官方原话“Spring Security is a framework that provides authentication, authorization, and protection against common attacks”即"Spring Security 是一个提供身份验证、授权和防止常见攻击的框架"。它是Spring提供的一个安全框架,可以根据使用者需要定制相关验证授权操作,配合Spring Boot可以快速开发一套完善的权限系统。
org.springframework.boot
spring-boot-starter-security
org.springframework.boot
spring-boot-starter-web
复制代码
若是正确启动了,可以看到 Spring Security 生成了一段默认密码。
...
2022-09-13 23:56:07.841 WARN 19924 --- [ main] .s.s.UserDetailsServiceAutoConfiguration :
Using generated security password: 70a36ac6-70c1-4f72-822c-71165988c56e
...
复制代码
Srping Security主要解决的问题是安全访问控制,其实现原理是通过Filter对进入系统的请求进行拦截。当初始化Spring Security时,它创建了一个名为 springSecurityFilterChain的Servlet 过滤器,负责程序中的所以安全控制。
从必要知识里我们知道了Filter的工作原理,在Spring中使用自定义的Filter有个问题那就是Filter必须在Servlet容器启动前就注册好,但是Spring使用ContextLoaderListener来加载Spring Bean,于是设计了DelegatingFilterProxy。本质上来说DelegatingFilterProxy就是一个Filter,其间接实现了Filter接口,它嵌入在Servlet Filter Chain中,但是在doFilter中其实调用的从Spring 容器中获取到的代理Filter的实现类delegate。
FilterChainProxy 是 Spring Security 提供的一个特殊 Filter,DelegatingFilterProxy并不是直接实例化和调用Spring Security Filter,而是构建了一个FilterChainProxy,当有请求进来就会去执行doFilter方法调用SecurityFilterChain所包含的各个Filter,同时 这些Filter作为Bean被Spring管理,它是Spring Security使用的核心。
此外,SecurityFilterChain 提供了更大的灵活性,Servlet容器中,仅根据URL调用过滤器。 但是,FilterChainProxy可以利用RequestMatcher接口,根据HttpServletRequest中的任何内容确定调用,比原生的Servlet更灵活,此外,FilterChainProxy可以构建多条SecurityFilterChain,你的应用程序可以为不同的情况提供完全独立的配置,如下图所示。
以上示例在未授权的情况下访问会经过以下安全过滤器:
Security filter chain: [
DisableEncodeUrlFilter
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
CsrfFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
DefaultLoginPageGeneratingFilter
DefaultLogoutPageGeneratingFilter
BasicAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
复制代码
当没有登录的时候默认是anonymousUser匿名用户,经过一些列过滤器处理后,最后由FilterSecurityInterceptor进行权限校验授权,AccessDecisionManager进行授权投票,匿名用户不允许访问该接口,请求被拒绝重定向到登录页面,接着由DefaultLoginPageGeneratingFilter(自定义表单则不会初始化这个Filter)生成默认登录界面输出到浏览器。登录时经过UsernamePasswordAuthenticationFilter,只要用户请求满足该过滤器要求,则认证成功,接着是授权成功访问通过。
每个过滤器都有不同的功能,组织在一起形成了强大的安全体系,你可以在过滤链中自定义过滤器,里面的逻辑我就不一一细说了没啥好讲的,官方文档中都有介绍。下面讲讲我自己的一些实现吧。
背景:拓展Spring Security实现基于Token的API认证授权基础程序
采用的广为熟知的RBAC 模型,基于角色的访问控制(Role-Based Access Control)
拓展点:
开发调试可以设置一下日志输出级别,这样能助于我们更快地分析和排查问题:
logging:
level:
org.springframework.web: trace
org.springframework.security: trace
复制代码
另外 @EnableWebSecurity 这个注解debug属性设置为true也能看到更多的日志信息,这对我们很有帮助。
@EnableWebSecurity(debug = false)
public class SecurityConfiguration {
private final AppUserDetailsService userDetailsService;
private final AbstractStringCacheStore cacheStore;
private final AuthenticationTokenFilter authenticationTokenFilter;
private final PermissionAuthorizationManager permissionAuthorizationManager;
public SecurityConfiguration(AppUserDetailsService userDetailsService, AbstractStringCacheStore cacheStore, PermissionAuthorizationManager permissionAuthorizationManager) {
this.userDetailsService = userDetailsService;
this.cacheStore = cacheStore;
this.permissionAuthorizationManager = permissionAuthorizationManager;
this.authenticationTokenFilter = new AuthenticationTokenFilter(cacheStore, userDetailsService);
}
@Bean
public WebSecurityCustomizer webSecurityCustomizer() {
return (web) -> web.ignoring()
// Spring Security should completely ignore URLs starting with /resources/
.antMatchers("/resources/**");
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.antMatchers("/").permitAll()
.antMatchers("/user/info").authenticated() // 需要认证
.anyRequest().access(permissionAuthorizationManager) // 动态权限认证
.and()
.userDetailsService(userDetailsService)
.formLogin()
.permitAll()
.successHandler(new CustomizeAuthenticationSuccessHandler(cacheStore))
.failureHandler(new AuthenticationEntryPointFailureHandler(new CustomizeAuthenticationEntryPoint()))
.and()
.logout()
.logoutSuccessHandler(new CustomizeLogoutSuccessHandler(cacheStore))
.and()
.exceptionHandling()
.authenticationEntryPoint(new CustomizeAuthenticationEntryPoint())
.accessDeniedHandler(new CustomizeAccessDeniedHandler())
.and()
.csrf().disable()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(authenticationTokenFilter, LogoutFilter.class);
return http.build();
}
复制代码
释义: AuthenticationTokenFilter-Token认证过滤器(除了自定义开放的接口外都会被调用) PermissionAuthorizationManager-动态权限授权管理器(基于角色与资源权限表) CustomizeAuthenticationSuccessHandler-登录处理器(登录成功后被调用用于生成Token)
CustomizeLogoutSuccessHandler-注销处理器(注销成功后被调用用于清除Toekn) CustomizeAuthenticationEntryPoint-认证失败处理器(认证出现异常被调用) CustomizeAccessDeniedHandler-授权失败处理器(授权出现异常被调用,如权限不足以访问某接口) AbstractStringCacheStore-缓存类(用于缓存Token)
@Slf4j
public class CustomizeAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
private final AbstractStringCacheStore cacheStore;
/**
* Expired seconds.
