spring security
問題描述
某項目後臺管理,既管理後臺賬號,又管理前臺賬號,前臺賬號信息存儲front_account, 後臺賬號信息存儲back_account。這裏通過spring security 既管理後臺賬號的認證,也管理前臺賬號的認證。
分析問題
既然是兩張表,而且爲了適應不同環境,那麼首先我們知道,單個項目內既要實現前臺登錄,又要實現後臺登錄,那麼前後臺的登錄路徑肯定不同,基於路徑的區分,我們需要關心兩點:
1.security是否對路徑做攔截。
2.重寫loadUserByUsername(String username)方法
解決方案
路徑攔截在UsernamePasswordAuthenticationFilter中可以看到new AntPathRequestMatcher("/login", “POST”),這段代碼就是過濾,所以重寫它
loadUserByUsername authenticate#retrieveUser 裏面有調用到loadUserByUsername,所以重寫它
代碼實現
基本套路爲:
config 繼承WebSecurityConfigurerAdapter,重寫configure(HttpSecurity http)
Filter 繼承AbstractAuthenticationProcessingFilter,參考UsernamePasswordAuthenticationFilter 實現路徑過濾和attemptAuthentication(身份驗證)
token 繼承AbstractAuthenticationToken, 參考UsernamePasswordAuthenticationToken
provider 實現AuthenticationProvider,參考DaoAuthenticationProvider 重寫authenticate和retrieveUser方法
Config
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
...//TODO 主要是下面兩個
//後臺過濾
http.addFilterAt(backAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
//前臺過濾
http.addFilterAt(frontAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
BackAuthenticationFilter backAuthenticationFilter() throws Exception {
BackAuthenticationFilter filter = new BackAuthenticationFilter();
filter.setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
LoginUser loginUser = (LoginUser) authentication.getPrincipal();
Token token = tokenService.saveToken(loginUser);
ResponseUtil.responseJson(response, HttpStatus.OK.value(), token);
}
});
filter.setAuthenticationFailureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
String msg = null;
if (exception instanceof BadCredentialsException) {
msg = "密碼錯誤";
} else {
msg = exception.getMessage();
}
ResponseUtil.responseJson(response, HttpStatus.UNAUTHORIZED.value(), Result.error(HttpStatus.UNAUTHORIZED.value(), msg));
}
});
filter.setAuthenticationManager(authenticationManagerBean());
return filter;
}
BackAuthenticationFilter
public class BackAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
// ~ Static fields/initializers
// =====================================================================================
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
private boolean postOnly = true;
// ~ Constructors
// ===================================================================================================
public BackAuthenticationFilter() {
//路徑過濾
super(new AntPathRequestMatcher("/back/login", "POST"));
}
// ~ Methods
// ========================================================================================================
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
AbstractAuthenticationToken authRequest = new BackAuthenticationToken(
username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.getAuthenticationManager().authenticate(authRequest);
}
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(passwordParameter);
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(usernameParameter);
}
protected void setDetails(HttpServletRequest request,
AbstractAuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
public void setUsernameParameter(String usernameParameter) {
Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
this.usernameParameter = usernameParameter;
}
public void setPasswordParameter(String passwordParameter) {
Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
this.passwordParameter = passwordParameter;
}
public void setPostOnly(boolean postOnly) {
this.postOnly = postOnly;
}
public final String getUsernameParameter() {
return usernameParameter;
}
public final String getPasswordParameter() {
return passwordParameter;
}
}
BackAuthenticationToken
public class BackAuthenticationToken extends AbstractAuthenticationToken {
private final Object principal;
private String credentials;
public BackAuthenticationToken(Object principal, String credentials) {
super(null);
this.principal = principal;
this.credentials = credentials;
setAuthenticated(false);
}
// ~ Methods
// ========================================================================================================
public String getCredentials() {
return this.credentials;
}
public Object getPrincipal() {
return this.principal;
}
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
credentials = null;
}
}
BackAuthenticationProvider
public class BackAuthenticationProvider implements AuthenticationProvider {
@Autowired
@Qualifier("bCryptPasswordEncoder")
private BCryptPasswordEncoder passwordEncoder;
@Autowired
private BackUserDetailsServiceImpl userDetailsService;
/**
* The plaintext password used to perform
* PasswordEncoder#matches(CharSequence, String)} on when the user is
* not found to avoid SEC-2056.
*/
private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
private UserCache userCache = new NullUserCache();
private boolean hideUserNotFoundExceptions = true;
/**
* The password used to perform
* {@link PasswordEncoder#matches(CharSequence, String)} on when the user is
* not found to avoid SEC-2056. This is necessary, because some
* {@link PasswordEncoder} implementations will short circuit if the password is not
* in a valid format.
*/
private volatile String userNotFoundEncodedPassword;
public UserCache getUserCache() {
return userCache;
}
public void setUserCache(UserCache userCache) {
this.userCache = userCache;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED" : authentication.getName();
String password = (String) authentication.getCredentials();
if (StringUtils.isEmpty(password)) {
throw new BadCredentialsException("密碼不能爲空");
}
boolean cacheWasUsed = true;
UserDetails user = this.userCache.getUserFromCache(username);
if (user == null) {
cacheWasUsed = false;
try {
user = retrieveUser(username,
(BackAuthenticationToken) authentication);
} catch (UsernameNotFoundException notFound) {
log.debug("User '" + username + "' not found");
if (hideUserNotFoundExceptions) {
throw new BadCredentialsException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.badCredentials",
"Bad credentials"));
} else {
throw notFound;
}
}
Assert.notNull(user,
"retrieveUser returned null - a violation of the interface contract");
}
if (null == user) {
throw new BadCredentialsException("用戶不存在");
}
if (!passwordEncoder.matches(password, user.getPassword())) {
throw new BadCredentialsException("用戶名或密碼不正確");
}
if (!cacheWasUsed) {
this.userCache.putUserInCache(user);
}
UsernamePasswordAuthenticationToken result =
new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
result.setDetails(authentication.getDetails());
return result;
}
private UserDetails retrieveUser(String username, BackAuthenticationToken authentication) throws AuthenticationException {
prepareTimingAttackProtection();
try {
UserDetails loadedUser = this.userDetailsService.loadUserByUsername(username);
if (loadedUser == null) {
throw new InternalAuthenticationServiceException(
"UserDetailsService returned null, which is an interface contract violation");
}
return loadedUser;
} catch (UsernameNotFoundException ex) {
mitigateAgainstTimingAttack(authentication);
throw ex;
} catch (InternalAuthenticationServiceException ex) {
throw ex;
} catch (Exception ex) {
throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
}
}
private void prepareTimingAttackProtection() {
if (this.userNotFoundEncodedPassword == null) {
this.userNotFoundEncodedPassword = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
}
}
private void mitigateAgainstTimingAttack(BackAuthenticationToken authentication) {
if (authentication.getCredentials() != null) {
String presentedPassword = authentication.getCredentials();
this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
}
}
@Override
public boolean supports(Class<?> authentication) {
return (BackAuthenticationToken.class.isAssignableFrom(authentication));
}
}