挣扎了两周,spring security的cas终于搞出来了,废话不多说,开篇!
1 <?xml version="1.0" encoding="utf-8"?> 2 <project xmlns="http://maven.apache.org/pom/4.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" 3 xsi:schemalocation="http://maven.apache.org/pom/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4 <modelversion>4.0.0</modelversion> 5 6 <groupid>com.cas.client1</groupid> 7 <artifactid>cas-client1</artifactid> 8 <version>0.0.1-snapshot</version> 9 <packaging>jar</packaging> 10 11 <name>cas-client1</name> 12 <description>demo project for spring boot</description> 13 14 <parent> 15 <groupid>org.springframework.boot</groupid> 16 <artifactid>spring-boot-starter-parent</artifactid> 17 <version>2.0.4.release</version> 18 <relativepath/> <!-- lookup parent from repository --> 19 </parent> 20 21 <properties> 22 <project.build.sourceencoding>utf-8</project.build.sourceencoding> 23 <project.reporting.outputencoding>utf-8</project.reporting.outputencoding> 24 <java.version>1.8</java.version> 25 </properties> 26 27 <dependencies> 28 <dependency> 29 <groupid>org.springframework.boot</groupid> 30 <artifactid>spring-boot-starter-web</artifactid> 31 </dependency> 32 <dependency> 33 <groupid>org.springframework.boot</groupid> 34 <artifactid>spring-boot-starter-thymeleaf</artifactid> 35 </dependency> 36 37 <dependency> 38 <groupid>org.springframework.boot</groupid> 39 <artifactid>spring-boot-starter-tomcat</artifactid> 40 <scope>provided</scope> 41 </dependency> 42 <dependency> 43 <groupid>junit</groupid> 44 <artifactid>junit</artifactid> 45 <version>4.12</version> 46 <scope>test</scope> 47 </dependency> 48 <dependency> 49 <groupid>org.springframework.boot</groupid> 50 <artifactid>spring-boot-starter-test</artifactid> 51 <scope>test</scope> 52 </dependency> 53 <dependency> 54 <groupid>org.springframework.boot</groupid> 55 <artifactid>spring-boot-starter-security</artifactid> 56 </dependency> 57 <dependency> 58 <groupid>org.springframework.security</groupid> 59 <artifactid>spring-security-test</artifactid> 60 <scope>test</scope> 61 </dependency> 62 <!-- security taglibs --> 63 <dependency> 64 <groupid>org.springframework.security</groupid> 65 <artifactid>spring-security-taglibs</artifactid> 66 </dependency> 67 <dependency> 68 <groupid>org.springframework.security.oauth</groupid> 69 <artifactid>spring-security-oauth2</artifactid> 70 <version>release</version> 71 </dependency> 72 <dependency> 73 <groupid>org.springframework.boot</groupid> 74 <artifactid>spring-boot-starter-data-jpa</artifactid> 75 </dependency> 76 <dependency> 77 <groupid>org.springframework.boot</groupid> 78 <artifactid>spring-boot-starter-jdbc</artifactid> 79 </dependency> 80 <dependency> 81 <groupid>mysql</groupid> 82 <artifactid>mysql-connector-java</artifactid> 83 <version>5.1.46</version> 84 </dependency> 85 <!-- https://mvnrepository.com/artifact/com.alibaba/druid-spring-boot-starter --> 86 <dependency> 87 <groupid>com.alibaba</groupid> 88 <artifactid>druid-spring-boot-starter</artifactid> 89 <version>1.1.10</version> 90 </dependency> 91 <dependency> 92 <groupid>org.springframework.boot</groupid> 93 <artifactid>spring-boot</artifactid> 94 <version>2.0.2.release</version> 95 <scope>compile</scope> 96 </dependency> 97 </dependencies> 98 99 <build> 100 <plugins> 101 <plugin> 102 <groupid>org.springframework.boot</groupid> 103 <artifactid>spring-boot-maven-plugin</artifactid> 104 </plugin> 105 </plugins> 106 </build> 107 108 109 </project>
application.properties:
1 server.port=8083 2 #静态文件访问存放地址 3 spring.resources.static-locations=classpath:/html/ 4 # thymeleaf 模板存放地址 5 spring.thymeleaf.prefix=classpath:/html/ 6 spring.thymeleaf.suffix=.html 7 spring.thymeleaf.mode=legacyhtml5 8 spring.thymeleaf.encoding=utf-8 9 10 # jdbc 配置(驱动类自动从url的mysql识别,数据源类型自动识别) 11 # 或spring.datasource.url= 12 spring.datasource.druid.url=jdbc:mysql://localhost:3306/vhr?useunicode=true&characterencoding=utf8 13 # 或spring.datasource.username= 14 spring.datasource.druid.username=root 15 # 或spring.datasource.password= 16 spring.datasource.druid.password=1234 17 #或 spring.datasource.driver-class-name= 18 #spring.datasource.druid.driver-class-name=com.mysql.jdbc.driver 19 20 #连接池配置(通常来说,只需要修改initialsize、minidle、maxactive 21 # 如果用oracle,则把poolpreparedstatements配置为true,mysql可以配置为false。分库分表较多的数据库,建议配置为false。removeabandoned不建议在生产环境中打开如果用sql server,建议追加配置) 22 spring.datasource.druid.initial-size=1 23 spring.datasource.druid.max-active=20 24 spring.datasource.druid.min-idle=1 25 # 配置获取连接等待超时的时间 26 spring.datasource.druid.max-wait=60000 27 #打开pscache,并且指定每个连接上pscache的大小 28 spring.datasource.druid.pool-prepared-statements=true 29 spring.datasource.druid.max-pool-prepared-statement-per-connection-size=20 30 #spring.datasource.druid.max-open-prepared-statements=和上面的等价 31 spring.datasource.druid.validation-query=select 'x' 32 #spring.datasource.druid.validation-query-timeout= 33 spring.datasource.druid.test-on-borrow=false 34 spring.datasource.druid.test-on-return=false 35 spring.datasource.druid.test-while-idle=true 36 #配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒 37 spring.datasource.druid.time-between-eviction-runs-millis=60000 38 #配置一个连接在池中最小生存的时间,单位是毫秒 39 spring.datasource.druid.min-evictable-idle-time-millis=300000 40 #spring.datasource.druid.max-evictable-idle-time-millis= 41 #配置多个英文逗号分隔 42 #spring.datasource.druid.filters= stat 43 44 # webstatfilter配置,说明请参考druid wiki,配置_配置webstatfilter 45 #是否启用statfilter默认值true 46 spring.datasource.druid.web-stat-filter.enabled=true 47 spring.datasource.druid.web-stat-filter.url-pattern=/* 48 spring.datasource.druid.web-stat-filter.exclusions=*.js,*.gif,*.jpg,*.png,*.css,*.ico,/druid/* 49 spring.datasource.druid.web-stat-filter.session-stat-enable=false 50 spring.datasource.druid.web-stat-filter.session-stat-max-count=1000 51 spring.datasource.druid.web-stat-filter.principal-session-name=admin 52 spring.datasource.druid.web-stat-filter.principal-cookie-name=admin 53 spring.datasource.druid.web-stat-filter.profile-enable=true 54 55 # statviewservlet配置 56 #展示druid的统计信息,statviewservlet的用途包括:1.