七、Spring Boot集成Spring Security之前后分离认证最佳实现 ...

南飓风  金牌会员 | 2024-11-6 20:26:05 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 878|帖子 878|积分 2634

二、自定义用户名密码认证过滤器RestfulUsernamePasswordAuthenticationFilter

1、注册过滤器方式


  • 使用httpSecurity.addFilter/addFilterBefore/addFilterAfter向过滤器链中添加过滤器,此中addFilter只能添加内置的过滤器,序次已在过滤器序次注册器(FilterOrderRegistration)中设置;addFilterBefore/addFilterAfter可以添加自定义过滤器,添加在指定的过滤器之前/之后。该方式优点是使用简单,缺点是无法使用spring security内置的组件,与RestfulUsernamePasswordAuthenticationFilter需要使用AuthenticationManager组件辩论,故不使用该方式。
  • 使用SecurityConfigurer通过配置类的方式向过滤器链中添加过滤器,官方使用的方式。该方式优点是可以使用spring security内置的组件,缺点是实现较为笨重,而且只能注册过滤器序次注册器(FilterOrderRegistration)中设定的过滤器。该方式可以使用spring security内置的组件,所以采用本方式,需要修改过滤器序次注册器添加自定义的过滤器。
2、修改并覆盖过滤器序次注册器


