Spring Security安全框架原理与实战
SpringSecurity安全框架原理与实战🔒
SpringSecurity是Spring生态中强大的安全框架,为Java应用提供认证(Authentication)和授权(Authorization)功能。本文将介绍其核心原理并通过代码示例展示实战应用!🚀
核心原理🧠
SpringSecurity基于过滤器链(FilterChain)工作,请求会经过一系列安全过滤器:
```java
SecurityFilterChain→UsernamePasswordAuthenticationFilter→BasicAuthenticationFilter→...
```
认证流程采用ProviderManager委托多个AuthenticationProvider进行验证:
```java
//伪代码示例
Authenticationauthenticate(Authenticationauth){
for(AuthenticationProviderprovider:providers){
if(provider.supports(auth.getClass())){
returnprovider.authenticate(auth);
}
}
thrownewAuthenticationException("Nosuitableproviderfound");
}
```
实战配置⚙️
基础安全配置示例:
```java
@Configuration
@EnableWebSecurity
publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{
@Override
protectedvoidconfigure(HttpSecurityhttp)throwsException{
http
.authorizeRequests()
.antMatchers("/public/").permitAll()//公共资源
.antMatchers("/admin/").hasRole("ADMIN")//需要ADMIN角色
.anyRequest().authenticated()//其他请求需认证
.and()
.formLogin()//启用表单登录
.loginPage("/login")//自定义登录页
.defaultSuccessUrl("/home")//登录成功跳转
.and()
.logout()//登出配置
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout");
}
@Bean
publicPasswordEncoderpasswordEncoder(){
returnnewBCryptPasswordEncoder();//密码加密
}
}
```
自定义认证✨
实现自定义UserDetailsService:
```java
@Service
publicclassCustomUserDetailsServiceimplementsUserDetailsService{
@Autowired
privateUserRepositoryuserRepository;
@Override
publicUserDetailsloadUserByUsername(Stringusername){
Useruser=userRepository.findByUsername(username)
.orElseThrow(()->newUsernameNotFoundException("用户不存在"));
returnneworg.springframework.security.core.userdetails.User(
user.getUsername(),
user.getPassword(),
getAuthorities(user.getRoles())
);
}
privateCollectiongetAuthorities(Setroles){
returnroles.stream()
.map(role->newSimpleGrantedAuthority("ROLE_"+role.getName()))
.collect(Collectors.toList());
}
}
```
方法级安全🔐
使用注解保护方法:
```java
@PreAuthorize("hasRole('ADMIN')oruserId==authentication.principal.id")
publicUsergetUserById(LonguserId){
//只有ADMIN或用户自己可以访问
returnuserRepository.findById(userId).orElse(null);
}
```
SpringSecurity的强大之处在于其可扩展性,开发者可以根据需求定制各种安全策略!💪记住:安全无小事,合理配置是关键!🔑
SpringSecurity是Spring生态中强大的安全框架,为Java应用提供认证(Authentication)和授权(Authorization)功能。本文将介绍其核心原理并通过代码示例展示实战应用!🚀
核心原理🧠
SpringSecurity基于过滤器链(FilterChain)工作,请求会经过一系列安全过滤器:
```java
SecurityFilterChain→UsernamePasswordAuthenticationFilter→BasicAuthenticationFilter→...
```
认证流程采用ProviderManager委托多个AuthenticationProvider进行验证:
```java
//伪代码示例
Authenticationauthenticate(Authenticationauth){
for(AuthenticationProviderprovider:providers){
if(provider.supports(auth.getClass())){
returnprovider.authenticate(auth);
}
}
thrownewAuthenticationException("Nosuitableproviderfound");
}
```
实战配置⚙️
基础安全配置示例:
```java
@Configuration
@EnableWebSecurity
publicclassSecurityConfigextendsWebSecurityConfigurerAdapter{
@Override
protectedvoidconfigure(HttpSecurityhttp)throwsException{
http
.authorizeRequests()
.antMatchers("/public/").permitAll()//公共资源
.antMatchers("/admin/").hasRole("ADMIN")//需要ADMIN角色
.anyRequest().authenticated()//其他请求需认证
.and()
.formLogin()//启用表单登录
.loginPage("/login")//自定义登录页
.defaultSuccessUrl("/home")//登录成功跳转
.and()
.logout()//登出配置
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout");
}
@Bean
publicPasswordEncoderpasswordEncoder(){
returnnewBCryptPasswordEncoder();//密码加密
}
}
```
自定义认证✨
实现自定义UserDetailsService:
```java
@Service
publicclassCustomUserDetailsServiceimplementsUserDetailsService{
@Autowired
privateUserRepositoryuserRepository;
@Override
publicUserDetailsloadUserByUsername(Stringusername){
Useruser=userRepository.findByUsername(username)
.orElseThrow(()->newUsernameNotFoundException("用户不存在"));
returnneworg.springframework.security.core.userdetails.User(
user.getUsername(),
user.getPassword(),
getAuthorities(user.getRoles())
);
}
privateCollectiongetAuthorities(Setroles){
returnroles.stream()
.map(role->newSimpleGrantedAuthority("ROLE_"+role.getName()))
.collect(Collectors.toList());
}
}
```
方法级安全🔐
使用注解保护方法:
```java
@PreAuthorize("hasRole('ADMIN')oruserId==authentication.principal.id")
publicUsergetUserById(LonguserId){
//只有ADMIN或用户自己可以访问
returnuserRepository.findById(userId).orElse(null);
}
```
SpringSecurity的强大之处在于其可扩展性,开发者可以根据需求定制各种安全策略!💪记住:安全无小事,合理配置是关键!🔑