提供监控信息展示的html页面2.提供监控信息的json api 57 #是否启用statviewservlet默认值true 58 spring.datasource.druid.stat-view-servlet.enabled=true 59 spring.datasource.druid.stat-view-servlet.url-pattern=/druid/* 60 61 62 # jpa config 63 spring.jpa.database=mysql 64 spring.jpa.hibernate.ddl-auto=update 65 spring.jpa.show-sql=true 66 spring.jpa.generate-ddl=true 67 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.mysql5dialect 68 spring.jpa.open-in-view=true 69 # 解决jpa no session的问题 70 spring.jpa.properties.hibernate.enable_lazy_load_no_trans=true
这里使用数据库存储角色权限信息,分三种实体:用户;角色;资源;用户对角色多对多;角色对资源多对多
创建几个实体类:
用户:这里直接使用用户持久化对象实现spring security要求的userdetails接口,并实现对应方法
我要评论 1 package com.cas.client1.entity;
2
3 import org.springframework.security.core.grantedauthority;
4 import org.springframework.security.core.userdetails.userdetails;
5 import org.springframework.util.collectionutils;
6
7 import javax.persistence.*;
8 import java.util.arraylist;
9 import java.util.collection;
10 import java.util.list;
11
12 @entity
13 @table(name = "s_user")
14 public class user implements userdetails {
15 @id
16 private string id;
17 @column(name = "username")
18 private string username;
19 @column(name = "password")
20 private string password;
21
22 @manytomany(fetch = fetchtype.lazy)
23 @jointable(
24 name = "s_user_role",
25 joincolumns = @joincolumn(name = "user_id"),
26 inversejoincolumns = @joincolumn(name = "role_id")
27 )
28 private list<role> roles;
29
30 public user() {
31 }
32
33 public user(string id, string username, string password) {
34 this.id = id;
35 this.username = username;
36 this.password = password;
37 }
38
39 public string getid() {
40 return id;
41 }
42
43 public void setid(string id) {
44 this.id = id;
45 }
46
47 public list<role> getroles() {
48 return roles;
49 }
50
51 public void setroles(list<role> roles) {
52 this.roles = roles;
53 }
54
55 @override
56 public string getusername() {
57 return username;
58 }
59
60 @override
61 public boolean isaccountnonexpired() {
62 return true;
63 }
64
65 @override
66 public boolean isaccountnonlocked() {
67 return true;
68 }
69
70 @override
71 public boolean iscredentialsnonexpired() {
72 return true;
73 }
74
75 @override
76 public boolean isenabled() {
77 return true;
78 }
79
80 public void setusername(string username) {
81 this.username = username;
82 }
83
84 @transient
85 list<grantedauthority> grantedauthorities=new arraylist<>();
86 @override
87 public collection<? extends grantedauthority> getauthorities() {
88 if (grantedauthorities.size()==0){
89 if (!collectionutils.isempty(roles)){
90 for (role role:roles){
91 list<resource> resources = role.getresources();
92 if (!collectionutils.isempty(resources)){
93 for (resource resource:resources){
94 grantedauthorities.add(new simplegrantedauthority(resource.getrescode()));
95 }
96 }
97 }
98 }
99 grantedauthorities.add(new simplegrantedauthority("auth_0"));
100 }
101 return grantedauthorities;
102 }
103 @override
104 public string getpassword() {
105 return password;
106 }
107
108 public void setpassword(string password) {
109 this.password = password;
110 }
111 }
注意看这里:
我给每一位登录的用户都授予了auth_0的权限,auth_0在下面的securitymetadatasource里被关联的url为:/**,也就是说除开那些机密程度更高的,这个登录用户能访问所有资源
角色:
1 package com.cas.client1.entity;
2
3 import javax.persistence.*;
4 import java.util.list;
5
6 /**
7 * @author administrator
8 */
9 @entity
10 @table(name = "s_role")
11 public class role {
12 @id
13 @column(name = "id")
14 private string id;
15 @column(name = "role_name")
16 private string rolename;
17
18 @manytomany(fetch = fetchtype.lazy)
19 @jointable(
20 name = "s_role_res",
21 joincolumns = @joincolumn(name = "role_id"),
22 inversejoincolumns = @joincolumn(name = "res_id")
23 )
24 private list<resource> resources;
25 @manytomany(fetch = fetchtype.lazy)
26 @jointable(
27 name = "s_user_role",
28 joincolumns = @joincolumn(name = "role_id"),
29 inversejoincolumns = @joincolumn(name = "user_id")
30 )
31 private list<user> users;
32
33 public string getid() {
34 return id;
35 }
36
37 public void setid(string id) {
38 this.id = id;
39 }
40
41 public string getrolename() {
42 return rolename;
43 }
44
45 public void setrolename(string rolename) {
46 this.rolename = rolename;
47 }
48
49 public list<resource> getresources() {
50 return resources;
51 }
52
53 public void setresources(list<resource> resources) {
54 this.resources = resources;
55 }
56
57 public list<user> getusers() {
58 return users;
59 }
60
61 public void setusers(list<user> users) {
62 this.users = users;
63 }
64 }
权限:
1 package com.cas.client1.entity;
2
3 import javax.persistence.column;
4 import javax.persistence.entity;
5 import javax.persistence.id;
6 import javax.persistence.table;
7
8 @entity
9 @table(name = "s_resource")
10 public class resource {
11 @id
12 @column(name = "id")
13 private string id;
14 @column(name = "res_name")
15 private string resname;
16 @column(name = "res_code")
17 private string rescode;
18 @column(name = "url")
