源访问控制
概述
在构建Web应用时,我们经常需要实现诸如用户认证、资源访问控制等功能。Spring Boot 提供了多种工具来帮助开发者轻松实现这些需求。本文将介绍如何使用Spring Boot 3.x中的过滤器(Filter)和拦截器(Interceptor)来实现用户登录验证和对特定资源的访问控制。
技术栈
- Spring Boot 3.x
- Spring Security
- Spring Web
- Lombok
- Thymeleaf
业务需求
假设我们需要构建一个简单的博客平台,用户需要登录后才能发表评论或查看私人文章。为了实现这一需求,我们需要:
- 在用户尝试访问需要登录的功能时进行身份验证。
- 对特定资源(如私人文章)进行访问控制。
步骤详解
1. 配置Spring Security
首先,在WebSecurityConfig类中配置Spring Security来处理基本的身份验证和授权。
java
深色版本
1package com.example.blogapp.config;
2
3import org.springframework.context.annotation.Bean;
4import org.springframework.context.annotation.Configuration;
5import org.springframework.security.config.annotation.web.builders.HttpSecurity;
6import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
7import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
8import org.springframework.security.crypto.password.PasswordEncoder;
9import org.springframework.security.web.SecurityFilterChain;
10
11@Configuration
12@EnableWebSecurity
13public class WebSecurityConfig {
14
15 @Bean
16 public PasswordEncoder passwordEncoder() {
17 return new BCryptPasswordEncoder();
18 }
19
20 @Bean
21 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
22 http
23 .authorizeHttpRequests((authz) -> authz
24 .requestMatchers("/private/**").authenticated()
25 .anyRequest().permitAll()
26 )
27 .formLogin(form -> form
28 .loginPage("/login")
29 .permitAll()
30 )
31 .logout(logout -> logout
32 .permitAll()
33 );
34 return http.build();
35 }
36}
2. 实现过滤器
接下来,创建一个过滤器来处理登录请求前后的操作,例如记录登录日志。
java
深色版本
1package com.example.blogapp.filter;
2
3import javax.servlet.FilterChain;
4import javax.servlet.ServletException;
5import javax.servlet.ServletRequest;
6import javax.servlet.ServletResponse;
7import javax.servlet.http.HttpServletRequest;
8import javax.servlet.http.HttpServletResponse;
9import java.io.IOException;
10
11public class AuthFilter implements javax.servlet.Filter {
12
13 @Override
14 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
15 throws IOException, ServletException {
16 HttpServletRequest httpRequest = (HttpServletRequest) request;
17 HttpServletResponse httpResponse = (HttpServletResponse) response;
18
19 System.out.println("AuthFilter: Pre-processing for request to " + httpRequest.getRequestURI());
20
21 chain.doFilter(request, response);
22
23 System.out.println("AuthFilter: Post-processing for request to " + httpRequest.getRequestURI());
24 }
25}
在web.xml文件中配置过滤器:
xml
深色版本
1<filter>
2 <filter-name>authFilter</filter-name>
3 <filter-class>com.example.blogapp.filter.AuthFilter</filter-class>
4</filter>
5
6<filter-mapping>
7 <filter-name>authFilter</filter-name>
8 <url-pattern>/login</url-pattern>
9</filter-mapping>
3. 实现拦截器
然后,创建一个拦截器来控制对私人文章页面的访问。如果用户未登录,则重定向到登录页面。
java
深色版本
1package com.example.blogapp.interceptor;
2
3import org.springframework.stereotype.Component;
4import org.springframework.web.servlet.HandlerInterceptor;
5import org.springframework.web.servlet.ModelAndView;
6
7import javax.servlet.http.HttpServletRequest;
8import javax.servlet.http.HttpServletResponse;
9
10@Component
11public class AccessControlInterceptor implements HandlerInterceptor {
12
13 @Override
14 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
15 throws Exception {
16 if (request.getSession(false).getAttribute("user") == null) {
17 response.sendRedirect("/login");
18 return false;
19 }
20 return true;
21 }
22
23 @Override
