重写了UsernamePasswordAuthenticationFilter,里面继承AbstractAuthenticationProcessingFilter,这个类里面的session认证策略,是一个空方法,貌似RememberMe也是.
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware { protected ApplicationEventPublisher eventPublisher; protected AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource(); private AuthenticationManager authenticationManager; protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor(); private RememberMeServices rememberMeServices = new NullRememberMeServices(); private RequestMatcher requiresAuthenticationRequestMatcher; private boolean continueChainBeforeSuccessfulAuthentication = false; private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy(); private boolean allowSessionCreation = true; private AuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler(); private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
NullAuthenticatedSessionStrategy 源码
public final class NullAuthenticatedSessionStrategy implements SessionAuthenticationStrategy { public NullAuthenticatedSessionStrategy() { } public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) { } }
所以必须自己配置一个session验证策略,以及配置并发控制.红字为关键
WebSecurityConfigurerAdapter
/** * Created by ZhenWeiLai on on 2016-10-16. * <p> * 三种方法级权限控制 * <p> * 1.securedEnabled: Spring Security’s native annotation * 2.jsr250Enabled: standards-based and allow simple role-based constraints * 3.prePostEnabled: expression-based */ @EnableWebSecurity //@EnableGlobalMethodSecurity(prePostEnabled = true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Resource private UserDetailsService userDetailsService; @Resource private FilterInvocationSecurityMetadataSource securityMetadataSource; @Resource private SessionRegistry sessionRegistry; @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/assets/**"); web.ignoring().antMatchers("/components/**"); web.ignoring().antMatchers("/css/**"); web.ignoring().antMatchers("/images/**"); web.ignoring().antMatchers("/js/**"); web.ignoring().antMatchers("/mustache/**"); web.ignoring().antMatchers("/favicon.ico"); //注册地址不拦截 // web.ignoring().antMatchers("/base/invoice/userinfo/u/reg"); // web.ignoring().antMatchers("/**"); } @Override protected void configure(HttpSecurity http) throws Exception { //解决不允许显示在iframe的问题 http.headers().frameOptions().disable(); http.addFilterAt(usernamePasswordAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class); //session并发控制过滤器 http.addFilterAt(new ConcurrentSessionFilter(sessionRegistry,sessionInformationExpiredStrategy()),ConcurrentSessionFilter.class); //自定义过滤器 //在适当的地方加入 http.addFilterAt(filterSecurityInterceptor(securityMetadataSource, accessDecisionManager(), authenticationManagerBean()), FilterSecurityInterceptor.class); http.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).and().logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll().and().exceptionHandling().accessDeniedPage("/accessDenied"); http.authorizeRequests().anyRequest().fullyAuthenticated(); // 关闭csrf http.csrf().disable(); /** * 以下配置无效 */ //session管理 //session失效后跳转 // http.sessionManagement().invalidSessionUrl("/login"); // //只允许一个用户登录,如果同一个账户两次登录,那么第一个账户将被踢下线,跳转到登录页面 // http.sessionManagement().maximumSessions(1).expiredUrl("/login"); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // 自定义UserDetailsService,设置加密算法 auth.userDetailsService(userDetailsService); //.passwordEncoder(passwordEncoder()) //不删除凭据,以便记住用户 auth.eraseCredentials(false); } //session失效跳转 private SessionInformationExpiredStrategy sessionInformationExpiredStrategy() { return new SimpleRedirectSessionInformationExpiredStrategy("/login"); } @Bean public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); } //SpringSecurity内置的session监听器 @Bean public HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); } private UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception { UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new CuzUsernamePasswordAuthenticationFilter(); usernamePasswordAuthenticationFilter.setPostOnly(true); usernamePasswordAuthenticationFilter.setAuthenticationManager(this.authenticationManager()); usernamePasswordAuthenticationFilter.setUsernameParameter("name_key"); usernamePasswordAuthenticationFilter.setPasswordParameter("pwd_key"); usernamePasswordAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/checkLogin", "POST")); usernamePasswordAuthenticationFilter.setAuthenticationFailureHandler(simpleUrlAuthenticationFailureHandler()); usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler()); //session并发控制,因为默认的并发控制方法是空方法.