在现代应用程序开发中,身份认证是确保应用程序安全的核心环节。Spring Security作为一个强大的安全框架,提供了灵活且全面的身份认证机制。本篇文章将深入探讨Spring Security中身份认证的实现细节,包括用户的描述和管理方式。

什么是身份认证

身份认证(Authentication)是指确认用户身份的过程。它确保访问系统的用户确实是他们声称的那个人,从而保护系统免受未经授权的访问。Spring Security通过多种方式实现身份认证,包括表单登录、HTTP Basic认证、JWT等。

Spring Security中用户的描述

在Spring Security中,用户的描述主要通过以下几个核心接口和类来实现:

  1. UserDetails
  2. UserDetailsService
  3. GrantedAuthority

UserDetails接口

UserDetails接口是Spring Security用来描述用户的核心接口。它包含了与用户相关的基本信息,如用户名、密码、账户是否过期、账户是否锁定、凭据是否过期以及用户是否启用。

  1. public interface UserDetails extends Serializable {
  3.     Collection<? extends GrantedAuthority> getAuthorities();
  5.     String getPassword();
  7.     String getUsername();
  9.     boolean isAccountNonExpired();
  11.     boolean isAccountNonLocked();
  13.     boolean isCredentialsNonExpired();
  15.     boolean isEnabled();
  16. }
主要方法
  • getAuthorities():返回用户的权限集合。
  • getPassword():返回用户的密码。
  • getUsername():返回用户的用户名。
  • isAccountNonExpired():判断账户是否未过期。
  • isAccountNonLocked():判断账户是否未锁定。
  • isCredentialsNonExpired():判断凭据是否未过期。
  • isEnabled():判断用户是否启用。

User类

User类是UserDetails接口的一个实现,Spring Security提供了该类以简化用户信息的管理。

  1. public class User implements UserDetails {
  3.     private final String username;
  4.     private final String password;
  5.     private final Collection<? extends GrantedAuthority> authorities;
  6.     private final boolean accountNonExpired;
  7.     private final boolean accountNonLocked;
  8.     private final boolean credentialsNonExpired;
  9.     private final boolean enabled;
  11.     // Constructors, getters and other methods
  12. }

User类的构造器允许我们设置用户名、密码、权限以及账户状态。

GrantedAuthority接口

GrantedAuthority接口用于表示用户的权限。通常情况下,权限以字符串形式表示,如ROLE_USERROLE_ADMIN

  1. public interface GrantedAuthority extends Serializable {
  2.     String getAuthority();
  3. }

SimpleGrantedAuthority类

SimpleGrantedAuthority类是GrantedAuthority接口的一个实现,提供了简单的字符串权限表示。

  1. public class SimpleGrantedAuthority implements GrantedAuthority {
  3.     private final String role;
  5.     public SimpleGrantedAuthority(String role) {
  6.         this.role = role;
  7.     }
  9.     @Override
  10.     public String getAuthority() {
  11.         return this.role;
  12.     }
  13. }

用户的管理

在Spring Security中,用户的管理主要通过UserDetailsService接口来实现。该接口定义了一个方法loadUserByUsername,用于根据用户名加载用户信息。

UserDetailsService接口

UserDetailsService接口是Spring Security用来管理用户信息的核心接口。它只有一个方法loadUserByUsername

  1. public interface UserDetailsService {
  2.     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
  3. }
实现UserDetailsService

开发者可以实现UserDetailsService接口,提供自定义的用户管理逻辑。

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.security.core.userdetails.User;
  3. import org.springframework.security.core.userdetails.UserDetails;
  4. import org.springframework.security.core.userdetails.UserDetailsService;
  5. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  6. import org.springframework.stereotype.Service;
  8. @Service
  9. public class CustomUserDetailsService implements UserDetailsService {
  11.     @Autowired
  12.     private UserRepository userRepository;
  14.     @Override
  15.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
  16.         UserEntity userEntity = userRepository.findByUsername(username);
  17.         if (userEntity == null) {
  18.             throw new UsernameNotFoundException("User not found");
  19.         }
  20.         return new User(userEntity.getUsername(), userEntity.getPassword(), new ArrayList<>());
  21.     }
  22. }

在上述示例中,CustomUserDetailsService从数据库中加载用户信息。UserRepository是一个数据访问层接口,用于访问数据库中的用户数据。

配置身份认证

基本配置

要在Spring Security中启用身份认证,需要配置AuthenticationManager。这可以通过扩展WebSecurityConfigurerAdapter并重写configure方法来实现。

