传统的应用是将Session放在应用服务器上,而将生成的JSESSIONID放在用户浏览器的Cookie中,而这种模式在前后端分离中就会出现以下问题

    1,开发繁琐。

    2,安全性和客户体验差

    3,有些前端技术不支持Cookie,如微信小程序

  这种情况下,前后端之间使用Token(令牌)进行通信就完美的解决上面的问题。

⒈添加pom依赖

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-security</artifactId>

         </dependency>

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-web</artifactId>

         </dependency>

         <dependency>

             <groupId>org.springframework.security.oauth</groupId>

             <artifactId>spring-security-oauth2</artifactId>

             <version>2.3.5.RELEASE</version>

         </dependency>

         <dependency>

             <groupId>commons-collections</groupId>

             <artifactId>commons-collections</artifactId>

             <version>3.2.2</version>

         </dependency>

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-test</artifactId>

             <scope>test</scope>

         </dependency>

         <dependency>

             <groupId>org.springframework.security</groupId>

             <artifactId>spring-security-test</artifactId>

             <scope>test</scope>

         </dependency>

⒉编写AuthenticationSuccessHandler的实现

 package cn.coreqi.handler;

 import com.fasterxml.jackson.databind.ObjectMapper;

 import org.apache.commons.codec.binary.StringUtils;

 import org.apache.commons.collections.MapUtils;

 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.security.authentication.BadCredentialsException;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.oauth2.common.OAuth2AccessToken;

 import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;

 import org.springframework.security.oauth2.provider.*;

 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

 import org.springframework.stereotype.Component;

 import javax.servlet.ServletException;

 import javax.servlet.http.HttpServletRequest;

 import javax.servlet.http.HttpServletResponse;

 import java.io.IOException;

 import java.util.Base64;

 @Component("coreqiAuthenticationSuccessHandler")

 public class CoreqiAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

     private Logger logger = LoggerFactory.getLogger(getClass());

     @Autowired

     private ClientDetailsService clientDetailsService;

     @Autowired

     private AuthorizationServerTokenServices authorizationServerTokenServices;

     @Autowired

     private ObjectMapper objectMapper;  //将对象转换为Json的工具类,SpringMVC在启动的时候会自动为我们注册ObjectMapper

     /**

      * @param request    不知道

      * @param response   不知道

      * @param authentication   Authentication接口是SpringSecurity的一个核心接口,它的作用是封装我们的认证信息,包含认证请求中的一些信息,包括认证请求的ip,Session是什么,以及认证用户的信息等等。

      * @throws IOException

      * @throws ServletException

      */

     @Override

     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

         //1.从请求参数中拿到ClientId

         String header = request.getHeader("Authorization");

         if (header == null && !header.toLowerCase().startsWith("basic ")) {

             throw new UnapprovedClientAuthenticationException("请求头中无client信息!");

         }

         String[] tokens = this.extractAndDecodeHeader(header, request);

         assert tokens.length == 2;

         String clientId = tokens[0];

         String clientSecret = tokens[1];

         //2.通过ClientId拿到ClientDetails

         ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);

         if(clientDetails == null){

             throw new UnapprovedClientAuthenticationException("clientId对应的配置信息不存在:" + clientId);

         }else if(!StringUtils.equals(clientDetails.getClientSecret(),clientSecret)){

             throw new UnapprovedClientAuthenticationException("clientSecret不匹配:" + clientId);

         }

         //3.创建TokenRequest

         TokenRequest tokenRequest = new TokenRequest(MapUtils.EMPTY_MAP,clientId,clientDetails.getScope(),"custom");

         //4.构建OAuth2Request

         OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails);

         //5.构建OAuth2Authentication

         OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oAuth2Request,authentication);

         //6.构建OAuth2AccessToken

         OAuth2AccessToken token = authorizationServerTokenServices.createAccessToken(oAuth2Authentication);

         //7.将生成的Token返回给请求

         response.setContentType("application/json;charset=UTF-8");

         response.getWriter().write(objectMapper.writeValueAsString(token));

     }

     /**

      * 从请求头中解析用户名密码

      * @param header

      * @param request

      * @return

      * @throws IOException

      */

     private String[] extractAndDecodeHeader(String header, HttpServletRequest request) throws IOException {

         byte[] base64Token = header.substring(6).getBytes("UTF-8");

         byte[] decoded;

         try {

             decoded = Base64.getDecoder().decode(base64Token);