这里必须自己配置一个 usernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy(new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry)); return usernamePasswordAuthenticationFilter; } // @Bean // public LoggerListener loggerListener() { // System.out.println("org.springframework.security.authentication.event.LoggerListener"); // return new LoggerListener(); // } // // @Bean // public org.springframework.security.access.event.LoggerListener eventLoggerListener() { // System.out.println("org.springframework.security.access.event.LoggerListener"); // return new org.springframework.security.access.event.LoggerListener(); // } /** * 投票器 */ private AbstractAccessDecisionManager accessDecisionManager() { List<AccessDecisionVoter<? extends Object>> decisionVoters = new ArrayList(); decisionVoters.add(new AuthenticatedVoter()); decisionVoters.add(new RoleVoter());//角色投票器,默认前缀为ROLE_ RoleVoter AuthVoter = new RoleVoter(); AuthVoter.setRolePrefix("AUTH_");//特殊权限投票器,修改前缀为AUTH_ decisionVoters.add(AuthVoter); AbstractAccessDecisionManager accessDecisionManager = new AffirmativeBased(decisionVoters); return accessDecisionManager; } @Override public AuthenticationManager authenticationManagerBean() { AuthenticationManager authenticationManager = null; try { authenticationManager = super.authenticationManagerBean(); } catch (Exception e) { e.printStackTrace(); } return authenticationManager; } /** * 验证异常处理器 * * @return */ private SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() { return new SimpleUrlAuthenticationFailureHandler("/getLoginError"); } // /** // * 表达式控制器 // * // * @return // */ // private DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() { // DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler(); // return webSecurityExpressionHandler; // } // /** // * 表达式投票器 // * // * @return // */ // private WebExpressionVoter webExpressionVoter() { // WebExpressionVoter webExpressionVoter = new WebExpressionVoter(); // webExpressionVoter.setExpressionHandler(webSecurityExpressionHandler()); // return webExpressionVoter; // } // Code5 官方推荐加密算法 // @Bean("passwordEncoder") // public BCryptPasswordEncoder passwordEncoder() { // BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder(); // return bCryptPasswordEncoder; // } // // Code3---------------------------------------------- /** * 登录成功后跳转 * 如果需要根据不同的角色做不同的跳转处理,那么继承AuthenticationSuccessHandler重写方法 * * @return */ private SimpleUrlAuthenticationSuccessHandler authenticationSuccessHandler() { return new SimpleUrlAuthenticationSuccessHandler("/loginSuccess"); } /** * Created by ZhenWeiLai on on 2016-10-16. */ private FilterSecurityInterceptor filterSecurityInterceptor(FilterInvocationSecurityMetadataSource securityMetadataSource, AccessDecisionManager accessDecisionManager, AuthenticationManager authenticationManager) { FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor(); filterSecurityInterceptor.setSecurityMetadataSource(securityMetadataSource); filterSecurityInterceptor.setAccessDecisionManager(accessDecisionManager); filterSecurityInterceptor.setAuthenticationManager(authenticationManager); return filterSecurityInterceptor; } }
继承UsernamePasswordAuthenticationFilter ,注入SessionRegistry ,当用户登录验证成功后注册session
/** * Created by ZhenWeiLai on 2017/6/2. */ public class CuzUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter { private boolean postOnly = true; @Resource private SessionRegistry sessionRegistry; @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if(this.postOnly && !request.getMethod().equals("POST")) { throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod()); } else { String username = this.obtainUsername(request); String password = this.obtainPassword(request); if(username == null) { username = ""; } if(password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); //用户名密码验证通过后,注册session sessionRegistry.registerNewSession(request.getSession().getId(),authRequest.getPrincipal()); this.setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); } } }
重写用户实体类的比较方法.
/** * 重写比较方法,SpringSecurity根据用户名来比较是否同一个用户 */ @Override public boolean equals(Object o){ if(o.toString().equals(this.username)) return true; return false; } @Override public int hashCode(){ return username.hashCode(); } @Override public String toString() { return this.username; }