SpringSecurity5（14-Gateway整合）

MVC 与 WebFlux 关系

SpringSecurity 设置要采用响应式配置，基于 WebFlux 中 WebFilter 实现，与 Spring MVC 的 Security 是通过 Servlet 的 Filter 实现雷同，也是一系列 filter 组成的过滤链。
Reactor 与传统 MVC 配置对应：
webfluxmvc作用@EnableWebFluxSecurity@EnableWebSecurity开启 security 配置ServerAuthenticationSuccessHandlerAuthenticationSuccessHandler登录乐成 HandlerServerAuthenticationFailureHandlerAuthenticationFailureHandler登录失败 HandlerServerLogoutSuccessHandlerLogoutSuccessHandler注销乐成HandlerServerSecurityContextRepositorySecurityContextHolder认证信息存储管理ReactiveUserDetailsServiceUserDetailsService用户登录逻辑处置惩罚ReactiveAuthenticationManagerAuthorizationManager认证管理ReactiveAuthorizationManagerAccessDecisionManager鉴权管理ServerAuthenticationEntryPointAuthenticationEntryPoint未认证 HandlerServerAccessDeniedHandlerAccessDeniedHandler鉴权失败 HandlerAuthenticationWebFilterFilterSecurityInterceptor拦截器快速入门

1. <dependency>
2.     <groupId>org.springframework.cloud</groupId>
3.     <artifactId>spring-cloud-starter-security</artifactId>
4.     <version>2.2.5.RELEASE</version>
5. </dependency>
6. <dependency>
7.     <groupId>org.springframework.cloud</groupId>
8.     <artifactId>spring-cloud-starter-gateway</artifactId>
9.     <version>2.2.6.RELEASE</version>
10. </dependency>
11. <dependency>
12.     <groupId>com.alibaba</groupId>
13.     <artifactId>fastjson</artifactId>
14.     <version>2.0.38</version>
15. </dependency>
16. <dependency>
17.     <groupId>org.projectlombok</groupId>
18.     <artifactId>lombok</artifactId>
19. </dependency>

复制代码

内存管理用户信息

1. @EnableWebFluxSecurity
2. @Configuration
3. public class SecurityConfig {
5.     @Bean
6.     public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
7.        http.httpBasic()
8.                .and()
9.                .authorizeExchange()
10.                .anyExchange()
11.                .authenticated();
12.         return http.build();
13.     }
15.     /**
16.      * 内存管理用户信息
17.      */
18.     @Bean
19.     public MapReactiveUserDetailsService userDetailsService() {
20.         UserDetails user = User.withDefaultPasswordEncoder()
21.                 .username("user")
22.                 .password("password")
23.                 .roles("USER")
24.                 .build();
25.         return new MapReactiveUserDetailsService(user);
26.     }
27. }

复制代码

自定义登录、注销处置惩罚器

• 自定义登录乐成处置惩罚器
  

1. @Component
2. public class LoginSuccessHandler implements ServerAuthenticationSuccessHandler {
4.     @Override
5.     public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
6.         return Mono.defer(() -> Mono.just(webFilterExchange.getExchange().getResponse()).flatMap(response -> {
7.             DataBufferFactory dataBufferFactory = response.bufferFactory();
8.             DataBuffer dataBuffer = dataBufferFactory.wrap("登录成功".getBytes());
9.             return response.writeWith(Mono.just(dataBuffer));
10.         }));
11.     }
12. }

复制代码

• 自定义登录失败处置惩罚器
  

1. @Component
2. public class LoginFailHandler implements ServerAuthenticationFailureHandler {
4.     @Override
5.     public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException exception) {
6.         return Mono.defer(() -> Mono.just(webFilterExchange.getExchange().getResponse()).flatMap(response -> {
7.             DataBufferFactory dataBufferFactory = response.bufferFactory();
8.             DataBuffer dataBuffer = dataBufferFactory.wrap("登录失败".getBytes());
9.             return response.writeWith(Mono.just(dataBuffer));
10.         }));
11.     }
12. }

复制代码

• 自定义注销乐成处置惩罚器
  

1. @Component
2. public class LogoutSuccessHandler implements ServerLogoutSuccessHandler {
4.     @Override
5.     public Mono<Void> onLogoutSuccess(WebFilterExchange exchange, Authentication authentication) {
6.         return Mono.defer(() -> Mono.just(exchange.getExchange().getResponse()).flatMap(response -> {
7.             DataBufferFactory dataBufferFactory = response.bufferFactory();
8.             DataBuffer dataBuffer = dataBufferFactory.wrap("logout success".getBytes());
9.             return response.writeWith(Mono.just(dataBuffer));
10.         }));
11.     }
12. }

