秒懂SpringBoot之全網最易懂的Spring Security教程
SpringBoot整合Spring-Security 認證篇(保姆級教程)
SpringBoot整合Spring Security【超詳細教程】
spring security 超詳細使用教程(接入springboot、前后端分離)
Security 自定義 UsernamePasswordAuthenticationFilter 替換原攔截器
SpringSecurity自定義UsernamePasswordAuthenticationFilter
自定義過濾器替換 UsernamePasswordAuthenticationFilter
Spring Security 實戰干貨:必須掌握的一些內置 Filter
Spring Security權限控制框架使用指南
你真的了解 Cookie 和 Session 嗎?
Session 、Cookie和Token三者的關系和區別
簡單使用 Spring Security
pom.xml
<dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><!--springSecurity--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>
</dependencies>
啟動類
@SpringBootApplication
public class SpringBootSecurityApplication {public static void main(String[] args) {SpringApplication.run(SpringBootSecurityApplication.class, args);}
}
配置文件
server:port: 8001spring:security:user:name: adminpassword: 123456
controller
@RestController
@RequestMapping("/auth")
public class TestController {@GetMapping("/hello")public String sayHello(){return "hello security";}
}
啟動項目
訪問 http://localhost:8001/auth/hello 會出現登錄頁面
輸入賬號密碼 正常輸出
如果沒有配置賬號密碼
username:user
password:隨機生成,會打印在你的控制臺日志上。
Spring Security 代碼執行流程
一個請求過來Spring Security會按照下圖的步驟處理:
進入到Filter中 UsernamePasswordAuthenticationFilter
進入 UsernamePasswordAuthenticationFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request = (HttpServletRequest) req;HttpServletResponse response = (HttpServletResponse) res;if (!requiresAuthentication(request, response)) {chain.doFilter(request, response);return;}if (logger.isDebugEnabled()) {logger.debug("Request is to process authentication");}Authentication authResult;try {authResult = attemptAuthentication(request, response);if (authResult == null) {return;}//此處底層會設置 JSESSIONID 并存儲 JSESSIONIDsessionStrategy.onAuthentication(authResult, request, response);}catch (InternalAuthenticationServiceException failed) {//失敗處理unsuccessfulAuthentication(request, response, failed);return;}catch (AuthenticationException failed) {//失敗處理unsuccessfulAuthentication(request, response, failed);return;}// Authentication successif (continueChainBeforeSuccessfulAuthentication) {chain.doFilter(request, response);}//成功后處理successfulAuthentication(request, response, chain, authResult);
}//UsernamePasswordAuthenticationFilter.java
public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException {...String username = obtainUsername(request);String password = obtainPassword(request);...UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);...//this.getAuthenticationManager() 默認為 ProviderManagerreturn this.getAuthenticationManager().authenticate(authRequest);
}
進入 ProviderManager
循環執行 AuthenticationProvider 的 authenticate 方法
//ProviderManager.java
public Authentication authenticate(Authentication authentication)throws AuthenticationException {...for (AuthenticationProvider provider : getProviders()) {...result = provider.authenticate(authentication);if (result != null) {if (eraseCredentialsAfterAuthentication&& (result instanceof CredentialsContainer)) {...//此處會將密碼設置為空((CredentialsContainer) result).eraseCredentials();}...return result;}...}...