19 private string url;
20 @column(name = "priority")
21 private string priority;
22
23 public string getid() {
24 return id;
25 }
26
27 public void setid(string id) {
28 this.id = id;
29 }
30
31 public string getresname() {
32 return resname;
33 }
34
35 public void setresname(string resname) {
36 this.resname = resname;
37 }
38
39 public string getrescode() {
40 return rescode;
41 }
42
43 public void setrescode(string rescode) {
44 this.rescode = rescode;
45 }
46
47 public string geturl() {
48 return url;
49 }
50
51 public void seturl(string url) {
52 this.url = url;
53 }
54
55 public string getpriority() {
56 return priority;
57 }
58
59 public void setpriority(string priority) {
60 this.priority = priority;
61 }
62 }
建立几个dao
userdao:
1 package com.cas.client1.dao;
2
3 import com.cas.client1.entity.user;
4 import org.springframework.data.jpa.repository.jparepository;
5 import org.springframework.data.jpa.repository.query;
6 import org.springframework.data.repository.query.param;
7 import org.springframework.stereotype.repository;
8
9 import java.util.list;
10
11 @repository
12 public interface userdao extends jparepository<user,string> {
13 @override
14 list<user> findall();
15
16 list<user> findbyusername(string username);
17
18 /**
19 * 根据用户名like查询
20 * @param username
21 * @return
22 */
23 list<user> getuserbyusernamecontains(string username);
24
25 @query("from user where id=:id")
26 user getuserbyid(@param("id") string id);
27
28 }
resourcedao:
1 package com.cas.client1.dao;
2
3 import com.cas.client1.entity.resource;
4 import org.springframework.data.jpa.repository.jparepository;
5 import org.springframework.data.jpa.repository.query;
6 import org.springframework.stereotype.repository;
7
8 import java.util.list;
9
10 /**
11 * @author administrator
12 */
13 @repository
14 public interface resourcedao extends jparepository<resource,string> {
15
16 @query("from resource order by priority")
17 list<resource> getallresource();
18 }
service
userservice:
1 package com.cas.client1.service;
2
3 import com.cas.client1.dao.userdao;
4 import com.cas.client1.entity.user;
5 import org.springframework.beans.factory.annotation.autowired;
6 import org.springframework.stereotype.service;
7
8 import java.util.list;
9
10 @service
11 public class userservice {
12 @autowired
13 private userdao userdao;
14
15 public user findbyusername(string username){
16 list<user> list = userdao.findbyusername(username);
17 return list!=null&&list.size()>0?list.get(0):null;
18 }
19 }
resourceservice:
1 package com.cas.client1.service;
2
3 import com.cas.client1.dao.resourcedao;
4 import com.cas.client1.entity.resource;
5 import org.springframework.beans.factory.annotation.autowired;
6 import org.springframework.stereotype.service;
7
8 import java.util.list;
9
10 @service
11 public class resourceservice {
12 @autowired
13 private resourcedao resourcedao;
14
15 public list<resource> getall(){
16 return resourcedao.getallresource();
17 }
18 }
创建userdetailsserviceimpl,实现userdetailsservice接口,这个类是用以提供给spring security从数据库加载用户信息的
1 package com.cas.client1.security;
2
3 import com.cas.client1.entity.user;
4 import com.cas.client1.service.userservice;
5 import org.springframework.beans.factory.annotation.autowired;
6 import org.springframework.security.cas.authentication.casassertionauthenticationtoken;
7 import org.springframework.security.core.userdetails.authenticationuserdetailsservice;
8 import org.springframework.security.core.userdetails.userdetails;
9 import org.springframework.security.core.userdetails.userdetailsservice;
10 import org.springframework.security.core.userdetails.usernamenotfoundexception;
11 import org.springframework.stereotype.component;
12
13 /**
14 * @author administrator
15 */
16 @suppresswarnings("all")
17 @component
18 public class userdetailsserviceimpl implements userdetailsservice{
19 @autowired
20 private userservice userservice;
21 @override
22 public userdetails loaduserbyusername(string username) throws usernamenotfoundexception {
23 user user = userservice.findbyusername(username);
24 return user;
25 }
26
27
28 }
记得加@component注解,以把实例交由spring管理,或@service,你们喜欢就好
创建securitymetadatasource类
该类实现spring security的filterinvocationsecuritymetadatasource接口,作用是提供权限的元数据定义,并根据请求url匹配该url所需要的权限,获取权限后交由accessdecisionmanager的实现者裁定能否访问这个url,不能则会返回403的http错误码
securitymetadatasource:
1 package com.cas.client1.security;
2
3 import com.cas.client1.entity.resource;
4 import com.cas.client1.service.resourceservice;
5 import org.springframework.beans.factory.annotation.autowired;
6 import org.springframework.security.access.accessdecisionmanager;
7 import org.springframework.security.access.configattribute;
8 import org.springframework.security.access.securityconfig;
9 import org.springframework.security.access.intercept.abstractsecurityinterceptor;
10 import org.springframework.security.web.filterinvocation;
11 import org.springframework.security.web.access.intercept.filterinvocationsecuritymetadatasource;
12 import org.springframework.security.web.util.matcher.andrequestmatcher;
13 import org.springframework.security.web.util.matcher.antpathrequestmatcher;
14 import org.springframework.security.web.util.matcher.requestmatcher;
15 import org.springframework.stereotype.component;
16
17 import javax.annotation.postconstruct;
18 import java.util.*;
19
20 @component
21 public class securitymetadatasource implements filterinvocationsecuritymetadatasource {
22
23 @autowired
24 private resourceservice resourceservice;
25
