上一批博客 介绍了用 xml配置的方式来使用spring security
现在改造成完全使用注解的方式进行 定制 spring security
编程方式替换 在web.xml中定义的spring 的 filterChain
<!-- spring security --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- end -->
用java 代码来实现是:定义一个 SecurityWebApplicationInitializer 类来继承AbstractSecurityWebApplicationInitializer
/** * @Title: SecurityWebApplicationInitializer.java * @Package com.ninelephas.whale.springsecurity.configuration * @Description: TODO * Copyright: Copyright (c) 2016 * Company:九象网络科技(上海)有限公司 * * @author roamerxv * @date 2016年9月6日 下午7:04:47 * @version V1.0.0 */ package com.ninelephas.whale.springsecurity.configuration; import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; /** * @ClassName: SecurityWebApplicationInitializer * @Description: TODO * @author Comsys-roamerxv * @date 2016年9月6日 下午7:04:47 * */ public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { }
编程方式实现在 applicationContext-security.xml 中定义的 http 部分
<http auto-config="false"> <intercept-url pattern="/" access="permitAll" /> <intercept-url pattern="/admin**" access="hasRole('ADMIN')" /> <intercept-url pattern="/workflow/***" access="hasRole('ADMIN')" /> 自定义登录的界面 <form-login login-page="/views/login.jsp" username-parameter="username" password-parameter="password"/> 自定登录的filter <custom-filter before="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" /> 自定退出的filter <custom-filter before="LOGOUT_FILTER" ref="customLogoutFilter" /> </http>
用java 代码来实现是:定义一个 SecurityConfiguration 类来继承WebSecurityConfigurerAdapter
“`
/**- @Title: SecurityConfiguration.java
- @Package com.ninelephas.whale.springsecurity.configuration
- @Description: TODO
- Copyright: Copyright (c) 2016
- Company:九象网络科技(上海)有限公司
-
- @author roamerxv
- @date 2016年9月7日 下午12:17:47
- @version V1.0.0
*/
package com.ninelephas.whale.springsecurity.configuration;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import com.ninelephas.whale.springsecurity.CustomLoginSuccessHandler;
import com.ninelephas.whale.springsecurity.CustomLogoutFilter;
import com.ninelephas.whale.springsecurity.CustomUsernamePasswordAuthenticationFilter;
/**
* @ClassName: SecurityConfiguration
* @Description: TODO
* @author Comsys-roamerxv
* @date 2016年9月7日 下午12:17:47
*
*/
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
/**
* Logger for this class
*/
private static final Logger logger = LogManager.getLogger(SecurityConfiguration.class.getName());
@Autowired
CustomUsernamePasswordAuthenticationFilter customUsernamePasswordAuthenticationFilter;
// @Autowired
// CustomLogoutFilter customLogoutFilter;
@Autowired
CustomLoginSuccessHandler customLoginSuccessHandler;
// 这里要分配注入一个 AuthenticationManagerBuilder的实例
@Autowired
AuthenticationManagerBuilder authenticationManagerBuilder;
// 这里要注入这个方法。
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
logger.debug("configureGlobal(AuthenticationManagerBuilder) - start"); //$NON-NLS-1$
this.authenticationManagerBuilder.inMemoryAuthentication().withUser("user").password("user").roles("USER");
this.authenticationManagerBuilder.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
logger.debug("configureGlobal(AuthenticationManagerBuilder) - end"); //$NON-NLS-1$
}
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.debug("configure(HttpSecurity) - start"); //$NON-NLS-1$
http.authorizeRequests()
.antMatchers("/").access("permitAll")
.antMatchers("/admin**").access("hasRole('ADMIN')")
.antMatchers("/workflow/***").access("hasRole('ADMIN')")
.and().formLogin().loginPage("/views/login.jsp").successHandler(customLoginSuccessHandler)
.usernameParameter("username").passwordParameter("password")
.and().csrf()
.and().exceptionHandling()
.and().addFilterBefore(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
//.addFilterBefore(customLogoutFilter, LogoutFilter.class);
logger.debug("configure(HttpSecurity) - end"); //$NON-NLS-1$
}
// 这里要用@Bean注解这个方法,以便容器调用获取实例 AuthenticationManager 实例
@Bean
public AuthenticationManager authenticationManager() throws Exception {
logger.debug("authenticationManager() - start"); //$NON-NLS-1$
logger.debug("authenticationManager() - end"); //$NON-NLS-1$
return this.authenticationManagerBuilder.build();
}
}
```
3. 编程方式实现在 applicationContext-security.xml 中定义的 指定登录filter的实现类
<beans:bean id="customUsernamePasswordAuthenticationFilter" class="com.ninelephas.whale.springsecurity.CustomUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
用java 代码来实现是:定义一个 CustomUsernamePasswordAuthenticationFilter 类来实现UsernamePasswordAuthenticationFilter
```
/**
* @Title: CustomLoginFilter.java
* @Package com.ninelephas.whale.springsecurity
* @Description: TODO
* Copyright: Copyright (c) 2016
* Company:九象网络科技(上海)有限公司
*
* @author roamerxv
* @date 2016年9月6日 上午11:23:31
