Ele*_*ian 2 authentication spring spring-security spring-boot
自从 Spring Security 更新后,我必须对代码进行一些更改。这是我现在的配置类。
public class SecurityConfig {
private final UserDetailsServiceImpl userDetailsService;
private final UserRepository userRepository;
public SecurityConfig(UserDetailsServiceImpl userDetailsService, UserRepository userRepository) {
this.userDetailsService = userDetailsService;
this.userRepository = userRepository;
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
return authenticationConfiguration.getAuthenticationManager();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(new CustomAuthenticationFilter(authenticationManager()))
.addFilter(new CustomAuthorizationFilter(authenticationManager(), userRepository))
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/user/users/save").permitAll()
.antMatchers(HttpMethod.POST, "/login").permitAll()
.antMatchers(HttpMethod.POST, "/users//register").permitAll()
.antMatchers("/**").permitAll() // Only for testing purposes
.antMatchers("/user/**").hasAuthority("ADMIN")
.antMatchers("/user/**").authenticated();
return http.build();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
但是,由于我已将配置方法和身份验证管理器更改为 beans,因此我无法将身份验证管理器传递给我的过滤器。看起来像这样。
public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private final AuthenticationManager authenticationManager;
@Value("${security.key}")
private String secretKey;
public CustomAuthenticationFilter(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
LoginRequest loginRequest = null;
try {
loginRequest = new ObjectMapper().readValue(request.getInputStream(), LoginRequest.class);
} catch (IOException e) {
throw new IllegalArgumentException();
}
String username = loginRequest.getUsername();
String password = loginRequest.getPassword();
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
return authenticationManager.authenticate(authenticationToken);
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authentication) throws IOException, ServletException {
UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();
Algorithm algorithm = HMAC512(secretKey.getBytes());
List<String> list = user.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
String accessToken = JWT.create()
.withSubject(user.getUsername())
.withExpiresAt(new Date(System.currentTimeMillis()+10*60*1000))
.withClaim("authorities", list)
.sign(algorithm);
response.addHeader("authorization","Bearer " + accessToken);
}
}
如何将authenticationManager注入到我的过滤器中?
推荐的访问方法AuthenticationManager是使用自定义 DSL。这实际上就是 Spring Security 在内部实现HttpSecurity.authorizeRequests().
public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
@Override
public void configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
http.addFilter(new CustomAuthenticationFilter(authenticationManager));
}
public static MyCustomDsl customDsl() {
return new MyCustomDsl();
}
}
然后可以在构建时应用自定义 DSL SecurityFilterChain:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// ...
http.apply(customDsl());
return http.build();
}
这在关于从 迁移出来的博客文章WebSecurityConfigurerAdapter的“访问本地 AuthenticationManager”部分中进行了描述。
| 归档时间: |
|
| 查看次数: |
5536 次 |
| 最近记录: |