  1. import org.springframework.context.annotation.Bean;
  2. import org.springframework.context.annotation.Configuration;
  3. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  4. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  5. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  6. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  7. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  8. import org.springframework.security.crypto.password.PasswordEncoder;
  10. @Configuration
  11. @EnableWebSecurity
  12. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  14.     @Autowired
  15.     private CustomUserDetailsService userDetailsService;
  17.     @Override
  18.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  19.         auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
  20.     }
  22.     @Override
  23.     protected void configure(HttpSecurity http) throws Exception {
  24.         http.authorizeRequests()
  25.             .antMatchers("/admin/**").hasRole("ADMIN")
  26.             .antMatchers("/user/**").hasRole("USER")
  27.             .antMatchers("/", "/home").permitAll()
  28.             .and()
  29.             .formLogin()
  30.             .loginPage("/login")
  31.             .permitAll()
  32.             .and()
  33.             .logout()
  34.             .permitAll();
  35.     }
  37.     @Bean
  38.     public PasswordEncoder passwordEncoder() {
  39.         return new BCryptPasswordEncoder();
  40.     }
  41. }

在上述配置中,我们使用userDetailsService方法指定自定义的UserDetailsService实现,并使用BCryptPasswordEncoder进行密码编码。

数据库配置

在生产环境中,通常会将用户信息存储在数据库中。我们可以通过JdbcUserDetailsManager来实现这一点。

引入依赖

pom.xml文件中引入JDBC和数据库驱动的依赖:

  1. <dependency>
  2.     <groupId>org.springframework.boot</groupId>
  3.     <artifactId>spring-boot-starter-jdbc</artifactId>
  4. </dependency>
  5. <dependency>
  6.     <groupId>org.springframework.boot</groupId>
  7.     <artifactId>spring-boot-starter-data-jpa</artifactId>
  8. </dependency>
  9. <dependency>
  10.     <groupId>mysql</groupId>
  11.     <artifactId>mysql-connector-java</artifactId>
  12.     <scope>runtime</scope>
  13. </dependency>
配置数据源

application.properties中配置数据库连接:

  1. spring.datasource.url=jdbc:mysql://localhost:3306/mydb
  2. spring.datasource.username=root
  3. spring.datasource.password=root
  4. spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
创建数据库表
  1. CREATE TABLE users (
  2.     username VARCHAR(50) NOT NULL PRIMARY KEY,
  3.     password VARCHAR(100) NOT NULL,
  4.     enabled BOOLEAN NOT NULL
  5. );
  7. CREATE TABLE authorities (
  8.     username VARCHAR(50) NOT NULL,
  9.     authority VARCHAR(50) NOT NULL,
  10.     FOREIGN KEY (username) REFERENCES users(username)
  11. );
使用JdbcUserDetailsManager

在Spring Security配置类中使用JdbcUserDetailsManager

  1. import org.springframework.context.annotation.Bean;
  2. import org.springframework.context.annotation.Configuration;
  3. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  4. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  5. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  6. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  7. import org.springframework.security.core.userdetails.jdbc.JdbcUserDetailsManager;
  8. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  9. import org.springframework.security.crypto.password.PasswordEncoder;
  11. import javax.sql.DataSource;
  13. @Configuration
  14. @EnableWebSecurity
  15. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  17.     @Autowired
  18.     private DataSource dataSource;
  20.     @Override
  21.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  22.         auth.jdbcAuthentication()
  23.             .dataSource(dataSource)
  24.             .usersByUsernameQuery("select username, password, enabled from users where username = ?")
  25.             .authoritiesByUsernameQuery("select username, authority from authorities where username = ?")
  26.             .passwordEncoder(passwordEncoder());
  27.     }
  29.     @Override
  30.     protected void configure(HttpSecurity http) throws Exception {
  31.         http.authorizeRequests()
  32.             .antMatchers("/admin/**").hasRole("ADMIN")
  33.             .antMatchers("/user/**").hasRole("USER")
  34.             .antMatchers("/", "/home").permitAll()
  35.             .and()
  36.             .formLogin()
  37.             .loginPage("/login")
  38.             .permitAll()
  39.             .and()
  40.             .logout()
  41.             .permitAll();
  42.     }
  44.     @Bean
  45.     public PasswordEncoder passwordEncoder() {
  46.         return new BCryptPasswordEncoder();
  47.     }
  48. }

其他身份认证机制

基于JWT的认证

JWT(JSON Web Token)是一种用于

在网络应用环境中传递声明的方式。Spring Security支持通过JWT实现无状态认证。

引入依赖
  1. <dependency>
  2.     <groupId>io.jsonwebtoken</groupId>
  3.     <artifactId>jjwt</artifactId>
  4.     <version>0.9.1</version>
  5. </dependency>
JWT生成和验证

