使用java 编程的注解的方式定制spring security


上一篇博客介绍了用 XML 配置的方式来使用 Spring Security。
现在改造成完全使用注解的方式进行 定制 spring security

  1. 编程方式替换 在web.xml中定义的spring 的 filterChain

    <!-- spring security -->
    <!-- Every request (/*) is routed through the springSecurityFilterChain filter, which is a DelegatingFilterProxy. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- end -->

    用java 代码来实现是:定义一个 SecurityWebApplicationInitializer 类来继承AbstractSecurityWebApplicationInitializer

    /**
     * File: SecurityWebApplicationInitializer.java
     * Package: com.ninelephas.whale.springsecurity.configuration
     * Copyright: Copyright (c) 2016
     * Company: 九象网络科技(上海)有限公司
     *
     * @author roamerxv
     * @date 2016-09-06 19:04:47
     * @version V1.0.0
     */
    package com.ninelephas.whale.springsecurity.configuration;

    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

    /**
     * Programmatic replacement for the springSecurityFilterChain filter and filter-mapping
     * that were previously declared in web.xml.
     *
     * <p>The class body is intentionally empty: extending
     * {@link AbstractSecurityWebApplicationInitializer} is all that is required.
     *
     * @author Comsys-roamerxv
     * @date 2016-09-06 19:04:47
     */
    public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {}
  2. 编程方式实现在 applicationContext-security.xml 中定义的 http 部分

    <!-- URL access rules, form login and custom filters of the XML based configuration. -->
    <http auto-config="false">
        <intercept-url pattern="/" access="permitAll" />
        <!-- NOTE(review): in an Ant pattern a double asterisk spans several path segments only when it is a
             whole segment, so "/admin**" does not cover /admin/x and "/workflow/***" covers one level only.
             There is also no catch-all rule, so any URL not listed here is served without authentication. -->
        <intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
        <intercept-url pattern="/workflow/***" access="hasRole('ADMIN')" />
        自定义登录的界面
        <form-login login-page="/views/login.jsp" username-parameter="username" password-parameter="password"/>
        自定登录的filter
        <custom-filter before="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
        自定退出的filter
        <custom-filter before="LOGOUT_FILTER" ref="customLogoutFilter" />
    </http>

    用java 代码来实现是:定义一个 SecurityConfiguration 类来继承WebSecurityConfigurerAdapter

```java
/**
 * @Title: SecurityConfiguration.java
 * @Package com.ninelephas.whale.springsecurity.configuration
 * @Description: TODO
 * Copyright: Copyright (c) 2016
 * Company:九象网络科技(上海)有限公司
 *
 * @author roamerxv
 * @date 2016年9月7日 下午12:17:47
 * @version V1.0.0
 */

package com.ninelephas.whale.springsecurity.configuration;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutFilter;

import com.ninelephas.whale.springsecurity.CustomLoginSuccessHandler;
import com.ninelephas.whale.springsecurity.CustomLogoutFilter;
import com.ninelephas.whale.springsecurity.CustomUsernamePasswordAuthenticationFilter;

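/**
 * Java-config replacement for the {@code <http>} section of applicationContext-security.xml.
 *
 * <p>Declares the URL access rules, the form-login page and the custom login filter, and
 * exposes the {@link AuthenticationManager} bean that the custom login filter is wired with.
 *
 * @author Comsys-roamerxv
 * @date 2016-09-07 12:17:47
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    /** Logger for this class. */
    private static final Logger logger = LogManager.getLogger(SecurityConfiguration.class.getName());

    @Autowired
    CustomUsernamePasswordAuthenticationFilter customUsernamePasswordAuthenticationFilter;

    // The custom logout filter of the XML configuration is not wired in this version.
    // @Autowired
    // CustomLogoutFilter customLogoutFilter;

    @Autowired
    CustomLoginSuccessHandler customLoginSuccessHandler;

    // The container injects the AuthenticationManagerBuilder instance used by the methods below.
    @Autowired
    AuthenticationManagerBuilder authenticationManagerBuilder;

    /**
     * Registers the in-memory accounts on the injected builder.
     *
     * <p>The method is {@code @Autowired}, so the container invokes it during start-up.
     *
     * <p>SECURITY: these are the demo accounts of the XML {@code <user-service>}, with the
     * passwords written in clear text and equal to the user names. They are guessable
     * defaults; a deployed application needs a {@code UserDetailsService} backed by hashed
     * passwords and a {@code PasswordEncoder} instead.
     *
     * @param auth builder supplied by the container; not used, the injected field is configured
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        logger.debug("configureGlobal(AuthenticationManagerBuilder) - start"); //$NON-NLS-1$
        this.authenticationManagerBuilder.inMemoryAuthentication().withUser("user").password("user").roles("USER");
        this.authenticationManagerBuilder.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
        logger.debug("configureGlobal(AuthenticationManagerBuilder) - end"); //$NON-NLS-1$
    }

    /**
     * Configures URL authorization, form login, CSRF protection and the custom login filter.
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        logger.debug("configure(HttpSecurity) - start"); //$NON-NLS-1$
        http.authorizeRequests()
            .antMatchers("/").access("permitAll")
            // "**" spans several path segments only when it is a whole segment. The original
            // "/admin**" therefore matched /adminXYZ but not /admin/users, and "/workflow/***"
            // matched one level only, leaving deeper URLs without the ADMIN requirement.
            .antMatchers("/admin**", "/admin/**").access("hasRole('ADMIN')")
            .antMatchers("/workflow/**").access("hasRole('ADMIN')")
            // NOTE(review): there is no anyRequest() rule, so every URL not listed above is
            // served without authentication. Consider anyRequest().authenticated() once the
            // login page and static resources are explicitly permitted.
            .and().formLogin().loginPage("/views/login.jsp").successHandler(customLoginSuccessHandler)
            .usernameParameter("username").passwordParameter("password")
            .and().csrf()
            .and().exceptionHandling()
            // NOTE(review): the custom filter is a bean created outside this builder, so the
            // formLogin() settings above (success handler, session authentication strategy)
            // are presumably not applied to it. Verify that session-fixation protection still
            // runs when a login goes through the custom filter.
            .and().addFilterBefore(customUsernamePasswordAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
            //.addFilterBefore(customLogoutFilter, LogoutFilter.class);
        logger.debug("configure(HttpSecurity) - end"); //$NON-NLS-1$
    }

    /**
     * Exposes the {@link AuthenticationManager} as a bean so the container can inject it
     * into the custom login filter.
     *
     * <p>NOTE(review): this calls {@code build()} on the injected builder directly;
     * overriding {@code authenticationManagerBean()} is the framework's own way to publish
     * the manager. Confirm the builder is not built a second time elsewhere.
     *
     * @return the manager built from the injected builder
     * @throws Exception if the builder cannot produce a manager
     */
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        logger.debug("authenticationManager() - start"); //$NON-NLS-1$
        logger.debug("authenticationManager() - end"); //$NON-NLS-1$
        return this.authenticationManagerBuilder.build();
    }

}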

```

3. 编程方式实现在 applicationContext-security.xml 中定义的 指定登录filter的实现类

<!-- Declares the custom login filter bean and passes it the authenticationManager bean by reference. -->
<beans:bean id="customUsernamePasswordAuthenticationFilter" class="com.ninelephas.whale.springsecurity.CustomUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

用java 代码来实现是:定义一个 CustomUsernamePasswordAuthenticationFilter 类来继承 UsernamePasswordAuthenticationFilter

```java
/**
 * File: CustomLoginFilter.java
 * Package: com.ninelephas.whale.springsecurity
 * Copyright: Copyright (c) 2016
 * Company: 九象网络科技(上海)有限公司
 *
 * @author roamerxv
 * @date 2016-09-06 11:23:31
 * @version V1.0.0
 */
package com.ninelephas.whale.springsecurity;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;

/**
 * Login filter that delegates every step to {@link UsernamePasswordAuthenticationFilter}
 * and adds debug logging, plus a session attribute holding the user name after a
 * successful login.
 *
 * <p>NOTE(review): the filter is registered as a {@code @Component} rather than created by
 * the form-login configuration. Confirm that a session authentication strategy (session-id
 * change on login) is set on it.
 *
 * @author Comsys-roamerxv
 * @date 2016-09-06 11:23:31
 */
@Component
public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    /** Logger for this class. */
    private static final Logger LOG =
        LogManager.getLogger(CustomUsernamePasswordAuthenticationFilter.class.getName());

    /**
     * Receives the {@link AuthenticationManager} from the container and hands it to the
     * parent filter.
     *
     * @param authenticationManager the manager used to authenticate login requests
     */
    @Autowired
    @Override
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        LOG.debug("setAuthenticationManager(AuthenticationManager) - start"); //$NON-NLS-1$
        super.setAuthenticationManager(authenticationManager);
        LOG.debug("setAuthenticationManager(AuthenticationManager) - end"); //$NON-NLS-1$
    }

    /**
     * Handles a login attempt by delegating to the parent implementation.
     *
     * @param request  the login request
     * @param response the response
     * @return the result returned by the parent filter
     * @throws AuthenticationException if the parent filter rejects the credentials
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {
        // Both markers are written before the delegate call, as in the original.
        LOG.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - start"); //$NON-NLS-1$
        LOG.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - end"); //$NON-NLS-1$
        return super.attemptAuthentication(request, response);
    }

    /**
     * Runs the parent's success handling, then logs the user name and stores it in the
     * session under the key {@code "user"}.
     *
     * <p>NOTE(review): the attribute duplicates the name kept in the authentication result.
     * Access decisions should rely on the security context, not on this attribute.
     *
     * @param request    the login request
     * @param response   the response
     * @param chain      the filter chain
     * @param authResult the successful authentication
     * @throws IOException      propagated from the parent implementation
     * @throws ServletException propagated from the parent implementation
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request,
        HttpServletResponse response,
        FilterChain chain,
        Authentication authResult) throws IOException, ServletException {
        LOG.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - start"); //$NON-NLS-1$
        super.successfulAuthentication(request, response, chain, authResult);
        final String username = authResult.getName();
        LOG.debug("登录成功!用户是:" + username);
        request.getSession().setAttribute("user", username);
        LOG.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - end"); //$NON-NLS-1$
    }

    /**
     * Runs the parent's failure handling and logs that the login failed.
     *
     * @param request  the login request
     * @param response the response
     * @param failed   the exception describing the failure
     * @throws IOException      propagated from the parent implementation
     * @throws ServletException propagated from the parent implementation
     */
    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException failed)
        throws IOException, ServletException {
        LOG.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - start"); //$NON-NLS-1$
        super.unsuccessfulAuthentication(request, response, failed);
        LOG.debug("登录失败!");
        LOG.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - end"); //$NON-NLS-1$
    }
}
```

* 注意!!! *

在xml配置中customUsernamePasswordAuthenticationFilter 这部分需要指定authenticationManager ,并且 是通过

<!-- Defines the authenticationManager with two in-memory accounts.
     SECURITY: the passwords are stored in clear text and equal the user names; these are demo
     accounts only and must be replaced before any deployment. -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>

来指定的。所以在 SecurityConfiguration.java 文件中需要注意这几个地方:
a. 定义一个
@Autowired
AuthenticationManagerBuilder authenticationManagerBuilder;
变量
b. 在配置的函数里面 设置这个变量

    // 这里要注入这个方法。    @Autowired    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {        logger.debug("configureGlobal(AuthenticationManagerBuilder) - start"); //$NON-NLS-1$                            this.authenticationManagerBuilder.inMemoryAuthentication().withUser("user").password("user").roles("USER");        this.authenticationManagerBuilder.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");        logger.debug("configureGlobal(AuthenticationManagerBuilder) - end"); //$NON-NLS-1$    }

c. 用Bean来注解authenticationManager的方法来返回这个 AuthenticationManager

    // 这里要用@Bean注解这个方法,以便容器调用获取实例   AuthenticationManager 实例    @Bean    public AuthenticationManager authenticationManager() throws Exception {        logger.debug("authenticationManager() - start"); //$NON-NLS-1$        AuthenticationManager authenticationManager =  this.authenticationManagerBuilder.build();        logger.debug(new StringBuffer("AuthenticationManager设置成功,对象指针是:").append(authenticationManager));        logger.debug("authenticationManager() - end"); //$NON-NLS-1$        return authenticationManager;    }

d. 在CustomUsernamePasswordAuthenticationFilter.java 中设置这个变量

    // @Autowired on this overridden setter makes the container pass in the AuthenticationManager,
    // which is then handed to the parent filter.
    @Autowired
    @Override
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        logger.debug("setAuthenticationManager(AuthenticationManager) - start"); //$NON-NLS-1$
        super.setAuthenticationManager(authenticationManager);
        logger.debug("setAuthenticationManager(AuthenticationManager) - end"); //$NON-NLS-1$
    }