复制代码

1. @EnableWebFluxSecurity
2. @Configuration
3. public class SecurityConfig {
5.     @Resource
6.     private LoginSuccessHandler loginSuccessHandler;
7.     @Resource
8.     private LoginFailHandler loginFailHandler;
9.     @Resource
10.     private LogoutSuccessHandler logoutSuccessHandler;
12.     @Bean
13.     public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
14.         http.httpBasic()
15.                 .and()
16.                 .authorizeExchange()
17.                 .anyExchange()
18.                 .authenticated();
20.         http.formLogin()
21.             .authenticationSuccessHandler(loginSuccessHandler)
22.             .authenticationFailureHandler(loginFailHandler)
23.             .and()
24.             .logout()
25.             .logoutSuccessHandler(logoutSuccessHandler);
26.         return http.build();
27.     }
29.     /**
30.      * 内存管理用户信息
31.      */
32.     @Bean
33.     public MapReactiveUserDetailsService userDetailsService() {
34.         UserDetails user = User.withDefaultPasswordEncoder()
35.                 .username("user")
36.                 .password("password")
37.                 .roles("USER")
38.                 .build();
39.         return new MapReactiveUserDetailsService(user);
40.     }
41. }

复制代码

自定义用户信息

• 仿照 MapReactiveUserDetailsService 编写获取用户认证类
  

1. @Component
2. public class UserDetailService implements ReactiveUserDetailsService, ReactiveUserDetailsPasswordService {
4.     private final Map<String, UserDetails> users = new HashMap<>();
6.     @Resource
7.     private PasswordEncoder passwordEncoder;
9.     @Override
10.     public Mono<UserDetails> findByUsername(String username) {
11.         User user = null;
12.         if ("user".equals(username)) {
13.             user = new User("user", passwordEncoder.encode("123456"), true, true, true, true, new ArrayList<>());
14.         }
15.         return Mono.justOrEmpty(user);
16.     }
18.     @Override
19.     public Mono<UserDetails> updatePassword(UserDetails user, String newPassword) {
20.         return Mono.just(user)
21.                 .map(u ->
22.                         User.withUserDetails(u)
23.                                 .password(newPassword)
24.                                 .build()
25.                 )
26.                 .doOnNext(u -> {
27.                     this.users.put(user.getUsername().toLowerCase(), u);
28.                 });
29.     }
30. }

复制代码

• 仿照 AbstractUserDetailsReactiveAuthenticationManager 编写用户认证管理类
  

1. @Component
2. public class UserAuthenticationManager extends AbstractUserDetailsReactiveAuthenticationManager {
4.     @Resource
5.     private PasswordEncoder passwordEncoder;
6.     @Resource
7.     private ReactiveUserDetailsService userDetailService;
8.     @Resource
9.     private ReactiveUserDetailsPasswordService userDetailsPswService;
11.     private Scheduler scheduler = Schedulers.boundedElastic();
13.     private UserDetailsChecker preAuthenticationChecks = user -> {
14.         if (!user.isAccountNonLocked()) {
15.             logger.debug("User account is locked");
17.             throw new LockedException(this.messages.getMessage(
18.                     "AbstractUserDetailsAuthenticationProvider.locked",
19.                     "User account is locked"));
20.         }
22.         if (!user.isEnabled()) {
23.             logger.debug("User account is disabled");
25.             throw new DisabledException(this.messages.getMessage(
26.                     "AbstractUserDetailsAuthenticationProvider.disabled",
27.                     "User is disabled"));
28.         }
30.         if (!user.isAccountNonExpired()) {
31.             logger.debug("User account is expired");
33.             throw new AccountExpiredException(this.messages.getMessage(
34.                     "AbstractUserDetailsAuthenticationProvider.expired",
35.                     "User account has expired"));
36.         }
37.     };
39.     private UserDetailsChecker postAuthenticationChecks = user -> {
40.         if (!user.isCredentialsNonExpired()) {
41.             logger.debug("User account credentials have expired");
43.             throw new CredentialsExpiredException(this.messages.getMessage(
44.                     "AbstractUserDetailsAuthenticationProvider.credentialsExpired",
45.                     "User credentials have expired"));
46.         }
47.     };
50.     @Override
51.     public Mono<Authentication> authenticate(Authentication authentication) {
52.         final String username = authentication.getName();
53.         final String presentedPassword = (String) authentication.getCredentials();
54.         return retrieveUser(username)
55.                 .doOnNext(this.preAuthenticationChecks::check)
56.                 .publishOn(this.scheduler)
57.                 .filter(u -> this.passwordEncoder.matches(presentedPassword, u.getPassword()))
58.                 .switchIfEmpty(Mono.defer(() -> Mono.error(new BadCredentialsException("Invalid Credentials"))))
59.                 .flatMap(u -> {
60.                     boolean upgradeEncoding = this.userDetailsPswService != null
61.                             && this.passwordEncoder.upgradeEncoding(u.getPassword());
62.                     if (upgradeEncoding) {
63.                         String newPassword = this.passwordEncoder.encode(presentedPassword);
64.                         return this.userDetailsPswService.updatePassword(u, newPassword);
65.                     }
66.                     return Mono.just(u);
67.                 })
68.                 .doOnNext(this.postAuthenticationChecks::check)
69.                 .map(u -> new UsernamePasswordAuthenticationToken(u, u.getPassword(), u.getAuthorities()) );
70.     }
73.     @Override
74.     protected Mono<UserDetails> retrieveUser(String username) {
75.         return userDetailService.findBysername(username);
76.     }
77. }