}
默認執行 DaoAuthenticationProvider 的 authenticate
//AbstractUserDetailsAuthenticationProvider.java
public Authentication authenticate(Authentication authentication)throws AuthenticationException {...// Determine usernameString username = (authentication.getPrincipal() == null) ? "NONE_PROVIDED": authentication.getName();...//獲取用戶信息user = retrieveUser(username,(UsernamePasswordAuthenticationToken) authentication);...try {//校驗用戶密碼additionalAuthenticationChecks(user,(UsernamePasswordAuthenticationToken) authentication);}...return createSuccessAuthentication(principalToReturn, authentication, user);
}SessionId 處理
sessionStrategy.onAuthentication 最終回執行到
//設置 Set-Cookie
// sessionStrategy.onAuthentication 最終回執行到
//org.apache.catalina.connector.Request
public String changeSessionId() {Session session = this.getSessionInternal(false);if (session == null) {throw new IllegalStateException(sm.getString("coyoteRequest.changeSessionId"));}// StandardManagerManager manager = this.getContext().getManager();//獲取新的 SessionIdString newSessionId = manager.rotateSessionId(session);//將 SessionId 設置到 response 中this.changeSessionId(newSessionId);return newSessionId;
}- 獲取新 SessionId 并將 SessionId 存儲
manager.rotateSessionId 會生成新的 SessionId 并將 SessionId 存儲到 StandardManager(父級 ManagerBase) 的
protected Map<String, Session> sessions = new ConcurrentHashMap<>()
中
@Override
public String rotateSessionId(Session session) {String newId = generateSessionId();changeSessionId(session, newId, true, true);return newId;
}protected void changeSessionId(Session session, String newId,boolean notifySessionListeners, boolean notifyContainerListeners) {String oldId = session.getIdInternal();session.setId(newId, false);session.tellChangedSessionId(newId, oldId,notifySessionListeners, notifyContainerListeners);
}@Override
public void setId(String id, boolean notify) {if ((this.id != null) && (manager != null))manager.remove(this);this.id = id;if (manager != null)manager.add(this);if (notify) {tellNew();}
}@Override
public void add(Session session) {sessions.put(session.getIdInternal(), session);int size = getActiveSessions();if( size > maxActive ) {synchronized(maxActiveUpdateLock) {if( size > maxActive ) {maxActive = size;}}}
}
- 重設 需要返回的 SessionId
public void changeSessionId(String newSessionId) {...if (response != null) {Cookie newCookie = ApplicationSessionCookieConfig.createSessionCookie(context,newSessionId, isSecure());response.addSessionCookieInternal(newCookie);}
}public void addSessionCookieInternal(final Cookie cookie) {if (isCommitted()) {return;}String name = cookie.getName();final String headername = "Set-Cookie";...if (!set) {addHeader(headername, header);}
}
登錄時session 校驗
通過斷點可發現 最終回執行到 StandardManager(父級 ManagerBase) 的 findSession 中
剛好使用了 上面生成的 sessionId
//ManagerBase.java
@Override
public Session findSession(String id) throws IOException {if (id == null) {return null;}return sessions.get(id);
}
獲取用戶信息
//DaoAuthenticationProvider.java
protected final UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication)throws AuthenticationException {...UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);if (loadedUser == null) {throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");}return loadedUser;...
}
執行 getUserDetailsService(UserDetailsService) 獲取 用戶信息
默認執行到 InMemoryUserDetailsManager 中的 loadUserByUsername方法
// InMemoryUserDetailsManager.java
public UserDetails loadUserByUsername(String username)throws UsernameNotFoundException {UserDetails user = users.get(username.toLowerCase());if (user == null) {throw new UsernameNotFoundException(username);}return new User(user.getUsername(), user.getPassword(), user.isEnabled(),user.isAccountNonExpired(), user.isCredentialsNonExpired(),user.isAccountNonLocked(), user.getAuthorities());
}
校驗用戶密碼是否正確
//DaoAuthenticationProvider.java
protected void additionalAuthenticationChecks(UserDetails userDetails,UsernamePasswordAuthenticationToken authentication)throws AuthenticationException {if (authentication.getCredentials() == null) {logger.debug("Authentication failed: no credentials provided");throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials","Bad credentials"));}String presentedPassword = authentication.getCredentials().toString();//判斷密碼是否正確if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {logger.debug("Authentication failed: password does not match stored value");throw new BadCredentialsException(messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials","Bad credentials"));}
