我这是一个前后端分离项目所以可能和大多数项目不太相同
我登录成功之后，获取到的 SecurityContextHolder.getContext().getAuthentication().getPrincipal() 是 anonymous
之前我设置的是
.anyRequest().permitAll()
所有请求都不需要权限就可以访问，这样一来任何请求内都拿不到认证信息，所以 principal 是 anonymous
后来改成了
.anyRequest().authenticated()
所有请求都需要认证，改完之后就可以正常拿到认证信息了
下面贴出 security 配置的完整代码
package com.qky.qingchi.config.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
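@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Exposes the custom {@link MyAuthenticationProvider} as a bean.
     *
     * <p>No {@code UserDetailsService} is registered here, so this provider is the
     * only authentication path. Spring Security picks up a lone
     * {@code AuthenticationProvider} bean automatically; if a user-details service
     * is added later, register the provider explicitly in
     * {@code configure(AuthenticationManagerBuilder)} so the intended order is clear.
     *
     * @return the provider used for form login
     */
    @Bean
    public MyAuthenticationProvider myAuthenticationProvider() {
        return new MyAuthenticationProvider();
    }

    /**
     * HTTP security rules for the separated front end.
     *
     * <p>Every request except {@code /talk/*} must carry an authenticated session.
     * With {@code anyRequest().permitAll()} the security context was never populated
     * and the principal seen by controllers was anonymous.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().successForwardUrl("/login/success")
            .and()
            .authorizeRequests()
                // Public endpoints. A single "*" matches exactly one path segment:
                // "/talk/a" is open but "/talk/a/b" still requires authentication.
                // Use "/talk/**" only if nested paths are meant to be public too.
                .antMatchers("/talk/*").permitAll()
                // Everything else requires an authenticated principal.
                .anyRequest().authenticated()
            .and()
            // Relies on a CorsConfigurationSource being configured elsewhere; not
            // visible in this class.
            .cors()
            .and()
            // CSRF protection is switched off. Because formLogin() authenticates the
            // browser with a session cookie, a cross-site page can issue state-changing
            // requests on behalf of a logged-in user. Prefer keeping CSRF enabled with
            // CookieCsrfTokenRepository.withHttpOnlyFalse() so the front end can read
            // the token and echo it in a request header.
            .csrf().disable();
    }

    /**
     * Password encoder used to hash stored credentials (BCrypt, adaptive cost).
     *
     * @return a BCrypt encoder
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}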
package com.qky.qingchi.config.security;
import com.qky.qingchi.entity.User;
import com.qky.qingchi.user.repository.UserRepository;
import javax.annotation.Resource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
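public class MyAuthenticationProvider implements AuthenticationProvider {

    @Resource
    UserRepository userRepository;

    /**
     * Custom authentication: resolves the submitted name to a stored user.
     *
     * <p>NOTE(review): the submitted credentials ({@code authentication.getCredentials()})
     * are never compared against a stored password hash, so any password is accepted
     * for the recognised names, and the name-to-record mapping is hard-coded to two
     * accounts. Both read as development scaffolding; replace them with a repository
     * lookup plus a {@code PasswordEncoder#matches} check before this is exposed.
     *
     * @param authentication the token built by the login filter; its name is the
     *        submitted username
     * @return an authenticated token whose principal is the loaded {@code User}
     * @throws BadCredentialsException if the name is not one of the recognised accounts
     *         or no matching record exists; the same message is used for both cases so
     *         a caller cannot learn which names exist
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String submittedName = authentication.getName();
        String lookupName;
        if ("q".equals(submittedName)) {
            lookupName = "q";
        } else if ("k".equals(submittedName)) {
            lookupName = "kk";
        } else {
            throw new BadCredentialsException("用户不存在");
        }
        User user = userRepository.findOneByName(lookupName);
        if (user == null) {
            // Without this check a missing row surfaces as a NullPointerException
            // (HTTP 500) on user.getAuthorities() instead of a failed login.
            throw new BadCredentialsException("用户不存在");
        }
        // The former System.out.println of the whole entity is intentionally dropped:
        // it wrote the user record (possibly including the password hash) to stdout
        // on every login.
        return new UsernamePasswordAuthenticationToken(user, "", user.getAuthorities());
    }

    /**
     * Limits this provider to username/password tokens, which is what formLogin()
     * submits. The previous unconditional {@code true} handed every token type to
     * {@link #authenticate}, which only understands username/password tokens.
     *
     * @param authentication the token class being authenticated
     * @return {@code true} only for {@link UsernamePasswordAuthenticationToken} and subclasses
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}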
参考: