Spring-security是spring中的校驗流程,有SpringMVC配置和SpringFlux配置兩種模式,關于使用方式,我們在這裡說下
1、SpringMVC中的Security配置
在SpringMVC中的Security配置,我們需要有一個類繼承WebSecurityConfigurerAdapter類,在裡面可以配置自己需要的bean和攔截屬性,更多詳細介紹請看官方文檔,這裡只是簡單做下介紹
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the project's username/password authentication filter as a bean.
     * The filter receives this configuration's application context in its constructor.
     *
     * @return the filter that {@link #configure(HttpSecurity)} places at the
     *         {@code UsernamePasswordAuthenticationFilter} slot
     */
    @Bean
    public UsernamePasswordAuthFilter usernamePasswordAuthFilter() {
        return new UsernamePasswordAuthFilter(getApplicationContext());
    }

    /**
     * Exposes the project's OAuth2 login authentication filter as a bean.
     * NOTE(review): the method name (and thus the bean name) starts with an upper-case letter;
     * it is kept as-is because renaming would change the bean name visible to other code.
     *
     * @return the filter that {@link #configure(HttpSecurity)} places at the
     *         {@code OAuth2LoginAuthenticationFilter} slot
     */
    @Bean
    public Oauth2LoginAuthenticationFilter Oauth2LoginAuthenticationFilter() {
        return new Oauth2LoginAuthenticationFilter(getApplicationContext());
    }

    /**
     * Builds the HTTP security rules for a stateless, JWT-based API:
     * a small set of anonymous paths, authentication for everything else,
     * no session/CSRF, and the two custom filters swapped in for the standard login filters.
     *
     * @param http the builder handed over by Spring Security
     * @throws Exception propagated from the {@code HttpSecurity} builder methods
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        configureRequestAuthorization(http);
        disableLoginMechanisms(http);
        // The API is JWT-based, so neither CSRF tokens nor an HTTP session are used.
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // The JWT filters take the positions of the standard username/password and OAuth2 login filters.
        http.addFilterAt(usernamePasswordAuthFilter(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterAt(Oauth2LoginAuthenticationFilter(), OAuth2LoginAuthenticationFilter.class);
        // Author's intent: responses must not be cached (Spring Security's cache-control headers).
        http.headers().cacheControl();
    }

    /** Declares the anonymous paths and requires authentication for every other request. */
    private static void configureRequestAuthorization(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // The token-issuing and OAuth2 endpoints must be reachable without a token.
                .antMatchers("/auth_center/auth/**").permitAll()
                .antMatchers("/auth_center/oauth2/**").permitAll()
                // NOTE(review): this looks like the Druid monitoring console being opened to
                // anonymous callers; confirm that is intended outside local development.
                .antMatchers("/auth_center/druid/**").permitAll()
                .antMatchers(HttpMethod.GET, "/").permitAll()
                // NOTE(review): permits HEAD on every path, not only on "/"; confirm that is intended.
                .antMatchers(HttpMethod.HEAD).permitAll()
                .anyRequest().authenticated();
    }

    /** Turns off the browser/login mechanisms a JWT-only API does not use. */
    private static void disableLoginMechanisms(HttpSecurity http) throws Exception {
        http.formLogin().disable();
        http.httpBasic().disable();
        http.openidLogin().disable();
        http.logout().disable();
        http.rememberMe().disable();
    }
}
2、Spring-security關于在WebFlux項目中的配置
Spring-security關于在WebFlux項目中的配置,與在SpringMVC中的注解是不同的,為@EnableWebFluxSecurity,使用方式如下,可以自己配置Filter和權限屬性:
@EnableWebFluxSecurity
public class WebfluxSecurityConfig {

    // Handed to AuthenticationWebFilter as its authentication manager.
    @Autowired
    private AuthReactiveAuthenticationManager reactiveAuthenticationManager;

    // Handed to AuthenticationWebFilter as its authentication converter.
    @Autowired
    private ServerHttpAuthenticationConverter serverHttpAuthenticationConverter;

    // Handed to AuthenticationWebFilter as its "requires authentication" matcher.
    @Autowired
    public RequiresServerWebExchangeMatcher serverWebExchangeMatcher;

    // Looked up by bean name; backs the custom AuthorizationWebFilter.
    @Resource(name = "delegatingAuthorizationManager")
    public DelegatingReactiveAuthorizationManager delegatingAuthorizationManager;

    /**
     * Failure handler that delegates to {@link #serverAuthenticationEntryPoint()},
     * so a failed authentication is answered by the REST entry point.
     *
     * @return the failure handler used by {@link #authenticationWebFilter()}
     */
    @Bean
    public ServerAuthenticationFailureHandler serverAuthenticationFailureHandler() {
        ServerAuthenticationEntryPoint entryPoint = serverAuthenticationEntryPoint();
        return new ServerAuthenticationEntryPointFailureHandler(entryPoint);
    }

    /**
     * Entry point answering requests that carry no valid authentication.
     *
     * @return the project's REST-style entry point
     */
    @Bean
    public ServerAuthenticationEntryPoint serverAuthenticationEntryPoint() {
        return new RestServerAuthenticationEntryPoint();
    }

    /**
     * Authentication filter wired from the injected manager, matcher and converter.
     * Not a bean: a fresh instance is built each time {@link #springSecurityFilterChain} calls it.
     *
     * @return the configured authentication filter
     */
    public AuthenticationWebFilter authenticationWebFilter() {
        AuthenticationWebFilter filter = new AuthenticationWebFilter(reactiveAuthenticationManager);
        filter.setRequiresAuthenticationMatcher(serverWebExchangeMatcher);
        filter.setAuthenticationConverter(serverHttpAuthenticationConverter);
        filter.setAuthenticationFailureHandler(serverAuthenticationFailureHandler());
        return filter;
    }

    /**
     * Authorization filter driven by the named delegating authorization manager.
     * Not a bean, for the same reason as {@link #authenticationWebFilter()}.
     *
     * @return the configured authorization filter
     */
    public AuthorizationWebFilter authorizationWebFilter() {
        return new AuthorizationWebFilter(delegatingAuthorizationManager);
    }

    /**
     * Assembles the reactive filter chain: everything authenticated, the browser-oriented
     * mechanisms switched off, and the two custom filters inserted at fixed positions.
     *
     * @param http the builder handed over by Spring Security
     * @return the built chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // No anonymous exchanges are declared in this chain.
        http.authorizeExchange().anyExchange().authenticated();
        // Token-based API: no CSRF, no basic/form login, no logout, no saved-request cache.
        http.csrf().disable();
        http.httpBasic().disable();
        http.formLogin().disable();
        http.logout().disable();
        http.requestCache().disable();
        // NOTE(review): the authentication filter sits at the FORM_LOGIN slot and the
        // authorization filter at the AUTHENTICATION slot; confirm against SecurityWebFiltersOrder
        // that authentication still runs before this authorization filter and that its
        // access-denied errors are still translated into responses.
        http.addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.FORM_LOGIN);
        http.addFilterAt(authorizationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
        return http.build();
    }
}