  • FilterOrderRegistration类为final类且未提供开放的注册自定义过滤器的方式,所以只能重写该类,并添加自定义过滤器的序次
  1. package org.springframework.security.config.annotation.web.builders;
  3. import com.yu.demo.spring.filter.RestfulUsernamePasswordAuthenticationFilter;
  4. import org.springframework.security.web.access.ExceptionTranslationFilter;
  5. import org.springframework.security.web.access.channel.ChannelProcessingFilter;
  6. import org.springframework.security.web.access.intercept.AuthorizationFilter;
  7. import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
  8. import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
  9. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  10. import org.springframework.security.web.authentication.logout.LogoutFilter;
  11. import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
  12. import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
  13. import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
  14. import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;
  15. import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
  16. import org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter;
  17. import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
  18. import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
  19. import org.springframework.security.web.context.SecurityContextHolderFilter;
  20. import org.springframework.security.web.context.SecurityContextPersistenceFilter;
  21. import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
  22. import org.springframework.security.web.csrf.CsrfFilter;
  23. import org.springframework.security.web.header.HeaderWriterFilter;
  24. import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
  25. import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
  26. import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
  27. import org.springframework.security.web.session.ConcurrentSessionFilter;
  28. import org.springframework.security.web.session.DisableEncodeUrlFilter;
  29. import org.springframework.security.web.session.ForceEagerSessionCreationFilter;
  30. import org.springframework.security.web.session.SessionManagementFilter;
  31. import org.springframework.web.filter.CorsFilter;
  33. import javax.servlet.Filter;
  34. import java.util.HashMap;
  35. import java.util.Map;
  37. final class FilterOrderRegistration {
  40.     private static final int INITIAL_ORDER = 100;
  42.     private static final int ORDER_STEP = 100;
  44.     private final Map<String, Integer> filterToOrder = new HashMap<>();
  46.     FilterOrderRegistration() {
  47.         Step order = new Step(INITIAL_ORDER, ORDER_STEP);
  48.         put(DisableEncodeUrlFilter.class, order.next());
  49.         put(ForceEagerSessionCreationFilter.class, order.next());
  50.         put(ChannelProcessingFilter.class, order.next());
  51.         order.next(); // gh-8105
  52.         put(WebAsyncManagerIntegrationFilter.class, order.next());
  53.         put(SecurityContextHolderFilter.class, order.next());
  54.         put(SecurityContextPersistenceFilter.class, order.next());
  55.         put(HeaderWriterFilter.class, order.next());
  56.         put(CorsFilter.class, order.next());
  57.         put(CsrfFilter.class, order.next());
  58.         put(LogoutFilter.class, order.next());
  59.         this.filterToOrder.put(
  60.                 "org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
  61.                 order.next());
  62.         this.filterToOrder.put(
  63.                 "org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",
  64.                 order.next());
  65.         put(X509AuthenticationFilter.class, order.next());
  66.         put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
  67.         this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());
  68.         this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter",
  69.                 order.next());
  70.         this.filterToOrder.put(
  71.                 "org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
  72.                 order.next());
  73.         //添加自定义过滤器
  74.         put(RestfulUsernamePasswordAuthenticationFilter.class, order.next());
  75.         put(UsernamePasswordAuthenticationFilter.class, order.next());
  76.         order.next(); // gh-8105
  77.         this.filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
  78.         put(DefaultLoginPageGeneratingFilter.class, order.next());
  79.         put(DefaultLogoutPageGeneratingFilter.class, order.next());
  80.         put(ConcurrentSessionFilter.class, order.next());
  81.         put(DigestAuthenticationFilter.class, order.next());
  82.         this.filterToOrder.put(
  83.                 "org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter",
  84.                 order.next());
  85.         put(BasicAuthenticationFilter.class, order.next());
  86.         put(RequestCacheAwareFilter.class, order.next());
  87.         put(SecurityContextHolderAwareRequestFilter.class, order.next());
  88.         put(JaasApiIntegrationFilter.class, order.next());
  89.         put(RememberMeAuthenticationFilter.class, order.next());
  90.         put(AnonymousAuthenticationFilter.class, order.next());
  91.         this.filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter",
  92.                 order.next());
  93.         put(SessionManagementFilter.class, order.next());
  94.         put(ExceptionTranslationFilter.class, order.next());
  95.         put(FilterSecurityInterceptor.class, order.next());
  96.         put(AuthorizationFilter.class, order.next());
  97.         put(SwitchUserFilter.class, order.next());
  98.     }
  100.     /**
  101.      * Register a {@link Filter} with its specific position. If the {@link Filter} was
  102.      * already registered before, the position previously defined is not going to be
  103.      * overriden
  104.      *
  105.      * @param filter   the {@link Filter} to register
  106.      * @param position the position to associate with the {@link Filter}
  107.      */
  108.     void put(Class<? extends Filter> filter, int position) {
  109.         String className = filter.getName();
  110.         if (this.filterToOrder.containsKey(className)) {
  111.             return;
  112.         }
  113.         this.filterToOrder.put(className, position);
  114.     }
  116.     /**
  117.      * Gets the order of a particular {@link Filter} class taking into consideration
  118.      * superclasses.
  119.      *
  120.      * @param clazz the {@link Filter} class to determine the sort order
  121.      * @return the sort order or null if not defined
  122.      */
  123.     Integer getOrder(Class<?> clazz) {
  124.         while (clazz != null) {
  125.             Integer result = this.filterToOrder.get(clazz.getName());
  126.             if (result != null) {
  127.                 return result;
  128.             }
  129.             clazz = clazz.getSuperclass();
  130.         }
  131.         return null;
  132.     }
  134.     private static class Step {
  136.         private final int stepSize;
  137.         private int value;
  139.         Step(int initialValue, int stepSize) {
  140.             this.value = initialValue;
  141.             this.stepSize = stepSize;
  142.         }
  144.         int next() {
  145.             int value = this.value;
  146.             this.value += this.stepSize;
  147.             return value;
  148.         }
  150.     }
  152. }
复制代码
3、创建RestfulUsernamePasswordAuthenticationFilter