复制代码

1. @EnableWebFluxSecurity
2. @Configuration
3. public class SecurityConfig {
5.     @Resource
6.     private LoginSuccessHandler loginSuccessHandler;
7.     @Resource
8.     private LoginFailHandler loginFailHandler;
9.     @Resource
10.     private LogoutSuccessHandler logoutSuccessHandler;
11.     @Resource
12.     private UserAuthenticationManager userAuthenticationManager;
14.     @Bean
15.     public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
16.         http.httpBasic()
17.                 .and()
18.                 .authorizeExchange()
19.                 .anyExchange()
20.                 .authenticated();
22.         http.formLogin()
23.                 .authenticationManager(authenticationManager())
24.                 .authenticationSuccessHandler(loginSuccessHandler)
25.                 .authenticationFailureHandler(loginFailHandler)
26.                                 .and()
27.                 .logout()
28.                 .logoutSuccessHandler(logoutSuccessHandler);
29.         return http.build();
30.     }
32.     /**
33.      * 注册用户信息验证管理器，可按需求添加多个按顺序执行
34.      */
35.     @Bean
36.     public ReactiveAuthenticationManager authenticationManager() {
37.         LinkedList<ReactiveAuthenticationManager> managers = new LinkedList<>();
38.         managers.add(userAuthenticationManager);
39.         return new DelegatingReactiveAuthenticationManager(managers);
40.     }
42.     @Bean
43.     public PasswordEncoder passwordEncoder() {
44.         return new BCryptPasswordEncoder();
45.     }
46. }

复制代码

权限注解

1. @EnableWebFluxSecurity
2. @EnableReactiveMethodSecurity
3. @Configuration
4. public class SecurityConfig {
5.         // ....
6. }

复制代码

1. @RestController
2. public class TestController {
4.     /**
5.      * 无效
6.      */
7.     @Secured({"ROLE_ADMIN"})
8.     @RequestMapping(value = "/test")
9.     public Mono<String> test() {
10.         return Mono.just("test");
11.     }
13.     /**
14.      * 有效
15.      */
16.     @PreAuthorize("hasRole('ADMIN')")
17.     @RequestMapping(value = "/test1")
18.     public Mono<String> test1() {
19.         return Mono.just("test1");
20.     }
22.     @Secured({"ROLE_TEST"})
23.     @RequestMapping(value = "/test2")
24.     public Mono<String> test2() {
25.         return Mono.just("test2");
26.     }
27. }

复制代码

自定义权限处置惩罚器

1. @Component
2. public class AccessDeniedHandler implements ServerAccessDeniedHandler {
4.     @Override
5.     public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
6.         return Mono.defer(() -> Mono.just(exchange.getResponse()).flatMap(response -> {
7.             DataBufferFactory dataBufferFactory = response.bufferFactory();
8.             DataBuffer dataBuffer = dataBufferFactory.wrap("permission denied".getBytes());
9.             return response.writeWith(Mono.just(dataBuffer));
10.         }));
11.     }
12. }

