如何在spring security中配置自定义身份验证过滤器-使用java配置
我正在尝试为基于 Spring Security 的身份验证配置一个自定义过滤器。它只是对 usernamepasswordfilter 的简单重写。我的问题是不知道如何用 Java 配置来配置它。每次我访问“/admin/login”时,请求都会进入我的过滤器并导致异常,而不是显示登录页面——但 antMatchers 应该允许访问 /admin/login。如果我禁用该过滤器,一切正常。我读了一些相关的问题,但似乎没有一个能给出答案。有人能建议如何修改下面的配置以支持自定义过滤器吗?
标签:spring, spring-security
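/**
 * Spring Security Java configuration.
 *
 * <p>Declares the authentication beans, the URL authorization rules, and installs the custom
 * {@code SystemAuthenticationFilter} ahead of the stock
 * {@code UsernamePasswordAuthenticationFilter}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Page that renders the login form; listed in the permitAll() rules below. */
    private static final String LOGIN_PAGE_URL = "/admin/login";

    /**
     * Endpoint the login form submits credentials to, shared by the custom filter and formLogin().
     *
     * <p>This used to be "/login". With that value, requests for the login page at /admin/login
     * were picked up by the POST-only custom filter and ended in an exception instead of the
     * page being rendered (presumably the processing-URL match is suffix-based on the Spring
     * Security version in use; confirm). The value below shares no suffix with the login page.
     *
     * <p>It also sits under /admin/** so that the requiresSecure() channel rule covers the
     * request that carries the password; "/login" was outside that rule.
     *
     * <p>The login form's {@code action} must point at this URL.
     */
    private static final String LOGIN_PROCESSING_URL = "/admin/authenticate";

    @Autowired
    DataSource dataSource;

    /**
     * Password hashing strategy exposed as a bean.
     *
     * <p>NOTE(review): nothing in this class hands the encoder to the custom authentication
     * provider; confirm that SystemUserAuthenticationProvider actually uses it.
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserNotifier userNotifier() {
        return new UserNotifier();
    }

    /** Authentication provider registered with the AuthenticationManagerBuilder below. */
    @Bean
    AuthenticationProvider customAuthenticationProvider() {
        SystemUserAuthenticationProvider provider = new SystemUserAuthenticationProvider();
        /* other properties etc */
        return provider;
    }

    @Bean
    SystemUserService systemUserService() {
        return new SystemUserService();
    }

    /**
     * Builds the custom authentication filter that is placed before
     * {@code UsernamePasswordAuthenticationFilter} in {@link #configure(HttpSecurity)}.
     *
     * <p>NOTE(review): if the application runs on Spring Boot, a Filter exposed as a bean may
     * also be registered directly with the servlet container; verify it is not applied twice.
     *
     * @return the configured filter
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    SystemAuthenticationFilter systemAuthenticationFilter() throws Exception {
        SystemAuthenticationFilter filter = new SystemAuthenticationFilter();
        filter.setAuthenticationManager(this.authenticationManager());
        // The form fields read by this filter are "email" and "password".
        filter.setUsernameParameter("email");
        filter.setPasswordParameter("password");
        // Credentials are accepted from POST requests only.
        filter.setPostOnly(true);
        filter.setAuthenticationFailureHandler(exceptionMappingAuthenticationFailureHandler());
        filter.setAuthenticationSuccessHandler(savedRequestAwareAuthenticationSuccessHandler());
        // Must not collide with LOGIN_PAGE_URL; see LOGIN_PROCESSING_URL.
        filter.setFilterProcessesUrl(LOGIN_PROCESSING_URL);
        return filter;
    }

    /** Success handler whose default target is /admin/customers. */
    @Bean
    SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/admin/customers");
        return handler;
    }

    @Bean
    AuditorAware<SystemUser> auditorAware() {
        return new SystemUserAuditorAware();
    }

    /**
     * Failure handler that redirects according to the class name of the authentication exception.
     *
     * <p>Bad credentials and unknown user share one target, so the response does not reveal
     * which of the two occurred. Locked and expired-credential states get their own targets,
     * which can tell a client that the account exists; confirm that this is acceptable.
     */
    @Bean
    ExceptionMappingAuthenticationFailureHandler exceptionMappingAuthenticationFailureHandler() {
        Map<String, String> redirectsByException = new HashMap<String, String>();
        redirectsByException.put(
                "org.springframework.security.authentication.CredentialsExpiredException",
                "/admin/login?reset");
        redirectsByException.put(
                "org.springframework.security.authentication.LockedException",
                "/admin/login?locked");
        redirectsByException.put(
                "org.springframework.security.authentication.BadCredentialsException",
                "/admin/login?error");
        redirectsByException.put(
                "org.springframework.security.core.userdetails.UsernameNotFoundException",
                "/admin/login?error");

        ExceptionMappingAuthenticationFailureHandler handler =
                new ExceptionMappingAuthenticationFailureHandler();
        handler.setExceptionMappings(redirectsByException);
        return handler;
    }

    /** Registers the custom provider as the source of authentication decisions. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationProvider());
    }

    /**
     * Excludes /resources/** from the security filter chain.
     *
     * <p>Ignored paths get no authentication, authorization or channel enforcement at all, so
     * only static content belongs under this prefix.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * Declares URL authorization, form login, logout, HTTPS enforcement and the custom filter.
     *
     * <p>Rule order matters: the public admin pages are listed before the /admin/** rule that
     * requires the ADMIN role.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(LOGIN_PAGE_URL, "/admin/login/new**", "/admin/register", "/admin/logout",
                        "/assets/**", "/admin/session/timeout").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                // NOTE(review): default-allow. Every path outside /admin/** is public unless a
                // rule is added above; confirm that this is intended.
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .failureHandler(exceptionMappingAuthenticationFailureHandler())
                .loginProcessingUrl(LOGIN_PROCESSING_URL)
                .loginPage(LOGIN_PAGE_URL)
                // NOTE(review): the custom filter reads "email", not "username", and its success
                // handler targets /admin/customers, not /admin/orders. The custom filter is
                // registered first, so these two settings look unused; confirm and align them.
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/admin/orders")
                .and()
            .logout()
                .logoutUrl("/logout")
                .and()
            .requiresChannel()
                // Covers LOGIN_PROCESSING_URL too, because that URL lives under /admin/.
                .antMatchers("/admin/**").requiresSecure()
                .and()
            .addFilterBefore(systemAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}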
/**
*安全配置。
*/
@配置
@启用Web安全性
公共类SecurityConfig扩展了WebSecurity配置适配器{
@自动连线
数据源数据源;
@豆子
公共密码编码器PasswordEncoder(){
返回新的BCryptPasswordEncoder();
}
@豆子
UserNotifier UserNotifier(){
UserNotifier us=新的UserNotifier();
归还我们;
}
@豆子
AuthenticationProvider customAuthenticationProvider(){
SystemUserAuthenticationProvider impl=新的SystemUserAuthenticationProvider();
/*其他财产等*/
返回impl;
}
@豆子
SystemUserService SystemUserService(){
SystemUserService SystemUserService=新的SystemUserService();
返回系统用户服务;
}
@豆子
SystemAuthenticationFilter SystemAuthenticationFilter()引发异常{
SystemAuthenticationFilter f=新的SystemAuthenticationFilter();
f、 setAuthenticationManager(this.authenticationManager());
f、 setPasswordParameter(“密码”);
f、 setUsernameParameter(“电子邮件”);
f、 setPostOnly(true);
f、 setAuthenticationFailureHandler(AppingAuthenticationFailureHandler()除外);
f、 setAuthenticationSuccessHandler(savedRequestAwareAuthenticationSuccessHandler());
f、 setFilterProcessURL(“/login”);
返回f;
}
@豆子
SavedRequestStataWareAuthenticationSuccessHandler SavedRequestStataWareAuthenticationSuccessHandler(){
SavedRequestStataWareAuthenticationSuccessHandler sv=新的SavedRequestStataWareAuthenticationSuccessHandler();
sv.setDefaultTargetUrl(“/admin/customers”);
返回sv;
}
@豆子
AuditorAware AuditorAware(){
SystemUserAuditorAware adw=新的SystemUserAuditorAware();
返回adw;
}
@豆子
ExceptionMapingAuthenticationFailureHandler ExceptionMapingAuthenticationFailureHandler(){
ExceptionMapingAuthenticationFailureHandler ex=新的ExceptionMapingAuthenticationFailureHandler();
Map mappings=newhashmap();
mappings.put(“org.springframework.security.authentication.CredentialsExpiredException”,“/admin/login?reset”);
mappings.put(“org.springframework.security.authentication.LockedException”,“/admin/login?locked”);
mappings.put(“org.springframework.security.authentication.BadCredentialsException”,“/admin/login?error”);
mappings.put(“org.springframework.security.core.userdetails.UsernameNotFoundException”,“/admin/login?error”);
例如,设置例外映射(映射);
退换货;
}
@凌驾
受保护的无效配置(AuthenticationManagerBuilder auth)引发异常{
auth.authenticationProvider(customAuthenticationProvider());
}
@凌驾
public void configure(WebSecurity web)引发异常{
网状物
.忽略()
.antMatchers(“/resources/**”)
;
}
@凌驾
受保护的无效配置(HttpSecurity http)引发异常{
http
.授权请求()
.antMatchers(“/admin/login”、“/admin/login/new**”、“/admin/register”、“/admin/logout”、“/assets/**”、“/admin/session/timeout”).permitAll()
.antMatchers(“/admin/**”).hasRole(“admin”)
.anyRequest().permitAll()
.及()
.formLogin()
.failureHandler(例外MappingAuthenticationFailureHandler())
.loginProcessingUrl(“/login”)
.loginPage(“/admin/login”)
.usernameParameter(“用户名”)
.passwordParameter(“密码”)
.defaultSuccessUrl(“/admin/orders”)
.及()
.logout()
.logoutUrl(“/logout”)
.及()
.requireChannel()
.antMatchers(“/admin/**”).requirescure()
.及()
.addFilterBefore(systemAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class);
}
}
没关系,我通过更改登录处理 URL 上的正则表达式解决了这个问题。它似乎与前面的 antMatchers 规则相冲突。
因此,将 formLogin 和自定义过滤器配置中的登录处理 URL 都改为“登录”之后,登录页面现在无需授权即可访问。