创建一个工具类用于生成和验证JWT:

  1. import io.jsonwebtoken.Claims;
  2. import io.jsonwebtoken.Jwts;
  3. import io.jsonwebtoken.SignatureAlgorithm;
  4. import org.springframework.security.core.userdetails.UserDetails;
  5. import org.springframework.stereotype.Component;
  7. import java.util.Date;
  8. import java.util.HashMap;
  9. import java.util.Map;
  10. import java.util.function.Function;
  12. @Component
  13. public class JwtUtil {
  15.     private String SECRET_KEY = "secret";
  17.     public String extractUsername(String token) {
  18.         return extractClaim(token, Claims::getSubject);
  19.     }
  21.     public Date extractExpiration(String token) {
  22.         return extractClaim(token, Claims::getExpiration);
  23.     }
  25.     public <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
  26.         final Claims claims = extractAllClaims(token);
  27.         return claimsResolver.apply(claims);
  28.     }
  30.     private Claims extractAllClaims(String token) {
  31.         return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody();
  32.     }
  34.     private Boolean isTokenExpired(String token) {
  35.         return extractExpiration(token).before(new Date());
  36.     }
  38.     public String generateToken(UserDetails userDetails) {
  39.         Map<String, Object> claims = new HashMap<>();
  40.         return createToken(claims, userDetails.getUsername());
  41.     }
  43.     private String createToken(Map<String, Object> claims, String subject) {
  44.         return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(new Date(System.currentTimeMillis()))
  45.                 .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10))
  46.                 .signWith(SignatureAlgorithm.HS256, SECRET_KEY).compact();
  47.     }
  49.     public Boolean validateToken(String token, UserDetails userDetails) {
  50.         final String username = extractUsername(token);
  51.         return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
  52.     }
  53. }
JWT过滤器

创建一个过滤器,用于拦截每个请求并验证JWT:

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.security.core.context.SecurityContextHolder;
  3. import org.springframework.security.core.userdetails.UserDetails;
  4. import org.springframework.security.core.userdetails.UserDetailsService;
  5. import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
  6. import org.springframework.stereotype.Component;
  7. import org.springframework.web.filter.OncePerRequestFilter;
  8. import io.jsonwebtoken.ExpiredJwtException;
  10. import javax.servlet.FilterChain;
  11. import javax.servlet.ServletException;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletResponse;
  14. import java.io.IOException;
  16. @Component
  17. public class JwtRequestFilter extends OncePerRequestFilter {
  19.     @Autowired
  20.     private UserDetailsService userDetailsService;
  22.     @Autowired
  23.     private JwtUtil jwtUtil;
  25.     @Override
  26.     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
  27.             throws ServletException, IOException {
  29.         final String authorizationHeader = request.getHeader("Authorization");
  31.         String username = null;
  32.         String jwt = null;
  34.         if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
  35.             jwt = authorizationHeader.substring(7);
  36.             try {
  37.                 username = jwtUtil.extractUsername(jwt);
  38.             } catch (ExpiredJwtException e) {
  39.                 logger.warn("JWT Token has expired");
  40.             }
  41.         }
  43.         if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
  45.             UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
  47.             if (jwtUtil.validateToken(jwt, userDetails)) {
  49.                 UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
  50.                         userDetails, null, userDetails.getAuthorities());
  51.                 usernamePasswordAuthenticationToken
  52.                         .setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
  53.                 SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
  54.             }
  55.         }
  56.         chain.doFilter(request, response);
  57.     }
  58. }
配置JWT过滤器

在Spring Security配置类中添加JWT过滤器:

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  3. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  4. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  5. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  6. import org.springframework.security.config.http.SessionCreationPolicy;
  7. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  9. @EnableWebSecurity
  10. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  12.     @Autowired
  13.     private JwtRequestFilter jwtRequestFilter;
  15.     @Override
  16.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  17.         // 配置身份认证逻辑
  18.     }
  20.     @Override
  21.     protected void configure(HttpSecurity http) throws Exception {
  22.         http.csrf().disable()
  23.             .authorizeRequests().antMatchers("/authenticate").permitAll()
  24.             .anyRequest().authenticated()
  25.             .and().sessionManagement()
  26.             .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  27.         http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
  28.     }
  29. }

