spring security实践

November 12, 2018
spring security security

引言

Spring家族庞大,每一块都像教科书般典范,这篇文章旨在学习和了解spring security,内容逐渐补充。

1 spring security概念

spring security有一块比较大的内容,23大章的内容可不是盖的。 最新5.1.1的官方文档在这里 ,各种版本可以看这里

2 spring security应用

初步应用看起来比较简单,在springboot下,只要引入一个maven依赖:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

然后准备一个config类:

package com.seaever.qingdu.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.access.AccessDeniedHandler;

import javax.sql.DataSource;

//https://www.cnblogs.com/softidea/p/5991897.html
//https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html
//https://docs.spring.io/spring-security/site/docs/5.1.1.RELEASE/reference/htmlsingle/#jc-method
@Configuration
@EnableGlobalMethodSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired AccessDeniedHandler accessDeniedHandler;

    @Autowired private DataSource dataSource;

    public static void main(String[] args) {
        BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
        //加密"0"
        String encode = bCryptPasswordEncoder.encode("admin");
        System.out.println(encode);
        //结果:$2a$10$/eEV4X7hXPzYGzOLXfCizu6h7iRisp7I116wPA3P9uRcHAKJyY4TK
    }

//https://stackoverflow.com/questions/24174884/spring-security-jdbcauthentication-default-scheme-error-on-postgresql
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .jdbcAuthentication()
                .dataSource(dataSource)
                //https://www.jianshu.com/p/9e7792d767b2
                .passwordEncoder(new BCryptPasswordEncoder())
                //.withDefaultSchema()
                .usersByUsernameQuery(
                        "select username,password, enabled from users where username=?")
                .authoritiesByUsernameQuery(
                        "select username, role from user_roles where username=?");

                //.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"));
    }

//    @Override
//    public void configure(WebSecurity web) throws Exception {
//        getHttp()
//                .csrf().disable()
//                .exceptionHandling()
//                //.authenticationEntryPoint(unauthorizedHandler)
//                .accessDeniedHandler(accessDeniedHandler)
//                .and()
//                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
//                .and()
//                .authorizeRequests()
//                .antMatchers("/actuator/**").permitAll()
//                .antMatchers("/actuator/**").hasAuthority("ADMIN")
//                .antMatchers(
//                        HttpMethod.GET,
//                        "/v2/api-docs"
//                        ,"/swagger-resources/**"
//                        ,"/swagger-ui.html**"
//                        //,"/webjars/**"
//                        //, "favicon.ico"
//                ).permitAll()
//                .antMatchers("/auth/**").permitAll()
//               //.anyRequest().authenticated()
//        ;
//
////        http
////                .addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class)
////                .headers()
////                .cacheControl();
//    }
}

这里用的是mysql数据库来存储用户信息,需要用到两个表:

CREATE TABLE `users` (
  `username` varchar(20) NOT NULL,
  `password` varchar(60) NOT NULL,
  `enabled` tinyint(1) NOT NULL,
  PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `user_roles` (
  `username` varchar(20) NOT NULL,
  `role` varchar(20) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

数据表中的password内容是一个通过BCryptPasswordEncoder运算的加密串。user_roles没有主键,username一对多也没问题,如果这个表里没记录, 权限马上会失效,比如刷新页面:http://localhost:8080/swagger-ui.html,莫不是每次都会查数据库?

现在权限验证通过了,如果配置哪些需要验证,一直没生效,待了解。下列跳过的配置有效:

@Override
public void configure(WebSecurity web)  {
    web.ignoring()
            .antMatchers(                    
                    "/swagger-resources/**"
                    ,"/swagger-ui.html**"                   
            );
}

官方的测试示例


loading