package com.imooc.security.browser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
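/**
 * Demo {@link UserDetailsService} that takes over user lookup from Spring Security's default.
 *
 * <p>This is a tutorial stub: no user store is queried. Every username is accepted, paired
 * with the same hard-coded password and granted the {@code admin} authority. A real
 * implementation must load the account from a data store, throw
 * {@link UsernameNotFoundException} for unknown users, and never embed a credential in code.
 */
@Component
public class MyUserDetailsService implements UserDetailsService {

    // One logger per class, not per instance.
    private static final Logger logger = LoggerFactory.getLogger(MyUserDetailsService.class);

    /**
     * Builds the {@link UserDetails} that the framework authenticates the login attempt against.
     *
     * @param username the name submitted on the login form (untrusted input)
     * @return a user carrying the given name, the fixed demo password and the "admin" authority
     * @throws UsernameNotFoundException declared by the interface; never thrown by this stub
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // username is client-supplied: pass it as a log parameter rather than concatenating,
        // and make sure the log layout escapes CR/LF so one login cannot forge extra log lines.
        logger.info("登录用户名:{}", username);

        // In a real service: look the user up by name here.
        // The values below would come from the database: username and password drive
        // authentication, the authorities drive authorization. AuthorityUtils turns the
        // comma-separated string into GrantedAuthority objects.
        // NOTE(review): "123456" is a hard-coded demo credential shared by every username.
        return new User(
                username,
                "123456",
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}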
说明:这些代码都是在之前写的博客的基础上的,请往回翻。
然后访问页面,随便输入一个用户名,然后输入一个错误的密码会显示:
标记的1是第一次密码错误登录日志,2是第二次认证成功日志。跟着我看下边代码和测试很有意思啊:
package com.imooc.security.browser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
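/**
 * Demo {@link UserDetailsService} showing the account-status flags of {@link User}.
 *
 * <p>This is a tutorial stub: no user store is queried. Every username gets the same
 * hard-coded password and the {@code admin} authority, and the account is always reported
 * as locked so that even a correct password is rejected.
 */
@Component
public class MyUserDetailsService implements UserDetailsService {

    // One logger per class, not per instance.
    private static final Logger logger = LoggerFactory.getLogger(MyUserDetailsService.class);

    /**
     * Returns a user whose account is flagged as locked.
     *
     * @param username the name submitted on the login form (untrusted input)
     * @return a user that is enabled and unexpired, with unexpired credentials, but locked
     * @throws UsernameNotFoundException declared by the interface; never thrown by this stub
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // username is client-supplied: pass it as a log parameter rather than concatenating,
        // and make sure the log layout escapes CR/LF so one login cannot forge extra log lines.
        logger.info("登录用户名:{}", username);

        // In a real service: look the user up by name, then derive the four status flags
        // from the stored record (e.g. whether the account has been frozen).
        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        // false means "locked": this is the flag the demo flips to show a rejected login.
        boolean accountNonLocked = false;

        // NOTE(review): "123456" is a hard-coded demo credential shared by every username.
        return new User(
                username,
                "123456",
                enabled,
                accountNonExpired,
                credentialsNonExpired,
                accountNonLocked,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}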
启动后输入正确密码测试:
好到这里了,那就再跟着我走:
package com.imooc.security.browser;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
 * Browser-side security configuration: form login for authentication, every request
 * requires an authenticated user, and passwords are handled with BCrypt.
 */
@Configuration
public class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the password encoder as a bean.
     *
     * <p>To plug in a custom scheme, return your own {@link PasswordEncoder} implementation
     * here; the interface has one method for encoding and one for verifying a match.
     *
     * @return a BCrypt-based encoder
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        return bcrypt;
    }

    /**
     * Configures authentication and authorization for HTTP requests.
     *
     * @param http the security builder supplied by the framework
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authentication: form login (http.httpBasic() is the alternative the tutorial mentions).
        http.formLogin();

        // Authorization: any request must come from an authenticated user.
        http.authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}
package com.imooc.security.browser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;
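/**
 * Demo {@link UserDetailsService} that returns a BCrypt-encoded password.
 *
 * <p>This is a tutorial stub: no user store is queried. The fixed password is encoded on
 * every call to stand in for the hash a database would hold. In a real application the
 * password is encoded once, at registration or password change, the hash is stored, and
 * this method only returns the stored hash.
 */
@Component
public class MyUserDetailsService implements UserDetailsService {

    // One logger per class, not per instance.
    private static final Logger logger = LoggerFactory.getLogger(MyUserDetailsService.class);

    @Autowired
    private PasswordEncoder passwordEncoder;

    /**
     * Returns a fully enabled user whose password is a freshly encoded hash of the demo password.
     *
     * @param username the name submitted on the login form (untrusted input)
     * @return an enabled, unexpired, unlocked user with the "admin" authority
     * @throws UsernameNotFoundException declared by the interface; never thrown by this stub
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // username is client-supplied: pass it as a log parameter rather than concatenating,
        // and make sure the log layout escapes CR/LF so one login cannot forge extra log lines.
        logger.info("登录用户名:{}", username);

        // In a real service: look the user up by name, then derive the status flags
        // from the stored record (e.g. whether the account has been frozen).

        // encode() belongs to the write path (registration / password change). It is called
        // here only to simulate the hash that would be read from the database.
        // NOTE(review): "123456" is a hard-coded demo credential shared by every username.
        String password = passwordEncoder.encode("123456");

        // Demo only: printed so the reader can see that the hash differs on each login.
        // Do not log password hashes in production; they are credential material.
        logger.info("数据库密码是{}", password);

        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true; // false would mean the account is locked

        return new User(
                username,
                password,
                enabled,
                accountNonExpired,
                credentialsNonExpired,
                accountNonLocked,
                AuthorityUtils.commaSeparatedStringToAuthorityList("admin"));
    }
}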
启动测试结果:
重点是每次登录时,红线标出的加密后密码都不一样(BCrypt 每次编码都会使用新的随机盐,所以同一个明文会得到不同的密文),这样的话哪怕别人破解了其中一个密码,其它的还是安全的。