spring-security配置 handle

原创 已于 2022-05-16 23:03:18 修改 · 890 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#spring-security

于 2022-05-16 23:02:16 首次发布

SecurityConfig:

package com.sdkj.security.oauth.config;

import com.sdkj.security.oauth.handle.MyAccessDeniedHandler;
import com.sdkj.security.oauth.handle.MyAuthenticationFailureHandler;
import com.sdkj.security.oauth.handle.MyAuthenticationSuccessHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder getPasswordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Autowired
    private MyAccessDeniedHandler myAccessDeniedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                //登录成功处理器,不能和failureForwardUrl共存
                //请求或页面
                .failureHandler(new MyAuthenticationFailureHandler("/error.html"))
                //登录成功处理器,不能和successForwardUrl共存
                .successHandler(new MyAuthenticationSuccessHandler("http://www.baidu.com"))
                //当发现/login时认为是登录,必须和表单提交的地址一样,接下来才会执行UserDetailsServiceImpl
                .loginProcessingUrl("/login")
                //自定义登录界面
                .loginPage("/login.html");

        http.authorizeRequests()
                //放行静态资源
                .antMatchers("/js/**","/css/**","/images/**").permitAll()
                //error.html不需要进行认证
                .antMatchers("/error.html").permitAll()
                //login.html不需要进行认证
                .antMatchers("/login.html").permitAll()
                //所有请求都必须被认证,必须登录之后被访问
                .anyRequest().authenticated();

        //异常处理对象
        http.exceptionHandling()
                .accessDeniedHandler(myAccessDeniedHandler);

        //退出登录
        http.logout()
                //退出登录跳转页面
                .logoutSuccessUrl("/login.html");

        //关闭csrf防护
        http.csrf().disable();
    }


}

TestController:

package com.sdkj.security.oauth.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class TestController {

    @RequestMapping("/toMain")
    public String toMain()
    {
        return "redirect:main.html";
    }

    @RequestMapping("/toError")
    public String toError()
    {
        return "redirect:error.html";
    }

    @PreAuthorize("hasAuthority('admin1')")
    @ResponseBody
    @RequestMapping("/cc")
    public String cc()
    {
        return "hello world";
    }
}

AuthenticationEvents:
package com.sdkj.security.oauth.handle;

import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

@Component
public class AuthenticationEvents {

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent authenticationSuccessEvent){
        String username = authenticationSuccessEvent.getAuthentication().getName();
        System.out.println("登录成功,用户名:"+username);
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent failureDisabledEvent){
        String username = failureDisabledEvent.getAuthentication().getName();
        System.out.println("登录失败,用户名:"+username);
    }

}

MyAccessDeniedHandler:

package com.sdkj.security.oauth.handle;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

//权限不足403处理类
@Component
public class MyAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpServletResponse.setHeader("Content-Type","application/json;charset=utf-8");
        PrintWriter write = httpServletResponse.getWriter();
        write.write("{\"status\":\"error\",\"msg\":\"权限不足,请联系管理员\"}");
        write.flush();
        write.close();
    }

}

MyAuthenticationSuccessHandler:

package com.sdkj.security.oauth.handle;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    private String url;

    public MyAuthenticationSuccessHandler(String urls) {
        url = urls;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        User user = (User) authentication.getPrincipal();
        System.out.println("getUsername==>"+user.getUsername());
        System.out.println("getAuthorities==>"+user.getAuthorities());
        httpServletResponse.sendRedirect(url);
    }
}

MyAuthenticationFailureHandler:

package com.sdkj.security.oauth.handle;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private String url;

    public MyAuthenticationFailureHandler(String urls) {
        url = urls;
    }



    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        System.out.println("-->"+httpServletRequest.getAttribute("SPRING_SECURITY_LAST_USERNAME_KEY"));;
        System.out.println("-->"+httpServletRequest.getAttribute("SPRING_SECURITY_LAST_USERNAME"));;
        httpServletResponse.sendRedirect(url);
    }
}

UserDetailServiceImpl:

package com.sdkj.security.oauth.service;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserDetailServiceImpl implements UserDetailsService {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String password = passwordEncoder.encode("123456");
        return new User(username,password, AuthorityUtils.commaSeparatedStringToAuthorityList("admin,normal"));
    }

}

SecurityOauthApplication:

package com.sdkj.security.oauth;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@EnableGlobalMethodSecurity(prePostEnabled = true)
@SpringBootApplication
public class SecurityOauthApplication {

    public static void main(String[] args) {
        SpringApplication.run(SecurityOauthApplication.class, args);
    }