24 public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
25 ModelAndView modelAndView) throws Exception {
26 // 可以在这里添加一些额外的处理逻辑
27 }
28
29 @Override
30 public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
31 throws Exception {
32 // 可以在这里添加一些清理逻辑
33 }
34}
在WebMvcConfigurer中注册拦截器:
java
深色版本
1package com.example.blogapp.config;
2
3import org.springframework.context.annotation.Configuration;
4import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
5import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
6
7@Configuration
8public class WebMvcConfig implements WebMvcConfigurer {
9
10 @Override
11 public void addInterceptors(InterceptorRegistry registry) {
12 registry.addInterceptor(new AccessControlInterceptor())
13 .addPathPatterns("/private/**")
14 .excludePathPatterns("/login");
15 }
16}
4. 创建控制器
接下来,定义两个控制器:一个用于处理登录流程,另一个用于展示私人文章。
java
深色版本
1package com.example.blogapp.controller;
2
3import org.springframework.security.core.Authentication;
4import org.springframework.security.core.context.SecurityContextHolder;
5import org.springframework.stereotype.Controller;
6import org.springframework.ui.Model;
7import org.springframework.web.bind.annotation.GetMapping;
8import org.springframework.web.bind.annotation.PostMapping;
9
10@Controller
11public class AuthController {
12
13 @GetMapping("/login")
14 public String showLoginPage() {
15 return "login";
16 }
17
18 @PostMapping("/login")
19 public String handleLogin() {
20 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
21 if (authentication != null && authentication.isAuthenticated()) {
22 return "redirect:/private/posts";
23 } else {
24 return "redirect:/login?error";
25 }
26 }
27}
java
深色版本
1package com.example.blogapp.controller;
2
3import org.springframework.security.core.Authentication;
4import org.springframework.security.core.context.SecurityContextHolder;
5import org.springframework.stereotype.Controller;
6import org.springframework.ui.Model;
7import org.springframework.web.bind.annotation.GetMapping;
8
9@Controller
10public class PostController {
11
12 @GetMapping("/private/posts")
13 public String showPrivatePosts(Model model) {
14 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
15 model.addAttribute("user", authentication.getName());
16 return "private-post";
17 }
18}
5. 页面模板
创建登录页面和私人文章页面的HTML模板。
html
深色版本
1<!-- src/main/resources/templates/login.html -->
2<!DOCTYPE html>
3<html xmlns:th="http://www.thymeleaf.org">
4<head>
5 <title>Login Page</title>
6</head>
7<body>
8 <h1>Login</h1>
9 <form th:action="@{/login}" method="post">
10 <label for="username">Username:</label>
11 <input type="text" id="username" name="username" required/>
12 <br/>
13 <label for="password">Password:</label>
14 <input type="password" id="password" name="password" required/>
15 <br/>
16 <input type="submit" value="Login"/>
17 </form>
18</body>
19</html>
html
深色版本
1<!-- src/main/resources/templates/private-post.html -->
2<!DOCTYPE html>
3<html xmlns:th="http://www.thymeleaf.org">
4<head>
5 <title>Private Posts</title>
6</head>
7<body>
8 <h1>Welcome, <span th:text="${user}"></span></h1>
9 <p>This is your private posts page.</p>
10</body>
11</html>
运行应用
启动应用后,尝试访问
http://localhost:8080/private/posts,系统会自动重定向到登录页面。登录成功后,将可以看到私人文章页面。
结论
通过以上步骤,我们实现了基于Spring Boot的用户认证和资源访问控制。这种方式结合了Spring Security、过滤器和拦截器的强大功能,为我们的应用提供了安全性和灵活性。这种架构模式可以很容易地扩展到更复杂的业务场景中,例如多角色权限管理、审计日志记录等。