* @version V1.0.0
*/
package com.ninelephas.whale.springsecurity;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
/**
* @ClassName: CustomLoginFilter
* @Description: TODO
* @author Comsys-roamerxv
* @date 2016年9月6日 上午11:23:31
*
*/
@Component
public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
/**
* Logger for this class
*/
private static final Logger logger = LogManager.getLogger(CustomUsernamePasswordAuthenticationFilter.class.getName());
/*
* <p>Title: setAuthenticationManager</p>
* <p>指定AuthenticationManager</p>
* @param authenticationManager
* @see org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#setAuthenticationManager(org.springframework.security.authentication.AuthenticationManager)
*/
@Autowired
@Override
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
logger.debug("setAuthenticationManager(AuthenticationManager) - start"); //$NON-NLS-1$
super.setAuthenticationManager(authenticationManager);
logger.debug("setAuthenticationManager(AuthenticationManager) - end"); //$NON-NLS-1$
}
/*
* <p>Title: attemptAuthentication</p>
* <p>登录验证做的出来: </p>
* @param request
* @param response
* @return
* @throws AuthenticationException
* @see org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#attemptAuthentication(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
logger.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - start"); //$NON-NLS-1$
logger.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - end"); //$NON-NLS-1$
return super.attemptAuthentication(request, response);
}
/*
* <p>Title: successfulAuthentication</p>
* <p>登录成功: </p>
* @param request
* @param response
* @param chain
* @param authResult
* @throws IOException
* @throws ServletException
* @see org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#successfulAuthentication(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.FilterChain, org.springframework.security.core.Authentication)
*/
@Override
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain,
Authentication authResult) throws IOException, ServletException {
logger.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - start"); //$NON-NLS-1$
super.successfulAuthentication(request, response, chain, authResult);
logger.debug(new StringBuffer("登录成功!用户是:").append(authResult.getName()));
request.getSession().setAttribute("user", authResult.getName());
logger.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - end"); //$NON-NLS-1$
}
/*
* <p>Title: unsuccessfulAuthentication</p>
* <p>登录失败: </p>
* @param request
* @param response
* @param failed
* @throws IOException
* @throws ServletException
* @see org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter#unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.core.AuthenticationException)
*/
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
logger.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - start"); //$NON-NLS-1$
super.unsuccessfulAuthentication(request, response, failed);
logger.debug("登录失败!");
logger.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - end"); //$NON-NLS-1$
}
}
```
* 注意!!! *
在xml配置中customUsernamePasswordAuthenticationFilter 这部分需要指定authenticationManager ,并且 是通过
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
来指定的。所以在SecurityConfiguration.java 文件中需要注意着几个地方
a. 定义一个
@Autowired
AuthenticationManagerBuilder authenticationManagerBuilder;
变量
b. 在配置的函数里面 设置这个变量
// 这里要注入这个方法。
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
logger.debug("configureGlobal(AuthenticationManagerBuilder) - start"); //$NON-NLS-1$
this.authenticationManagerBuilder.inMemoryAuthentication().withUser("user").password("user").roles("USER");
this.authenticationManagerBuilder.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
logger.debug("configureGlobal(AuthenticationManagerBuilder) - end"); //$NON-NLS-1$
}
c. 用Bean来注解authenticationManager的方法来返回这个 AuthenticationManager
// 这里要用@Bean注解这个方法,以便容器调用获取实例 AuthenticationManager 实例
@Bean
public AuthenticationManager authenticationManager() throws Exception {
logger.debug("authenticationManager() - start"); //$NON-NLS-1$
AuthenticationManager authenticationManager = this.authenticationManagerBuilder.build();
logger.debug(new StringBuffer("AuthenticationManager设置成功,对象指针是:").append(authenticationManager));
logger.debug("authenticationManager() - end"); //$NON-NLS-1$
return authenticationManager;
}
d. 在CustomUsernamePasswordAuthenticationFilter.java 中设置这个变量
@Autowired
@Override
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
logger.debug("setAuthenticationManager(AuthenticationManager) - start"); //$NON-NLS-1$
super.setAuthenticationManager(authenticationManager);
logger.debug("setAuthenticationManager(AuthenticationManager) - end"); //$NON-NLS-1$
}
-
- 5.