spring security权限与认证（一）之配置篇

导入包：spring-boot-starter-security（注意导入spring统一的版本）
导入这个包之后，就会启动认证功能，凡是未认证的访问都会转到login页面去，并且这个页面不是我们自己写的，是security它内置的

配置开始

1、配置基本配置类SecurityConfig【放入ioc容器中，自定义类】 继承WebSecurityConfigurerAdapter
重写其中的configure方法

package com.neuedu.security;

import com.neuedu.security.RestNoToken;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import javax.annotation.Resource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
     
    @Resource
    RestNoToken restNoToken;
    @Resource
    JWTAuthentication jwtAuthentication;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
     
        //注册器 registry
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry = http.authorizeRequests();
       //.antMatchers(METHOD.post,"/user/login") 
       //.permitAll()    //指定什么方法下的什么请求
        registry.antMatchers("/index")    //不用验证
                .permitAll()                //获取所有
                .anyRequest()            //任何请求
                .authenticated();        //开启验证
        //前后分离特殊设置
        registry.and()        //返回一个httpSecurity
                .csrf()
                .disable()            
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);  //让csrf和httpSession都不可用
        // 自定义没有认证返回的内容 配置完自定义类之后，在这里启动下
        registry.and()
                .exceptionHandling()
                .authenticationEntryPoint(restNoToken);
        // 自定义验证
        registry.and()
                .addFilterBefore(jwtAuthentication, UsernamePasswordAuthenticationFilter.class);

    }
}

2、自定义当没有权限时候返回的内容【自定义、放入ioc】
写完这个类RestNoToken之后，要在基本配置类【1】中的方法设置启用这个类

package com.neuedu.security;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component
public class RestNoToken implements AuthenticationEntryPoint {
     
    @Override
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
     
        response.setHeader("Access-Control-Allow-Origin","*");
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().write("notoken");
    }
}

3、自定义实现认证的方式（怎样才算认证通过？）
自定义类JWTAuthentication【自定义、放入ioc】，实际是过滤器，继承父类重写方法
之后同样需要在基本配置类中启用这个类

package com.neuedu.security;

import com.neuedu.pojo.UmsUser;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
//这里强行通过验证了
@Component
public class JWTAuthentication extends OncePerRequestFilter {
     
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
     
        System.out.println("进入过滤器");
        UmsUser user = new UmsUser(); //pojo中的bean
        user.setUsername("admin");
        user.setPassword("123456");
        UserDetails details = new UmsUserDetails(user);  //需要新建类实现这个UserDetails接口 这个里面有用户详细信息（包括配置）
		//用户名密码权限认证
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(details,null,details.getAuthorities()); //参数1：用户信息  参数3：权限列表
        SecurityContextHolder.getContext().setAuthentication(token);//有这句就表示有身份认证了
        filterChain.doFilter(httpServletRequest,httpServletResponse);//传出去给下面servlet/controller
    }
}

4、 上面需要自定义类实现UserDetails接口，同时要重写其中的所有方法（一键生成）；这个是用户的详细信息以及一些配置，需要传pojo中user对象。

package com.neuedu.security;

import com.neuedu.pojo.UmsUser;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;

@Data
@NoArgsConstructor
@AllArgsConstructor
public class UmsUserDetails implements UserDetails {
     
    private static final long serialVersionUID = 1643942226986503464L;
    private UmsUser umsUser;

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
     
        return null;
    }

    @Override
    public String getPassword() {
     
        return umsUser.getPassword();
    }

    @Override
    public String getUsername() {
     
        return umsUser.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
     
        return false;
    }

    @Override
    public boolean isAccountNonLocked() {
     
        return false;
    }

    @Override
    public boolean isCredentialsNonExpired() {
     
        return false;
    }

    @Override
    public boolean isEnabled() {
     
        return false;
    }
}

最后建成了这四个类，注意他们要放到跟Controller同级或者子包下