  • 参考UsernamePasswordAuthenticationFilter
  • 将参数获取方式从request.getParameter改为从body体中
  • 创建UsernamePasswordAuthenticationToken
  • 设置细节
  • 调用getAuthenticationManager()的authenticate方法获取认证信息
  1. package com.yu.demo.spring.filter;
  3. import com.yu.demo.util.SpringUtil;
  4. import org.springframework.http.HttpMethod;
  5. import org.springframework.security.authentication.AuthenticationServiceException;
  6. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  7. import org.springframework.security.core.Authentication;
  8. import org.springframework.security.core.AuthenticationException;
  9. import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
  10. import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletResponse;
  14. import java.io.IOException;
  15. import java.util.Map;
  17. /**
  18. * 自定义前后端分离/restful方式的用户名密码认证过滤器
  19. * 参考UsernamePasswordAuthenticationFilter
  20. */
  21. public class RestfulUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
  22.     //是否只支持post方法
  23.     private final boolean postOnly;
  24.     private final String username;
  25.     private final String password;
  27.     public RestfulUsernamePasswordAuthenticationFilter(String username, String password, String loginUrl, String httpMethod) {
  28.         super(new AntPathRequestMatcher(loginUrl, httpMethod));
  29.         postOnly = HttpMethod.POST.name().equals(httpMethod);
  30.         this.username = username;
  31.         this.password = password;
  32.     }
  34.     @Override
  35.     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException {
  36.         if (this.postOnly && !request.getMethod().equals(HttpMethod.POST.name())) {
  37.             throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
  38.         } else {
  39.             Map<String, String> body = SpringUtil.rawBodyToMap(request);
  40.             String name = body.get(username);
  41.             String pswd = body.get(password);
  42.             UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(name, pswd);
  43.             setDetails(request, authRequest);
  44.             return getAuthenticationManager().authenticate(authRequest);
  45.         }
  46.     }
  48.     protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
  49.         authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
  50.     }
  52. }
复制代码
4、创建自定义用户名密码认证过滤器配置类RestfulLoginConfigurer


  • 参考FormLoginConfigurer
  • 注册自定义用户名密码认证过滤器RestfulUsernamePasswordAuthenticationFilter
  • 设置登录地址和哀求方式
  1. package com.yu.demo.spring.filter;
  3. import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
  4. import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
  5. import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  6. import org.springframework.security.web.util.matcher.RequestMatcher;
  8. /**
  9. * 自定义前后端分离/restful方式的用户名密码验证过滤器配置器,用于注册认证过滤器
  10. * 参考FormLoginConfigurer
  11. */
  12. public class RestfulLoginConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractAuthenticationFilterConfigurer<H, RestfulLoginConfigurer<H>, RestfulUsernamePasswordAuthenticationFilter> {
  13.     private final String loginMethod;
  15.     public RestfulLoginConfigurer(RestfulUsernamePasswordAuthenticationFilter authenticationFilter, String defaultLoginProcessingUrl, String loginMethod) {
  16.         super(authenticationFilter, defaultLoginProcessingUrl);
  17.         this.loginMethod = loginMethod;
  18.     }
  20.     @Override
  21.     public RestfulLoginConfigurer<H> loginPage(String loginPage) {
  22.         return super.loginPage(loginPage);
  23.     }
  25.     @Override
  26.     public void init(H http) throws Exception {
  27.         super.init(http);
  28.     }
  30.     @Override
  31.     protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) {
  32.         return new AntPathRequestMatcher(loginProcessingUrl, loginMethod);
  33.     }
  34. }
复制代码
三、自定义安全上下文仓库SecurityContextRepositoryImpl


