接着上节的讲,在添加了@EnableWebSecurity注解后,如果需要自定义一些配置,则需要和继承WebSecurityConfigurerAdapter后,覆盖某些方法。

我们来看一下WebSecurityConfigurerAdapter中哪些方法可以重写,需要重写。

(1)WebSecurity

默认是一个空方法,一般也不会再重写。

    public void configure(WebSecurity web) throws Exception { }

(2)HttpSecurity

默认的父类代码默认任何request都需要认证,使用默认的login page基于表单认证,使用HTTP基本认证。

    protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().and()
.httpBasic();
}

下面是一些自定义写法。

    @Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http.authorizeRequests()
// all users have access to these urls
.antMatchers("/resources/**", "/signup", "/about").permitAll()
// Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN"
.antMatchers("/admin/**").hasRole("ADMIN")
// Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA"
.antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')")
// Any URL that starts with "/group_a/" requires the user to have both "ROLE_ADMIN" or "ROLE_GROUP_A"
.antMatchers("/admin/**").hasAnyRole("ADMIN", "GROUP_A")
// Any URL that has not already been matched on only requires that the user be authenticated
.anyRequest().authenticated()
.and().formLogin()
// all users have access to custom login page
.loginPage("/login").permitAll()
.and().logout()
// customize logout url
.logoutUrl("/my/logout")
// customize logout success url
.logoutSuccessUrl("/my/index")
// specify a custom LogoutSuccessHandler. If this is specified, logoutSuccessUrl() is ignored
.logoutSuccessHandler(logoutSuccessHandler)
// invalidate the HttpSession at the time of logout. This is true by default
.invalidateHttpSession(true)
// Adds a LogoutHandler. SecurityContextLogoutHandler is added as the last LogoutHandler by default
.addLogoutHandler(logoutHandler)
// Allows specifying the names of cookies to be removed on logout success
.deleteCookies()
.and().rememberMe()
// Add remember me function and valid date.
.key("uniqueAndSecret")
.tokenValiditySeconds(60 * 60 * 24 * 7);
//@formatter:on
}

(3)AuthenticationManagerBuilder

默认是这样写的:

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
this.disableLocalConfigureAuthenticationBldr = true;
}

由上一节分析可知,它其实默认使用DefaultPasswordEncoderAuthenticationManagerBuilder这个Builder及自动配置的UserDetails和UserDetailsService。

    protected AuthenticationManager authenticationManager() throws Exception {
if (!authenticationManagerInitialized) {
// [1]如果覆盖configure()方法,则disableLocalConfigureAuthenticationBldr为false
// [2]如果是默认的configure()方法,disableLocalConfigureAuthenticationBldr还是true
configure(localConfigureAuthenticationBldr);
if (disableLocalConfigureAuthenticationBldr) {
authenticationManager = authenticationConfiguration
.getAuthenticationManager(); // [2]
}
else {
authenticationManager = localConfigureAuthenticationBldr.build(); // [1]
}
authenticationManagerInitialized = true;
}
return authenticationManager;
}

如果被覆盖,虽然还是使用的DefaultPasswordEncoderAuthenticationManagerBuilder,但是我们可以使用UserDetailsManagerConfigurer(的两个子类InMemoryUserDetailsManagerConfigurer,JdbcUserDetailsManagerConfigurer)来构建UserDetailsService及UserDetails。以InMemoryUserDetailsManagerConfigurer为例,下面是自定义的写法。

    @Bean
PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
} @Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//@formatter:off
// returns InMemoryUserDetailsManagerConfigurer
PasswordEncoder encoder = new BCryptPasswordEncoder();
auth.inMemoryAuthentication()
// create a UserDetailsBuilder and add to userBuilders
.withUser("user").password("{bcrypt}" + encoder.encode("pass")).roles("USER")
// returns InMemoryUserDetailsManagerConfigurer
.and()
// create a UserDetailsBuilder again and add to userBuilders
.withUser("admin").password("{bcrypt}" + encoder.encode("pass")).roles("USER", "ADMIN");
//@formatter:on
}

[注] 框架要求密码必须加密,所以这里加了有关password encode的支持。

那么这段代码如何生成UserDetailsService及UserDetails的呢?流程如下:

[1] 调用AuthenticationManagerBuilder的inMemoryAuthentication()方法创建InMemoryUserDetailsManagerConfigurer,调用InMemoryUserDetailsManagerConfigurer的构造器时则会创建InMemoryUserDetailsManager(即UserDetailsService的实现类),最终经过层层父类(InMemoryUserDetailsManagerConfigurer -> UserDetailsManagerConfigurer -> UserDetailsServiceConfigurer -> AbstractDaoAuthenticationConfigurer)设定到AbstractDaoAuthenticationConfigurer中。

    public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication()
throws Exception {
return apply(new InMemoryUserDetailsManagerConfigurer<>());
}
    public InMemoryUserDetailsManagerConfigurer() {
super(new InMemoryUserDetailsManager(new ArrayList<>()));
}
    protected AbstractDaoAuthenticationConfigurer(U userDetailsService) {
this.userDetailsService = userDetailsService;
provider.setUserDetailsService(userDetailsService);
if (userDetailsService instanceof UserDetailsPasswordService) {
this.provider.setUserDetailsPasswordService((UserDetailsPasswordService) userDetailsService);
}
}

