Spring Security 配置

Spring Security 6 模式:SecurityFilterChain DSL、JWT 过滤器、BCrypt 密码编码、方法级安全和 CORS 配置。

1. SecurityFilterChain

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/**", "/public/**").permitAll()
                .requestMatchers(HttpMethod.GET, "/articles/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }
}

2. JWT 认证过滤器

@Component
public class JwtAuthFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest req,
                                    HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);
            return;
        }
        String token = header.substring(7);
        String username = jwtService.extractUsername(token);
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UserDetails user = userDetailsService.loadUserByUsername(username);
            if (jwtService.isValid(token, user)) {
                var auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        chain.doFilter(req, res);
    }
}

3. 方法级安全

@DeleteMapping("/{id}")
@PreAuthorize("hasRole('ADMIN') or @articleSecurity.isOwner(#id, authentication)")
public void delete(@PathVariable Long id) { ... }

@Component("articleSecurity")
public class ArticleSecurity {
    public boolean isOwner(Long articleId, Authentication auth) {
        return repo.findById(articleId)
            .map(a -> a.getAuthor().getUsername().equals(auth.getName()))
            .orElse(false);
    }
}

4. URL 授权表达式

表达式含义
permitAll()允许所有人
authenticated()需要登录
hasRole("ADMIN")具有 ROLE_ADMIN 权限
hasAnyRole("A","B")具有任意指定角色
anonymous()必须是匿名用户

相关工具推荐

React Hooks 参考 useState/useEffect 等 Hooks 速查 Context 模式 React Context API 使用模式速查 性能优化 React 性能优化技巧速查 Testing Library React Testing Library 速查 React Query 指南 TanStack Query 数据获取速查 Redux Toolkit RTK 状态管理速查手册 React Router v6 React Router v6 路由速查 💚 Composition API Vue 3 Composition API 速查 💚 Vue Router v4 Vue Router 4 路由配置速查 💚 Pinia 指南 Vue 3 Pinia 状态管理速查 💚 Vite + Vue 配置 Vite + Vue 3 项目初始化速查 💚 Vue 测试 Vue Test Utils 测试速查