diff --git a/src/main/java/io/qyi/e5/config/security/GithubAuth2AuthenticationConfig.java b/src/main/java/io/qyi/e5/config/security/GithubAuth2AuthenticationConfig.java
new file mode 100644
index 0000000..eb389b2
--- /dev/null
+++ b/src/main/java/io/qyi/e5/config/security/GithubAuth2AuthenticationConfig.java
@@ -0,0 +1,48 @@
+package io.qyi.e5.config.security;
+
+import io.qyi.e5.config.security.filter.GithubLoginAuthenticationFilter;
+import lombok.extern.slf4j.Slf4j;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.stereotype.Component;
+
+/**
+ * @program: e5
+ * @description:
+ * @author: 落叶随风
+ * @create: 2020-02-28 16:24
+ **/
+@Component
+@Slf4j
+public class GithubAuth2AuthenticationConfig extends SecurityConfigurerAdapter {
+ @Autowired
+ UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider;
+ @Autowired
+ SecurityAuthenticationHandler securityAuthenticationHandler;
+
+
+ @Override
+ public void configure(HttpSecurity http) throws Exception {
+ GithubLoginAuthenticationFilter authenticationFilter = new GithubLoginAuthenticationFilter();
+
+ log.info("自定义用户认证处理逻辑");
+// 自定义用户认证处理逻辑时,需要指定AuthenticationManager,否则无法认证
+ authenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class));
+
+// 指定自定义的认证成功和失败的处理器
+ authenticationFilter.setAuthenticationSuccessHandler(securityAuthenticationHandler);
+ authenticationFilter.setAuthenticationFailureHandler(securityAuthenticationHandler);
+// 把自定义的用户名密码认证过滤器和处理器添加到UsernamePasswordAuthenticationFilter过滤器之前
+ http.authenticationProvider(usernamePasswordAuthenticationProvider)
+ .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);
+
+
+ }
+
+}
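Review bot: The class Javadoc leaves `@description:` empty, and the log line and comments inside `configure` still describe a username/password filter although the filter built here is `GithubLoginAuthenticationFilter`. A reader auditing the login path cannot tell from this file that the GitHub callback is authenticated by `usernamePasswordAuthenticationProvider`; I would state that in the Javadoc, e.g. `@description: registers the GitHub callback filter ahead of UsernamePasswordAuthenticationFilter and routes its token to usernamePasswordAuthenticationProvider`. The imports `org.slf4j.Logger` and `org.slf4j.LoggerFactory` are unused next to `@Slf4j` and can go, and the two `@Autowired` fields would be easier to test as `private final` constructor parameters.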
diff --git a/src/main/java/io/qyi/e5/config/security/SecurityConfig.java b/src/main/java/io/qyi/e5/config/security/SecurityConfig.java index 6005f87..6f3a2bb 100644 --- a/src/main/java/io/qyi/e5/config/security/SecurityConfig.java +++ b/src/main/java/io/qyi/e5/config/security/SecurityConfig.java @@ -1,12 +1,10 @@ package io.qyi.e5.config.security; import io.qyi.e5.config.security.filter.LinkTokenAuthenticationFilter; -import io.qyi.e5.config.security.filter.LoginAuthenticationFilter; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; -import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.ObjectPostProcessor; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; @@ -39,6 +37,10 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired UrlInvocationSecurityMetadataSourceService myInvocationSecurityMetadataSourceService; + @Autowired + GithubAuth2AuthenticationConfig githubAuth2AuthenticationConfig; + + @Value("${web.static.filtrate}") String[] webFiltrate; 
@@ -50,43 +52,43 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override public void configure(WebSecurity web) throws Exception { // super.configure(web); - /*放行静态资源*/ + /*放行静态资源,这里放行不会去执行 AbstractAuthenticationProcessingFilter */ web.ignoring().antMatchers(webFiltrate); + } // 通过重载该方法,可配置如何通过拦截器保护请求。 @Override protected void configure(HttpSecurity http) throws Exception { System.out.println("HttpSecurity http"); + /*自定义*/ - http.csrf().disable(); - LoginAuthenticationFilter authenticationFilter = new LoginAuthenticationFilter(); + log.info("注册gituhb授权登录"); +// http.authorizeRequests().antMatchers("/user/login", "/user/loginFrom", "/auth2/getGithubUrl").permitAll()// 指定相应的请求 不需要验证 +//// .and() +//// .authorizeRequests().antMatchers("/quartz/**").permitAll()//测试 +// .anyRequest()// 任何请求 +// .authenticated();// 都需要身份认证 - log.info("自定义用户认证处理逻辑"); -// 自定义用户认证处理逻辑时,需要指定AuthenticationManager,否则无法认证 - authenticationFilter.setAuthenticationManager(http.getSharedObject(AuthenticationManager.class)); - -// 指定自定义的认证成功和失败的处理器 - authenticationFilter.setAuthenticationSuccessHandler(securityAuthenticationHandler); - authenticationFilter.setAuthenticationFailureHandler(securityAuthenticationHandler); - -// 把自定义的用户名密码认证过滤器和处理器添加到UsernamePasswordAuthenticationFilter过滤器之前 - http.authenticationProvider(usernamePasswordAuthenticationProvider).addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class); - http.authorizeRequests().anyRequest().authenticated().withObjectPostProcessor(filterSecurityInterceptorObjectPostProcessor()); + /*验证token*/ http.addFilterBefore(new LinkTokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); - + http.csrf().disable().apply(githubAuth2AuthenticationConfig); + /*添加自定义权限管理器*/ + http.authorizeRequests().anyRequest().authenticated().withObjectPostProcessor(filterSecurityInterceptorObjectPostProcessor()); /*关闭创建session*/ 
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS); } /** * 自定义 FilterSecurityInterceptor ObjectPostProcessor 以替换默认配置达到动态权限的目的 + * * @return ObjectPostProcessor */ private ObjectPostProcessor filterSecurityInterceptorObjectPostProcessor() { return new ObjectPostProcessor() { @Override public O postProcess(O object) { + log.info("加载自定义url权限"); object.setAccessDecisionManager(myAccessDecisionManager); object.setSecurityMetadataSource(myInvocationSecurityMetadataSourceService); return object; diff --git a/src/main/java/io/qyi/e5/config/security/UrlAccessDecisionManager.java b/src/main/java/io/qyi/e5/config/security/UrlAccessDecisionManager.java index 70662df..baef417 100644 --- a/src/main/java/io/qyi/e5/config/security/UrlAccessDecisionManager.java +++ b/src/main/java/io/qyi/e5/config/security/UrlAccessDecisionManager.java @@ -25,18 +25,18 @@ import java.util.Iterator; public class UrlAccessDecisionManager implements AccessDecisionManager { @Override public void decide(Authentication authentication, Object o, Collection collection) throws AccessDeniedException, InsufficientAuthenticationException { - log.info("进入权限判断!"); + log.debug("进入权限判断!"); if (collection == null) { return; } - log.info("object is a URL. {}", o.toString()); + log.debug("object is a URL. {}", o.toString()); //所请求的资源拥有的权限(一个资源对多个权限) Iterator iterator = collection.iterator(); while (iterator.hasNext()) { ConfigAttribute configAttribute = iterator.next(); //访问所请求资源所需要的权限 String needPermission = configAttribute.getAttribute(); - log.info("访问 " + o.toString() + " 需要的权限是:" + needPermission); + log.debug("访问 " + o.toString() + " 需要的权限是:" + needPermission); if (needPermission == null) { break; } diff --git a/src/main/java/io/qyi/e5/config/security/UrlInvocationSecurityMetadataSourceService.java b/src/main/java/io/qyi/e5/config/security/UrlInvocationSecurityMetadataSourceService.java index 06dda2b..c69eaa2 100644 
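Review bot: `http.csrf().disable().apply(githubAuth2AuthenticationConfig);` folds the CSRF switch into the line that registers the GitHub configurer, so the fact that CSRF protection is off is easy to miss when reading `configure(HttpSecurity)`. I would keep the two apart, `http.csrf().disable();` followed by `http.apply(githubAuth2AuthenticationConfig);`, and put a comment on the first line giving the reason (presumably the stateless session policy set at the end of the method). The commented-out `permitAll` block added above it lists `/user/login`, `/user/loginFrom` and `/auth2/getGithubUrl` as public, which is not what the active rules do (`anyRequest().authenticated()` with the custom metadata source); it should be deleted rather than committed. The log text `注册gituhb授权登录` misspells "github".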
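Review bot: The third changed call in `decide` still builds its message by concatenation, `log.debug("访问 " + o.toString() + " 需要的权限是:" + needPermission)`, so the string is assembled on every request even when debug logging is off. The parameterized form `log.debug("访问 {} 需要的权限是:{}", o, needPermission);` matches the `{}` style used two lines earlier and skips that work. If `o` is the filter invocation, its `toString()` presumably includes the request URL with its query string, so it is worth confirming that no token or OAuth `code` reaches the log when debug is enabled. `decide` continues outside the hunk.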
--- a/src/main/java/io/qyi/e5/config/security/UrlInvocationSecurityMetadataSourceService.java +++ b/src/main/java/io/qyi/e5/config/security/UrlInvocationSecurityMetadataSourceService.java @@ -32,8 +32,10 @@ public class UrlInvocationSecurityMetadataSourceService implements FilterInvocat Collection array; ConfigAttribute cfg; Map permissions = new HashMap<>(); + /*这里只是简单的配置*/ permissions.put("/admin/**", "admin"); permissions.put("/**", "user"); + permissions.put("/auth2/**", "ROLE_ANONYMOUS"); Iterator> iterator = permissions.entrySet().iterator(); while (iterator.hasNext()) { Map.Entry next = iterator.next(); diff --git a/src/main/java/io/qyi/e5/config/security/filter/LoginAuthenticationFilter.java b/src/main/java/io/qyi/e5/config/security/filter/GithubLoginAuthenticationFilter.java similarity index 84% rename from src/main/java/io/qyi/e5/config/security/filter/LoginAuthenticationFilter.java rename to src/main/java/io/qyi/e5/config/security/filter/GithubLoginAuthenticationFilter.java index dbc8e66..ad58284 100644 --- a/src/main/java/io/qyi/e5/config/security/filter/LoginAuthenticationFilter.java +++ b/src/main/java/io/qyi/e5/config/security/filter/GithubLoginAuthenticationFilter.java @@ -3,7 +3,9 @@ package io.qyi.e5.config.security.filter; import io.qyi.e5.config.security.UsernamePasswordAuthenticationToken; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpMethod; +import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.authentication.InternalAuthenticationServiceException; import org.springframework.security.core.Authentication; 
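Review bot: The new `/auth2/**` entry goes into a `HashMap` that already holds `/**`, and `/**` also matches every `/auth2/...` and `/admin/...` path, so which attribute a request ends up with may depend on `HashMap` iteration order rather than on intent. The loop that consumes `permissions` and the lookup that matches a request run outside this hunk, so this needs checking there; if matching is first-hit, declare the map as `new LinkedHashMap<>()` (with the `java.util.LinkedHashMap` import) and insert `/auth2/**` and `/admin/**` before `/**`. `/auth2/**` also opens every present and future path under that prefix to anonymous callers; listing only `/auth2/getGithubUrl` and `/auth2/receive` would be tighter. The comment `/*这里只是简单的配置*/` could say that the order and overlap of the patterns matter.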
@@ -12,6 +14,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; +import org.springframework.stereotype.Component; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; @@ -25,23 +28,27 @@ import java.io.IOException; * @create: 2020-02-28 11:56 **/ @Slf4j -public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter { - protected LoginAuthenticationFilter(String defaultFilterProcessesUrl) { +public class GithubLoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter { + + + protected GithubLoginAuthenticationFilter(String defaultFilterProcessesUrl) { super(defaultFilterProcessesUrl); } - protected LoginAuthenticationFilter(RequestMatcher requiresAuthenticationRequestMatcher) { + protected GithubLoginAuthenticationFilter(RequestMatcher requiresAuthenticationRequestMatcher) { super(requiresAuthenticationRequestMatcher); } - public LoginAuthenticationFilter() { + public GithubLoginAuthenticationFilter() { super(new AntPathRequestMatcher("/auth2/receive", "GET")); log.info("注册 LoginAuthenticationFilter"); } + @Override public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException { + log.info("接收github回调参数!"); /*if (!httpServletRequest.getMethod().equals(HttpMethod.POST.name())) { throw new AuthenticationServiceException("不支持该验证方法: " + httpServletRequest.getMethod()); } else { 
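Review bot: `attemptAuthentication` now handles the GitHub callback on `GET /auth2/receive`, but nothing visible in this hunk compares the callback's `state` parameter with a value issued when the login was started; the method body continues outside the hunk, so this may exist further down. Since the same commit keeps CSRF protection disabled and sessions stateless, that comparison would be the only thing binding the callback to the browser that began the flow, and it deserves a comment at the top of the method saying where the expected `state` is stored. The constructor still logs `注册 LoginAuthenticationFilter` after the rename; `log.info("注册 GithubLoginAuthenticationFilter");` keeps the startup log accurate. The imports of `Autowired`, `AuthenticationManager` and `Component` added to this file have no visible use in the hunks shown.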
@@ -73,4 +80,5 @@ public class LoginAuthenticationFilter extends AbstractAuthenticationProcessingF private void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) { authRequest.setDetails(authenticationDetailsSource.buildDetails(request)); } + }