}
根據以上執行流程 可針對相應步驟自定義內容
自定義配置相關步驟
自定義 UserDetailsService
默認是 InMemoryUserDetailsManager
@Service
public class UserDetailService implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();SysUser sysUser = new SysUser();sysUser.setUsername("admin");sysUser.setPassword(bCryptPasswordEncoder.encode("13579"));Map<String, SysUser> map = new HashMap<>();map.put(sysUser.getUsername(), sysUser);return map.get(username);}
}
用自定義的 UserDetailsService 時 需設置加密方式
@Bean
public BCryptPasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();
}
也可通過在 config 中配置對應的實現類
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {//配置對應的權限相關對象}
}
自定義 AuthenticationProvider
默認是 DaoAuthenticationProvider
@Component
public class MyAuthenticationProvider implements AuthenticationProvider {@Autowiredprivate UserDetailService userDetailService;@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {String username = authentication.getName();String presentedPassword = (String) authentication.getCredentials();// 根據用戶名獲取用戶信息UserDetails userDetails = this.userDetailService.loadUserByUsername(username);if (StringUtils.isEmpty(userDetails)) {throw new BadCredentialsException("用戶名不存在");} else {//校驗 將輸入的密碼presentedPassword加密 和 數據庫中的密碼userDetails.getPassword() 校驗是否一致UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(userDetails, authentication.getCredentials(), userDetails.getAuthorities());result.setDetails(authentication.getDetails());return result;}}@Overridepublic boolean supports(Class<?> authentication) {return true;}
}
自定義 AuthenticationManager
默認是 ProviderManager
@Beanprotected AuthenticationManager authenticationManager() throws Exception {ProviderManager manager = new ProviderManager(Arrays.asList(myAuthenticationProvider));return manager;}
自定義 Filter, 重寫 UsernamePasswordAuthenticationFilter
public class LoginFilter extends UsernamePasswordAuthenticationFilter {private AuthenticationManager authenticationManager;public LoginFilter(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}//這個方法是用來去嘗試驗證用戶的@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {try {String username = request.getParameter("username");String password = request.getParameter("password");return authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));} catch (Exception e) {try {response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);PrintWriter out = response.getWriter();Map<String, Object> map = new HashMap<>();map.put("code", HttpServletResponse.SC_UNAUTHORIZED);map.put("message", "賬號或密碼錯誤!");out.write(new ObjectMapper().writeValueAsString(map));out.flush();out.close();} catch (Exception e1) {e1.printStackTrace();}throw new RuntimeException(e);}}//成功之后執行的方法@Overridepublic void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {SysUser sysUser = new SysUser();sysUser.setUsername(authResult.getName());String token = JwtToolUtils.tokenCreate(authResult.getName(), 600);response.addHeader("Authorization", "RobodToken " + token); //將Token信息返回給用戶try {//登錄成功時,返回json格式進行提示response.setContentType("application/json;charset=utf-8");response.setStatus(HttpServletResponse.SC_OK);PrintWriter out = response.getWriter();Map<String, Object> map = new HashMap<String, Object>(4);map.put("code", HttpServletResponse.SC_OK);map.put("message", "登陸成功!");out.write(new ObjectMapper().writeValueAsString(map));out.flush();out.close();} catch (Exception e1) {e1.printStackTrace();}//執行父級流程//super.successfulAuthentication(request, response, chain, authResult);}
}
自定義 Filter, 添加在 UsernamePasswordAuthenticationFilter 之前
@Component
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException, ServletException, IOException {//獲取tokenString token = request.getHeader("token");if (!StringUtils.hasText(token)) {//token為空的話, 就不管它, 讓SpringSecurity中的其他過濾器處理請求//請求放行filterChain.doFilter(request, response);return;}//jwt 解析token 后的用戶信息SysUser securityUser = new SysUser();securityUser.setUsername("aa");securityUser.setPassword("123");//將用戶安全信息存入SecurityContextHolder, 在之后SpringSecurity的過濾器就不會攔截UsernamePasswordAuthenticationToken authenticationToken =new UsernamePasswordAuthenticationToken(securityUser, null, null);SecurityContextHolder.getContext().setAuthentication(authenticationToken);//放行filterChain.doFilter(request, response);}
}
配置自定義的過濾器
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {@AutowiredJwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;//配置SpringSecurity Http 相關信息@Overridepublic void configure(HttpSecurity http) throws Exception {http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);}
