首页 > 基础资料 博客日记
新版SpringSecurity配置(SpringBoot>2.7&SpringSecurity>5.7)
2023-07-24 14:28:45基础资料围观391次
本篇文章分享新版SpringSecurity配置(SpringBoot>2.7&SpringSecurity>5.7),对你有帮助的话记得收藏一下,看Java资料网收获更多编程知识
新版SpringSecurityConfig
在使用SpringBoot2.7或者SpringSecurity5.7以上版本时,会提示:
在 Spring Security 5.7.0-M2 中,我们弃用了
WebSecurityConfigurerAdapter,因为我们鼓励用户转向基于组件的安全配置。
所以之前那种通过继承WebSecurityConfigurerAdapter的方式的配置组件是不行的。
同时也会遇到很多问题,例如:
在向SpringSecurity过滤器链中添加过滤器时(例如:JWT支持,第三方验证),我们需要注入AuthenticationManager对象等问题。
故在此记录一下SpringSecurity的一些基础配置项:
1 网络安全配置,忽略部分路径(如静态文件路径)
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers("/ignore1", "/ignore2");
}
2 设置中文配置
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
// 设置中文配置
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}
3 设置密码编码器
@Bean
@ConditionalOnMissingBean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
4 取消ROLE_ prefix
@Bean
@ConditionalOnMissingBean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}
5 暴露本地认证管理器(AuthenticationManager)
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
6 其他配置
import com.example.websocket.chat.security.filer.CustomUsernamePasswordAuthenticationFilter;
import com.example.websocket.chat.security.filer.JwtAuthenticationFilter;
import com.example.websocket.chat.security.handler.*;
import com.example.websocket.chat.security.service.JwtStoreService;
import com.example.websocket.chat.security.service.impl.UserDetailsServiceImpl;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.core.GrantedAuthorityDefaults;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import javax.annotation.Resource;
/**
* @author zhong
*/
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SpringSecurityConfig {
@Resource
private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;
@Resource
private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
@Resource
private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;
@Resource
private CustomLogoutHandler customLogoutHandler;
@Resource
private CustomLogoutSuccessHandler customLogoutSuccessHandler;
@Resource
private CustomAccessDeniedHandler customAccessDeniedHandler;
@Resource
private SecurityProperties securityProperties;
@Resource
private JwtStoreService jwtStoreService;
@Resource
private UserDetailsServiceImpl userDetailsService;
@Resource
private AuthenticationConfiguration authenticationConfiguration;
/**
* 静态文件放行
*/
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring().antMatchers(securityProperties.getStaticPaths());
}
/**
* 取消ROLE_前缀
*/
@Bean
public GrantedAuthorityDefaults grantedAuthorityDefaults() {
// Remove the ROLE_ prefix
return new GrantedAuthorityDefaults("");
}
/**
* 设置密码编码器
*/
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* 设置中文配置
*/
@Bean
public ReloadableResourceBundleMessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.setBasename("classpath:org/springframework/security/messages_zh_CN");
return messageSource;
}
/**
* 认证管理器,登录的时候参数会传给 authenticationManager
*/
@Bean
public AuthenticationManager authenticationManager() throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
/**
* 设置默认认证提供
*/
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
final DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
/**
* 安全配置
*/
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationConfiguration authenticationConfiguration) throws Exception {
// 表单
http.formLogin()
// 登录成功处理器
.successHandler(customAuthenticationSuccessHandler)
// 登录错误处理器
.failureHandler(customAuthenticationFailureHandler)
.and()
//添加登录逻辑拦截器,不使用默认的UsernamePasswordAuthenticationFilter
.addFilterBefore(
new CustomUsernamePasswordAuthenticationFilter(
authenticationManager(),
customAuthenticationSuccessHandler,
customAuthenticationFailureHandler
)
, UsernamePasswordAuthenticationFilter.class)
//添加token验证过滤器
.addFilterBefore(new JwtAuthenticationFilter(jwtStoreService), LogoutFilter.class);
//退出
http
.logout()
// URL
.logoutUrl("/user/logout")
// 登出处理
.addLogoutHandler(customLogoutHandler)
// 登出成功处理
.logoutSuccessHandler(customLogoutSuccessHandler);
//拦截设置
http
.authorizeRequests()
//公开以下urls
.antMatchers(securityProperties.getPublicPaths()).permitAll()
//其他路径必须验证
.anyRequest().authenticated();
//异常处理
http
.exceptionHandling()
// 未登录处理
.authenticationEntryPoint(customAuthenticationEntryPoint)
// 无权限处理
.accessDeniedHandler(customAccessDeniedHandler);
//关闭session
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// 关闭cors
http.cors().disable();
// 关闭csrf
http.csrf().disable();
// 关闭headers
http.headers().frameOptions().disable();
return http.build();
}
}
文章来源:https://blog.csdn.net/zhongjianboy/article/details/130721399
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若内容造成侵权/违法违规/事实不符,请联系邮箱:jacktools123@163.com进行投诉反馈,一经查实,立即删除!
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若内容造成侵权/违法违规/事实不符,请联系邮箱:jacktools123@163.com进行投诉反馈,一经查实,立即删除!
标签:
相关文章
最新发布
点击排行
本站推荐
