Spring-security在SpringMvc中的使用

Spring-security是Spring中的安全校验框架,有SpringMVC配置和WebFlux配置两种模式,关于使用方式,我们在这里简单说下

1、SpringMVC中的Security配置

在SpringMVC中进行Security配置时,我们需要有一个类继承WebSecurityConfigurerAdapter类,在里面可以配置自己需要的bean和拦截属性,更多详细介绍请看官方文档,这里只是简单做下介绍

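/**
 * Servlet (Spring MVC) security configuration for a stateless, JWT-based API.
 *
 * <p>Session creation, CSRF protection, form/basic/OpenID login, logout and remember-me are all
 * switched off because every request is authenticated by the two filters registered below;
 * which requests may be served anonymously is declared in {@link #configure(HttpSecurity)}.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Filter that authenticates username/password requests; it receives the application context
     * so it can look up its own collaborators.
     *
     * @return the filter, exposed as a bean so the container manages it as well
     */
    @Bean
    public UsernamePasswordAuthFilter usernamePasswordAuthFilter() {
        return new UsernamePasswordAuthFilter(this.getApplicationContext());
    }

    /**
     * Filter that authenticates OAuth2 login requests.
     *
     * <p>The method name (and therefore the default bean id) starts with a capital letter. It is
     * kept unchanged so existing bean references keep resolving; new code should use
     * lowerCamelCase for bean methods.
     *
     * @return the filter, exposed as a bean so the container manages it as well
     */
    @Bean
    public Oauth2LoginAuthenticationFilter Oauth2LoginAuthenticationFilter() {
        return new Oauth2LoginAuthenticationFilter(this.getApplicationContext());
    }

    /**
     * Declares the anonymous endpoints, disables the session-oriented mechanisms a token API does
     * not use, and installs the JWT filters in place of the stock authentication filters.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} DSL
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                // Token-issuing and OAuth2 endpoints must be reachable before a token exists.
                .antMatchers("/auth_center/auth/**").permitAll()
                .antMatchers("/auth_center/oauth2/**").permitAll()
                // NOTE(review): if this path is the Druid monitoring console, it is reachable
                // without authentication — confirm that is intended, or restrict it.
                .antMatchers("/auth_center/druid/**").permitAll()
                .antMatchers(HttpMethod.GET, "/").permitAll()
                // HEAD is permitted only for "/", mirroring the GET rule above. The previous rule
                // carried no path pattern, which matches every URL; Spring MVC typically serves
                // HEAD through the GET handlers, so protected handlers would have executed for
                // unauthenticated HEAD requests. Add explicit patterns here if a health check
                // needs HEAD on other paths.
                .antMatchers(HttpMethod.HEAD, "/").permitAll()
                // Every other request needs an authenticated principal.
                .anyRequest().authenticated()
                .and()
                // Browser login mechanisms are not used by a token API.
                .formLogin().disable()
                .httpBasic().disable()
                .openidLogin().disable()
                .logout().disable()
                .rememberMe().disable()
                // Authentication is by JWT rather than a session cookie, so CSRF protection is
                // disabled. This only holds while the token is not sent automatically by the
                // browser (e.g. carried in a cookie).
                .csrf().disable()
                // Token-based: never create or rely on an HTTP session.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // The JWT filters take the chain positions of the stock authentication filters.
        http.addFilterAt(usernamePasswordAuthFilter(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterAt(Oauth2LoginAuthenticationFilter(), OAuth2LoginAuthenticationFilter.class);

        // Emit the Cache-Control/Pragma/Expires headers that forbid caching of responses
        // (presumably already part of the default headers(); harmless if so).
        http.headers().cacheControl();
    }
}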

2、Spring-security关于在WebFlux项目中的配置

Spring-security在WebFlux项目中的配置,所用注解与SpringMVC中的不同,为@EnableWebFluxSecurity,使用方式如下,可以自己配置Filter和权限属性:

/**
 * Reactive (WebFlux) security configuration.
 *
 * <p>A custom {@link AuthenticationWebFilter} and {@link AuthorizationWebFilter} are built from
 * injected collaborators and placed into the {@link SecurityWebFilterChain}; every exchange must
 * be authenticated, and CSRF, HTTP Basic, form login, logout and the request cache are disabled.
 *
 * <p>NOTE(review): the collaborators are field-injected and two of them are public, so they can
 * be reassigned from outside this class; constructor injection with private final fields would
 * be the usual choice.
 */
@EnableWebFluxSecurity
public class WebfluxSecurityConfig {

    // Authenticates the credentials produced by serverHttpAuthenticationConverter.
    @Autowired
    private AuthReactiveAuthenticationManager reactiveAuthenticationManager;
    // Extracts the Authentication to verify from the incoming exchange.
    @Autowired
    private ServerHttpAuthenticationConverter serverHttpAuthenticationConverter;
    // Decides which exchanges the authentication filter applies to.
    @Autowired
    public RequiresServerWebExchangeMatcher serverWebExchangeMatcher;

    // Looked up by name because more than one ReactiveAuthorizationManager may exist.
    @Resource(name="delegatingAuthorizationManager")
    public DelegatingReactiveAuthorizationManager delegatingAuthorizationManager;

    /**
     * Entry point used to answer authentication failures (REST-style response).
     *
     * @return the entry point bean
     */
    @Bean
    public ServerAuthenticationEntryPoint serverAuthenticationEntryPoint(){
        return new RestServerAuthenticationEntryPoint();
    }

    /**
     * Failure handler that delegates to {@link #serverAuthenticationEntryPoint()}.
     *
     * @return the failure handler bean
     */
    @Bean
    public ServerAuthenticationFailureHandler serverAuthenticationFailureHandler(){
        ServerAuthenticationEntryPoint entryPoint = serverAuthenticationEntryPoint();
        return new ServerAuthenticationEntryPointFailureHandler(entryPoint);
    }

    /**
     * Builds the authentication filter (identity verification) from the injected manager,
     * matcher, converter and failure handler. Not a bean: it is created once per chain build.
     *
     * @return the configured authentication filter
     */
    public AuthenticationWebFilter authenticationWebFilter(){
        AuthenticationWebFilter filter = new AuthenticationWebFilter(reactiveAuthenticationManager);
        filter.setAuthenticationConverter(serverHttpAuthenticationConverter);
        filter.setAuthenticationFailureHandler(serverAuthenticationFailureHandler());
        filter.setRequiresAuthenticationMatcher(serverWebExchangeMatcher);
        return filter;
    }

    /**
     * Builds the authorization filter (access control) around the delegating manager.
     *
     * @return the configured authorization filter
     */
    public AuthorizationWebFilter authorizationWebFilter(){
        return new AuthorizationWebFilter(delegatingAuthorizationManager);
    }

    /**
     * Assembles the security filter chain: every exchange must be authenticated, the
     * browser-oriented mechanisms are switched off, and the two custom filters are inserted.
     *
     * <p>NOTE(review): the authorization filter is placed at the AUTHENTICATION position, ahead of
     * the built-in exception translation filter, so a denial it raises is presumably not turned
     * into a 401/403 by that filter — confirm it is handled elsewhere. The
     * {@code anyExchange().authenticated()} rule is still enforced by the default authorization
     * filter, so the custom one is an additional check.
     *
     * @param http the builder supplied by Spring Security
     * @return the built filter chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange().anyExchange().authenticated();

        // Token-style API: none of these mechanisms are used.
        http.csrf().disable();
        http.httpBasic().disable();
        http.formLogin().disable();
        http.logout().disable();
        http.requestCache().disable();

        http.addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.FORM_LOGIN);
        http.addFilterAt(authorizationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
        return http.build();
    }

}


转载自blog.csdn.net/lz710117239/article/details/80661322