*/
private static final int ACCESS_TOKEN_EXPIRED_SECONDS = 24 * 3600;
private static final int REFRESH_TOKEN_EXPIRED_DAYS = 30;
public CustomizeAuthenticationSuccessHandler(AbstractStringCacheStore cacheStore) {
this.cacheStore = cacheStore;
}
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
AppUserDetails userDetails = (AppUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
// Generate new token
AuthToken token = new AuthToken();
token.setAccessToken(BottleUtils.randomUUIDWithoutDash());
token.setExpiredIn(ACCESS_TOKEN_EXPIRED_SECONDS);
token.setRefreshToken(BottleUtils.randomUUIDWithoutDash());
// Cache those tokens, just for clearing
cacheStore.putAny(SecurityUtils.buildAccessTokenKey(userDetails), token.getAccessToken(),
ACCESS_TOKEN_EXPIRED_SECONDS, TimeUnit.SECONDS);
cacheStore.putAny(SecurityUtils.buildRefreshTokenKey(userDetails), token.getRefreshToken(),
REFRESH_TOKEN_EXPIRED_DAYS, TimeUnit.DAYS);
// Cache those tokens with user id
cacheStore.putAny(SecurityUtils.buildTokenAccessKey(token.getAccessToken()), userDetails.getUserId(),
ACCESS_TOKEN_EXPIRED_SECONDS, TimeUnit.SECONDS);
cacheStore.putAny(SecurityUtils.buildTokenRefreshKey(token.getRefreshToken()), userDetails.getUserId(),
REFRESH_TOKEN_EXPIRED_DAYS, TimeUnit.DAYS);
response.setCharacterEncoding("utf-8");
response.setStatus(HttpServletResponse.SC_OK);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write(JsonUtils.objectToJson(BaseResponse.ok("登录成功!", token)));
}
复制代码
@Slf4j
public class CustomizeLogoutSuccessHandler implements LogoutSuccessHandler {
private final AbstractStringCacheStore cacheStore;
public CustomizeLogoutSuccessHandler(AbstractStringCacheStore cacheStore) {
this.cacheStore = cacheStore;
}
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
if (Objects.isNull(authentication)) {
return;
}
AppUserDetails userDetails = (AppUserDetails) authentication.getPrincipal();
// Clear access token
cacheStore.getAny(SecurityUtils.buildAccessTokenKey(userDetails), String.class)
.ifPresent(accessToken -> {
// Delete token
cacheStore.delete(SecurityUtils.buildTokenAccessKey(accessToken));
cacheStore.delete(SecurityUtils.buildAccessTokenKey(userDetails));
});
// Clear refresh token
cacheStore.getAny(SecurityUtils.buildRefreshTokenKey(userDetails), String.class)
.ifPresent(refreshToken -> {
cacheStore.delete(SecurityUtils.buildTokenRefreshKey(refreshToken));
cacheStore.delete(SecurityUtils.buildRefreshTokenKey(userDetails));
});
response.setCharacterEncoding("utf-8");
response.setStatus(HttpServletResponse.SC_OK);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write(JsonUtils.objectToJson(BaseResponse.ok("登出成功!", null)));
log.info("You have been logged out, looking forward to your next visit!");
}
}
复制代码
@Slf4j
public class AuthenticationTokenFilter extends OncePerRequestFilter {
private static final String AUTHENTICATION_SCHEME_BEARER = "Bearer";
private final AbstractStringCacheStore cacheStore;
private final AppUserDetailsService appUserDetailsService;
public AuthenticationTokenFilter(AbstractStringCacheStore cacheStore, AppUserDetailsService appUserDetailsService) {
this.cacheStore = cacheStore;
this.appUserDetailsService = appUserDetailsService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
// Get token from request header
String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION);
if (!StringUtils.hasText(accessToken)) {
// Do filter
filterChain.doFilter(request, response);
return;
}
if (!StringUtils.startsWithIgnoreCase(accessToken, AUTHENTICATION_SCHEME_BEARER)) {
throw new BadCredentialsException("Token 必须以bearer开头");
}
if (accessToken.equalsIgnoreCase(AUTHENTICATION_SCHEME_BEARER)) {
throw new BadCredentialsException("Token 不能为空");
}
// Get token body
accessToken = accessToken.substring(AUTHENTICATION_SCHEME_BEARER.length() + 1);
Optional optionalUserId = cacheStore.getAny(SecurityUtils.buildTokenAccessKey(accessToken), Long.class);
if (!optionalUserId.isPresent()) {
log.debug("Token 已过期或不存在 [{}]", accessToken);