26 private linkedhashmap<string,collection<configattribute>> metadata;
27 @postconstruct
28 private void loadsecuritymetadata(){
29 list<resource> list = resourceservice.getall();
30 metadata=new linkedhashmap<>();
31 for (resource resource:list){
32 list<configattribute> attributes=new arraylist<>();
33 attributes.add(new securityconfig(resource.getrescode()));
34 metadata.put(resource.geturl(),attributes);
35 }
36 list<configattribute> base=new arraylist<>();
37 base.add(new securityconfig("auth_0"));
38 metadata.put("/**",base);
39 }
40
41 @override
42 public collection<configattribute> getattributes(object object) throws illegalargumentexception {
43 filterinvocation invocation= (filterinvocation) object;
44 if (metadata==null){
45 return new arraylist<>(0);
46 }
47 string requesturl = invocation.getrequesturl();
48 system.out.println("请求url:"+requesturl);
49 iterator<map.entry<string, collection<configattribute>>> iterator = metadata.entryset().iterator();
50 collection<configattribute> rs=new arraylist<>();
51 while (iterator.hasnext()){
52 map.entry<string, collection<configattribute>> next = iterator.next();
53 string url = next.getkey();
54 collection<configattribute> value = next.getvalue();
55 requestmatcher requestmatcher=new antpathrequestmatcher(url);
56 if (requestmatcher.matches(invocation.getrequest())){
57 rs = value;
58 break;
59 }
60 }
61 system.out.println("拦截认证权限为:"+rs);
62 return rs;
63 }
64
65 @override
66 public collection<configattribute> getallconfigattributes() {
67 system.out.println("invoke getallconfigattributes ");
68 //loadsecuritymetadata();
69 //system.out.println("初始化元数据");
70 collection<collection<configattribute>> values = metadata.values();
71 collection<configattribute> all=new arraylist<>();
72 for (collection<configattribute> each:values){
73 each.foreach(configattribute -> {
74 all.add(configattribute);
75 });
76 }
77 return all;
78 }
79
80 @override
81 public boolean supports(class<?> clazz) {
82 return true;
83 }
84 }
同理:记得加上@component注解
重头戏来了!spring security的配置
创建springsecurityconfig类
该类继承于websecurityconfigureradapter,核心的配置类,在这里定义spring security的使用方式
springsecurityconfig
1 package com.cas.client1.security;
2
3 import com.cas.client1.config.casproperties;
4 import org.springframework.beans.factory.annotation.autowired;
5 import org.springframework.context.annotation.bean;
6 import org.springframework.context.annotation.configuration;
7 import org.springframework.security.access.accessdecisionmanager;
8 import org.springframework.security.access.accessdecisionvoter;
9 import org.springframework.security.access.vote.affirmativebased;
10 import org.springframework.security.access.vote.rolevoter;
11 import org.springframework.security.authentication.authenticationmanager;
12 import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;
13 import org.springframework.security.config.annotation.web.builders.httpsecurity;
14 import org.springframework.security.config.annotation.web.builders.websecurity;
15 import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
16 import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;
17 import org.springframework.security.crypto.bcrypt.bcryptpasswordencoder;
18 import org.springframework.security.web.access.intercept.filtersecurityinterceptor;
19
20 import java.util.arraylist;
21 import java.util.list;
22
23 /**
24 * spring security配置
25 * @author youyp
26 * @date 2018-8-10
27 */
28 @suppresswarnings("all")
29 @configuration
30 @enablewebsecurity
31 public class springsecurityconfig extends websecurityconfigureradapter {
32 @autowired
33 private userdetailsserviceimpl userdetailsservice;
34
35 @autowired
36 private securitymetadatasource securitymetadatasource;
37
38 @override
39 protected void configure(authenticationmanagerbuilder auth) throws exception {
40 super.configure(auth);
41 }
42
43 @override
44 public void configure(websecurity web) throws exception {
45 web.ignoring().antmatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
46 "/error","/login.do");
47 }
48
49 @override
50 protected void configure(httpsecurity http) throws exception {
51 system.out.println("配置spring security");
52 http.formlogin()
53 //指定登录页是”/login”
54 .loginpage("/login.html").permitall()
55 .loginprocessingurl("/login.do").permitall()
56 .defaultsuccessurl("/home",true)
57 .permitall()
58 //登录成功后可使用loginsuccesshandler()存储用户信息,可选。
59 //.successhandler(loginsuccesshandler()).permitall()
60 .and()
61 .logout().permitall()
62 .invalidatehttpsession(true)
63 .and()
64 //登录后记住用户,下次自动登录,数据库中必须存在名为persistent_logins的表
65 .rememberme()
66 .tokenvalidityseconds(1209600)
67 .and()
68 .csrf().disable()
69 //其他所有资源都需要认证,登陆后访问
70 .authorizerequests().anyrequest().fullyauthenticated();
71
72 http.addfilterbefore(filtersecurityinterceptor(),filtersecurityinterceptor.class);
73 }
74
75 /**
76 * 注意:这里不能加@bean注解
77 * @return
78 * @throws exception
79 */
80 //@bean
81 public filtersecurityinterceptor filtersecurityinterceptor() throws exception {
82 filtersecurityinterceptor filtersecurityinterceptor=new filtersecurityinterceptor();
83 filtersecurityinterceptor.setsecuritymetadatasource(securitymetadatasource);
84 filtersecurityinterceptor.setauthenticationmanager(authenticationmanager());
85 filtersecurityinterceptor.setaccessdecisionmanager(affirmativebased());
86 return filtersecurityinterceptor;
87 }
88
89
90 /**
91 * 重写authenticationmanager获取的方法并且定义为bean
92 * @return
93 * @throws exception
94 */
95 @override
96 @bean
