Project author: echozoo

Project description:
Permission system
Language: Java
Repository: git://github.com/echozoo/hippo.git
Created: 2019-04-10T06:12:07Z
Project community: https://github.com/echozoo/hippo

License:

Spring Security

Integrating Spring Security with Spring Boot

  1. org.springframework.security.core.userdetails.User
  2. org.springframework.security.core.userdetails.UserDetails

1. Implement the loadUserByUsername method of UserDetailsService; its job is to load the user's information from the database.

```java
// Attach a password encoder to the custom authentication flow: the UserDetailsService hands the stored
// (hashed) password to Spring Security for verification, and the password-check method is configured
// in the authentication manager.
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    // userInfo and roles are loaded from the database for the given username (the lookup is omitted here)
    return new User(userInfo.getAccount(), userInfo.getPassword(), roles);
}
```

2. Implement the authenticate method of AuthenticationProvider: obtain the user information through the UserDetails implementation and verify the password, account status and similar conditions.

3. Tell Spring Security which authentication mechanism to use.

```java
/**
 * Register the custom login with Spring Security's authentication management.
 */
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
    // user authentication logic
    auth.authenticationProvider(userAuthenticationProvider)
        // loads user information
        .userDetailsService(userDetailsService)
        // password hashing / verification method
        .passwordEncoder(passwordEncoder());
}
```

4. Resource access control. http.authorizeRequests() has several child matchers; each matcher is evaluated in the order it was declared, so the order of the path rules matters: the first matcher that matches decides and evaluation stops.
hasAnyAuthority("USER") requires the USER authority to access the path;
hasAnyRole("ADMIN") automatically adds the ROLE_ prefix, so the ROLE_ADMIN role is required.

```java
/**
 * Security interception paths.
 * http.authorizeRequests() has several child matchers; each matcher is evaluated in declaration order,
 * so the order of the path rules matters: the first match decides.
 *
 * @param http
 * @throws Exception
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF protection is disabled here (the original's choice); with form login and a remember-me cookie
    // in play, keep it enabled unless every state-changing endpoint is purely token-based.
    http.csrf().disable()
        .authorizeRequests()
            .antMatchers("/security/login/**").permitAll()
            .antMatchers("/security/user/**").hasAnyAuthority("USER")
            .antMatchers("/security/role/**").hasAnyRole("ADMIN")
            .anyRequest().authenticated()
        .and()
        .rememberMe()
            .key("my-secret")
            .rememberMeCookieName("my-cookie-name")
            .tokenValiditySeconds(24 * 60 * 60)
        .and()
        .formLogin()
        .and()
        .logout()
        .and()
        .httpBasic();
    // Add the custom filter BeforeLoginFilter in front of UsernamePasswordAuthenticationFilter
    http.addFilterBefore(new BeforeLoginFilter(), UsernamePasswordAuthenticationFilter.class);
}
```

Integrating OAuth2

OAuth2 on top of Spring Security distinguishes between clients and users.

5. Implement the loadClientByClientId method of ClientDetailsService to provide client authentication.

6. Configure the authorization server (@EnableAuthorizationServer): extend AuthorizationServerConfigurerAdapter to configure the custom OAuth2 client and user authentication.

```java
// client authentication
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.withClientDetails(clientDetailsService);
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
    endpoints
        // where tokens are stored
        .tokenStore(new InMemoryTokenStore())
        // the AuthenticationManager configured in the web security configuration
        .authenticationManager(authenticationManager)
        // refreshing a token requires the userDetailsService
        .userDetailsService(userDetailsService)
        .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
    // allow access to the check-token endpoint; single sign-on calls it to verify that a token is valid
    oauthServer.checkTokenAccess("permitAll()");
    // encoder used to verify client secrets
    oauthServer.passwordEncoder(passwordEncoder());
    // allow clients to authenticate with form parameters instead of HTTP Basic
    oauthServer.allowFormAuthenticationForClients();
}
```

7. Change the Security access rules so that the OAuth2 endpoints are not intercepted.

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/oauth/*").permitAll()
        .and()
        .httpBasic();
}

/**
 * Here in the Security configuration the AuthenticationManager is handed over to Spring as a bean.
 * This step is essential: otherwise Spring Boot auto-configures its own AuthenticationManager,
 * which overrides the in-memory users.
 */
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}
```

8. Configure the resource server (@EnableResourceServer): extend ResourceServerConfigurerAdapter to configure OAuth2 access control for resources.

```java
@Configuration
@EnableResourceServer
class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // the resource id must match the resourceIds returned by loadClientByClientId
        resources.resourceId("API");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // these paths require an authenticated token with the right authority or role
                .antMatchers("/security/user/**").hasAnyAuthority("USER")
                .antMatchers("/security/role/**").hasAnyRole("ADMIN")
                .anyRequest().permitAll();
    }
}
```
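Step 5 names loadClientByClientId but shows no implementation, and the comment in step 8 requires the client's resource ids to contain the id the resource server declares. The class below is an added example, not the project's code: an in-memory map stands in for the database table the project reads, the client ids, secrets, scopes and redirect URI are the ones used in the token-request URLs listed below, and the grant types, token lifetimes, class name and package are assumptions.

```java
package com.example.hippo.oauth; // hypothetical package, not the project's

import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.stereotype.Service;

@Service
public class HippoClientDetailsService implements ClientDetailsService {

    private final PasswordEncoder passwordEncoder;
    // Constructed in-memory registry standing in for the clients table in the database.
    private final Map<String, BaseClientDetails> clients = new HashMap<>();

    public HippoClientDetailsService(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
        // client "user": client_credentials, password and refresh_token grants, scope "read" (grant list assumed)
        register("user", "123456", "read",
                "client_credentials,password,refresh_token", "ROLE_CLIENT", null);
        // client "code": authorization_code grant, scope "all", pinned to the one allowed redirect URI
        register("code", "123456", "all",
                "authorization_code,refresh_token", "ROLE_CLIENT", "http://localhost:8013/security/login");
    }

    private void register(String clientId, String rawSecret, String scopes, String grantTypes,
                          String authorities, String redirectUris) {
        // resourceIds "API" must equal resources.resourceId("API") on the resource server; a token issued
        // to a client whose resourceIds do not include "API" is rejected by that resource server.
        BaseClientDetails details =
                new BaseClientDetails(clientId, "API", scopes, grantTypes, authorities, redirectUris);
        // Store the secret hashed with the same PasswordEncoder the authorization server uses
        // (oauthServer.passwordEncoder(...) in step 6), never in clear text.
        details.setClientSecret(passwordEncoder.encode(rawSecret));
        details.setAccessTokenValiditySeconds(3600);            // assumed lifetime: 1 hour
        details.setRefreshTokenValiditySeconds(7 * 24 * 3600);  // assumed lifetime: 7 days
        clients.put(clientId, details);
    }

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
        BaseClientDetails details = clients.get(clientId);
        if (details == null) {
            // ClientRegistrationException is what the token endpoint expects for an unknown client
            throw new ClientRegistrationException("no client registered with id: " + clientId);
        }
        return details;
    }
}
```

Registering the redirect URI on the "code" client is what lets the authorization endpoint reject an authorization-code request whose redirect_uri does not match; clients that only use client_credentials or password grants need no redirect URI at all.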
```java
/**
 * Several ways to obtain an OAuth2 token; the client credentials can also be passed with HTTP Basic.
 * refresh token: http://localhost:8013/oauth/token?grant_type=refresh_token&refresh_token=3680e51e-fbf4-417a-85d9-6a8205c14c0a&client_id=user&client_secret=123456
 * client: http://localhost:8013/oauth/token?client_id=user&client_secret=123456&scope=read&grant_type=client_credentials
 * password: http://localhost:8013/oauth/token?username=zhangsan&password=123456&grant_type=password&scope=read&client_id=user&client_secret=1234567
 * authorization code: http://localhost:8013/oauth/authorize?response_type=code&client_id=code&redirect_uri=http://localhost:8013/security/login&scope=all
 */
```

Integrating OAuth2 third-party login

https://github.com/athc/hippo/blob/master/oauth-third/README.md