复制代码

1. @EnableWebFluxSecurity
2. @EnableReactiveMethodSecurity
3. @Configuration
4. public class SecurityConfig {
6.     @Resource
7.     private LoginSuccessHandler loginSuccessHandler;
8.     @Resource
9.     private LoginFailHandler loginFailHandler;
10.     @Resource
11.     private LogoutSuccessHandler logoutSuccessHandler;
12.     @Resource
13.     private UserAuthenticationManager userAuthenticationManager;
14.     @Resource
15.     private AccessDeniedHandler accessDeniedHandler;
17.     @Bean
18.     public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
19.         http.httpBasic()
20.                 .and()
21.                 .authorizeExchange()
22.                 .anyExchange()
23.                 .authenticated();
25.         http.formLogin()
26.                 .authenticationManager(authenticationManager())
27.                 .authenticationSuccessHandler(loginSuccessHandler)
28.                 .authenticationFailureHandler(loginFailHandler)
29.                 .and()
30.                 .logout()
31.                 .logoutSuccessHandler(logoutSuccessHandler)
32.                 .and()
33.                 .exceptionHandling()
34.                 .accessDeniedHandler(accessDeniedHandler);
35.         return http.build();
36.     }
38.     /**
39.      * 注册用户信息验证管理器，可按需求添加多个按顺序执行
40.      */
41.     @Bean
42.     public ReactiveAuthenticationManager authenticationManager() {
43.         LinkedList<ReactiveAuthenticationManager> managers = new LinkedList<>();
44.         managers.add(userAuthenticationManager);
45.         return new DelegatingReactiveAuthenticationManager(managers);
46.     }
48.     @Bean
49.     public PasswordEncoder passwordEncoder() {
50.         return new BCryptPasswordEncoder();
51.     }
52. }

复制代码

自定义认证处置惩罚器

1. @Component
2. public class AuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
4.     @Override
5.     public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
6.         return Mono.defer(() -> Mono.just(exchange.getResponse()).flatMap(response -> {
7.             DataBufferFactory dataBufferFactory = response.bufferFactory();
8.             DataBuffer dataBuffer = dataBufferFactory.wrap("Authentication fail".getBytes());
9.             return response.writeWith(Mono.just(dataBuffer));
10.         }));
11.     }
12. }

复制代码

1. @EnableWebFluxSecurity
2. @EnableReactiveMethodSecurity
3. @Configuration
4. public class SecurityConfig {
6.     @Resource
7.     private LoginSuccessHandler loginSuccessHandler;
8.     @Resource
9.     private LoginFailHandler loginFailHandler;
10.     @Resource
11.     private LogoutSuccessHandler logoutSuccessHandler;
12.     @Resource
13.     private UserAuthenticationManager userAuthenticationManager;
14.     @Resource
15.     private AccessDeniedHandler accessDeniedHandler;
16.     @Resource
17.     private AuthenticationEntryPoint authenticationEntryPoint;
19.     @Bean
20.     public SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
21.         http.httpBasic()
22.                 .and()
23.                 .authorizeExchange()
24.                 .anyExchange()
25.                 .authenticated();
27.         http.formLogin()
28.                 .authenticationManager(authenticationManager())
29.                 .authenticationSuccessHandler(loginSuccessHandler)
30.                 .authenticationFailureHandler(loginFailHandler)
31.                 .and()
32.                 .logout()
33.                 .logoutSuccessHandler(logoutSuccessHandler)
34.                 .and()
35.                 .exceptionHandling()
36.                 .accessDeniedHandler(accessDeniedHandler)
37.                 .authenticationEntryPoint(authenticationEntryPoint);
38.         return http.build();
39.     }
41.     /**
42.      * 注册用户信息验证管理器，可按需求添加多个按顺序执行
43.      */
44.     @Bean
45.     public ReactiveAuthenticationManager authenticationManager() {
46.         LinkedList<ReactiveAuthenticationManager> managers = new LinkedList<>();
47.         managers.add(userAuthenticationManager);
48.         return new DelegatingReactiveAuthenticationManager(managers);
49.     }
51.     @Bean
52.     public PasswordEncoder passwordEncoder() {
53.         return new BCryptPasswordEncoder();
54.     }
55. }

复制代码

自定义鉴权处置惩罚器

[code]@Slf4j@Componentpublic class AuthorizeConfigManager implements ReactiveAuthorizationManager {    private final AntPathMatcher antPathMatcher = new AntPathMatcher();    @Override    public Mono check(Mono authentication,                                             AuthorizationContext authorizationContext) {        return authentication.map(auth -> {            ServerWebExchange exchange = authorizationContext.getExchange();            ServerHttpRequest request = exchange.getRequest();            Collection