}
項目啟動相關初始化
Security 賬號密碼加載
UserDetailsServiceAutoConfiguration 加載時
獲取 SecurityProperties 配置文件中配置的賬號密碼, 如果密碼是默認的隨機生成的,將密碼輸入到控制臺
//UserDetailsServiceAutoConfiguration.java
@Bean
@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
@Lazy
public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,ObjectProvider<PasswordEncoder> passwordEncoder) {SecurityProperties.User user = properties.getUser();List<String> roles = user.getRoles();return new InMemoryUserDetailsManager(User.withUsername(user.getName()).password(getOrDeducePassword(user, passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build());
}private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {String password = user.getPassword();//如果是默認動態生成的,輸出到控制臺if (user.isPasswordGenerated()) {logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));}if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {return password;}return NOOP_PASSWORD_PREFIX + password;
}
SecurityProperties.java
默認賬號 user
默認密碼隨機生成
passwordGenerated 設置密碼是否是隨機生成的。 默認為true, 當配置的密碼不為空時,置為false
public class SecurityProperties {...private User user = new User();...public static class User {private String name = "user";private String password = UUID.randomUUID().toString();private boolean passwordGenerated = true;...public void setPassword(String password) {if (!StringUtils.hasLength(password)) {return;}this.passwordGenerated = false;this.password = password;}...}
}
設置默認的用戶賬號信息(users)
public InMemoryUserDetailsManager(UserDetails... users) {for (UserDetails user : users) {createUser(user);}
}
public void createUser(UserDetails user) {Assert.isTrue(!userExists(user.getUsername()), "user should not exist");users.put(user.getUsername().toLowerCase(), new MutableUser(user));
}
WebSecurityConfiguration 加載
涉及到的Configuration
ReactiveUserDetailsServiceAutoConfiguration@AutoConfigureAfterRSocketMessagingAutoConfigurationSecurityAutoConfiguration#importSpringBootWebSecurityConfigurationWebSecurityEnablerConfiguration@EnableWebSecurity #importWebSecurityConfigurationSpringWebMvcImportSelectorOAuth2ImportSelector@EnableGlobalAuthenticationAuthenticationConfiguration@ImportObjectPostProcessorConfigurationSecurityDataConfigurationSecurityFilterAutoConfiguration UserDetailsServiceAutoConfiguration
加載流程
當未配置自定義的 WebSecurityConfigurerAdapter 時
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
@ConditionalOnMissingBean(WebSecurityConfigurerAdapter.class)
@ConditionalOnWebApplication(type = Type.SERVLET)
public class SpringBootWebSecurityConfiguration {@Configuration(proxyBeanMethods = false)@Order(SecurityProperties.BASIC_AUTH_ORDER)static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {}
}@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(AuthenticationManager.class)
@ConditionalOnBean(ObjectPostProcessor.class)
@ConditionalOnMissingBean(value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class },type = { "org.springframework.security.oauth2.jwt.JwtDecoder","org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector" })
public class UserDetailsServiceAutoConfiguration {private static final String NOOP_PASSWORD_PREFIX = "{noop}";private static final Pattern PASSWORD_ALGORITHM_PATTERN = Pattern.compile("^\\{.+}.*$");private static final Log logger = LogFactory.getLog(UserDetailsServiceAutoConfiguration.class);@Bean@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")@Lazypublic InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties,ObjectProvider<PasswordEncoder> passwordEncoder) {SecurityProperties.User user = properties.getUser();List<String> roles = user.getRoles();return new InMemoryUserDetailsManager(User.withUsername(user.getName()).password(getOrDeducePassword(user, passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build());}private String getOrDeducePassword(SecurityProperties.User user, PasswordEncoder encoder) {String password = user.getPassword();if (user.isPasswordGenerated()) {logger.info(String.format("%n%nUsing generated security password: %s%n", user.getPassword()));}if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {return password;}return NOOP_PASSWORD_PREFIX + password;}}@Configuration(proxyBeanMethods = false)
@Import(ObjectPostProcessorConfiguration.class)
