Spring Security 认证授权机制与实战配置

五、认证机制详解

5.1 内存认证（开发测试）

@Bean
public UserDetailsService userDetailsService() {
    UserDetails user = User.builder()
        .username("admin")
        .password(passwordEncoder().encode("123456"))
        .roles("ADMIN")
        .build();
    UserDetails guest = User.builder()
        .username("guest")
        .password(passwordEncoder().encode("123456"))
        .roles("GUEST")
        .build();
    return new InMemoryUserDetailsManager(user, guest);
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

5.2 数据库认证（生产推荐）

@Service
public class CustomUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository userRepository;

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = userRepository.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("用户不存在"));
        return User.withUsername(user.getUsername())
            .password(user.getPassword())
            .roles(user.getRole())
            .build();
    }
}

六、授权控制方式

6.1 注解方式

// 启用注解
@EnableGlobalMethodSecurity(prePostEnabled = true)

// 使用示例
@Service
public class UserService {
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteUser(Long id) {
        // 只有 ADMIN 角色可以删除
    }

    @PreAuthorize("#userId == authentication.principal.id")
    public UserInfo getUserInfo(Long userId) {
        // 只能查询自己的信息
    }

    @PostFilter("filterObject.owner == authentication.name")
    public List<Document> getAllDocuments() {
        // 过滤返回结果
    }
}

6.2 配置方式

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        .requestMatchers("/api/admin/**").hasRole("ADMIN")
        .requestMatchers("/api/user/**").hasAnyRole("ADMIN", "USER")
        .requestMatchers(HttpMethod.POST, "/api/posts").hasAuthority("post:write")
        .requestMatchers("/public/**").permitAll()
        .anyRequest().authenticated());
    return http.build();
}

七、JWT 无状态认证

7.1 JWT 认证流程

1. 用户 POST /login {username, password}
2. 验证用户信息
3. 返回 JWT Token
4. GET /api/data (Header: Authorization: Bearer )
5. 验证 Token
6. 返回数据

7.2 JWT 实现

// JWT 工具类
@Component
public class JwtUtil {
    @Value("${jwt.secret}")
    private String secret;

    public String generateToken(UserDetails userDetails) {
        return Jwts.builder()
            .setSubject(userDetails.getUsername())
            .setIssuedAt(new Date())
            .setExpiration(new Date(System.currentTimeMillis() + 86400000))
            .signWith(SignatureAlgorithm.HS256, secret)
            .compact();
    }

    public boolean validateToken(String token, UserDetails userDetails) {
        return extractUsername(token).equals(userDetails.getUsername()) && !isTokenExpired(token);
    }
}

// JWT 认证过滤器
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
        String token = extractToken(request);
        if (token != null && jwtUtil.validateToken(token, userDetails)) {
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                userDetails, null, userDetails.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }
}

八、常见场景解决方案

8.1 场景一：记住我功能

http.rememberMe(remember -> remember
    .key("unique-and-secret")
    .tokenValiditySeconds(86400)
    .userDetailsService(userDetailsService));

8.2 场景二：退出登录

http.logout(logout -> logout
    .logoutUrl("/logout")
    .logoutSuccessUrl("/login?logout")
    .deleteCookies("JSESSIONID")
    .addLogoutHandler(new SecurityContextLogoutHandler()));

8.3 场景三：CSRF 防护

http.csrf(csrf -> csrf
    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    // API 接口可以禁用 CSRF
    .ignoringRequestMatchers("/api/**"));

8.4 场景四：自定义登录页

http.formLogin(form -> form
    .loginPage("/login")
    .defaultSuccessUrl("/dashboard")
    .permitAll());

九、学习路线

Spring Security 入门 -> 理解核心概念 -> 认证机制 -> 授权控制 -> JWT 集成 -> OAuth2/SAML -> 微服务安全 -> 实战项目

9.1 学习时间建议

十、最佳实践

10.1 密码加密

// 始终使用 BCrypt
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

10.2 权限设计原则

// 推荐：基于角色的权限访问控制 (RBAC)
@PreAuthorize("hasRole('ADMIN') and hasAuthority('user:delete')")

// 不推荐：硬编码
@PreAuthorize("hasRole('ADMIN') or username == 'admin'")

10.3 异常处理

@RestControllerAdvice
public class SecurityExceptionHandler {
    @ExceptionHandler(AccessDeniedException.class)
    public ResponseEntity<?> handleAccessDenied(AccessDeniedException e) {
        return ResponseEntity.status(403).body("没有权限访问该资源");
    }
}

10.4 安全配置

// 生产环境必须配置
http.headers(headers -> headers
    .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'"))
    .frameOptions(frame -> frame.sameOrigin())
    .httpStrictTransportSecurity(hsts -> hsts
        .includeSubDomains(true)
        .maxAgeInSeconds(31536000)));

十一、总结

Spring Security 虽然学习曲线陡峭，但一旦掌握，将极大提升应用的安全性和开发效率。

11.1 核心要点回顾

十二、推荐资源