Spring Security 是 Spring 中的安全校验框架,有 SpringMVC 配置和 WebFlux 配置两种模式,关于使用方式,我们在这里简单说明一下
1、SpringMVC中的Security配置
在SpringMVC中的Security配置中,我们需要有一个类继承WebSecurityConfigurerAdapter类,在里面可以配置自己需要的bean和拦截属性,更多详细介绍请看官方文档,这里只做简单介绍
/**
 * Servlet-stack (Spring MVC) security configuration.
 *
 * <p>Registers two custom authentication filters as beans, opens the paths in
 * {@link #PUBLIC_PATHS} plus {@code GET /} and every HEAD request to anonymous access,
 * requires authentication for everything else, and runs the chain stateless
 * (token-based: no HTTP session, no CSRF token, no login/logout/remember-me).
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Ant patterns reachable without a token: token issuing, OAuth2 callbacks and the
     * Druid console.
     * NOTE(review): the Druid monitoring console is reachable anonymously through this
     * rule — confirm it is protected by other means or narrow the pattern.
     */
    private static final String[] PUBLIC_PATHS = {
        "/auth_center/auth/**",
        "/auth_center/oauth2/**",
        "/auth_center/druid/**"
    };

    /** Username/password authentication filter, built against this application context. */
    @Bean
    public UsernamePasswordAuthFilter usernamePasswordAuthFilter() {
        return new UsernamePasswordAuthFilter(this.getApplicationContext());
    }

    /**
     * OAuth2 login authentication filter, built against this application context.
     * The method name is kept in its original (upper-case) form because the bean name is
     * derived from it and may be referenced elsewhere.
     */
    @Bean
    public Oauth2LoginAuthenticationFilter Oauth2LoginAuthenticationFilter() {
        return new Oauth2LoginAuthenticationFilter(this.getApplicationContext());
    }

    /**
     * Builds the filter chain: URL authorization rules, unused mechanisms switched off,
     * stateless sessions, the two custom filters, and no-cache response headers.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(PUBLIC_PATHS).permitAll()
            .antMatchers(HttpMethod.GET, "/").permitAll()
            // NOTE(review): no path is given, so HEAD requests to *any* URL skip
            // authentication — confirm this is intended rather than e.g. HEAD "/".
            .antMatchers(HttpMethod.HEAD).permitAll()
            .anyRequest().authenticated();

        disableUnusedMechanisms(http);

        // Token-based: never create or use an HTTP session.
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Custom filters take the slots of Spring's own username/password and OAuth2 login filters.
        http.addFilterAt(usernamePasswordAuthFilter(), UsernamePasswordAuthenticationFilter.class);
        http.addFilterAt(Oauth2LoginAuthenticationFilter(), OAuth2LoginAuthenticationFilter.class);

        // Keep the no-cache response headers (Cache-Control/Pragma/Expires) switched on.
        http.headers().cacheControl();
    }

    /**
     * Turns off every login/logout mechanism this service does not use. CSRF protection
     * is disabled as well because authentication is carried in a token, not a cookie.
     */
    private static void disableUnusedMechanisms(HttpSecurity http) throws Exception {
        http.formLogin().disable();
        http.httpBasic().disable();
        http.openidLogin().disable();
        http.logout().disable();
        http.rememberMe().disable();
        http.csrf().disable();
    }
}
2、Spring-security关于在WebFlux项目中的配置
Spring-security关于在WebFlux项目中的配置,与在SpringMVC中的注解是不同的,为@EnableWebFluxSecurity,使用方式如下,可以自己配置Filter和权限属性:
/**
 * Reactive-stack (WebFlux) security configuration.
 *
 * <p>Builds one {@link SecurityWebFilterChain} that requires authentication on every
 * exchange, switches off the mechanisms this service does not use (CSRF, HTTP Basic,
 * form login, logout, request cache) and plugs in a custom authentication filter and
 * a custom authorization filter.
 */
@EnableWebFluxSecurity
public class WebfluxSecurityConfig {

    /** Performs the actual credential/token check for the authentication filter. */
    @Autowired
    private AuthReactiveAuthenticationManager reactiveAuthenticationManager;

    /** Extracts an {@code Authentication} from the incoming exchange. */
    @Autowired
    private ServerHttpAuthenticationConverter serverHttpAuthenticationConverter;

    /** Decides which exchanges the authentication filter must authenticate. */
    @Autowired
    public RequiresServerWebExchangeMatcher serverWebExchangeMatcher;

    /** Authorization manager resolved by bean name rather than by type. */
    @Resource(name = "delegatingAuthorizationManager")
    public DelegatingReactiveAuthorizationManager delegatingAuthorizationManager;

    /** Failure handler that hands failed authentications to {@link #serverAuthenticationEntryPoint()}. */
    @Bean
    public ServerAuthenticationFailureHandler serverAuthenticationFailureHandler() {
        ServerAuthenticationEntryPoint entryPoint = serverAuthenticationEntryPoint();
        return new ServerAuthenticationEntryPointFailureHandler(entryPoint);
    }

    /** REST-style entry point used when an exchange is not authenticated. */
    @Bean
    public ServerAuthenticationEntryPoint serverAuthenticationEntryPoint() {
        return new RestServerAuthenticationEntryPoint();
    }

    /**
     * Authentication filter: matcher, converter and failure handler are the injected
     * components; the manager does the credential check.
     *
     * @return a fully wired {@link AuthenticationWebFilter}
     */
    public AuthenticationWebFilter authenticationWebFilter() {
        AuthenticationWebFilter filter = new AuthenticationWebFilter(reactiveAuthenticationManager);
        filter.setRequiresAuthenticationMatcher(serverWebExchangeMatcher);
        filter.setAuthenticationConverter(serverHttpAuthenticationConverter);
        filter.setAuthenticationFailureHandler(serverAuthenticationFailureHandler());
        return filter;
    }

    /**
     * Authorization filter backed by the named delegating authorization manager.
     *
     * @return a new {@link AuthorizationWebFilter}
     */
    public AuthorizationWebFilter authorizationWebFilter() {
        return new AuthorizationWebFilter(delegatingAuthorizationManager);
    }

    /**
     * Assembles the security filter chain.
     *
     * @param http the builder supplied by Spring Security
     * @return the built chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Every exchange must be authenticated; no anonymous paths are opened here.
        http.authorizeExchange().anyExchange().authenticated();

        http.csrf().disable();
        http.httpBasic().disable();
        http.formLogin().disable();
        http.logout().disable();
        http.requestCache().disable();

        // Custom filters occupy the FORM_LOGIN and AUTHENTICATION slots of the chain.
        // NOTE(review): the authorization filter sits in the AUTHENTICATION slot, which
        // presumably runs ahead of Spring's exception-translation filter — confirm that
        // access-denied results from it are rendered as intended, and that it is meant to
        // run in addition to the authorization rule registered by anyExchange().authenticated().
        http.addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.FORM_LOGIN);
        http.addFilterAt(authorizationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

        return http.build();
    }
}