         } catch (IllegalArgumentException var7) {

             throw new BadCredentialsException("Failed to decode basic authentication token");

         }

         String token = new String(decoded, "UTF-8");

         int delim = token.indexOf(":");

         if (delim == -1) {

             throw new BadCredentialsException("Invalid basic authentication token");

         } else {

             return new String[]{token.substring(0, delim), token.substring(delim + 1)};

         }

     }

 }

⒊配置Security

 package cn.coreqi.config;

 import org.springframework.context.annotation.Bean;

 import org.springframework.security.authentication.AuthenticationManager;

 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 import org.springframework.security.crypto.password.NoOpPasswordEncoder;

 import org.springframework.security.crypto.password.PasswordEncoder;

 @EnableWebSecurity

 public class CoreqiWebSecurityConfig extends WebSecurityConfigurerAdapter {

     @Override

     @Bean

     public AuthenticationManager authenticationManagerBean() throws Exception {

         return super.authenticationManagerBean();

     }

     @Override

     protected void configure(HttpSecurity http) throws Exception {

         http.httpBasic()

                 .and()

                 .authorizeRequests()

                 .antMatchers("/oauth/token","/login").permitAll()

                 .anyRequest().authenticated()  //任何请求都需要身份认证

                 .and().csrf().disable();    //禁用CSRF

     }

     @Override

     protected void configure(AuthenticationManagerBuilder auth) throws Exception {

         auth.inMemoryAuthentication()

                 .withUser("fanqi").password("admin").roles("admin");

     }

     @Bean

     public PasswordEncoder passwordEncoder()

     {

         return NoOpPasswordEncoder.getInstance();

     }

 }

⒋配置OAuth2

 package cn.coreqi.config;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.beans.factory.annotation.Qualifier;

 import org.springframework.context.annotation.Configuration;

 import org.springframework.security.authentication.AuthenticationManager;

 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;

 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;

 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;

 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

 @Configuration

 @EnableAuthorizationServer  //开启认证服务器

 public class CoreqiAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

     @Autowired

     @Qualifier("authenticationManagerBean")

     private AuthenticationManager authenticationManager;

     @Autowired

     private AuthenticationConfiguration authenticationConfiguration;

     /**

      * password模式需要提供一个AuthenticationManager到AuthorizationServerEndpointsConfigurer

      * @param authorizationServerEndpointsConfigurer

      * @throws Exception

      */

     @Override

     public void configure(AuthorizationServerEndpointsConfigurer authorizationServerEndpointsConfigurer) throws Exception {

         authorizationServerEndpointsConfigurer.authenticationManager(authenticationConfiguration.getAuthenticationManager());

     }

     @Override

     public void configure(ClientDetailsServiceConfigurer clientDetailsServiceConfigurer) throws Exception {

         clientDetailsServiceConfigurer.inMemory()

                 .withClient("coreqi")

                 .secret("coreqiSecret")

                 .redirectUris("https://www.baidu.com")

                 .scopes("ALL")

                 .authorities("COREQI_READ")

                 .authorizedGrantTypes("authorization_code","password");

     }

 }

⒌配置资源服务器

 package cn.coreqi.config;

 import cn.coreqi.handler.CoreqiAuthenticationSuccessHandler;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.context.annotation.Configuration;

 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

 import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

 @Configuration

 @EnableResourceServer   //开启资源服务器

 public class CoreqiResourceServerConfig extends ResourceServerConfigurerAdapter {

     @Autowired

     private CoreqiAuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

     @Override

     public void configure(HttpSecurity http) throws Exception {

         http.formLogin()

                 .successHandler(coreqiAuthenticationSuccessHandler)

             .and()

             .authorizeRequests()

                 .antMatchers("/oauth/token","/login").permitAll()

                 .anyRequest().authenticated()  //任何请求都需要身份认证

             .and()

             .csrf()

                 .disable();    //禁用CSRF

     }

 }

⒍测试

    

SpringSecurity实现用户名密码登录(Token)的更多相关文章

  1. Python用户名密码登录系统(MD5加密并存入文件,三次输入错误将被锁定)及对字符串进行凯撒密码加解密操作

    # -*- coding: gb2312 -*- #用户名密码登录系统(MD5加密并存入文件)及对字符串进行凯撒密码加解密操作 #作者:凯鲁嘎吉 - 博客园 http://www.cnblogs.co ...

  2. pyhton学习,day1作业,用户名密码登录模块

    要求,通过用户名密码登录,登录错误3次,锁定用户名 # coding=utf-8 # Author: RyAn Bi import os, sys #调用系统自己的库 accounts_file = ...