  • 基于分布式缓存实现安全上下文仓库
  • 获取上下文时从哀求头中获取token,通过token从缓存中获取上下文,不存在时返回空值安全上下文
  • 保存上下文时从哀求头或者登任命户信息中获取token,将token和上下文保存到缓存中
1、分布式缓存接口和实现
  1. package com.yu.demo.manager;
  3. import org.springframework.security.core.context.SecurityContext;
  5. public interface CacheManager {
  7.     /**
  8.      * 通过token获取认证信息
  9.      *
  10.      * @param token token
  11.      * @return 认证信息
  12.      */
  13.     SecurityContext getSecurityContext(String token);
  15.     /**
  16.      * 是否包含token
  17.      *
  18.      * @param token token
  19.      * @return 是否包含token
  20.      */
  21.     boolean contains(String token);
  23.     /**
  24.      * 通过token添加认证信息
  25.      *
  26.      * @param token           token
  27.      * @param securityContext 认证信息
  28.      */
  29.     void addSecurityContext(String token, SecurityContext securityContext);
  31.     /**
  32.      * 通过token删除认证信息
  33.      *
  34.      * @param token token
  35.      */
  36.     void deleteSecurityContext(String token);
  38. }
复制代码
为演示方便,这里采用过期Map,实际使用将map改为redis或者其他分布式缓存即可
  1. package com.yu.demo.manager.impl;
  3. import com.yu.demo.manager.CacheManager;
  4. import net.jodah.expiringmap.ExpirationPolicy;
  5. import net.jodah.expiringmap.ExpiringMap;
  6. import org.springframework.security.core.context.SecurityContext;
  7. import org.springframework.stereotype.Component;
  9. import javax.annotation.PostConstruct;
  10. import java.util.concurrent.TimeUnit;
  12. @Component
  13. public class CacheManagerImpl implements CacheManager {
  15.     private static ExpiringMap<String, SecurityContext> SECURITY_CONTEXT_CACHE;
  17.     @PostConstruct
  18.     public void init() {
  19.         SECURITY_CONTEXT_CACHE = ExpiringMap.builder().maxSize(200).expiration(30, TimeUnit.MINUTES).expirationPolicy(ExpirationPolicy.ACCESSED).variableExpiration().build();
  20.     }
  22.     @Override
  23.     public SecurityContext getSecurityContext(String token) {
  24.         return SECURITY_CONTEXT_CACHE.get(token);
  25.     }
  27.     @Override
  28.     public boolean contains(String token) {
  29.         return SECURITY_CONTEXT_CACHE.containsKey(token);
  30.     }
  32.     @Override
  33.     public void addSecurityContext(String token, SecurityContext securityContext) {
  34.         SECURITY_CONTEXT_CACHE.put(token, securityContext);
  35.     }
  37.     @Override
  38.     public void deleteSecurityContext(String token) {
  39.         SECURITY_CONTEXT_CACHE.remove(token);
  40.     }
  41. }
复制代码
2、创建SecurityContextRepositoryImpl
  1. package com.yu.demo.spring.impl;
  3. import com.yu.demo.entity.UserDetailsImpl;
  4. import com.yu.demo.manager.CacheManager;
  5. import com.yu.demo.util.SecurityUtil;
  6. import org.apache.poi.util.StringUtil;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  9. import org.springframework.security.core.context.SecurityContext;
  10. import org.springframework.security.core.context.SecurityContextHolder;
  11. import org.springframework.security.web.context.HttpRequestResponseHolder;
  12. import org.springframework.security.web.context.SecurityContextRepository;
  13. import org.springframework.stereotype.Component;
  15. import javax.servlet.http.HttpServletRequest;
  16. import javax.servlet.http.HttpServletResponse;
  18. @Component
  19. public class SecurityContextRepositoryImpl implements SecurityContextRepository {
  21.     private static final String AUTHENTICATION = "Authentication";
  22.     @Autowired
  23.     private CacheManager cacheManager;
  25.     @Override
  26.     public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
  27.         //获取请求头中的token,未登录访问系统时Token为空
  28.         String token = requestResponseHolder.getRequest().getHeader(AUTHENTICATION);
  29.         if (StringUtil.isNotBlank(token)) {
  30.             SecurityContext securityContext = cacheManager.getSecurityContext(token);
  31.             //securityContext已过期时为空
  32.             if (SecurityUtil.isNotAuthenticated(securityContext)) {
  33.                 return SecurityContextHolder.createEmptyContext();
  34.             }
  35.             UsernamePasswordAuthenticationToken authentication = (UsernamePasswordAuthenticationToken) securityContext.getAuthentication();
  36.             UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();
  37.             if (token.equals(userDetails.getToken())) {
  38.                 //测试过程中伪造的Token(不修改header和body,只修改signature部分字符)有概率出现可以解析成功的情况,可能是secret太短的原因,未深究,所以这里在验证下输入的Token和缓存中的token
  39.                 return securityContext;