public class AuthenticationConfiguration {@Autowired(required = false)public void setGlobalAuthenticationConfigurers(List<GlobalAuthenticationConfigurerAdapter> configurers) {configurers.sort(AnnotationAwareOrderComparator.INSTANCE);this.globalAuthConfigurers = configurers;}
}WebSecurityConfiguration 中的 setFilterChainProxySecurityConfigurer 加載會 獲取所有 SecurityConfigurer 的實現類 對 獲取到的 SecurityConfigurer 集合排序循環執行 webSecurity.apply(webSecurityConfigurer) 將 webSecurityConfigurer 添加到 webSecurity 的 configurers 中設置 this.webSecurityConfigurers = webSecurityConfigurers;@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {@Autowired(required = false)public void setFilterChainProxySecurityConfigurer(ObjectPostProcessor<Object> objectPostProcessor,@Value("#{@autowiredWebSecurityConfigurersIgnoreParents.getWebSecurityConfigurers()}") List<SecurityConfigurer<Filter, WebSecurity>> webSecurityConfigurers)throws Exception {webSecurity = objectPostProcessor.postProcess(new WebSecurity(objectPostProcessor));if (debugEnabled != null) {webSecurity.debug(debugEnabled);}webSecurityConfigurers.sort(AnnotationAwareOrderComparator.INSTANCE);Integer previousOrder = null;Object previousConfig = null;for (SecurityConfigurer<Filter, WebSecurity> config : webSecurityConfigurers) {Integer order = AnnotationAwareOrderComparator.lookupOrder(config);if (previousOrder != null && previousOrder.equals(order)) {throw new IllegalStateException("@Order on WebSecurityConfigurers must be unique. Order of "+ order + " was already used on " + previousConfig + ", so it cannot be used on "+ config + " too.");}previousOrder = order;previousConfig = config;}for (SecurityConfigurer<Filter, WebSecurity> webSecurityConfigurer : webSecurityConfigurers) {webSecurity.apply(webSecurityConfigurer);}this.webSecurityConfigurers = webSecurityConfigurers;}@Bean@DependsOn(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)public SecurityExpressionHandler<FilterInvocation> webSecurityExpressionHandler() {return webSecurity.getExpressionHandler();}@Bean(name = AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)public Filter springSecurityFilterChain() throws Exception {boolean hasConfigurers = webSecurityConfigurers != null&& !webSecurityConfigurers.isEmpty();if (!hasConfigurers) {WebSecurityConfigurerAdapter adapter = objectObjectPostProcessor.postProcess(new WebSecurityConfigurerAdapter() {});webSecurity.apply(adapter);}return webSecurity.build();}
}WebSecurityConfiguration 中的 webSecurityExpressionHandler 加載 @DependsOn 依賴 springSecurityFilterChainWebSecurityConfiguration 中的 springSecurityFilterChain 加載1、判斷是否有定義的 webSecurityConfigurers2、執行 webSecurity.build()執行到 AbstractSecurityBuilder 中的 build 方法執行到 AbstractConfiguredSecurityBuilder 中的 doBuild 方法@Overrideprotected final O doBuild() throws Exception {synchronized (configurers) {buildState = BuildState.INITIALIZING;beforeInit();init();buildState = BuildState.CONFIGURING;beforeConfigure();configure();buildState = BuildState.BUILDING;O result = performBuild();buildState = BuildState.BUILT;return result;}}整體執行流程1、beforeInit();2、init(); 循環執行 configurers 的 init 方法執行到 WebSecurityConfigurerAdapter 中的 init 方法public void init(final WebSecurity web) throws Exception {final HttpSecurity http = getHttp();web.addSecurityFilterChainBuilder(http).postBuildAction(() -> {FilterSecurityInterceptor securityInterceptor = http.getSharedObject(FilterSecurityInterceptor.class);web.securityInterceptor(securityInterceptor);});}protected final HttpSecurity getHttp() throws Exception {if (http != null) {return http;}AuthenticationEventPublisher eventPublisher = getAuthenticationEventPublisher();localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);AuthenticationManager authenticationManager = authenticationManager();authenticationBuilder.parentAuthenticationManager(authenticationManager);Map<Class<?>, Object> sharedObjects = createSharedObjects();http = new HttpSecurity(objectPostProcessor, authenticationBuilder,sharedObjects);...configure(http);return http;}authenticationManager(); 獲取 AuthenticationManager protected AuthenticationManager authenticationManager() throws Exception {...authenticationManager = authenticationConfiguration.getAuthenticationManager();...}public AuthenticationManager getAuthenticationManager() throws Exception {...for (GlobalAuthenticationConfigurerAdapter config : globalAuthConfigurers) {authBuilder.apply(config);}authenticationManager = authBuilder.build();...}globalAuthConfigurers 獲取 GlobalAuthenticationConfigurerAdapter 的實現類 //TODO 循環執行 authBuilder.apply(config) 將 GlobalAuthenticationConfigurerAdapter 添加到 authBuilder 的 configurers 中authBuilder.build();public final O build() throws Exception {if (this.building.compareAndSet(false, true)) {this.object = doBuild();return this.object;}throw new AlreadyBuiltException("This object has already been built");}執行到 AbstractSecurityBuilder 中的 build 方法執行到 AbstractConfiguredSecurityBuilder 中的 doBuild 方法執行流程同上InitializeUserDetailsManagerConfigurerpublic void configure(AuthenticationManagerBuilder auth) throws Exception {if (auth.isConfigured()) {return;}UserDetailsService userDetailsService = getBeanOrNull(UserDetailsService.class);if (userDetailsService == null) {return;}PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);UserDetailsPasswordService passwordManager = getBeanOrNull(UserDetailsPasswordService.class);DaoAuthenticationProvider provider = new DaoAuthenticationProvider();provider.setUserDetailsService(userDetailsService);if (passwordEncoder != null) {provider.setPasswordEncoder(passwordEncoder);}if (passwordManager != null) {provider.setUserDetailsPasswordService(passwordManager);}provider.afterPropertiesSet();auth.authenticationProvider(provider);}1、獲取 UserDetailsService (InMemoryUserDetailsManager)2、獲取 PasswordEncoder 為空3、獲取 UserDetailsPasswordService (InMemoryUserDetailsManager)4、DaoAuthenticationProvider provider = new DaoAuthenticationProvider();public DaoAuthenticationProvider() {setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());}public static PasswordEncoder createDelegatingPasswordEncoder() {String encodingId = "bcrypt";Map<String, PasswordEncoder> encoders = new HashMap<>();encoders.put(encodingId, new BCryptPasswordEncoder());encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());encoders.put("scrypt", new SCryptPasswordEncoder());encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());encoders.put("argon2", new Argon2PasswordEncoder());return new DelegatingPasswordEncoder(encodingId, encoders);}設置加密方式5、設置對應的 UserDetailsService、PasswordEncoder、UserDetailsPasswordService6、執行 afterPropertiesSet7、auth.authenticationProvider 往 AuthenticationManagerBuilder 的 authenticationProviders 中添加數據會執行到 AuthenticationManagerBuilder@Overrideprotected ProviderManager performBuild() throws Exception {if (!isConfigured()) {logger.debug("No authenticationProviders and no parentAuthenticationManager defined. Returning null.");return null;}ProviderManager providerManager = new ProviderManager(authenticationProviders,parentAuthenticationManager);if (eraseCredentials != null) {providerManager.setEraseCredentialsAfterAuthentication(eraseCredentials);}if (eventPublisher != null) {providerManager.setAuthenticationEventPublisher(eventPublisher);}providerManager = postProcess(providerManager);return providerManager;}為 http 的 configurers 添加對應的 configurerconfigure(http);protected void configure(HttpSecurity http) throws Exception {logger.debug("Using default configure(HttpSecurity). If subclassed this will potentially override subclass configure(HttpSecurity).");http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();}public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {return getOrApply(new FormLoginConfigurer<>());}public FormLoginConfigurer() {super(new UsernamePasswordAuthenticationFilter(), null);usernameParameter("username");passwordParameter("password");}// 調用 login 接口才會進入 UsernamePasswordAuthenticationFilter過濾器public UsernamePasswordAuthenticationFilter() {super(new AntPathRequestMatcher("/login", "POST"));}protected AbstractAuthenticationFilterConfigurer(F authenticationFilter,String defaultLoginProcessingUrl) {this();this.authFilter = authenticationFilter;if (defaultLoginProcessingUrl != null) {loginProcessingUrl(defaultLoginProcessingUrl);}}addSecurityFilterChainBuilder(http)//為 WebSecurity 的 securityFilterChainBuilders 中添加數據public WebSecurity addSecurityFilterChainBuilder(SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder) {this.securityFilterChainBuilders.add(securityFilterChainBuilder);return this;}3、beforeConfigure();4、configure(); 循環執行 configurers 的 configure 方法執行 自定義的 configure 方法5、performBuild();@Overrideprotected Filter performBuild() throws Exception {...for (SecurityBuilder<? extends SecurityFilterChain> securityFilterChainBuilder : securityFilterChainBuilders) {securityFilterChains.add(securityFilterChainBuilder.build());}...Filter result = filterChainProxy;postBuildAction.run();return result;}此時的 securityFilterChainBuilders 是 HttpSecuritysecurityFilterChainBuilder.build()循環執行 securityFilterChainBuilder 中的 configurers執行 FormLoginConfigurer 的 configure 方法 // AbstractAuthenticationFilterConfigurer.class@Overridepublic void configure(B http) throws Exception {PortMapper portMapper = http.getSharedObject(PortMapper.class);if (portMapper != null) {authenticationEntryPoint.setPortMapper(portMapper);}RequestCache requestCache = http.getSharedObject(RequestCache.class);if (requestCache != null) {this.defaultSuccessHandler.setRequestCache(requestCache);}authFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));authFilter.setAuthenticationSuccessHandler(successHandler);authFilter.setAuthenticationFailureHandler(failureHandler);if (authenticationDetailsSource != null) {authFilter.setAuthenticationDetailsSource(authenticationDetailsSource);}SessionAuthenticationStrategy sessionAuthenticationStrategy = http.getSharedObject(SessionAuthenticationStrategy.class);if (sessionAuthenticationStrategy != null) {authFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);}RememberMeServices rememberMeServices = http.getSharedObject(RememberMeServices.class);if (rememberMeServices != null) {authFilter.setRememberMeServices(rememberMeServices);}F filter = postProcess(authFilter);http.addFilter(filter);}//authFilter 為 UsernamePasswordAuthenticationFilter.java將 filter 添加到 HttpSecurity 中, 在過濾器中使用過濾器鏈
FilterComparator() {Step order = new Step(INITIAL_ORDER, ORDER_STEP);put(ChannelProcessingFilter.class, order.next());put(ConcurrentSessionFilter.class, order.next());put(WebAsyncManagerIntegrationFilter.class, order.next());put(SecurityContextPersistenceFilter.class, order.next());put(HeaderWriterFilter.class, order.next());put(CorsFilter.class, order.next());put(CsrfFilter.class, order.next());put(LogoutFilter.class, order.next());filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",order.next());filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter",order.next());put(X509AuthenticationFilter.class, order.next());put(AbstractPreAuthenticatedProcessingFilter.class, order.next());filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter",order.next());filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter",order.next());filterToOrder.put("org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",order.next());put(UsernamePasswordAuthenticationFilter.class, order.next());put(ConcurrentSessionFilter.class, order.next());filterToOrder.put("org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());put(DefaultLoginPageGeneratingFilter.class, order.next());put(DefaultLogoutPageGeneratingFilter.class, order.next());put(ConcurrentSessionFilter.class, order.next());put(DigestAuthenticationFilter.class, order.next());filterToOrder.put("org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter", order.next());put(BasicAuthenticationFilter.class, order.next());put(RequestCacheAwareFilter.class, order.next());put(SecurityContextHolderAwareRequestFilter.class, order.next());put(JaasApiIntegrationFilter.class, order.next());put(RememberMeAuthenticationFilter.class, order.next());put(AnonymousAuthenticationFilter.class, order.next());filterToOrder.put("org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter",order.next());put(SessionManagementFilter.class, order.next());put(ExceptionTranslationFilter.class, order.next());put(FilterSecurityInterceptor.class, order.next());put(SwitchUserFilter.class, order.next());}
異常問題處理過程
1、通過 postman 訪問登錄接口異常
未配置自定義的 WebSecurityConfigurerAdapter 時
通過 postman 訪問頁面登錄的接口, 獲取 JSESSIONID 失敗
curl --location 'http://localhost:8001/login' \
--header 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: JSESSIONID=24E4E66AD4D606C8F98022A30ABD49F9' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=2'
是因為 CsrfFilter 中 doFilterInternal 有個 !csrfToken.getToken().equals(actualToken) 導致獲取失敗
protected void doFilterInternal(HttpServletRequest request,HttpServletResponse response, FilterChain filterChain)throws ServletException, IOException {request.setAttribute(HttpServletResponse.class.getName(), response);CsrfToken csrfToken = this.tokenRepository.loadToken(request);...if (!csrfToken.getToken().equals(actualToken)) {...}filterChain.doFilter(request, response);
}
處理方式
-
1、需要在 headers 中增加 X-CSRF-TOKEN 參數
-
2、禁用 csrf
參照 WebSecurityConfigurerAdapter 的配置 增加 禁用 csrf
@Override
protected void configure(HttpSecurity http) throws Exception {http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
}
