
How to use SpringSecurity extension and configuration

2025-04-07 Update. From: SLTechnology News&Howtos (shulou)


Shulou(Shulou.com)06/03 Report--

This article explains how to use Spring Security's extension points and configuration. The approach introduced here is simple, fast and practical; let's walk through it together.

Brief introduction

SpringSecurity principle (1) -- preliminary study

SpringSecurity principle (2) -- authentication

SpringSecurity principle (3) -- authorization

SpringSecurity principle (4) -- filters

SpringSecurity principle (5) -- extension and configuration

Custom extension

Custom Filter

A custom Filter is probably the most common requirement. For example, to block most brute-force logins we usually present a CAPTCHA on the login form, but UsernamePasswordAuthenticationFilter does not verify CAPTCHAs, so we can write a custom Filter to handle the CAPTCHA.

Likewise, in projects with a separate front end we use Tokens more than Sessions, and a Filter can also take care of verifying and renewing the Token.

There are many ways to customize Filter:

Directly implement Filter

Inherit GenericFilterBean

Inherit OncePerRequestFilter and rewrite doFilterInternal

Inherit BasicAuthenticationFilter and rewrite doFilterInternal

Inherit AbstractAuthenticationProcessingFilter and rewrite attemptAuthentication

Inherit UsernamePasswordAuthenticationFilter and rewrite attemptAuthentication

……

The last three are Filters related to authentication.

Because of forwards, redirects and the like, a Filter may be invoked more than once for a single request. OncePerRequestFilter is designed to solve this: a Filter that inherits from it is guaranteed to run only once per request.

BasicAuthenticationFilter inherits OncePerRequestFilter, so it does not need to deal with repeated invocations caused by forwarding and so on.

AbstractAuthenticationProcessingFilter adds handling for authentication success and authentication failure, but it does not address the problem of a single request invoking the Filter multiple times.

For form authentication, if you want to save effort you can inherit UsernamePasswordAuthenticationFilter: handle the CAPTCHA check first, and only if it passes call UsernamePasswordAuthenticationFilter's attemptAuthentication method.

In any case, custom Filters are very flexible; choose the approach that suits you.
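The CAPTCHA-first approach just described, as an added example (not code from the article): a filter that inherits UsernamePasswordAuthenticationFilter, verifies the CAPTCHA, and only then delegates to the parent's attemptAuthentication. It assumes Spring Security 5.x with javax.servlet, a form field named "captcha", and a session attribute "CAPTCHA_EXPECTED" written by a CAPTCHA endpoint that is not shown; all three names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/** Form-login filter that checks a CAPTCHA before the stock username/password handling runs. */
public class CaptchaUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    // Assumed names: the form field with the user's answer, and the session attribute
    // under which the (not shown) CAPTCHA endpoint stored the expected answer.
    public static final String CAPTCHA_PARAM = "captcha";
    public static final String CAPTCHA_SESSION_KEY = "CAPTCHA_EXPECTED";

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        if (!"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        HttpSession session = request.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(CAPTCHA_SESSION_KEY);
        if (session != null) {
            // One attempt per issued CAPTCHA: drop it before comparing so a wrong guess cannot be replayed.
            session.removeAttribute(CAPTCHA_SESSION_KEY);
        }
        String supplied = request.getParameter(CAPTCHA_PARAM);
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            // An AuthenticationException subclass, so the configured failure handler receives it.
            throw new CaptchaException("CAPTCHA missing or incorrect");
        }
        // CAPTCHA passed: let the parent build the UsernamePasswordAuthenticationToken
        // and hand it to the AuthenticationManager.
        return super.attemptAuthentication(request, response);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** Distinct type so the failure handler can tell CAPTCHA errors from bad credentials. */
    public static class CaptchaException extends AuthenticationException {
        public CaptchaException(String msg) { super(msg); }
    }
}
```

Because the filter is created with new rather than as a bean, its AuthenticationManager and handlers must be set by the configuration class that registers it.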

How to configure the customized Filter?

In the simplest case, the custom configuration class overrides the configure method of WebSecurityConfigurerAdapter:

    @Override
    protected void configure(HttpSecurity http) {
        http.addFilter(zzzFilter)
            // addFilterAfter also needs the reference Filter class, like the two calls below
            .addFilterAfter(aaaFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(yyyFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterAt(xxxFilter, UsernamePasswordAuthenticationFilter.class);
    }

addFilter appends the Filter to the end of the list as it stands at that moment, but not to the end of the final chain, because other Filters are added later during the build. Note that addFilter only accepts Filters whose position in the chain Spring Security already knows (an instance of one of the standard Filter classes); for an arbitrary Filter it throws an IllegalArgumentException telling you to use addFilterBefore or addFilterAfter instead.

addFilterAfter adds the Filter after the specified Filter.

addFilterBefore adds the Filter before the specified Filter.

addFilterAt adds the Filter at the position of the specified Filter; it does not overwrite or remove the specified Filter, so in practice it behaves much like addFilterBefore.

Of course, you can also use the SecurityConfigurerAdapter approach:

    public class JwtConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
        @Override
        public void configure(HttpSecurity http) {
            JwtAuthenticationFilter filter = new JwtAuthenticationFilter();
            http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests((requests) -> requests.anyRequest().authenticated());
            http.formLogin();
            http.httpBasic();
            http.apply(new JwtConfigurer());
        }
    }

Custom logout success handler

Implement the LogoutSuccessHandler interface; it generally returns JSON so that the front end can show a prompt.

    public class JwtLogoutSuccessHandler implements LogoutSuccessHandler {
        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
            if (authentication != null) {
                // clear the SecurityContext and invalidate the session
                new SecurityContextLogoutHandler().logout(request, response, authentication);
            }
            response.setContentType("application/json;charset=UTF-8");
            ServletOutputStream outputStream = response.getOutputStream();
            outputStream.write("jwt logout success".getBytes("UTF-8"));
            outputStream.flush();
            outputStream.close();
        }
    }

Configuration method:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.logout().logoutSuccessHandler(new JwtLogoutSuccessHandler());
    }

Authentication failure handler

Implement the AuthenticationFailureHandler interface; it usually returns JSON, and the front end decides what to display or where to redirect based on the response.

    public class LoginFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception) throws IOException, ServletException {
            response.setContentType("application/json;charset=UTF-8");
            ServletOutputStream outputStream = response.getOutputStream();
            // JSONUtil is a JSON helper (for example Hutool's cn.hutool.json.JSONUtil)
            outputStream.write(JSONUtil.toJsonStr("login failure").getBytes("UTF-8"));
            outputStream.flush();
            outputStream.close();
        }
    }

Authentication success handler

Implement the AuthenticationSuccessHandler interface; if you have logic for generating a token, it can go here.

    public class LoginSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication) throws IOException, ServletException {
            response.setContentType("application/json;charset=UTF-8");
            ServletOutputStream outputStream = response.getOutputStream();
            // logic such as generating and saving a JWT can go here
            outputStream.write(JSONUtil.toJsonStr("login successful").getBytes("UTF-8"));
            outputStream.flush();
            outputStream.close();
        }
    }

Of course, it can also be done by inheriting SimpleUrlAuthenticationSuccessHandler.

Configuration follows the same pattern:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
            .successHandler(loginSuccessHandler)
            .failureHandler(loginFailureHandler);
    }

Authentication exception entry point

Implement the AuthenticationEntryPoint interface. It is invoked after ExceptionTranslationFilter catches an authentication exception thrown further down the filter chain, and is usually used to redirect to the login page; see LoginUrlAuthenticationEntryPoint for the reference implementation.

    public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException, ServletException {
            response.setContentType("application/json;charset=UTF-8");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            ServletOutputStream outputStream = response.getOutputStream();
            outputStream.write(JSONUtil.toJsonStr("wrong username or password").getBytes("UTF-8"));
            outputStream.flush();
            outputStream.close();
        }
    }

Authorization exception handler

Implement the AccessDeniedHandler interface; it is invoked after ExceptionTranslationFilter catches an authorization exception (AccessDeniedException) for an already authenticated user.

    public class JwtAccessDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException) throws IOException, ServletException {
            response.setContentType("application/json;charset=UTF-8");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            ServletOutputStream outputStream = response.getOutputStream();
            outputStream.write(JSONUtil.toJsonStr("you do not have permission to operate, please contact the administrator").getBytes("UTF-8"));
            outputStream.flush();
            outputStream.close();
        }
    }

Custom authentication credentials

You can either implement Authentication or inherit AbstractAuthenticationToken. This is generally not needed unless you want to write a custom authenticator (AuthenticationProvider).

    import org.springframework.security.authentication.AbstractAuthenticationToken;
    import org.springframework.security.core.GrantedAuthority;
    import java.util.Collection;

    public class JwtAuthenticationToken extends AbstractAuthenticationToken {
        private final Object principal;
        private final Object credentials;

        public JwtAuthenticationToken(Object principal, Object credentials,
                                      Collection<? extends GrantedAuthority> authorities) {
            super(authorities);
            this.principal = principal;
            this.credentials = credentials;
        }

        // AbstractAuthenticationToken leaves these two abstract, so every custom token must supply them
        @Override
        public Object getCredentials() { return credentials; }

        @Override
        public Object getPrincipal() { return principal; }
    }

    // The matching AuthenticationProvider declares which credential type it verifies:
    // public boolean supports(Class<?> authentication) {
    //     return JwtAuthenticationToken.class.isAssignableFrom(authentication);
    // }

Custom voter

You can implement the AccessDecisionVoter interface, or directly inherit an existing voter such as WebExpressionVoter. It depends on your requirements; you generally don't need this unless you have to design a new authorization scheme.

    public class MyExpressionVoter extends WebExpressionVoter {
        @Override
        public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes) {
            // ACCESS_DENIED (-1) opposes, ACCESS_ABSTAIN (0) abstains, ACCESS_GRANTED (1) agrees
            return ACCESS_GRANTED;
        }
    }

Configuration

Configure WebSecurity

WebSecurity is generally configured so that static resources skip security checks. Paths matched by ignoring() bypass the entire security filter chain, so the patterns should match only genuinely public static files.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/**/*.html", "/public/**/*.js", "/public/**/*.css", "/public/**/*.png",
                    "/**/*.gif", "/**/*.png", "/**/*.jpg", "/*/*.ico");
        }
    }

The patterns are matched with AntPathRequestMatcher.

Configure HttpSecurity

HttpSecurity has a great many configurable options. Below is an example for reference; note that it deliberately repeats some unnecessary configuration just to show what can be configured.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        public AccessDecisionManager accessDecisionManager() {
            List
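As an added example (not the article's own configuration), a single HttpSecurity configuration that wires together the handlers defined above, places a custom form-login filter with addFilterAt, and gives that filter the dependencies it does not get when created with new. It assumes Spring Security 5.x (as the article's WebSecurityConfigurerAdapter implies), the handler classes from the article, and a hypothetical CaptchaUsernamePasswordAuthenticationFilter that extends UsernamePasswordAuthenticationFilter.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // ignoring() skips the whole security filter chain, so list only genuinely public static files;
        // a pattern like "/**/*.html" would also expose protected pages.
        web.ignoring().antMatchers("/public/**/*.js", "/public/**/*.css", "/public/**/*.png");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(requests -> requests.anyRequest().authenticated());

        // formLogin() is deliberately not enabled: the CAPTCHA filter below is then the only
        // filter handling POST /login, so no second filter with different handlers is registered.
        http.addFilterAt(captchaFilter(), UsernamePasswordAuthenticationFilter.class);

        // The handlers defined in the article, wired in one place.
        http.logout().logoutSuccessHandler(new JwtLogoutSuccessHandler());
        http.exceptionHandling()
            .authenticationEntryPoint(new JwtAuthenticationEntryPoint()) // not authenticated -> 401
            .accessDeniedHandler(new JwtAccessDeniedHandler());          // authenticated but not permitted -> 403
    }

    // Hypothetical filter class (assumed to extend UsernamePasswordAuthenticationFilter).
    private CaptchaUsernamePasswordAuthenticationFilter captchaFilter() throws Exception {
        CaptchaUsernamePasswordAuthenticationFilter filter = new CaptchaUsernamePasswordAuthenticationFilter();
        // A filter created with "new" is not a bean, so nothing injects these for us; without an
        // AuthenticationManager the filter has nothing to delegate the credentials to.
        filter.setAuthenticationManager(authenticationManagerBean());
        filter.setFilterProcessesUrl("/login");
        filter.setAuthenticationSuccessHandler(new LoginSuccessHandler());
        filter.setAuthenticationFailureHandler(new LoginFailureHandler());
        return filter;
    }
}
```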