  40.             }
  41.         }
  42.         return SecurityContextHolder.createEmptyContext();
  43.     }
  45.     @Override
  46.     public void saveContext(SecurityContext securityContext, HttpServletRequest request, HttpServletResponse response) {
  47.         //获取请求头中的token(登出时有,登录时没有)
  48.         String token = request.getHeader(AUTHENTICATION);
  49.         UsernamePasswordAuthenticationToken authentication = (UsernamePasswordAuthenticationToken) securityContext.getAuthentication();
  50.         if (StringUtil.isBlank(token) && SecurityUtil.isNotAuthenticated(securityContext)) {
  51.             //未登录、验证码、用户名密码校验失败
  52.             return;
  53.         }
  54.         //第一次登录时Token为空
  55.         if (StringUtil.isBlank(token)) {
  56.             UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();
  57.             //登录成功
  58.             cacheManager.addSecurityContext(userDetails.getToken(), securityContext);
  59.             return;
  60.         }
  61.         //退出或token过期(缓存中设置token过期时间)
  62.         if (SecurityUtil.isNotAuthenticated(securityContext)) {
  63.             cacheManager.deleteSecurityContext(token);
  64.             return;
  65.         }
  66.         //更新Token
  67.         cacheManager.addSecurityContext(token, securityContext);
  68.     }
  70.     @Override
  71.     public boolean containsContext(HttpServletRequest request) {
  72.         //本版本的Spring Security只有SessionManagementFilter中调用该方法
  73.         //已禁用SessionManagementFilter,该方法不会被调用
  74.         String token = request.getHeader(AUTHENTICATION);
  75.         if (StringUtil.isBlank(token)) {
  76.             return false;
  77.         }
  78.         if (StringUtil.isBlank(token)) {
  79.             return false;
  80.         }
  81.         return cacheManager.contains(token);
  82.     }
  84. }
复制代码
四、自定义用户详情UserDetailsImpl
  1. package com.yu.demo.entity;
  3. import lombok.Getter;
  4. import lombok.Setter;
  5. import lombok.ToString;
  6. import org.springframework.security.core.GrantedAuthority;
  7. import org.springframework.security.core.userdetails.UserDetails;
  9. import java.util.Collection;
  10. import java.util.Set;
  12. @Setter
  13. @Getter
  14. @ToString
  15. public class UserDetailsImpl implements UserDetails {
  16.     private String password;
  17.     private final String username;
  18.     private final Set<GrantedAuthority> authorities;
  19.     private final boolean accountNonExpired;
  20.     private final boolean accountNonLocked;
  21.     private final boolean credentialsNonExpired;
  22.     private final boolean enabled;
  23.     /**
  24.      * token
  25.      */
  26.     private String token;
  28.     public UserDetailsImpl(String username, String password, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, boolean enabled, Set<GrantedAuthority> grantedAuthorities) {
  29.         this.username = username;
  30.         this.password = password;
  31.         this.enabled = enabled;
  32.         this.accountNonExpired = accountNonExpired;
  33.         this.credentialsNonExpired = credentialsNonExpired;
  34.         this.accountNonLocked = accountNonLocked;
  35.         this.authorities = grantedAuthorities;
  36.     }
  38.     @Override
  39.     public Collection<? extends GrantedAuthority> getAuthorities() {
  40.         return authorities;
  41.     }
  43.     @Override
  44.     public String getPassword() {
  45.         return password;
  46.     }
  48.     @Override
  49.     public String getUsername() {
  50.         return username;
  51.     }
  53.     /**
  54.      * 账号是否未过期
  55.      *
  56.      * @return true:是,false:否
  57.      */
  58.     @Override
  59.     public boolean isAccountNonExpired() {
  60.         return accountNonExpired;
  61.     }
  63.     /**
  64.      * 账号是否未锁定
  65.      *
  66.      * @return true:是,false:否
  67.      */
  68.     @Override
  69.     public boolean isAccountNonLocked() {
  70.         return accountNonLocked;
  71.     }
  73.     /**
  74.      * 密码是否未过期
  75.      *
  76.      * @return true:是,false:否
  77.      */
  78.     @Override
  79.     public boolean isCredentialsNonExpired() {
  80.         return credentialsNonExpired;
  81.     }
  83.     /**
  84.      * 账号是否启用
  85.      *
  86.      * @return true:是,false:否
  87.      */
  88.     @Override
  89.     public boolean isEnabled() {
  90.         return enabled;
  91.     }
  92. }
复制代码
九、案例源码获取


免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

南飓风

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表