97 public authenticationmanager authenticationmanagerbean() throws exception {
98 return super.authenticationmanagerbean();
99 }
100
101 @autowired
102 public void configureglobal(authenticationmanagerbuilder auth) throws exception {
103 //指定密码加密所使用的加密器为passwordencoder()
104 //需要将密码加密后写入数据库
105 auth.userdetailsservice(userdetailsservice).passwordencoder(passwordencoder());
106 auth.erasecredentials(false);
107 }
108
109 @bean
110 public bcryptpasswordencoder passwordencoder() {
111
112 return new bcryptpasswordencoder(4);
113 }
114
115
116 /**
117 * 定义决策管理器,这里可直接使用内置的affirmativebased选举器,
118 * 如果需要,可自定义,继承abstractaccessdecisionmanager,实现decide方法即可
119 * @return
120 */
121 @bean
122 public accessdecisionmanager affirmativebased(){
123 list<accessdecisionvoter<? extends object>> voters=new arraylist<>();
124 voters.add(rolevoter());
125 system.out.println("正在创建决策管理器");
126 return new affirmativebased(voters);
127 }
128
129 /**
130 * 定义选举器
131 * @return
132 */
133 @bean
134 public rolevoter rolevoter(){
135 //这里使用角色选举器
136 rolevoter voter=new rolevoter();
137 system.out.println("正在创建选举器");
138 voter.setroleprefix("auth_");
139 system.out.println("已将角色选举器的前缀修改为auth_");
140 return voter;
141 }
142
143 }
说一个注意点:
filtersecurityinterceptor这个过滤器最为重要,它负责数据库权限信息加载,权限鉴定等关键动作,这个过滤器位于springsecurityfilterchain,即spring security的过滤器链中,如果将这个类在配置类中加了@bean注解,那么它将直接加入web容器的过滤器链中,这个链是首层过滤器链,
进入这个过滤器链之后才会进入springsecurityfilterchain这个负责安全的链条,如果这个跑到外层去了,就会导致这个独有的过滤器一直在生效,请求无限被拦截重定向,因为这个过滤器前面没有别的过滤器阻止它生效,如果它位于springsecurityfilterchain中,在进入filtersecurityinterceptor这个
过滤器之前会有很多的spring security过滤器在生效,如果不满足前面的过滤器的条件,不会进入到这个过滤器。也就是说,要进入到这个过滤器,必须要从springsecurityfilterchain进入,从其他地方进入都会导致请求被无限重定向
另外
filtersecurityinterceptor这个类继承于abstractsecurityinterceptor并实现filter接口,由此我们可以重写该类,自定义我们的特殊业务,但是,个人觉得filtersecurityinterceptor这个实现类已经很完整地实现了这个过滤器应做的工作,没有必要重写
类似的,还有accessdecisionmanager这个“决策者”,spring security为这个功能提供了几个默认的实现者,如affirmativebased这个类,是一个基于投票的决策器,投票器(voter)要求实现accessdecisionvoter接口,spring security已为我们提供了几个很有用的投票器如rolevoter,webexpressionvoter
这些我们都没有必要去自定义,而且自定义出来的也没有默认实现拓展性和稳定性更好
再定义一个登陆的controller
logincontroller
1 package com.cas.client2.casclient2.controller;
2
3 import org.springframework.beans.factory.annotation.autowired;
4 import org.springframework.security.authentication.authenticationmanager;
5 import org.springframework.security.authentication.usernamepasswordauthenticationtoken;
6 import org.springframework.security.cas.authentication.casauthenticationtoken;
7 import org.springframework.security.cas.web.casauthenticationfilter;
8 import org.springframework.security.core.authentication;
9 import org.springframework.security.core.context.securitycontextholder;
10 import org.springframework.stereotype.controller;
11 import org.springframework.web.bind.annotation.requestmapping;
12
13 import javax.servlet.http.httpsession;
14
15 @suppresswarnings("all")
16 @controller
17 public class logincontroller {
18 @autowired
19 private authenticationmanager authenticationmanager;
20
21 /**
22 * 自定义登录地址
23 * @param username
24 * @param password
25 * @param session
26 * @return
27 */
28 @requestmapping("login.do")
29 public string login(string username,string passwod, httpsession session){
30 try {
31 system.out.println("进入登录请求..........");
32 usernamepasswordauthenticationtoken token=new usernamepasswordauthenticationtoken(username,passwod);
33
34 authentication authentication=authenticationmanager.authenticate(token);
35 securitycontextholder.getcontext().setauthentication(authentication);
36 session.setattribute("spring_security_context", securitycontextholder.getcontext());
37 system.out.println("登录成功");
38 return "redirect:home.html";
39 }catch (exception e){
40 e.printstacktrace();
41 return "login.html";
42 }
43
44 }
45 }
创建几个页面:在resources下创建文件夹html,用于存放html静态文件,
home.html
1 <!doctype html> 2 <html lang="en"> 3 <head> 4 <meta charset="utf-8"> 5 <title>home</title> 6 </head> 7 <body> 8 <h1>welcome to home</h1> 9 <button onclick="javascript:location.href='/logout'">退出</button> 10 </body> 11 </html>
login.html
1 <!doctype html>
2 <html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
3 xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
4 <head>
5 <meta charset="utf-8">
6 <title>登录</title>
7 </head>
8
9 <body>
10 <span style="color: red" id="msg"></span>
11 <form action="/login.do" method="post">
12 <div><label> user name : <input type="text" name="username"/> </label></div>
13 <div><label> password: <input type="password" name="password"/> </label></div>
14 <div><input type="submit" value="sign in"/></div>
15 <input type="checkbox" name="remember-me" value="true" th:checked="checked"/><p>remember me</p>
16 </form>
17
18 </body>
19 <script type="text/javascript">
20 var url=location.href
21 var param=url.split("?")[1];
22 console.log(param);
23 if (param){
24 var p=param.split("&");
25 var msg=p[0].split("=")[1];
26 document.getelementbyid("msg").innerhtml=msg;
27 }
28 </script>
29 </html>
admin.html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>admin</title>
</head>
<body>
你好,欢迎登陆,这是管理员界面,拥有/admin.html的访问权限才能访问
</body>
</html>
再定义几个错误页面
在html文件夹下创建一个error文件夹,在error文件夹中创建403.html,404.html,500.html;在程序遇到这些错误码时,会自动跳转到对应的页面
先启动一下项目,让spring-data-jpa反向生成一下表结构
再往数据库插入几条数据:
用户表的密码需要放密文,我们把我们的明文密码使用我们的密码encoder转一下:bcryptpasswordencoder.encode("123");得到密文后存到数据库的password字段中
用户表:
资源表:即权限信息表
角色表:
角色权限中间表:
我们先不给用户配置角色,现在是空角色
启动spring boot启动类,访问localhost:8083,检测到没登录会自动跳到登录页面,登录后自动跳转到home.html
访问admin.html,返回403页面,当前用户无权限访问
再将刚刚的角色分配给用户,再次访问
此时便可访问,大功告成!
报了个警告,说我们没有配置ssl,也就是需要配置https,不过可以不用配置,测试环境下先不管它,具体怎么配详情请百度
部署好cas服务器后,我们便可以在我们的客户端集成cas认证了
1 <!-- security 对cas支持 --> 2 <dependency> 3 <groupid>org.springframework.security</groupid> 4 <artifactid>spring-security-cas</artifactid> 5 </dependency>
修改一下我们的userdetailsserviceimpl类,让它实现authenticationuserdetailsservice<casassertionauthenticationtoken>接口
userdetailsserviceimpl:
1 package com.cas.client1.security;
2
3 import com.cas.client1.entity.user;
4 import com.cas.client1.service.userservice;
5 import org.springframework.beans.factory.annotation.autowired;
6 import org.springframework.security.cas.authentication.casassertionauthenticationtoken;
7 import org.springframework.security.core.userdetails.authenticationuserdetailsservice;
8 import org.springframework.security.core.userdetails.userdetails;
9 import org.springframework.security.core.userdetails.userdetailsservice;
10 import org.springframework.security.core.userdetails.usernamenotfoundexception;
11 import org.springframework.stereotype.component;
12
13 /**
14 * @author administrator
15 */
16 @suppresswarnings("all")
17 @component
18 public class userdetailsserviceimpl implements userdetailsservice,
19 authenticationuserdetailsservice<casassertionauthenticationtoken> {
20 @autowired
21 private userservice userservice;
22 @override
23 public userdetails loaduserbyusername(string username) throws usernamenotfoundexception {
24 user user = userservice.findbyusername(username);
25 return user;
26 }
27
28 /**
29 * 实现authenticationuserdetailsservice的方法,
30 * 用于获取cas server返回的用户信息,再根据用户关键信息加载出用户在当前系统的权限
31 * @param token
32 * @return
33 * @throws usernamenotfoundexception
34 */
35 @override
36 public userdetails loaduserdetails(casassertionauthenticationtoken token) throws usernamenotfoundexception {
37 string name = token.getname();
38 system.out.println("获得的用户名:"+name);
39 user user = userservice.findbyusername(name);
40 if (user==null){
41 throw new usernamenotfoundexception(name+"不存在");
42 }
43 return user;
44 }
45 }
在application.properties文件中加上以下内容:
1 # cas服务器地址
2 cas.server.host.url=http://localhost:8081/cas
3 # cas服务器登录地址
4 cas.server.host.login_url=${cas.server.host.url}/login
5 # cas服务器登出地址
6 cas.server.host.logout_url=${cas.server.host.url}/logout?service=${app.server.host.url}
7 # 应用访问地址
8 app.server.host.url=http://localhost:8083
9 # 应用登录地址
10 app.login.url=/login.do
11 # 应用登出地址
12 app.logout.url=/logout
新增一个配置实体类
casproperties
package com.cas.client1.config;
import org.springframework.beans.factory.annotation.value;
import org.springframework.stereotype.component;
@component
public class casproperties {
@value("${cas.server.host.url}")
private string casserverurl;
@value("${cas.server.host.login_url}")
private string casserverloginurl;
@value("${cas.server.host.logout_url}")
private string casserverlogouturl;
@value("${app.server.host.url}")
private string appserverurl;
@value("${app.login.url}")
private string apploginurl;
@value("${app.logout.url}")
private string applogouturl;
/**get set方法略
*/
}
再修改一下我们的spring security配置类
1 package com.cas.client1.security;
2
3 import com.cas.client1.config.casproperties;
4 import org.jasig.cas.client.session.singlesignoutfilter;
5 import org.jasig.cas.client.validation.cas20serviceticketvalidator;
6 import org.springframework.beans.factory.annotation.autowired;
7 import org.springframework.context.annotation.bean;
8 import org.springframework.context.annotation.configuration;
9 import org.springframework.http.httpmethod;
10 import org.springframework.security.access.accessdecisionmanager;
11 import org.springframework.security.access.accessdecisionvoter;
12 import org.springframework.security.access.vote.affirmativebased;
13 import org.springframework.security.access.vote.rolevoter;
14 import org.springframework.security.authentication.authenticationmanager;
15 import org.springframework.security.cas.serviceproperties;
16 import org.springframework.security.cas.authentication.casauthenticationprovider;
17 import org.springframework.security.cas.web.casauthenticationentrypoint;
18 import org.springframework.security.cas.web.casauthenticationfilter;
19 import org.springframework.security.config.annotation.authentication.builders.authenticationmanagerbuilder;
20 import org.springframework.security.config.annotation.web.builders.httpsecurity;
21 import org.springframework.security.config.annotation.web.builders.websecurity;
22 import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
23 import org.springframework.security.config.annotation.web.configuration.websecurityconfigureradapter;
24 import org.springframework.security.crypto.bcrypt.bcryptpasswordencoder;
25 import org.springframework.security.web.access.intercept.filtersecurityinterceptor;
26 import org.springframework.security.web.authentication.logout.logoutfilter;
27 import org.springframework.security.web.authentication.logout.securitycontextlogouthandler;
28
29 import java.util.arraylist;
30 import java.util.list;
31
32 /**
33 * spring security配置
34 * @author youyp
35 * @date 2018-8-10
36 */
37 @suppresswarnings("all")
38 @configuration
39 @enablewebsecurity
40 public class springsecurityconfig extends websecurityconfigureradapter {
41 @autowired
42 private casproperties casproperties;
43
44 @autowired
45 private userdetailsserviceimpl userdetailsservice;
46
47 @autowired
48 private securitymetadatasource securitymetadatasource;
49
50 @override
51 protected void configure(authenticationmanagerbuilder auth) throws exception {
52 super.configure(auth);
53 auth.authenticationprovider(casauthenticationprovider());
54 }
55
56 @override
57 public void configure(websecurity web) throws exception {
58 web.ignoring().antmatchers("/js/**","/css/**","/img/**","/*.ico","/login.html",
59 "/error","/login.do");
60 //web.ignoring().antmatchers("/js/**","/css/**","/img/**","/*.ico",,"/home");
61 //web.ignoring().antmatchers("/**");
62 // super.configure(web);
63
64 }
65
66 @override
67 protected void configure(httpsecurity http) throws exception {
68 system.out.println("配置spring security");
69 http.formlogin()
70 //指定登录页是”/login”
71 //.loginpage("/login.html").permitall()
72 //.loginprocessingurl("/login.do").permitall()
73 //.defaultsuccessurl("/home",true)
74 //.permitall()
75 //登录成功后可使用loginsuccesshandler()存储用户信息,可选。
76 //.successhandler(loginsuccesshandler()).permitall()
77 .and()
78 .logout().permitall()
79 //退出登录后的默认网址是”/home”
80 //.logoutsuccessurl("/home.html")
81 //.permitall()
82 .invalidatehttpsession(true)
83 .and()
84 //登录后记住用户,下次自动登录,数据库中必须存在名为persistent_logins的表
85 .rememberme()
86 .tokenvalidityseconds(1209600)
87 .and()
88 .csrf().disable()
89 //其他所有资源都需要认证,登陆后访问
90 .authorizerequests().anyrequest().fullyauthenticated();
91 http.exceptionhandling().authenticationentrypoint(casauthenticationentrypoint())
92 .and()
93 .addfilterat(casauthenticationfilter(),casauthenticationfilter.class)
94 .addfilterbefore(caslogoutfilter(),logoutfilter.class)
95 .addfilterbefore(singlesignoutfilter(),casauthenticationfilter.class);
96 /**
97 * filtersecurityinterceptor本身属于过滤器,不能在外面定义为@bean,
98 * 如果定义在外面,则这个过滤器会被独立加载到webcontext中,导致请求会一直被这个过滤器拦截
99 * 加入到springsecurity的过滤器链中,才会使它完整的生效
100 */
101 http.addfilterbefore(filtersecurityinterceptor(),filtersecurityinterceptor.class);
102 }
103
104 /**
105 * 注意:这里不能加@bean注解
106 * @return
107 * @throws exception
108 */
109 // @bean
110 public filtersecurityinterceptor filtersecurityinterceptor() throws exception {
111 filtersecurityinterceptor filtersecurityinterceptor=new filtersecurityinterceptor();
112 filtersecurityinterceptor.setsecuritymetadatasource(securitymetadatasource);
113 filtersecurityinterceptor.setauthenticationmanager(authenticationmanager());
114 filtersecurityinterceptor.setaccessdecisionmanager(affirmativebased());
115 return filtersecurityinterceptor;
116 }
117
118 /**
119 * 认证入口
120 * <p>
121 * <b>note:</b>浏览器访问不可直接填客户端的login请求,若如此则会返回error页面,无法被此入口拦截
122 * </p>
123 * @return
124 */
125 @bean
126 public casauthenticationentrypoint casauthenticationentrypoint(){
127 casauthenticationentrypoint casauthenticationentrypoint=new casauthenticationentrypoint();
128 casauthenticationentrypoint.setloginurl(casproperties.getcasserverloginurl());
129 casauthenticationentrypoint.setserviceproperties(serviceproperties());
130 return casauthenticationentrypoint;
131 }
132
133 @bean
134 public serviceproperties serviceproperties() {
135 serviceproperties serviceproperties=new serviceproperties();
136 serviceproperties.setservice(casproperties.getappserverurl()+casproperties.getapploginurl());
137 serviceproperties.setauthenticateallartifacts(true);
138 return serviceproperties;
139 }
140
141 // @bean
142 public casauthenticationfilter casauthenticationfilter() throws exception {
143 casauthenticationfilter casauthenticationfilter=new casauthenticationfilter();
144 casauthenticationfilter.setauthenticationmanager(authenticationmanager());
145 casauthenticationfilter.setfilterprocessesurl(casproperties.getapploginurl());
146 // casauthenticationfilter.setauthenticationsuccesshandler(
147 // new simpleurlauthenticationsuccesshandler("/home.html"));
148 return casauthenticationfilter;
149 }
150
151 @bean
152 public casauthenticationprovider casauthenticationprovider(){
153 casauthenticationprovider casauthenticationprovider=new casauthenticationprovider();
154 casauthenticationprovider.setauthenticationuserdetailsservice(userdetailsservice);
155
156 casauthenticationprovider.setserviceproperties(serviceproperties());
157 casauthenticationprovider.setticketvalidator(cas20serviceticketvalidator());
158 casauthenticationprovider.setkey("casauthenticationproviderkey");
159 return casauthenticationprovider;
160 }
161
162 @bean
163 public cas20serviceticketvalidator cas20serviceticketvalidator() {
164 return new cas20serviceticketvalidator(casproperties.getcasserverurl());
165 }
166
167 // @bean
168 public singlesignoutfilter singlesignoutfilter(){
169 singlesignoutfilter singlesignoutfilter=new singlesignoutfilter();
170 singlesignoutfilter.setcasserverurlprefix(casproperties.getcasserverurl());
171 singlesignoutfilter.setignoreinitconfiguration(true);
172 return singlesignoutfilter;
173 }
174
175 // @bean
176 public logoutfilter caslogoutfilter(){
177 logoutfilter logoutfilter = new logoutfilter(casproperties.getcasserverlogouturl(), new securitycontextlogouthandler());
178 logoutfilter.setfilterprocessesurl(casproperties.getapplogouturl());
179 return logoutfilter;
180 }
181
182 /**
183 * 重写authenticationmanager获取的方法并且定义为bean
184 * @return
185 * @throws exception
186 */
187 @override
188 @bean
189 public authenticationmanager authenticationmanagerbean() throws exception {
190 return super.authenticationmanagerbean();
191 }
192
193 @autowired
194 public void configureglobal(authenticationmanagerbuilder auth) throws exception {
195 //指定密码加密所使用的加密器为passwordencoder()
196 //需要将密码加密后写入数据库
197 //auth.userdetailsservice(userdetailsservice).passwordencoder(passwordencoder());
198 //auth.erasecredentials(false);
199 }
200
201 @bean
202 public bcryptpasswordencoder passwordencoder() {
203
204 return new bcryptpasswordencoder(4);
205 }
206
207
208 /**
209 * 定义决策管理器,这里可直接使用内置的affirmativebased选举器,
210 * 如果需要,可自定义,继承abstractaccessdecisionmanager,实现decide方法即可
211 * @return
212 */
213 @bean
214 public accessdecisionmanager affirmativebased(){
215 list<accessdecisionvoter<? extends object>> voters=new arraylist<>();
216 voters.add(rolevoter());
217 system.out.println("正在创建决策管理器");
218 return new affirmativebased(voters);
219 }
220
221 /**
222 * 定义选举器
223 * @return
224 */
225 @bean
226 public rolevoter rolevoter(){
227 //这里使用角色选举器
228 rolevoter voter=new rolevoter();
229 system.out.println("正在创建选举器");
230 voter.setroleprefix("auth_");
231 system.out.println("已将角色选举器的前缀修改为auth_");
232 return voter;
233 }
234
235
236 @bean
237 public loginsuccesshandler loginsuccesshandler() {
238 return new loginsuccesshandler();
239 }
240
241
242 }
这里我们新增了几个filter,请注意,这几个filter定义时都不能配置@bean注解,原因以上相同,这几个filter都要加入到springsecurity的filterchain中,而不是直接加入到web容器的filterchain中
再修改一下logincontroller
1 package com.cas.client1.controller;
2
3 import org.springframework.beans.factory.annotation.autowired;
4 import org.springframework.security.authentication.authenticationmanager;
5 import org.springframework.security.authentication.usernamepasswordauthenticationtoken;
6 import org.springframework.security.cas.web.casauthenticationfilter;
7 import org.springframework.security.core.authentication;
8 import org.springframework.security.core.context.securitycontextholder;
9 import org.springframework.security.web.authentication.usernamepasswordauthenticationfilter;
10 import org.springframework.stereotype.controller;
11 import org.springframework.web.bind.annotation.requestmapping;
12
13 import javax.servlet.http.httpsession;
14
15 @suppresswarnings("duplicates")
16 @controller
17 public class logincontroller {
18 @autowired
19 private authenticationmanager authenticationmanager;
20
21 /**
22 * 自定义登录地址
23 * @param username
24 * @param password
25 * @param session
26 * @return
27 */
28 @requestmapping("login.do")
29 public string login(string ticket, httpsession session){
30 try {
31 system.out.println("进入登录请求..........");
32 //cas单点登录的用户名就是:_cas_stateful_ ,用户凭证是server传回来的ticket
33 string username = casauthenticationfilter.cas_stateful_identifier;
34 usernamepasswordauthenticationtoken token=new usernamepasswordauthenticationtoken(username,ticket);
35 authentication authentication=authenticationmanager.authenticate(token);
36 securitycontextholder.getcontext().setauthentication(authentication);
37 session.setattribute("spring_security_context", securitycontextholder.getcontext());
38 system.out.println("登录成功");
39 return "redirect:home.html";
40 }catch (exception e){
41 e.printstacktrace();
42 return "login.html";
43 }
44
45 }
46 }
这时,之前负责登录的logincontroller不再是验证用户名和密码正不正确了,因为用户名密码的验证已经交给cas server了,logincontroller的工作就是接收cas server重定向时传回来的ticket,验证ticket的有效性,如果没有异常,则会进入到userdetailsserviceimpl中的loaduserdetails方法,并根据用户名加载用户权限等信息,然后我们再将用户信息存入session,完成本地登录,本地登录之后,用户每次请求时,就不需要再次验证ticket了,而是验证session
到这里,cas client已经配置完成,为了看清楚流程,我们以debug模式启动一下项目,在logincontroller的login方法开头打一个断点,打开浏览器调试模式(f12),切换到network看请求,在浏览器中输入:localhost:8083,浏览器会自动重定向到cas server 的登录页面,如下图:
我们输入一个数据库中有的用户名,再在密码栏中输入一次用户名,因为这里的cas server验证方式还没改,只要求用户名和密码相同就可通过验证,后面我会研究一下怎么修改cas server 的验证方式为数据库验证
如输入:用户名:user 密码:user
点击登录,验证成功后,我们看f12 network请求,发现浏览器发送了两个请求,一个是8081的,也就是cas server的,另外一个是8083的,也就是我们的client端的,如图:
另一个
因为我们在后台开了debug模式,打了断点,所以后面这个请求一直在pending状态,我们先看第一个请求的详细情况:
很明显的,这个请求发送了我们的用户名和密码,由此可知,这个请求的作用就是负责在cas server后台验证用户名的密码,验证成功后,会自动重定向到第二个请求
我们再来看第二个请求:
这个请求就是我们cas client所配置的登录地址,此时这个请求后面自动带上了一个名为ticket的参数,参数值是一串自动生成的随机字符串,由cas server生成的
我们再回到后台,没什么错误的话,我们可以看到logincontroller接收到了这个参数,我们先在userdetailsserviceimpl类的loaduserdetails方法的开头打一个断点,按f8让调试器跑走,此时,我们就可以看到调试器跳到了我们刚刚打的userdetasserviceimpl的断点中,再看看参数
可以看出,我们接收到了cas server认证完ticket后传回来的用户名,我们根据用户名加载对应的权限,返回即可,此时我们再次按f8跳走
再回到界面,发现我们已经可以访问页面了:
下一步,就是验证多个应用之间是否能只登陆一次就不用再登陆了;
我们将当前项目拷贝一份,改名称为cas-client2(maven的groupid和artifactid),再修改一下端口为8082,
,记得对应的cas配置也要改:
启动项目
先访问localhost:8082
发现它自动跳转到了8081的cas server
再打开另外一个浏览器标签,访问localhost:8083
发现它也自动跳到了cas的登录页面,我们先在这里输入账号密码登录:
登录成功后,我们再切换回刚刚没登录的8082的网页标签,刷新一下,
ok,8082也不用登陆了,大功告成!
源码地址:
https://github.com/yupingyou/casclient.git
另:spring security原本默认有个/login和/logout的handler,(以前不是这个地址,不知道从哪个版本开始改了,以前好像是_spring_security_check,大概是这个,记不太清,我用了4以后就发现地址变了),但是我发现我访问/login的时候出现404,但/logout可以访问,没发现什么原因,后来我就自定义一个登陆了,也就是我配置的/login.do,代替了默认的/login
第一次动手写这么长的博客...............累
如对本文有疑问, 点击进行留言回复!!
HashMap、Hashtable、ConcurrentHashMap三者间的异同
解决RecycleView 中Item包含Edittext时,滑动view复用导致数据错乱的问题
多线程、同步工作原理、死锁案例、Lock接口、线程的生命周期的讲解及实现
网友评论