filterChain.doFilter(request, response);
return;
}
UserDetails userDetails = appUserDetailsService.loadUserById(optionalUserId.get());
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
// Do filter
filterChain.doFilter(request, response);
}
}
复制代码
@Slf4j
public class CustomizeAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
BaseResponse
public class CustomizeAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
BaseResponse errorDetail = new BaseResponse<>();
errorDetail.setStatus(HttpStatus.FORBIDDEN.value());
errorDetail.setMessage("禁止访问");
response.setCharacterEncoding("utf-8");
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write(JsonUtils.objectToJson(errorDetail));
}
}
复制代码
@Slf4j
@Component
public class PermissionAuthorizationManager implements AuthorizationManager {
private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
private final PermissionService permissionService;
public PermissionAuthorizationManager(PermissionService permissionService) {
this.permissionService = permissionService;
}
@Override
public AuthorizationDecision check(Supplier authentication, T object) {
// Determines if the current user is authorized by evaluating if the
boolean granted = isGranted(authentication.get());
if (!granted) {
return new AuthorizationDecision(false);
}
Collection<? extends GrantedAuthority> authorities = authentication.get().getAuthorities();
Set authority = authorities
.stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toSet());
log.debug("username [{}] hav roles:[{}]", authentication.get().getName(), authority);
RequestAuthorizationContext requestAuthorizationContext = (RequestAuthorizationContext)object;
String servletPath = requestAuthorizationContext.getRequest().getRequestURI();
log.debug("access url:{}", servletPath);
AppUserDetails userDetails = (AppUserDetails)authentication.get().getPrincipal();
List roleIds = userDetails.getRoles().stream().map(Role::getId).collect(Collectors.toList());
List permissions = permissionService.listByRoleIds(roleIds);
boolean agreeFlag = permissions.stream()
.anyMatch(permission -> isRouter(permission) && permission.getUrl().equals(servletPath));
log.debug("check result:{}", agreeFlag);
return new AuthorizationDecision(agreeFlag);
}
private boolean isGranted(Authentication authentication) {
return authentication != null && isNotAnonymous(authentication) && authentication.isAuthenticated();
}
private boolean isNotAnonymous(Authentication authentication) {
return !this.trustResolver.isAnonymous(authentication);
}
private boolean isRouter(Permission permission) {
return "1".equals(permission.getType());
}
}
复制代码
登录成功
POST /login?username=user&password=123456
Host: localhost:8080
response:
{
"status": 200,
"message": "登录成功!",
"devMessage": null,
"data": {
"access_token": "8430064e7d9b497c8b786a33b0524bc5",
"expired_in": 86400,
"refresh_token": "8d2c6fb3489b47389a65cbf79f732f9a"
}
}
复制代码
POST /login?username=user&password=123
Host: localhost:8080
response:
{
"status": 401,
"message": "用户名或密码错误",
"devMessage": "org.springframework.security.authentication.BadCredentialsException: 用户名或密码错误...",
"data": {
"uri": "/login"
}
}
复制代码
POST /logout
Host: localhost:8080
Authorization: Bearer b6422e3462224126a67f876b5f1b3a1e
response:
{
"status": 200,
"message": "登出成功!",
"devMessage": null,
"data": null
}
复制代码
POST /logout
Host: localhost:8080
Authorization: Bearer b6422e3462224126a67f876b5f1b3a1e
response:
{
"status": 401,
"message": "访问未授权",
"devMessage": "org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource...",
"data": {
"uri": "/user/info"
}
}
复制代码
GET /admin
Host: localhost:8080
Authorization: Bearer f7a542c4899a4e6ea5039002a8f19110
response:
{
"status": 403,
"message": "禁止访问",
"devMessage": null,
"data": null
}
复制代码
好了,就分享到这里了,希望对大家有所帮助,另外如有理解错误的地方请多多指教。 Spring Security还有很多值得探索的功能,继续学习吧~
页面更新:2024-05-08
本站资料均由网友自行发布提供,仅用于学习交流。如有版权问题,请与我联系,QQ:4156828
© CopyRight 2020-2024 All Rights Reserved. Powered By 71396.com 闽ICP备11008920号-4
闽公网安备35020302034903号