  3. cassandra根据用户名密码登录cqlsh

     修改conf目录下cassandra.yaml文件 authenticator: PasswordAuthenticator //将authenticator修改为PasswordAuthentic ...

  4. 用户名密码登录小程序及input与raw_input区别。

    一.此次程序需要实现: 1.设定固定的用户名密码 2.用户名密码输入正确打印登录正确信息 3.仅仅运行三次登录 二.本次使用的python版本为: Windows下版本号: C:\Users\dais ...

  5. Spring Security之用户名+密码登录

    自定义用户认证逻辑 处理用户信息获取逻辑 实现UserDetailsService接口 @Service public class MyUserDetailsService implements Us ...

  6. 【Python练习】文件引用用户名密码登录系统

    一.通过txt文件引入用户名密码 1 #coding=utf-8 from selenium import webdriver #from selenium.common.exceptions imp ...

  7. 【转】IIS网站浏览时提示需要用户名密码登录-解决方法

    打开iis,站点右键----属性----目录安全性----编辑----允许匿名访问钩选 IIS连接127.0.0.1要输入用户名密码的解决办法原因很多,请尝试以下操作: 1.查看网站属性——文档看看启 ...

  8. MongoDB 用户名密码登录

    Mongodb enable authentication MongoDB 默认直接连接,无须身份验证,如果当前机器可以公网访问,且不注意Mongodb 端口(默认 27017)的开放状态,那么Mon ...

  9. 亚马逊AWS CentOS7(linux)改为用户名密码登录

    1.进入AWS系统 略 系统为:centos 7 fox.风 2.设置ROOT密码 sudo passwd root 1 3.修改配置文件 sudo vim /etc/ssh/sshd_config ...

随机推荐

  1. mysql全备份脚本速查

    mysql全备份脚本 # 快捷备份方式[root@nb scripts]# cat db.backup.sh #!/bin/bashmysqldump -ubackup -pbackuppwd -P3 ...

  2. bzoj2938 AC自动机 + 拓扑排序找环

    https://www.lydsy.com/JudgeOnline/problem.php?id=2938 题意:给出N个01病毒序列,询问是否存在一个无限长的串不存在病毒序列 正常来说,想要寻找一个 ...

  3. 常用的一些cmd命令

    常用的一些cmd命令总结 ----------- 1.ping主机名字,类似于ping机子的IP地址 2.查看当前用户的dos命令 3.查看机器名 调出计算器命令:calc 调出远程桌面的命令:mst ...

  4. 17.解释器模式(Interpreter Pattern)

    17.解释器模式(Interpreter Pattern)

  5. layui(二)——layer组件常见用法总结

    layer是layui的代表作,功能十分强大,为方便以后快速配置这里对其常见用法做了简单总结 一.常用调用方式 //1.普通消息:alert(content,[options],[yesCallBac ...

  6. golang json序列化

    结构体序列化 func main() { var j = js{ Name: "zhangsan", Age: 16, Sal: 1500.3, Intro: "aiha ...

  7. Tomcat与Web应用

    1.Web是一种分布式应用架构,旨在共享分布 在网络上的各个Web服务器中的所有互相链接的信息.Web使用超级文本技术(HTML)来链接网络上的信息,信息存放在服务器端,客户机通过浏览器查找网络中的各 ...

  8. js 图片压缩上传(纯js的质量压缩,非长宽压缩)

    下面是大神整理的demo,很实用,这里存一下备用,感谢大神! 此demo为大于1M对图片进行压缩上传 若小于1M则原图上传,可以根据自己实际需求更改. demo源码如下 <!DOCTYPE ht ...

  9. eclipse竖向选择快捷键

    eclipse的编辑器自带竖向选择功能,在mac上的开启和关闭方法都是command+option+a,在windows下则为alt+shift+a

  10. Node 体验 事件驱动、非阻塞式 I/O

    https://github.com/nswbmw/N-blog/blob/master/book/2.1%20require.md 全局对象和浏览器中的window类似 1.console.log( ...