springboot之springSecurity

登录流程

1. 注册SecurityConfig类，继承自 WebSecurityConfigurerAdapter 实现方法

   @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
   public class SecurityConfig extends WebSecurityConfigurerAdapter
   {
       /**
        * 自定义用户认证逻辑
        */
       @Autowired
       private UserDetailsService userDetailsService;
       
       /**
        * 认证失败处理类
        */
       @Autowired
       private AuthenticationEntryPointImpl unauthorizedHandler;
   
       /**
        * 退出处理类
        */
       @Autowired
       private LogoutSuccessHandlerImpl logoutSuccessHandler;
   
       /**
        * token认证过滤器
        */
       @Autowired
       private JwtAuthenticationTokenFilter authenticationTokenFilter;
   
       /**
        * 跨域过滤器
        */
       @Autowired
       private CorsFilter corsFilter;
       
       /**
        * 解决 无法直接注入 AuthenticationManager
        *
        * @return
        * @throws Exception
        */
       @Bean
       @Override
       public AuthenticationManager authenticationManagerBean() throws Exception
       {
           return super.authenticationManagerBean();
       }
   
       /**
        * anyRequest          |   匹配所有请求路径
        * access              |   SpringEl表达式结果为true时可以访问
        * anonymous           |   匿名可以访问
        * denyAll             |   用户不能访问
        * fullyAuthenticated  |   用户完全认证可以访问（非remember-me下自动登录）
        * hasAnyAuthority     |   如果有参数，参数表示权限，则其中任何一个权限可以访问
        * hasAnyRole          |   如果有参数，参数表示角色，则其中任何一个角色可以访问
        * hasAuthority        |   如果有参数，参数表示权限，则其权限可以访问
        * hasIpAddress        |   如果有参数，参数表示IP地址，如果用户IP和参数匹配，则可以访问
        * hasRole             |   如果有参数，参数表示角色，则其角色可以访问
        * permitAll           |   用户可以任意访问
        * rememberMe          |   允许通过remember-me登录的用户访问
        * authenticated       |   用户登录后可访问
        */
       @Override
       protected void configure(HttpSecurity httpSecurity) throws Exception
       {
           httpSecurity
                   // CSRF禁用，因为不使用session
                   .csrf().disable()
                   // 认证失败处理类
                   .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                   // 基于token，所以不需要session
                   .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                   // 过滤请求
                   .authorizeRequests()
                   // 对于登录login 验证码captchaImage 允许匿名访问
                   .antMatchers("/login", "/captchaImage").anonymous()
                   .antMatchers(
                           HttpMethod.GET,
                           "/*.html",
                           "/**/*.html",
                           "/**/*.css",
                           "/**/*.js"
                   ).permitAll()
                   .antMatchers("/profile/**").anonymous()
                   .antMatchers("/common/download**").anonymous()
                   .antMatchers("/common/download/resource**").anonymous()
                   .antMatchers("/swagger-ui.html").anonymous()
                   .antMatchers("/swagger-resources/**").anonymous()
                   .antMatchers("/webjars/**").anonymous()
                   .antMatchers("/*/api-docs").anonymous()
                   .antMatchers("/druid/**").anonymous()
                   // 除上面外的所有请求全部需要鉴权认证
                   .anyRequest().authenticated()
                   .and()
                   .headers().frameOptions().disable();
           httpSecurity.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
           // 添加JWT filter
           httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
           // 添加CORS filter
           httpSecurity.addFilterBefore(corsFilter, JwtAuthenticationTokenFilter.class);
           httpSecurity.addFilterBefore(corsFilter, LogoutFilter.class);
       }
   
       
       /**
        * 强散列哈希加密实现
        */
       @Bean
       public BCryptPasswordEncoder bCryptPasswordEncoder()
       {
           return new BCryptPasswordEncoder();
       }
   
       /**
        * 身份认证接口
        */
       @Override
       protected void configure(AuthenticationManagerBuilder auth) throws Exception
       {
           auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
       }
   }
   

2. 系统 用户类LoginUser实现security接口，UserDetails，实现一系列方法，根据需求实现

   public interface UserDetails extends Serializable {
       Collection getAuthorities();
   
       String getPassword();
   
       String getUsername();
   
       boolean isAccountNonExpired();
   
       boolean isAccountNonLocked();
   
       boolean isCredentialsNonExpired();
   
       boolean isEnabled();
   }
   

3. 创建系统用户查询服务类 UserDetailsServiceImpl 实现接口UserDetailService，实现方法，loadUSerByUsername在其中进行逻辑判断，查询成功返回上一步的 UserDetails对象,并将该类添加@service注解注册到IOC容器

public interface UserDetailsService {
    UserDetails loadUserByUsername(String var1) throws UsernameNotFoundException;
}

3.在系统需要登录的地方注入securityConfig提供的认证管理类 AuthenticationManager，并且调用该类的 authenticate方法传入UsernamePasswordAuthenticationToken对象进行认证，调用该方法，会自动去调用上一步创建的UserDetailServiceImpl中的loadUserByUsername方法，认证成功会返回Authentication对象，该对象中包含了第一步创建的用户类实例对象

@Resource
private AuthenticationManager authenticationManager;

Authentication authentication = authenticationManager
                    .authenticate(new UsernamePasswordAuthenticationToken(username, password));
LoginUser loginUser = (LoginUser) authentication.getPrincipal();

认证流程

ProviderManager实现AuthenticationManager，实现方法authenticate，其中调用具有资格的AuthenticationProvider进行认证

AbstractUserDetailsAuthenticationProvider实现了AuthenticationProvider并且实现方法authenticate，该方法其中调用 retrieveUser

retrieveUser中调用了getUserDetailsService().loadUserByUsername(username)，该方法为我们我们实现UserDetailService的类中的方法

protected final UserDetails retrieveUser(String username,
      UsernamePasswordAuthenticationToken authentication)
      throws AuthenticationException {
   prepareTimingAttackProtection();
   try {
      UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
      if (loadedUser == null) {
         throw new InternalAuthenticationServiceException(
               "UserDetailsService returned null, which is an interface contract violation");
      }
      return loadedUser;
   }
   catch (UsernameNotFoundException ex) {
      mitigateAgainstTimingAttack(authentication);
      throw ex;
   }
   catch (InternalAuthenticationServiceException ex) {
      throw ex;
   }
   catch (Exception ex) {
      throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
   }
}

ProviderManager 何时被加入容器中

1.WebSecurityConfigurerAdapter中init方法调用了getHttp方法

2.getHttp方法中AuthenticationManager authenticationManager = this.authenticationManager();

3.authenticationManager()方法中this.authenticationManager = (AuthenticationManager)this.localConfigureAuthenticationBldr.build();

4.build()方法:调用doBuild(),doBuild()调用this.performBuild()

5.this.performBuild()方法中 ProviderManager providerManager = new ProviderManager(this.authenticationProviders, this.parentAuthenticationManager);

自此返回到WebsecurityAdapter中