问题:不添加权限控制,页面可以正常访问,添加后页面无法正常访问(未进入控制层),权限认证正常
代码如下:
1. WebSecurityConfig.java
package com.player.config; import com.player.handler.AuthenticationProviderCustom; import com.player.handler.UserDetailsServiceCustom; import com.player.repository.AuthorRepository; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.UserDetailsService; /** * Created by ronger on 2017/6/24. */ @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter{ @Autowired private AuthorRepository authorRepository; @Bean public UserDetailsService userDetailsService(){ UserDetailsService userDetailsService=new UserDetailsServiceCustom(authorRepository); return userDetailsService; } @Bean public AuthenticationProvider authenticationProvider(){ AuthenticationProvider authenticationProvider = new AuthenticationProviderCustom(userDetailsService()); return authenticationProvider; } /** * 匹配 "/" 路径,不需要权限即可访问 * 匹配 "/user" 及其以下所有路径,都需要 "USER" 权限 * 登录地址为 "/login",登录成功默认跳转到页面 "/user" * 退出登录的地址为 "/logout",退出成功后跳转到页面 "/login" * 默认启用 CSRF */ @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/").permitAll() .antMatchers("/user/**").hasRole("USER") .antMatchers("/upload/**").hasRole("USER") .antMatchers("/admin/**").hasRole("ADMIN") .and() .formLogin().loginPage("/login").defaultSuccessUrl("/index").failureUrl("/login?error").usernameParameter("username").passwordParameter("password").permitAll() .and() .logout().logoutUrl("/logout").logoutSuccessUrl("/login"); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/static/**"); } /** * 添加 UserDetailsService, 实现自定义登录校验 */ @Override protected void configure(AuthenticationManagerBuilder builder) throws Exception{ //暂时使用基于内存的AuthenticationProvider //builder.inMemoryAuthentication().withUser("username").password("password").roles("USER"); //自定义AuthenticationProvider builder.authenticationProvider(authenticationProvider()); } }
2. UserDetailsServiceCustom.java
package com.player.handler; import com.player.repository.AuthorRepository; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; /** * Created by ronger on 2017/6/24. */ public class UserDetailsServiceCustom implements UserDetailsService { @Autowired private AuthorRepository authorRepository; public UserDetailsServiceCustom(AuthorRepository authorRepository) { this.authorRepository = authorRepository; } @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return authorRepository.findByUsernameWithAuthorities(username); } }
3. AuthenticationProviderCustom.java
package com.player.handler; import com.player.util.MD5Tools; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.*; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; /** * Created by ronger on 2017/6/24. */ public class AuthenticationProviderCustom implements AuthenticationProvider { @Autowired private UserDetailsService userDetailsService; public AuthenticationProviderCustom(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { try{ UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication; String account = token.getName(); //从数据库找到的用户 UserDetails userDetails = null; if(account != null) { userDetails = userDetailsService.loadUserByUsername(account); } // if(userDetails == null) { throw new UsernameNotFoundException("用户名/密码无效"); }else if (!userDetails.isEnabled()){ throw new DisabledException("用户已被禁用"); }else if (!userDetails.isAccountNonExpired()) { throw new AccountExpiredException("账号已过期"); }else if (!userDetails.isAccountNonLocked()) { throw new LockedException("账号已被锁定"); }else if (!userDetails.isCredentialsNonExpired()) { throw new LockedException("凭证已过期"); } //数据库用户的密码 String password = userDetails.getPassword(); //与authentication里面的credentials相比较 if(!password.equals(MD5Tools.MD5(token.getCredentials().toString()))) { throw new BadCredentialsException("Invalid username/password"); } //授权 return new UsernamePasswordAuthenticationToken(userDetails, password,userDetails.getAuthorities()); }catch (Exception e){ e.printStackTrace(); } return null; } @Override public boolean supports(Class authentication) { //返回true后才会执行上面的authenticate方法,这步能确保authentication能正确转换类型 return UsernamePasswordAuthenticationToken.class.equals(authentication); } }
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于