[2] 调用AuthenticationManagerBuilder的apply()方法设定defaultUserDetailsService为[1]的InMemoryUserDetailsManager并且把[1]的InMemoryUserDetailsManagerConfigurer加到父类AbstractConfiguredSecurityBuilder的configurers list中

    private <C extends UserDetailsAwareConfigurer<AuthenticationManagerBuilder, ? extends UserDetailsService>> C apply(
C configurer) throws Exception {
this.defaultUserDetailsService = configurer.getUserDetailsService();
return (C) super.apply(configurer);
}

[3] 调用InMemoryUserDetailsManagerConfigurer的父类UserDetailsManagerConfigurer的withUser()方法生成多个UserDetailsBuilder放在userBuilders list中

    public final UserDetailsBuilder withUser(String username) {
UserDetailsBuilder userBuilder = new UserDetailsBuilder((C) this);
userBuilder.username(username);
this.userBuilders.add(userBuilder);
return userBuilder;
}

[4] 当调用DefaultPasswordEncoderAuthenticationManagerBuilder的build()方法时,则会调用

[4.1] 调用UserDetailsServiceConfigurer的configure()方法

    @Override
public void configure(B builder) throws Exception {
initUserDetailsService();
super.configure(builder);
}

[4.2] 调用UserDetailsManagerConfigurer的initUserDetailsService()方法通过[3]的userBuilders创建User对象(UserDetails的实现类,并且从[1]中的AbstractDaoAuthenticationConfigurer获取UserDetailsService,并把UserDetails放到UserDetailsService中。

    @Override
protected void initUserDetailsService() throws Exception {
for (UserDetailsBuilder userBuilder : userBuilders) {
getUserDetailsService().createUser(userBuilder.build());
}
for (UserDetails userDetails : this.users) {
getUserDetailsService().createUser(userDetails);
}
}

下面是一些自定义写法:

    @Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//@formatter:off
// returns InMemoryUserDetailsManagerConfigurer
auth.inMemoryAuthentication()
// create a UserBuilder and add to userBuilders
.withUser("user").password("password").roles("USER")
// returns InMemoryUserDetailsManagerConfigurer
.and()
// create a UserBuilder again and add to userBuilders
.withUser("admin").password("password").roles("USER", "ADMIN");
//@formatter:on
}

(4)authenticationManagerBean()

我们覆盖了configure(AuthenticationManagerBuilder auth)后,我们使用了AuthenticationManagerBuilder 的实现类DefaultPasswordEncoderAuthenticationManagerBuilder,通过InMemoryUserDetailsManagerConfigurer创建自己的UserDetailsService的实现类InMemoryUserDetailsManager及User,系统还会默认给我们创建AuthenticationProvider的实现类DaoAuthenticationProvider。但是我们发现,这些对象并不是Spring Bean。所以我们可以通过覆盖该方法并且声明为一个Bean,这样就可以在项目中注入并使用这个Bean了。

    @Bean(name = "myAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}

通过父类的源码可以看到,实际上在调用时,创建了一个AuthenticationManager代理。

    public AuthenticationManager authenticationManagerBean() throws Exception {
return new AuthenticationManagerDelegator(authenticationBuilder, context);
}

(5)userDetailsServiceBean()

和(4)类似,Override this method to expose a UserDetailsService created from configure(AuthenticationManagerBuilder) as a bean. In general only thefollowing override should be done of this method:

    @Bean(name = "myUserDetailsService")
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}

(6) UserDetailsService

还记得第三章的UserDetailsService实现类是如何生成的吗?这里做一个简述:

[1] AuthenticationConfiguration中创建InitializeUserDetailsBeanManagerConfigurer Bean。

[2] build时调用InitializeUserDetailsBeanManagerConfigurer的内部类InitializeUserDetailsManagerConfigurer的configure()方法。

[3] 在ApplicationContext中获取UserDetailsService(by type),如果没有找到自定义的UserDetailsService Bean,则UserDetailsServiceAutoConfiguration生效,会lazy load一个InMemoryUserDetailsManager;反之,则使用我们自定义的UserDetailsService Bean。

在WebSecurityConfigurerAdapter中,userDetailsServiceBean()和userDetailsService()两个方法内容实际上都是一样的。都是获取当前环境中(自定义的或系统生成的InMemoryUserDetailsManager)的UserDetailsService的代理类。所以,该类一般不需要重写,如果想自定义自己的UserDetailsService,可以直接实现UserDetailsService接口,并且把该类声明为一个Spring Bean:

@Service
public class MyUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// TODO Auto-generated method stub
return null;
}
}

当然你也可以直接覆盖该方法并声明为一个Bean:

    @Bean
@Override
public UserDetailsService userDetailsService() {
return (username) -> {
AppUser user = appUserRepository.findOneByUsername(username);
if (user == null) {
throw new UsernameNotFoundException("Incorrect username or password.");
}
return user;
};
}

需要注意的是,我们也要有UserDetails的实现类供UserDetailsService处理。

Spring Security(4):自定义配置的更多相关文章

  1. Spring Security基于Java配置

    Maven依赖 <dependencies> <!-- ... other dependency elements ... --> <dependency> < ...