自定义身份认证逻辑

实现自定义身份认证

有时候,默认的身份认证机制可能无法满足特定需求,此时可以实现自定义身份认证逻辑。可以通过自定义AuthenticationProvider来实现。

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.security.authentication.AuthenticationProvider;
  3. import org.springframework.security.authentication.BadCredentialsException;
  4. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.core.AuthenticationException;
  7. import org.springframework.security.core.userdetails.UserDetails;
  8. import org.springframework.security.core.userdetails.UserDetailsService;
  9. import org.springframework.security.crypto.password.PasswordEncoder;
  10. import org.springframework.stereotype.Component;
  12. @Component
  13. public class CustomAuthenticationProvider implements AuthenticationProvider {
  15.     @Autowired
  16.     private UserDetailsService userDetailsService;
  18.     @Autowired
  19.     private PasswordEncoder passwordEncoder;
  21.     @Override
  22.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  23.         String username = authentication.getName();
  24.         String password = (String) authentication.getCredentials();
  26.         UserDetails user = userDetailsService.loadUserByUsername(username);
  28.         if (user == null || !passwordEncoder.matches(password, user.getPassword())) {
  29.             throw new BadCredentialsException("Username or password is incorrect");
  30.         }
  32.         return new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
  33.     }
  35.     @Override
  36.     public boolean supports(Class<?> authentication) {
  37.         return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
  38.     }
  39. }

配置自定义AuthenticationProvider

在Spring Security配置类中配置自定义的AuthenticationProvider

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.context.annotation.Bean;
  3. import org.springframework.context.annotation.Configuration;
  4. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  5. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  6. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  7. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  8. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  9. import org.springframework.security.crypto.password.PasswordEncoder;
  11. @Configuration
  12. @EnableWebSecurity
  13. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  15.     @Autowired
  16.     private CustomAuthenticationProvider customAuthenticationProvider;
  18.     @Override
  19.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  20.         auth.authenticationProvider(customAuthenticationProvider);
  21.     }
  23.     @Override
  24.     protected void configure(HttpSecurity http) throws Exception {
  25.         http.authorizeRequests()
  26.             .antMatchers("/admin/**").hasRole("ADMIN")
  27.             .antMatchers("/user/**").hasRole("USER")
  28.             .antMatchers("/", "/home").permitAll()
  29.             .and()
  30.             .formLogin()
  31.             .loginPage("/login")
  32.             .permitAll()
  33.             .and()
  34.             .logout()
  35.             .permitAll();
  36.     }
  38.     @Bean
  39.     public PasswordEncoder passwordEncoder() {
  40.         return new BCryptPasswordEncoder();
  41.     }
  42. }

安全事件处理

Spring Security提供了多种方式来处理安全事件,如认证成功、认证失败和注销事件。

自定义认证成功处理

创建一个类实现AuthenticationSuccessHandler接口:

  1. import org.springframework.security.core.Authentication;
  2. import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
  4. import javax.servlet.ServletException;
  5. import javax.servlet.http.HttpServletRequest;
  6. import javax.servlet.http.HttpServletResponse;
  7. import java.io.IOException;
  9. public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
  11.     @Override
  12.     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
  13.                                         Authentication authentication) throws IOException, ServletException {
  14.         // 认证成功后的逻辑
  15.         response.sendRedirect("/home");
  16.     }
  17. }

自定义认证失败处理

创建一个类实现AuthenticationFailureHandler接口:

  1. import org.springframework.security.core.AuthenticationException;
  2. import org.springframework.security.web.authentication.AuthenticationFailureHandler;
  4. import javax.servlet.ServletException;
  5. import javax.servlet.http.HttpServletRequest;
  6. import javax.servlet.http.HttpServletResponse;
  7. import java.io.IOException;
  9. public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
  11.     @Override
  12.     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
  13.                                         AuthenticationException exception) throws IOException, ServletException {
  14.         // 认证失败后的逻辑
  15.         response.sendRedirect("/login?error=true");
  16.     }
  17. }

配置自定义处理器

在Spring Security配置类中配置自定义处理器:

  1. @Override
  2. protected void configure(HttpSecurity http) throws Exception {
  3.     http.formLogin()
  4.         .loginPage("/login")
  5.         .success
  7. Handler(new CustomAuthenticationSuccessHandler())
  8.         .failureHandler(new CustomAuthenticationFailureHandler())
  9.         .permitAll()
  10.         .and()
  11.         .logout()
  12.         .permitAll();
  13. }

总结

通过本文的介绍,我们详细探讨了Spring Security中身份认证的相关概念和实现方法。Spring Security提供了灵活且强大的身份认证机制,可以通过自定义用户信息和身份认证逻辑来满足不同的安全需求。希望本文能为你在Spring Security的身份认证实现中提供有用的参考和指导。