Developer Academy course "Spring Security Essentials with Hands-on Demonstrations (3): Distributed Integration, Writing and Testing the Authentication Service Configuration File": study notes that follow the course closely so that learners can pick up the material quickly.
Course URL: https://developer.aliyun.com/learning/course/732/detail/13073
Distributed Integration: Writing and Testing the Authentication Service Configuration File
Writing and Testing the Authentication Service Configuration File
The previous lesson wrote two filters, but without a configuration file those two filters have no effect. So a Spring Security configuration class has to be provided now; it lives in com.itheima.config.
In the existing WebSecurityConfig.java, under the "Spring Security configuration" section, only the following is needed at first:
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/product").hasAnyRole("USER")
            .anyRequest().authenticated()
            .and()
            .csrf()
            .disable();
    }
At this point, typing .and() after the last call is not accepted: in Spring Security, once csrf() is the final step of the chain, nothing further can be configured after it, so it has to be moved to the following position:
    public void configure(HttpSecurity http) throws Exception {
        http.csrf()
            .disable()
            .authorizeRequests()
            .antMatchers("/product").hasAnyRole("USER")
            .anyRequest()
            .authenticated();
    }
The filters can then be added into this chain.
            .and()
            .addFilter(new JwtLoginFilter(super.authenticationManager(), prop))
Note: the prop object does not exist yet. Inject it directly below private UserService userService; by typing @Autowired:
    @Autowired
    private RsaKeyProperties prop;
Then add the second filter:
            .addFilter(new JwtVerifyFilter(super.authenticationManager(), prop));
After that an optimisation can be applied: distributed authentication does not need an HTTP session, so disable it with .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
Note: SessionCreationPolicy.STATELESS means Spring Security will neither create nor use an HTTP session; every request must carry its own token.
The complete configuration:
import …

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserService userService;

    @Autowired
    private RsaKeyProperties prop;

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Where authenticated principals come from: the user service plus a BCrypt password check
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
    }

    // Spring Security configuration
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf()
            .disable()
            .authorizeRequests()
            .antMatchers("/product").hasAnyRole("USER")
            .anyRequest()
            .authenticated()
            .and()
            // login filter issues the JWT, verify filter checks it on every later request
            .addFilter(new JwtLoginFilter(super.authenticationManager(), prop))
            .addFilter(new JwtVerifyFilter(super.authenticationManager(), prop))
            // no HTTP session: the token is the only credential carried between requests
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
Then run it; it can be started from the window shown in the figure below:
In the figure above the port number is 9001, and the service starts normally.
Next comes the authentication step, which needs a tool: open Postman. The address is the login endpoint,
http://localhost:9001/login. Click Body, and note that in Body you must select raw and JSON as the data type.
Click Send, and the following appears:
{
    "msg": "认证通过",
    "code": 200
}
Once authentication passes, the response header carries "Authorization": "Bearer " + token. In the header you will see a token like this:
Bearer eylbGdOUSU21NMS9.eyJl1c2yloie wiaWRcijpudwWsLEFwidXNcnsbhbWcilpcimhpYWsiawsnccis.C.w0YKNxd2972PwiOom51bGisXCldGFOooNcloulistFwlemnAcENclpetwiaRlaeuneeQhiWRmFwifV1livianRpliaTWprNU1HRTFZek10WRObFITMDBZbUlLzTFRedN5UZ3RNV1xTVWpoaU1UUTRORGs0liwiZXnwjoNTY5NTY5MDgO12.TCXkisntIF3CDo2MANjejacVnysz03qxbN9y9yWmOcG1ym3tigTYz11PuyPICe7790dGWwmmjBR_JHBUumCR-yiPuHBpVUSKm3-MSqOR.J4czbgh4Kzd6-b4O06.1Huyb730xwub09do8VO S3Hlbu6HPps _lco-W0C3XPDwt 3 c. SmjurBsFzRAOMtYcmU_R2NCiR4zq25wCCulorurGcanOZox1EmsgpHli2boyC)YMyNlIUGPsOF3gtzowow-mU9xRyTnKxKgP2h6ibOdM018ru6bZAB5MPZ7QYmG_vbX(NNgzca_sA8FLWcplomyPe3oo9SeJ9w
Use this token to make an actual request:
A typical request is a GET to http://localhost:9001/product/findAll.
The header key must be Authorization and the value is the header content shown above; the request then returns the query result successfully. If the "Bearer" part of the value is kept but the rest is changed, the request gives no message at all; if "Bearer" itself is changed, the request returns "status":403, because the configuration does not yet specify what to do when the token fails validation.
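The two failure cases just described (tampered token body with an intact "Bearer" prefix gives no message; a changed prefix gives a bare 403) come from the JwtVerifyFilter registered in the configuration. As an added example that is not the course's own filter, the class below shows a verify filter that makes both cases explicit: a missing or non-Bearer header is passed through unauthenticated so the authorizeRequests() rules reject it with 403, while a token whose signature, expiry or format check fails gets a 401 JSON body instead of silence. It assumes the jjwt 0.9.x API, that RsaKeyProperties exposes getPublicKey() returning a java.security.PublicKey, the same "roles" claim layout as the login example, and the package com.itheima.filter; all of these are assumptions.

```java
package com.itheima.filter; // assumed package; the page only names com.itheima.config

import com.itheima.config.RsaKeyProperties; // assumed location; getPublicKey() is assumed
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

public class JwtVerifyFilter extends BasicAuthenticationFilter {

    private static final String BEARER = "Bearer ";

    private final RsaKeyProperties prop;

    public JwtVerifyFilter(AuthenticationManager authenticationManager, RsaKeyProperties prop) {
        super(authenticationManager);
        this.prop = prop;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String header = request.getHeader("Authorization");

        // Case 1 on the page: no header, or the "Bearer" prefix was altered.
        // Continue without an Authentication; anyRequest().authenticated() then answers 403.
        if (header == null || !header.startsWith(BEARER)) {
            chain.doFilter(request, response);
            return;
        }

        String token = header.substring(BEARER.length());
        try {
            // Signature and expiry are checked against the RSA public key; any tampering throws JwtException
            Claims claims = Jwts.parser()
                    .setSigningKey(prop.getPublicKey())
                    .parseClaimsJws(token)
                    .getBody();

            // Assumed claim layout: "roles" is a JSON array of authority strings such as "ROLE_USER"
            Collection<?> roles = claims.get("roles", Collection.class);
            List<SimpleGrantedAuthority> authorities = roles == null
                    ? Collections.emptyList()
                    : roles.stream()
                           .map(r -> new SimpleGrantedAuthority(String.valueOf(r)))
                           .collect(Collectors.toList());

            UsernamePasswordAuthenticationToken auth =
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities);
            SecurityContextHolder.getContext().setAuthentication(auth);
            chain.doFilter(request, response);
        } catch (JwtException | IllegalArgumentException e) {
            // Case 2 on the page: prefix intact but the token body was changed, expired or is malformed.
            // Answer with an explicit 401 body rather than giving no message.
            SecurityContextHolder.clearContext();
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write("{\"code\":401,\"msg\":\"token invalid or expired\"}");
        }
    }
}
```

Catching JwtException covers the signature, expiry and malformed-token subclasses in one place; letting the missing-header case fall through to the authorization rules keeps the filter from having to know which paths are public, so any endpoint later marked permitAll() keeps working without touching this class.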