  2. CAS Spring Security 3 整合配置(转)

    一般来说, Web 应用的安全性包括用户认证( Authentication )和用户授权( Authorization )两个部分.用户认证指的是验证某个用户是否为系统中的合法主体,也就是说用户能否 ...

  3. spring boot rest 接口集成 spring security(2) - JWT配置

    Spring Boot 集成教程 Spring Boot 介绍 Spring Boot 开发环境搭建(Eclipse) Spring Boot Hello World (restful接口)例子 sp ...

  4. Spring Security(三) —— 核心配置解读

    摘要: 原创出处 https://www.cnkirito.moe/spring-security-3/ 「老徐」欢迎转载,保留摘要,谢谢! 3 核心配置解读 上一篇文章<Spring Secu ...

  5. Spring Cloud Feign 自定义配置(重试、拦截与错误码处理) 实践

    Spring Cloud Feign 自定义配置(重试.拦截与错误码处理) 实践 目录 Spring Cloud Feign 自定义配置(重试.拦截与错误码处理) 实践 引子 FeignClient的 ...

  6. spring security 3.2 配置详解(结合数据库)

    没事就来了解下spring security.网上找了很多资料.有过时的,也有不是很全面的.各种问题也算是让我碰了个遍.这样吧.我先把整个流程写下来,之后在各个易混点分析吧. 1.建立几个必要的页面. ...

  7. spring security 3 自定义认证,授权示例

    1,建一个web project,并导入所有需要的lib. 2,配置web.xml,使用Spring的机制装载: <?xml version="1.0" encoding=& ...

  8. spring security使用自定义登录界面后,不能返回到之前的请求界面的问题

    昨天因为集成spring security oauth2,所以对之前spring security的配置进行了一些修改,然后就导致登录后不能正确跳转回被拦截的页面,而是返回到localhost根目录. ...

  9. Spring Security Oauth2 的配置

    使用oauth2保护你的应用,可以分为简易的分为三个步骤 配置资源服务器 配置认证服务器 配置spring security 前两点是oauth2的主体内容,但前面我已经描述过了,spring sec ...

  10. Spring Security之动态配置资源权限

    在Spring Security中实现通过数据库动态配置url资源权限,需要通过配置验证过滤器来实现资源权限的加载.验证.系统启动时,到数据库加载系统资源权限列表,当有请求访问时,通过对比系统资源权限 ...

随机推荐

  1. win10 专业版永久密钥

    激活码/密匙: 1.专业版: W269N-WFGWX-YVC9B-4J6C9-T83GXMH37W-N47XK-V7XM9-C7227-GCQG92X7P3-NGJTH-Q9TJF-8XDP9-T83 ...

  2. 一个ball例程带你进入 Halcon 世界

    * 此例程来自halcon自带例程,请打开 halcon->ctrl+E 打开例程->搜索框中输入ball added by xiejl* ball.hdev: Inspection of ...

  3. linux学习-添加多个硬盘和lvm配置

    原文 一般,服务器会有多个硬盘,一块硬盘分区安装操作系统,另外多块硬盘分区做存储使用.现在测试添加多块硬盘分区,使用lvm进行实现动态磁盘分配. 1.新增硬盘查看 fdisk -l 可以看到新增的两块 ...

  4. [2019HDU多校第一场][HDU 6580][C. Milk]

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=6580 题目大意:\(n\times m\)大小的方格上有\(k\)瓶水,喝完每瓶水都需要一定的时间.初 ...

  5. Jquery的toggle()与trigger()方法

    我一直分不清楚toggle()与trigger()两个各自的作用,所以今天抽时间记录一些,以加深印象. 1.toggle() 定义和用法: toggle() 方法切换元素的可见状态.如果被选元素可见, ...

  6. python自动华 (十四)

    Python自动化 [第十四篇]:HTML介绍 本节内容: Html 概述 HTML文档 常用标签 2. CSS 概述 CSS选择器 CSS常用属性 1.HTML 1.1概述 HTML是英文Hyper ...

  7. 003_C/C++笔试题_分享大汇总

    (一)感谢:lhzstudio 01_C++经典面试题全集 50~100道 都附带有参考答案 02_C++开发工程师面试题库 100~150道 03_C++笔试题库之编程.问答题 150~200道 0 ...

  8. .net SerialPort

    虚拟串口并定时向虚拟串口定时发数据 http://scorpiomiracle.iteye.com/blog/653923 C#中如何使用SerialPort控件向单片机发送数据? http://zh ...

  9. Java进阶知识25 Spring与Hibernate整合到一起

    1.概述 1.1.Spring与Hibernate整合关键点 1) Hibernate的SessionFactory对象交给Spring创建.    2) hibernate事务交给spring的声明 ...

  10. Django RestFramework (DRF)

    准备: 下载 pip install djangorestframework 一 APIView源码解析 1 预备知识 CBV(class based view)FBV(function based ...