getAuthorities() {return null;}@Overridepublic Object getCredentials() {return null;}@Overridepublic Object getDetails() {return null;}@Overridepublic Object getPrincipal() {return null;}@Overridepublic boolean isAuthenticated() {return false;}@Overridepublic void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {}
}

写认证逻辑，下面例子认证逻辑被我简化了，大家根据实际需要进行补充

/*** */
package com.example.demo;import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;/*** */
public class WebAuthenticationProvider implements AuthenticationProvider {@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {authentication.setAuthenticated(true);return authentication;}@Overridepublic boolean supports(Class<?> authentication) {return authentication.equals(WebAuthentication.class);}}

配置过滤链

/*** */
package com.example.demo;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfFilter;/*** */
@Configuration
public class SecurityConfig {@BeanSecurityFilterChain filterChain(HttpSecurity http) throws Exception {http.csrf(csrf ->csrf.disable()).addFilterAfter(new AuthenticationBuilderFilter(), CsrfFilter.class);return http.build();}
}

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mzph.cn/news/153716.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！