我正在开发一个 Spring Boot Web 应用程序。问题出在登录场景中。假设我有一个用户名“Ali”注册的用户。该用户可以使用用户名“Ali”或“ali”登录。下面的代码代表我的 spring 安全配置类。似乎在比较时,Spring boot 不检查大写小写因素,但我希望它被检查。
包 nf.something.conf;
导入 nf.something.repo.EventRepository;
导入 org.springframework.beans.factory.annotation.Autowired;
导入 org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
导入 org.springframework.context.annotation.Bean;
导入 org.springframework.context.annotation.Configuration;
导入 org.springframework.http.HttpMethod;
导入 org.springframework.security.authentication.AuthenticationProvider;
导入 org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
导入 org.springframework.security.config.annotation.web.builders.HttpSecurity;
导入 org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
导入 org.springframework.security.core.Authentication;
导入 org.springframework.security.core.AuthenticationException;
导入 org.springframework.security.core.session.SessionRegistry;
导入 org.springframework.security.core.session.SessionRegistryImpl;
导入 org.springframework.security.core.userdetails.UserDetailsService;
导入 org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
导入 org.springframework.security.web.AuthenticationEntryPoint;
导入 org.springframework.security.web.authentication.AuthenticationFailureHandler;
导入 org.springframework.security.web.authentication.AuthenticationSuccessHandler;
导入 org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
导入 org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
导入 org.springframework.security.web.header.writers.StaticHeadersWriter;
导入 org.springframework.security.web.session.HttpSessionEventPublisher;
导入 org.springframework.web.servlet.config.annotation.CorsRegistry;
导入 org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
导入 org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
导入 javax.sql.DataSource;
/**
* 由 reza 于 2016 年 11 月 12 日创建。
*/
@配置
公共类 SecurityConf 扩展 WebSecurityConfigurerAdapter {
@自动连线
私有 DataSource 数据源;
@自动连线
私有事件存储库事件存储库;
// 注册 HttpSessionEventPublisher
@豆
公共静态 ServletListenerRegistrationBean httpSessionEventPublisher() {
返回新的 ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
@覆盖
受保护的无效配置(HttpSecurity http)抛出异常{
http.authorizeRequests()
// .antMatchers(HttpMethod.POST, "/users/").permitAll()
.antMatchers(HttpMethod.GET, "/**").permitAll()
.antMatchers(HttpMethod.POST, "/**").permitAll()
.antMatchers(HttpMethod.PUT, "/**").permitAll()
.antMatchers(HttpMethod.DELETE, "/**").permitAll()
.antMatchers("/swagger*").permitAll()
//.anyRequest().permitAll()
//.and().csrf().disable();
.anyRequest().authenticated()
.and().httpBasic()
.and().formLogin().successHandler(restAuthenticationSuccessHandler()).failureHandler(restAuthenticationFailureHandler())
.and().logout().logoutSuccessHandler(restLogoutSuccessHandler())
.and().exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
.and().csrf().disable().cors() //TODO 当我们准备好时启用csrf
.and().sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true).sessionRegistry(sessionRegistry());
http.headers().cacheControl().disable()
.addHeaderWriter(new StaticHeadersWriter("WWW-Authenticate","xBasic realm=\"fake\""));
}
@豆
公共 SessionRegistry sessionRegistry() {
SessionRegistry sessionRegistry = new SessionRegistryImpl();
返回会话注册表;
}
@豆
公共 WebMvcConfigurer corsConfigurer() {
返回新的 WebMvcConfigurerAdapter() {
@覆盖
公共无效 addCorsMappings(CorsRegistry 注册表){
registry.addMapping("/**").allowedOrigins("*").allowedMethods("PUT", "POST", "GET", "DELETE", "HEAD");
}
};
}
@SuppressWarnings("SpringJavaAutowiringInspection")
@自动连线
public void configureGlobal(AuthenticationManagerBuilder auth, UserDetailsService userDetailsService) 抛出异常 {
/*认证
.jdbcAuthentication().usersByUsernameQuery("Select username,password, 'true' as enabled from Users where username=?")
.authoritiesByUsernameQuery("select username, authority from authority where username=?")
.dataSource(datasource).passwordEncoder(new BCryptPasswordEncoder());*/
auth.userDetailsService(userDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}
@豆
公共 AuthenticationEntryPoint restAuthenticationEntryPoint() {
返回新的 RestAuthenticationEntryPoint();
}
@豆
公共 AuthenticationFailureHandler restAuthenticationFailureHandler() {
返回新的 SimpleUrlAuthenticationFailureHandler();
}
@豆
公共 AuthenticationSuccessHandler restAuthenticationSuccessHandler() {
返回新的 RESTAuthenticationSuccessHandler(eventRepository);
}
@豆
公共 LogoutSuccessHandler restLogoutSuccessHandler() {
返回新的 RESTLogoutSuccessHandler(eventRepository);
}
}
我还在课堂上实现equals了方法User:
@覆盖
公共布尔等于(对象o){
if (this == o) 返回真;
if (!(o instanceof User)) 返回假;
用户用户=(用户)o;
如果 (!getUsername().equals(user.getUsername())) 返回 false;
如果 (getName() != null ? !getName().equals(user.getName()) : user.getName() != null) 返回 false;
if (getFamily() != null ? !getFamily().equals(user.getFamily()) : user.getFamily() != null) 返回 false;
if (getPassword() != null ? !getPassword().equals(user.getPassword()) : user.getPassword() != null)
返回假;
返回 getMobilePhone() != null ?getMobilePhone().equals(user.getMobilePhone()) : user.getMobilePhone() == null;
}