spring-security使用-获得当前用户信息(四)

主要是通过Authentication封装

接口定义

public interface Authentication extends Principal, Serializable {
    //用来获取用户的权限。
    Collection<? extends GrantedAuthority> getAuthorities();
    //方法用来获取用户凭证，一般来说就是密码。
    Object getCredentials();
    //方法用来获取用户携带的详细信息，可能是当前请求之类的东西。
    Object getDetails();
    //方法用来获取当前用户，可能是一个用户名，也可能是一个用户对象。
    Object getPrincipal();
    //当前用户是否认证成功。
    boolean isAuthenticated();

    void setAuthenticated(boolean var1) throws IllegalArgumentException;
}

如何获取

   @GetMapping("/hello")
    public String hello() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return "hello";
    }

getDetails方法

可以看到打印了用户id和sessionId信息

 @GetMapping("/hello")
    public String hello() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
        System.out.println(details);
        return "hello";
    }

打印

org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: C1886FD11CACBAD7387B9273442BC212

源码

1.org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#attemptAuthentication

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (this.postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        } else {
            String username = this.obtainUsername(request);
            String password = this.obtainPassword(request);
            if (username == null) {
                username = "";
            }

            if (password == null) {
                password = "";
            }

            username = username.trim();
            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
            //为authRequest 的detail赋值 UsernamePasswordAuthenticationToken实现了Authentication
            this.setDetails(request, authRequest);
            return this.getAuthenticationManager().authenticate(authRequest);
        }
    }

2.org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#setDetails

protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

 protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
            //UsernamePasswordAuthenticationToken是通过authenticationDetailsSource 构建的detail数据
            authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
        }

3.WebAuthenticationDetailsSource的定义

public class WebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
    public WebAuthenticationDetailsSource() {
    }

    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
        //我们通过Authentication.getDetails()获取的就是WebAuthenticationDetails
        return new WebAuthenticationDetails(context);
    }
}

4.WebAuthenticationDetails定义

public class WebAuthenticationDetails implements Serializable {
    private static final long serialVersionUID = 520L;
    private final String remoteAddress;
    private final String sessionId;

    public WebAuthenticationDetails(HttpServletRequest request) {
        //从request获取ip
        this.remoteAddress = request.getRemoteAddr();
        //获取sessionId
        HttpSession session = request.getSession(false);
        this.sessionId = session != null ? session.getId() : null;
    }
}

自定义 

看上面源码我们知道入口是在UsernamePasswordAuthenticationFilter进行Authentication的detail设置的 如何构建detail对象 是委托给AuthenticationDetailsSource默认是WebAuthenticationDetailsSource

所以我们自定义就要自定义WebAuthenticationDetailsSource和封装数据的Dtail对象

通过自定优化《spring-security使用-更友好的方式扩展登录AuthenticationProvider(三)》 验证码校验逻辑

1.自定义的Detail对象

 */
public class MyWebAuthenticationDetails extends WebAuthenticationDetails {
    //封装提交的验证码信息
    private String code;
    private HttpServletRequest httpServletRequest;
    public MyWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        //获得验证码
        this.code=request.getParameter("code");
        this.httpServletRequest=request;
    }

    /**
     * 增加一个检查验证码的方法
     * @return
     */
    public boolean checkCode(){
        String verify_code = (String) httpServletRequest.getSession().getAttribute("verify_code");
        if (code == null || verify_code == null || !code.equals(verify_code)) {
            throw new AuthenticationServiceException("验证码错误");
        }
        return true;
    }

}

2.自定义构建对象

public class MyWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, MyWebAuthenticationDetails> {
    @Override
    public MyWebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new MyWebAuthenticationDetails(request);
    }
}

3.使用自定义的构建对象替换默认的

    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .rememberMe()
                .key("system")
                .and()
                .formLogin()
                .authenticationDetailsSource(new MyWebAuthenticationDetailsSource())
                .usernameParameter("loginName")
                .passwordParameter("loginPassword")
                .defaultSuccessUrl("/hello")
                .failureForwardUrl("/loginFail")
                .failureUrl("/login.html")
                .permitAll()//不拦截
                .and()
                .csrf()//记得关闭
                .disable();
    }