}

error.html:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>登录失败</title>
</head>

<body>
<div class="login-container">
    登录失败
</div>
</body>
</html>

login.html:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>登录</title>
</head>

<style>
    .login-container {
        margin: 50px;
        width: 100%;
    }

    .form-container {
        margin: 0px auto;
        width: 50%;
        text-align: center;
        box-shadow: 1px 1px 10px #888888;
        height: 300px;
        padding: 5px;
    }

    input {
        margin-top: 10px;
        width: 350px;
        height: 30px;
        border-radius: 3px;
        border: 1px #E9686B solid;
        padding-left: 2px;

    }


    .btn {
        width: 350px;
        height: 35px;
        line-height: 35px;
        cursor: pointer;
        margin-top: 20px;
        border-radius: 3px;
        background-color: #E9686B;
        color: white;
        border: none;
        font-size: 15px;
    }

    .title{
        margin-top: 5px;
        font-size: 18px;
        color: #E9686B;
    }
</style>
<body>
<div class="login-container">
    <div class="form-container">
        <form class="form-signin" method="post" action="/login">
            <h2 class="form-signin-heading">用户登录</h2>
            <p>
                <label for="username" class="sr-only">用户名</label>
                <input type="text" id="username" name="username" class="form-control" placeholder="用户名" required autofocus>
            </p>
            <p>
                <label for="password" class="sr-only">密码</label>
                <input type="password" id="password" name="password" class="form-control" placeholder="密码" required>
            </p>
            <button class="btn btn-lg btn-primary btn-block" type="submit">登 &nbsp;&nbsp; 录</button>
        </form>
    </div>
</div>
</body>
</html>

main.html:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>登录成功</title>
</head>

<body>
<div class="login-container">
    登录成功
</div>
</body>
</html>

pom:

       <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

Spring Security系列之Handler
lonelymanontheway的博客
06-08 1249
AuthenticationSuccessHandler、AuthenticationFailureHandler、LogoutHandler、LogoutSuccessHandler、AccessDeniedHandler、CsrfTokenRequestHandler、RequestRejectedHandler、Server对应的6个Handler类
spring-security【2022-3-18更新】
m0_53964515的博客
03-14 4952
话不多说导包本质上主要是使用了AOP 和 拦截器! 导包 <!-- spring security 包含下面两个注释掉的包 --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <!-- &l
Spring 拦截器——HandlerInterceptor
东方一号蓝的博客
09-23 688
介绍Spring拦截器——HandlerInterceptor的简单使用。采用注解的方式。
Spring Boot 项目整合Spring Security 进行身份验证
最新发布
维基框架,分享技术,开源框架,开源软件。
06-16 924
该抽象类需要应用服务端实现/*** @Description: java类作用描述*/@Component/*** 查询用户信息* @param username 用户名* @return 返回用户信息* @throws UsernameNotFoundException 用户未找到异常信息*/@Override以上只是博主自己在实际项目中总结出来,然后在将其实封成工具分享给大家。相关源码在:维基框架Gitee:如果喜欢博主的分享记得给博主点点小星星。
SpringSecurity实现自定义控制器Handler
m0_52931616的博客
08-30 697
自定义控制器Handler
Spring Security处理器
张普的专栏
07-02 923
Spring Security中我们可以定义自己的Handler帮我们完成一些功能,例如登陆成功之后将用户信息放入到Session中、改变执行流的方向等,在这里列举两个Handler:AuthenticationSuccessHandler(登陆成功处理器)、AccessDeniedHandler(拒绝访问处理器),接下来分别自定义这两个处理器。               public c
springSecurity
09-04
系统详细介绍spring security使用的样例。
OAuth2与spring-security-oauth2
dev3932的博客
12-24 755
OAuth2与spring-security-oauth2OAuth2OAuth2是什么OAuth2中4种授权模式spring-security-oauth2spring-security-oauth2是什么搭建spring-security-oauth2案例环境版本pom.xmlapplication.yml目录结构密码模式获取token访问受保护的资源授权码模式获取code获取token访问受保护的资源结语 OAuth2 OAuth2是什么 关于这块概念可以参考: https://www.jianshu
Spring-Security(二)OAuth2认证详解(持续更新)
lbmydream的博客
06-06 2676
深入了解Spring Oauth2.0 认证流程及自定义扩展
SpringBoot集成Spring security 2024.10(Spring Security 6.3.3)
m0_74824483的博客
12-02 1214
Spring Security是一个功能强大且高度可定制的身份验证和访问控制框架。它是保护基于Spring的应用程序的事实标准。Spring Security是一个专注于为Java应用程序提供身份验证和授权的框架。/*** @Description: 用户登录控制器*/@Autowired/*** 定义登录页面* @return*//*** 跳转主页main。
java:spring-security的简单例子
陈鸿圳的专栏
06-23 972
再次访问【http://localhost:8080/security/hello】,可以看到虽然已经登录成功了,但还是被重定向到了登录页面【http://localhost:8080/security/login】。访问【http://localhost:8080/security/hello】 ,可以看到被重定向到登录页面【http://localhost:8080/security/login】用户名输入【user】,密码输入【123】,点击【Sign In】登录。可以看到访问成功了。
Spring Security中successHandler和failureHandler使用
热门推荐
白小纯的博客
06-11 1万+
前言 successHandler和failureHandler是Spring Security中两个较为强大的用来处理登录成功和失败的回调函数,通过它们两个我们就可以自定义一些前后端数据的交互。 successHandler 该方法有三个参数 req:相当与HttpServletRequest res:相当与HttpServletRespose authentication:这里保存了我们登录后的用户信息 进行如下配置 .successHandler((req, resp, authentication
Spring中拦截器(HandlerInterceptor/HandlerInterceptorAdapter )的使用
Jaemon
11-09 1283
Spring中拦截器(HandlerInterceptor/HandlerInterceptorAdapter )的使用
SpringMVC HandlerInterceptorAdapter登陆验证拦截器
YouXu
01-07 8145
SpringMVC HandlerInterceptorAdapter拦截器,方便,实用性大。 Spring MVC的拦截器不仅可实现Filter的所有功能,还可以更精确的控制拦截精度。
springboot -- 拦截器(HandlerInterceptor
sky
01-10 463
前言 拦截器一般用于检测用户是否有登录, 防止未登录时用户直接输入映射地址跳转到需要登录的页面 正文 package com.atguigu.springboot.component; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAnd...
史上最简单的Spring Security教程(八):用户登出成功LogoutSuccessHandler高级用法
银河架构师的博客
07-01 1万+
​大多数业务场景下,自定义登出成功页面也满足不了一些要求,更别提默认的登出成功页面。这时候,就需要别的方案支持,幸运的是,Spring Security框架还真就非常贴心的提供了这样一个接口LogoutSuccessHandler, 专门用于处理用户登出成功请求。当然了,对于LogoutSuccessHandler接口,Spring Security框架有一些默认的实现,也可以自行扩展。 同用户登录成功的业务场景,在用户登出成功后,我们也要通过邮件、短信、微信,来通知用户,在什么时间,什么...
基于SpringSecurity自定义权限表达式
CNchangan的博客
07-04 596
基于SpringSecurity自定义权限表达式
Spring拦截器:HandlerInterceptor使用
учёба
04-05 1534
有时候我们需要进行一些和,或者是。
spring-boot工程中添加spring mvc拦截器 HandlerInterceptorAdapter
to_real的博客
09-15 455
1. 认识拦截器 Spring MVC的拦截器(Interceptor)不是Filter,同样可以实现请求的预处理、后处理。使用拦截器仅需要两个步骤: 实现拦截器 注册拦截器 1.1 实现拦截器 实现拦截器可以自定义实现HandlerInterceptor接口,也可以通过继承HandlerInterceptorAdapter类,后者是前者的实现类。下面是拦截器的一个实现的例子,目的是判断用户是否登录。如果preHandle方法return true,则继续后续处理。 public class L
spring-security-oauth2-autoconfigure
04-03
Spring Security OAuth2 Autoconfigure is a module in the Spring Security framework that simplifies the configuration of OAuth2 authentication and authorization for RESTful web services. It provides pre-configured Spring Security OAuth2 components that can be easily customized to fit specific use cases. Using Spring Security OAuth2 Autoconfigure, developers can quickly set up OAuth2 authentication and authorization for their applications without having to write complex configuration code. The module supports a variety of OAuth2 providers, including Google, Facebook, GitHub, and more. Spring Security OAuth2 Autoconfigure also provides support for JSON Web Tokens (JWTs), which can be used to authenticate and authorize users in a stateless manner. This allows developers to build scalable, secure RESTful web services that can handle a large number of requests without compromising security. Overall, Spring Security OAuth2 Autoconfigure is a powerful tool that simplifies the process of integrating OAuth2 authentication and authorization into Spring-based applications.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

javachen__

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值